For protection of AWS resources, Commvault provides a set of identity-based policies that you attach to an IAM user, group, or role. These policies determine what the identity can do by specifying the permissions that it has.
Support for Customer Modification of Commvault-Provided Policies
Supported
Applying least-privilege permissions by removing IAM policies for AWS resources that you don't use or protect is supported. For more information, see Apply least-privilege permissions in the AWS documentation.
Not Supported
Modifying the individual actions within an IAM policy is not supported.
Policy for Amazon DocumentDB
Policy for Amazon DynamoDB
- Policy: AWS_DynamoDB_permissions.json
Policies for Amazon EC2
Amazon EC2 Backup
The following identity-based policy and referenced statement is mandatory for performing backups of Amazon EC2 instances and related Amazon EBS volumes.
-
Required policy: amazon_restricted_role_permissions.json
-
Mandatory statement: "Sid":"AmazonEC2BackupAndRestore2024eV3"
Amazon EC2 Recovery
The following identity-based policy and referenced statement is mandatory for performing recovery of Amazon EC2 instances and related Amazon EBS volumes.
-
Required policy: amazon_restricted_role_permissions.json
-
Mandatory statement: "Sid":"AmazonEC2BackupAndRestore2024eV3"
Amazon VPC Backup
The following identity-based policy and referenced statement is mandatory for performing backups of Amazon VPC resources.
-
Required policy: amazon_restricted_role_permissions.json
-
Mandatory statement: "Sid":"VPCBackupPermissions"
Amazon VPC Recovery
The following identity-based policy and referenced statement is mandatory for performing recovery of Amazon VPC resources.
-
Required policy: amazon_vpc_restore_permissions.json
-
Mandatory statements:
-
"Sid":"VPCRestorePermissions2024eV1"
-
"Sid": "VPCRestorePermissionToCreateFlowLog"
-
Agentless File Recovery
The following identity-based policy is required to perform file and folder recovery to an existing Amazon EC2 instance using AWS Systems Manager (AWS SSM).
Required policies:
-
AmazonSSMManagedInstanceCore is required to allow the Commvault Cloud access node to access the AWS Systems Manager service core functionality.
-
vsa_SSMInstanceProfileS3Policy.json is required to allow the Commvault Cloud software to restore file and folders to a temporary staging S3 bucket, then deposit on the selected EC2 instance via AWS SSM.
Application-Consistent Backup and Recovery
The following identity-based policy is required to perform application-consistent backups or file system backups of the certain workloads running on Amazon EC2 compute, and protected by installing a Commvault Cloud agent on the host operating system:
- Required policy: amazon_DB_FS_backup_restore_permissions.json
The workloads are as follows:
-
UNIX and Linux file systems
-
Microsoft Windows file systems
-
Db2 databases
-
MongoDB databases (installed on compute, excluding MongoDB Atlas)
-
Microsoft SQL Server databases (including Always On Availability Groups)
-
MySQL databases (including MariaDB databases)
-
Oracle databases (excluding Oracle RAC databases)
-
PostgreSQL databases
-
SAP for Oracle databases
-
SAP HANA databases
-
Sybase databases