The way that you configure backups for your Amazon DocumentDB instances using a backup gateway depends on your AWS deployment and the type of authentication that you use.
For AWS workloads, the configuration wizard includes a CloudFormation template that automatically creates a JSON policy that specifies AWS IAM permissions based on the authentication method that you select, and then attaches the policy to an IAM role or a user group. The policy contains permissions for all AWS workloads that are supported by Commvault Cloud. If certain AWS workloads are not in use, you can detach policies from the IAM role or user group.
- IAM role: You have an AWS account that is attached to an Amazon Elastic Compute Cloud (EC2) virtual machine and you need to back up buckets in the same account.
- STS assume role with IAM policy: You have Amazon S3 buckets in different AWS accounts, or you need access across AWS accounts.
- Access key and secret key: As a best practice, AWS recommends using IAM roles instead of access keys. For more information, see Security best practices in IAM in the AWS documentation.
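Because the generated policy covers every supported AWS workload, it helps to see which services a policy document actually grants before deciding what to detach. The following is an added example, not code from Commvault or AWS; the sample policy, the function names, and the choice of `rds` as the only service in use are constructed assumptions for illustration.

```python
import json
from collections import defaultdict

# Constructed sample policy; NOT the policy generated by the CloudFormation template.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["rds:DescribeDBClusters", "rds:CreateDBClusterSnapshot"]},
        {"Effect": "Allow", "Resource": "*", "Action": "s3:*"},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:DescribeInstances", "dynamodb:ListTables"]},
        {"Effect": "Deny", "Resource": "*", "Action": "iam:*"},
    ],
})

def _as_list(value):
    # IAM allows Statement and Action to be a single item or a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def allowed_actions_by_service(policy_json):
    """Group the actions granted by Allow statements by service prefix."""
    by_service = defaultdict(set)
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements grant nothing
        if "NotAction" in stmt:
            # Allows everything except the listed actions; review by hand.
            by_service["*"].add("NotAction")
            continue
        for action in _as_list(stmt.get("Action")):
            service, _, name = action.partition(":")
            # A bare "*" has no service prefix and is reported under "*".
            by_service[service.lower() if name else "*"].add(action)
    return {svc: sorted(acts) for svc, acts in by_service.items()}

def unused_service_grants(policy_json, services_in_use):
    """Return grants for services outside the set the reviewer says are in use."""
    in_use = {s.lower() for s in services_in_use}
    grants = allowed_actions_by_service(policy_json)
    return {svc: acts for svc, acts in grants.items() if svc not in in_use}

if __name__ == "__main__":
    # Assumption: only a workload using the rds: action prefix is in use.
    for svc, acts in sorted(unused_service_grants(SAMPLE_POLICY, {"rds"}).items()):
        print(f"{svc}: {', '.join(acts)}")
```
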