AWS IAM Policies and Permissions

Commvault requires access to your AWS account via AWS Identity and Access Management (IAM) policies which are associated with IAM Roles or users. For more information, on the AWS documentation site, see Policies and permissions in IAM.

If you are performing backups to an Amazon S3 library, also add Amazon S3 permissions.

For Commvault to perform backup and restores of AWS resources, you must grant permission for Commvault via an IAM User or Role with the IAM policies defined below:

IAM Policy Definitions for Configuring IAM Roles and Users

AWS service to protect	AWS IAM policy
Amazon EC2	amazon_restricted_role_permissions.json If you are performing backups to an Amazon S3 library, also add Amazon S3 permissions.
Amazon RDS	amazon_rds_backup_restore_permissions.json
Amazon Redshift	amazon_redshift_backup_restore_permissions.json
Amazon DocumentDB	amazon_documentdb_backup_restore_permissions.json
Amazon DynamoDB	AWS_DynamoDB_permissions.json
Amazon S3 on Outposts	Amazon_S3_on_Outposts_permissions.json
Amazon EC2 with databases, file systems, and application agents	amazon_DB_FS_backup_restore_permissions.json
Virtual machine conversion to Amazon EC2	amazon_permission_conversion.json
Commvault Cloud Storage Creation with AWS STS – IAM Role Policy Authentication	See Configuring EC2 IAM Role Details for STS Assume IAM Role.
Commvault Cloud Storage Creation with AWS STS Assume Role	See Configuring STS Assume IAM Role.
AWS VM Import/Export IAM Role	trust-policy.json role-policy.json

How Commvault Uses AWS Permissions

Commvault requires access to your AWS account using AWS Identity and Access Management (IAM) policies that are associated with IAM roles or users. The roles and permissions must have the permissions that are necessary for Commvault to perform data protection operations.

These permissions are used only to access snapshot, volume, and instance configuration information that is required to back up instances to storage media, to recover instances, and to clean up intermediate entities that are created by Commvault during those operations. When a user with the required administrative privileges requests that a recovered instance overwrite the original instance, the permissions are also used to remove the original instance, but only after confirmation from the user.

Commvault usage of AWS permissions is controlled by the account settings that are used to create the Amazon EC2 hypervisor in Commvault.

Note

When using resources from an admin account, you must add JSON permissions to both admin and tenant accounts. The permissions that you need to add depends on the operations that you want the account to be able to perform. To restrict operations, see "Permission Usage" below.

For information about how Commvault uses each permission, see Amazon Web Services Permission Usage.

AWS Organizations and Service Control Policy

Commvault Backup & Recovery protects Amazon environments that use AWS Organizations, Amazon Control Tower, and Service Control Policies (SCPs).

Important

When implementing the IAM policies, validate their operation using IAM Access Analyzer and the steps in Troubleshooting AWS Organizations policies. When implementing changes to IAM policies in environments that are governed using SCPs, run backup and recovery tests to verify that the results are as expected.

For more information about AWS permissions, in the AWS documentation, see Amazon Elastic Compute Cloud API Reference or Amazon Simple Storage Service API Reference.