The Commvault Cloud software uses AWS permissions to perform protection operations for your Amazon DynamoDB instances.
The software uses permissions only to access exports, imports and instance configuration information that is required to back up instances to storage, to recover instances, and to clean up intermediate entities that are created by Commvault Cloud during those operations. Also, when a user account that has the required administrative privileges requests that a recovered instance overwrite the original instance, the permissions are used to remove the original instance, but only after confirmation from the user.
For AWS information about policies and permissions, see Policies and permissions in IAM in the AWS documentation.
Commvault Cloud supports dual-layer server-side encryption with AWS KMS (DSSE-KMS).
| Permission | Usage |
|---|---|
| dynamodb:BatchWriteItem | Grants permission to put or delete multiple items in one or more tables |
| dynamodb:CreateTable | Grants permission to the CreateTable operation, which adds a new table to your account |
| dynamodb:DeleteTable | Grants permission to the DeleteTable operation, which deletes a table and all of its items |
| dynamodb:DescribeBackup | Grants permission to describe an existing backup of a table |
| dynamodb:DescribeContinuousBackups | Grants permission to check the status of the backup restore settings on the specified table |
| dynamodb:DescribeExport | Grants permission to describe an existing export of a table |
| dynamodb:DescribeImport | Grants permission to describe an existing import |
| dynamodb:DescribeTable | Grants permission to return information about the table |
| dynamodb:DescribeStream | Grants permission to return information about a stream, including the current status of the stream, its Amazon Resource Name (ARN), the composition of its shards, and its corresponding DynamoDB table |
| dynamodb:ExportTableToPointInTime | Grants permission to initiate an export of a DynamoDB table to S3 |
| dynamodb:GetRecords | Grants permission to retrieve the stream records from a given shard |
| dynamodb:GetShardIterator | Grants permission to return a shard iterator |
| dynamodb:ImportTable | Grants permission to initiate an import from S3 to a DynamoDB table |
| dynamodb:ListExports | Grants permission to list exports associated with the account and endpoint |
| dynamodb:ListGlobalTables | Grants permission to list all global tables that have a replica in the specified region |
| dynamodb:ListImports | Grants permission to list imports associated with the account and endpoint |
| dynamodb:ListStreams | Grants permission to return an array of stream ARNs associated with the current account and endpoint |
| dynamodb:ListTables | Grants permission to return an array of table names associated with the current account and endpoint |
| dynamodb:ListTagsOfResource | Grants permission to list all tags on an Amazon DynamoDB resource |
| dynamodb:Scan | Grants permission to return one or more items and item attributes by accessing every item in a table or a secondary index |
| dynamodb:UpdateTable | Grants permission to modify the provisioned throughput settings, global secondary indexes, or DynamoDB Streams settings for a given table |
| ec2:DescribeAccountAttributes | Grants permission to describe the attributes of the AWS account |
| ec2:DescribeAvailabilityZones | Grants permission to describe one or more of the Availability Zones that are available to you |
| ec2:DescribeRegions | Allows describing Amazon EC2 regions |
| ec2:DescribeSecurityGroups | Allows describing Amazon EC2 security groups |
| ec2:DescribeSubnets | Allows describing Amazon VPC subnets |
| ec2:DescribeVpcs | Allows describing Amazon VPCs (Virtual Private Clouds) |
| iam:GetAccountAuthorizationDetails | Allows retrieving details of IAM policies and permissions attached to the AWS account |
| iam:GetUser | Allows retrieving information about an IAM user. Required to authenticate the user and the session |
| kms:Decrypt | Allows decrypting data using an AWS KMS key |
| kms:DescribeKey | Allows describing details of an AWS KMS key. This detailed information includes the key ARN, creation date (and deletion date, if applicable), the key state, and the origin and expiration date (if any) of the key material. It includes fields, like KeySpec, that help you distinguish different types of KMS keys |
| kms:Encrypt | Allows encrypting data using an AWS KMS key |
| kms:GenerateDataKey | Allows generating a data encryption key using an AWS KMS key |
| kms:GenerateDataKeyWithoutPlaintext | Controls permission to use the AWS KMS key to generate a data key. Unlike the GenerateDataKey operation, this operation returns an encrypted data key without a plaintext version of the data key |
| kms:ListGrants | Controls permission to view all grants for an AWS KMS key |
| kms:ReEncryptFrom | Controls permission to decrypt data as part of the process that decrypts and re-encrypts the data within AWS KMS |
| kms:ReEncryptTo | Controls permission to encrypt data as part of the process that decrypts and re-encrypts the data within AWS KMS |
| logs:CreateLogGroup | Grants permission to create a new log group with the specified name |
| logs:CreateLogStream | Grants permission to create a new log stream with the specified name |
| logs:DeleteLogGroup | Grants permission to delete a specified log group, including all the log streams and archived log events within it |
| logs:DeleteLogStream | Allows you to delete a specified log stream, including all the log events within it |
| logs:DescribeLogGroups | Grants permission to return all the log groups that are associated with the AWS account making the request |
| logs:DescribeLogStreams | Grants permission to return all the log streams that are associated with the specified log group |
| logs:GetLogEvents | Grants permission to retrieve log events from a specified log stream within a log group |
| logs:PutLogEvents | Grants permission to upload a batch of log events to the specified log stream |
| logs:PutRetentionPolicy | Allows you to set or update the retention policy for a log group, which determines how long log events are kept before being automatically deleted |
| logs:TagLogGroup | Allows you to add or update tags for a specified log group. Tags are metadata that help you organize and manage your resources |
| s3:CreateBucket | Grants permission to create a new bucket |
| s3:DeleteObject | Grants permission to remove the null version of an object and insert a delete marker, which becomes the current version of the object |
| s3:DeleteObjectVersion | Grants permission to remove a specific version of an object |
| s3:GetBucketAcl | Grants permission to use the acl subresource to return the access control list (ACL) of an Amazon S3 bucket |
| s3:GetBucketLocation | Grants permission to return the Region that an Amazon S3 bucket resides in |
| s3:GetObject | Grants permission to retrieve objects from Amazon S3 |
| s3:GetObjectAcl | Grants permission to return the access control list (ACL) of an object |
| s3:ListAllMyBuckets | Grants permission to list all buckets owned by the authenticated sender of the request |
| s3:ListBucket | Grants permission to list some or all of the objects in an Amazon S3 bucket (up to 1000) |
| s3:PutBucketAcl | Grants permission to set the permissions on an existing bucket using access control lists (ACLs) |
| s3:PutBucketPublicAccessBlock | Grants permission to create or modify the PublicAccessBlock configuration for a specific Amazon S3 bucket |
| s3:PutEncryptionConfiguration | Grants permission to set the encryption configuration for an Amazon S3 bucket |
| s3:PutObject | Grants permission to add an object to a bucket |
| s3:PutObjectAcl | Grants permission to set the access control list (ACL) permissions for new or existing objects in an S3 bucket |
| s3:PutObjectTagging | Grants permission to set the supplied tag-set to an object that already exists in a bucket |