AWS Permission Usage

Commvault requires access to your AWS account using AWS Identity and Access Management (IAM) policies that are associated with IAM roles or users. The roles and permissions must have the permissions that are necessary for Commvault to perform data protection operations.

These permissions are used only to access snapshot, volume, and instance configuration information that is required to back up instances to storage media, to recover instances, and to clean up intermediate entities that are created by Commvault during those operations. When a user with the required administrative privileges requests that a recovered instance overwrite the original instance, the permissions are also used to remove the original instance, but only after confirmation from the user.

Commvault usage of AWS permissions is controlled by the account settings that are used to create the Amazon EC2 hypervisor in Commvault.

Note

When using resources from an admin account, you must add JSON permissions to both admin and tenant accounts. The permissions that you need to add depend on the operations that you want the account to be able to perform. To restrict operations, see "Permission Usage" below.

You can use the following IAM Policies to apply these permissions to a user account:

The following table summarizes the AWS permissions that are needed for Commvault operations and explains how Commvault uses each permission.

Permission

Usage

Backup and restores

Agentless file recovery

In-place instance restore with same GUID

VM conversion

Replication

ebs:CompleteSnapshot

Seal and complete the Amazon Elastic Block Store snapshot.

This is required for direct write restores.

tick

ebs:GetSnapshotBlock

Return data in the Amazon Elastic Block Store snapshots.

This is required for direct read backups.

tick

ebs:ListChangedBlocks

Return blocks that are different between two Amazon Elastic Block Store snapshots of the same volume.

Required for CBT-enabled backups.

tick

ebs:ListSnapshotBlocks

Return allocated blocks in an Amazon Elastic Block Store snapshot.

Required for CBT-enabled backups.

tick

ebs:PutSnapshotBlock

Write a block of data to the Amazon Elastic Block Store snapshot.

This is required for direct write restores.

tick

ebs:StartSnapshot

Create a new Amazon Elastic Block Store snapshot.

This is required for direct write restores.

tick

ec2:AssociateIamInstanceProfile

Attach IAM role to an instance.

tick

ec2:AttachNetworkInterface

Attach network interface to an instance.

tick

ec2:AttachVolume

Attach volume to access node for reads and writes during backup, restore, and replication operations.

tick

tick

tick

ec2:CancelImportTask

Cancel the import task.

tick

ec2:CopySnapshot

Copy snapshot from one region to another during snap replication.

tick

ec2:CreateImage

Create AMI of source instance during backup.

tick

tick

tick

ec2:CreateNetworkInterface

Create a new network interface.

tick

ec2:CreateSnapshot

Share the image to admin or user account.

tick (across AWS accounts)

ec2:CreateTags

Create tags on resources such as instances, volumes, and snapshots.

This is required for direct write restores.

tick

tick

ec2:CreateVolume

Create volume from snapshot for backup or create empty volumes for restores.

tick

tick

tick

ec2:DeleteNetworkInterface

Delete old network interfaces during incremental replication.

tick

tick

tick

ec2:DeleteSnapshot

Clean up snapshots after job completion.

tick

tick

tick

ec2:DeleteTags

Delete tags after backup and restore operations.

tick

tick

tick

ec2:DeleteVolume

Clean up volumes after job completion.

tick

tick

tick

ec2:DeregisterImage

Delete AMI after backup operations and delete old integrity snapshot.

tick

tick

tick

ec2:DescribeAccountAttributes

Get supported network platforms (if EC2 is supported).

tick

tick

tick

ec2:DescribeAvailabilityZones

Get list of availability zones.

tick

tick

tick

ec2:DescribeIamInstanceProfileAssociations

Get IAM role information.

tick

ec2:DescribeImages

Get list of AMIs.

tick

tick

tick

ec2:DescribeImportImageTasks

Used for restore operations with an on-premises access node, including replication operations that use the import method.

Get import task information to check the status of the task.

tick

tick

tick

ec2:DescribeInstanceAttribute

Get EBS optimization information of instance.

tick

tick

tick

ec2:DescribeInstances

Get list of instances, including access node and source instance information.

tick

tick

tick

ec2:DescribeInstanceStatus

Validate instance status after restore operation.

tick

tick

ec2:DescribeInstanceTypeOfferings

Get list of all instance types offered in a region.

tick

tick

tick

tick

ec2:DescribeInstanceTypes

Get details of instance types offered in a region.

tick

tick

tick

tick

ec2:DescribeKeyPairs

Get list of key pairs.

tick

tick

tick

ec2:DescribeNetworkInterfaces

Get network interface list.

tick

tick

tick

ec2:DescribeRegions

Get list of all regions.

tick

tick

tick

ec2:DescribeSecurityGroups

Get list of security groups.

tick

tick

tick

ec2:DescribeSnapshots

Get snapshot information.

tick

tick

tick

ec2:DescribeSubnets

Get list of subnets.

tick

tick

tick

ec2:DescribeTags

Get tag list to backup and restore tags on instances and volumes.

tick

tick

tick

ec2:DescribeVolumeAttribute

Get product code associated with volume.

tick

tick

ec2:DescribeVolumes

Get volume list and information such as size, type, and attachments.

tick

tick

tick

ec2:DescribeVolumesModifications

Get IOPS values used during hotadd backups.

tick

ec2:DescribeVpcs

Get list of VPCs.

tick

tick

tick

ec2:DescribeVpcEndpoints

Get information about the EBS VPC endpoint during direct read backups.

tick

ec2:DetachNetworkInterface

Detach a network interface from an instance.

tick

tick

ec2:DetachVolume

Detach volume from access node after reads and writes.

tick

tick

tick

ec2:DisassociateIamInstanceProfile

Remove IAM role from instance.

tick

ec2:GetConsoleOutput

Get operating system information.

tick

tick

tick

ec2:GetEbsDefaultKmsKeyId

Create an encrypted snapshot with AWS managed key (default key).

This is required for direct write restores.

tick

ec2:GetEbsEncryptionByDefault

Describes whether EBS encryption by default is enabled for the account in the current region. Required for direct write restores, HotAdd streaming and backup copy jobs.

tick

ec2:ImportImage

Used for restore operations with an on-premises access node, including replication operations that use the import method.

Import image during conversion job.

tick

tick

tick

ec2:ModifyImageAttribute

Share the image to admin or user account.

tick (across AWS accounts)

tick

ec2:ModifyInstanceAttribute

Set or reset delete on termination policy after restore.

tick

tick

tick

ec2:ModifyNetworkInterfaceAttribute

Set or reset delete on termination policy after restore.

tick

tick

tick

ec2:ModifySnapshotAttribute

Share snapshot to a different region during snap replication and cross account backups and restores.

tick

tick

tick

ec2:ModifyVolume

Adjust IOPS values during hotadd backups.

tick

ec2:RunInstances

Create new instance.

tick

tick

tick

ec2:StartInstances

Start instance after job completion (based on user input).

tick

tick

tick

ec2:StopInstances

Stop instance after restore operation (based on user input).

tick

tick

tick

ec2:TerminateInstances

Delete instance if overwrite option is selected for restore operation, or delete previous replicated instance during incremental replication.

tick

tick

tick

iam:GetAccountAuthorizationDetails

Required to get account info during snap backup operations that use IAM role.

tick

tick

tick

iam:GetInstanceProfile

Required for IAM based authentication.

tick

tick

tick

iam:GetUser

Get information about the user specified in the AWS client. Used during snap replication.

tick

iam:ListInstanceProfiles

Required to get list of instance profile names to populate IAM roles for restores.

tick

tick

tick

iam:ListRoles

Required to list key pairs in restore screen using IAM role.

tick

tick

tick

iam:PassRole

Required for restoring the IAM role on the restored instance during full instance restores, conversions, and replication. If you don't want the IAM role to be set by Commvault, you can remove this permission completely. You can also restrict this permission to specific roles, services, or instances. You can use the condition key “AssociatedResourceArn” to restrict the destination instances that the role can be associated to. For more information, see IAM and AWS STS condition context keys in the AWS documentation.

tick

tick

tick

iam:SimulatePrincipalPolicy

Required for simulating the set of IAM policies attached to an IAM user, group, or role to determine the policies' effective permissions for a list of API actions and AWS resources.

tick

kms:CreateAlias

Create customer-managed CMK during cross account backup of volumes encrypted using default CMK.

tick

kms:CreateGrant

Required for snap replication of default encrypted AWS snapshots.

tick (for default encrypted snapshots)

tick (for default encrypted snapshots)

kms:CreateKey

Create customer-managed CMK during cross account backup of volumes encrypted using default CMK.

tick

kms:Decrypt

Required for snap replication of default encrypted AWS snapshots.

tick (for default encrypted snapshots)

tick (for default encrypted snapshots)

kms:DescribeKey

Required for snap replication of default encrypted AWS snapshots.

tick (for default encrypted snapshots)

tick (for default encrypted snapshots)

kms:Encrypt

Required for snap replication of default encrypted AWS snapshots.

tick (for default encrypted snapshots)

tick (for default encrypted snapshots)

kms:GenerateDataKey

Required for snap replication of default encrypted AWS snapshots.

Also required for direct write restores to write data to the encrypted Amazon Elastic Block Store snapshot.

tick (for default encrypted snapshots)

tick (for default encrypted snapshots)

kms:GenerateDataKeyPair

Required for snap replication of default encrypted AWS snapshots.

tick (for default encrypted snapshots)

tick (for default encrypted snapshots)

kms:GenerateDataKeyWithoutPlaintext

Required for snap replication of default encrypted AWS snapshots.

tick (for default encrypted snapshots)

tick (for default encrypted snapshots)

kms:GenerateDataKeyPairWithoutPlaintext

Required for snap replication of default encrypted AWS snapshots.

tick (for default encrypted snapshots)

tick (for default encrypted snapshots)

kms:ListAliases

Required for snap replication of default encrypted AWS snapshots.

tick (for default encrypted snapshots)

tick (for default encrypted snapshots)

kms:ListGrants

Attach encrypted volume to access node for reads and writes during backup, restore, and replication operations.

tick

tick

tick

kms:ListKeys

Required for snap replication of default encrypted AWS snapshots.

tick (for default encrypted snapshots)

tick (for default encrypted snapshots)

kms:ListResourceTags

Search for cvlt-ec2 KMS key, which is automatically created by Commvault. Used during snap replication.

tick

kms:ReEncryptFrom

Required for snap replication of default encrypted AWS snapshots.

tick (for default encrypted snapshots)

tick (for default encrypted snapshots)

kms:ReEncryptTo

Required for snap replication of default encrypted AWS snapshots.

tick (for default encrypted snapshots)

tick (for default encrypted snapshots)

kms:TagResource

Required to set a tag on the cvlt-ec2 KMS key, which is automatically created by Commvault if the key does not exist in a given AWS region.

tick

tick

s3:CreateBucket

Required to create an S3 bucket for restores.

tick (when using Import method)

tick

tick (when using Import method)

tick (when using Import method)

s3:DeleteObject

Used for restore operations with an on-premises access node, including replication operations that use the import method.

This permission is also used for a temporary S3 bucket and does not affect the S3 storage buckets.

tick

tick

tick

tick

s3:GetBucketAcl

Share the bucket to admin account.

tick (across AWS accounts)

tick

s3:GetBucketLocation

Get the bucket region for restore operations that use a non-AWS access node.

tick

tick

tick

tick

s3:GetObject

Used for restore operations with an on-premise access node, including replication operations that use the import method.

tick

tick

tick

tick

s3:GetObjectAcl

Used to share the S3 object with the tenant account during a cross-account agentless restore.

tick

s3:ListAllMyBuckets

Used for restore operations that use an on-premises access node, including replication operations that use the import method.

tick

tick

s3:ListBucket

Used for restore operations that use an on-premises access node, including replication operations that use the import method.

tick

tick

tick

tick

s3:PutBucketAcl

Share the bucket to admin account.

tick (across AWS accounts)

tick

s3:PutObject

Used for restore operations that use an on-premises access node, including replication operations that use the import method.

tick

tick

tick

tick

s3:PutObjectAcl

Used to upload objects to S3 bucket.

tick

s3:PutObjectTagging

Required by MediaAgent if S3 library is used with DASH copy.

tick

tick

tick (when using Import method)

tick

ssm:CancelCommand

Cancel run commands.

tick

ssm:DescribeInstanceInformation

Get a list of instances that have the AWS Systems Manager (SSM) installed.

tick

ssm:ListCommands

List the run commands.

tick

ssm:SendCommand

Launch run commands.

tick

sts:AssumeRole

Returns a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to. These temporary credentials consist of an access key ID, a secret access key, and a security token.

tick

tick

tick

tick

tick
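Two offline checks a practitioner can run against a candidate policy, added here as an example that is not Commvault's own tooling or published policy: whether the policy grants the actions the table marks as required for direct write restores, CBT-enabled backups and direct read backups, and whether iam:PassRole is allowed without the iam:AssociatedResourceArn condition key the iam:PassRole row recommends. The sample policy, the account ID 111122223333, the region and the role name are constructed placeholders.

```python
import fnmatch

# Actions the table above states are required for each operation.
REQUIRED = {
    "direct write restore": ["ebs:CompleteSnapshot", "ebs:PutSnapshotBlock",
                             "ebs:StartSnapshot", "ec2:CreateTags",
                             "ec2:GetEbsDefaultKmsKeyId", "kms:GenerateDataKey"],
    "CBT backup": ["ebs:ListChangedBlocks", "ebs:ListSnapshotBlocks"],
    "direct read backup": ["ebs:GetSnapshotBlock", "ec2:DescribeVpcEndpoints"],
}

def allow_statements(policy):
    """Yield (action_pattern, statement) for each action in an Allow statement."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        for action in ([actions] if isinstance(actions, str) else actions):
            yield action, stmt

def missing_actions(policy, scenario):
    """Actions in REQUIRED[scenario] that no Allow statement grants.
    IAM action names are case-insensitive and may use '*' and '?' wildcards."""
    patterns = [a.lower() for a, _ in allow_statements(policy)]
    return [a for a in REQUIRED[scenario]
            if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]

def unscoped_passrole(policy):
    """True if a statement allows iam:PassRole (directly or via a wildcard)
    without the iam:AssociatedResourceArn condition key."""
    for action, stmt in allow_statements(policy):
        if not fnmatch.fnmatchcase("iam:passrole", action.lower()):
            continue
        keys = {k.lower() for cond in stmt.get("Condition", {}).values() for k in cond}
        if "iam:associatedresourcearn" not in keys:
            return True
    return False

def scope_passrole(policy, role_arn, instance_arn_pattern):
    """Copy of `policy` with unscoped PassRole statements replaced by one that
    passes only `role_arn`, and only to instances matching the ARN pattern."""
    keep = [s for s in policy["Statement"] if not unscoped_passrole({"Statement": [s]})]
    scoped = {"Effect": "Allow", "Action": "iam:PassRole", "Resource": role_arn,
              "Condition": {"ArnLike": {"iam:AssociatedResourceArn": instance_arn_pattern}}}
    return {"Version": policy["Version"], "Statement": keep + [scoped]}

# Constructed sample policy (not Commvault's published policy): broad Describe
# access, two of the read-backup actions, and an unscoped PassRole.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "ebs:GetSnapshotBlock", "ebs:ListSnapshotBlocks"]},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}]}
```

Run `missing_actions` once per operation the account is meant to perform, then `scope_passrole` with the real role and instance ARNs before attaching the policy.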
