How Commvault Uses AWS Permissions to Protect Amazon RDS for Export-Based Protection

The Commvault Cloud software uses AWS permissions to perform export-based protection operations for your Amazon RDS instances.

The software uses permissions only to access snapshot, volume, and instance configuration information that is required to back up instances to storage, to recover instances, and to clean up intermediate entities that are created by Commvault Cloud during those operations. Also, when a user account that has the required administrative privileges requests that a recovered instance overwrite the original instance, the permissions are used to remove the original instance, but only after confirmation from the user.

For AWS information about policies and permissions, see Policies and permissions in IAM in the AWS documentation.

Commvault Cloud supports dual-layer server-side encryption with AWS KMS (DSSE-KMS).

| Permission | Usage |
| --- | --- |
| rds-db:connect | Allows users to connect to Amazon RDS databases using IAM-based authentication. |
| rds:CopyOptionGroup | Grants permission to copy the specified option group. |
| rds:DescribeDBClusters | Allows describing Amazon RDS DB clusters. This permission is required to verify the state of a DB cluster. It is the equivalent of rds:DescribeDBInstances, but for a cluster. |
| rds:DescribeDBInstances | Allows describing Amazon RDS DB instances. This permission is required to verify that a DB instance is in the available state before backup, and to verify that a restore completed successfully and left the DB instance in the available state. |
| rds:ListTagsForResource | Allows listing the tags of an Amazon RDS resource. This permission is required for viewing and retaining the tags of a resource during copy, share, and cross-account operations. |
| ec2:DescribeAccountAttributes | Allows describing attributes of an AWS account. |
| ec2:DescribeAvailabilityZones | Allows describing Amazon EC2 Availability Zones. |
| ec2:DescribeRegions | Allows describing Amazon EC2 Regions. |
| ec2:DescribeSecurityGroups | Allows describing Amazon EC2 security groups. |
| ec2:DescribeSubnets | Allows describing Amazon VPC subnets. |
| ec2:DescribeVpcs | Allows describing Amazon VPCs (Virtual Private Clouds). |
| iam:GetAccountAuthorizationDetails | Allows retrieving details of the IAM policies and permissions attached to the AWS account. |
| iam:GetUser | Allows retrieving information about an IAM user. Required for authentication of the user and the session. |
| kms:CreateGrant | Allows creating a grant for an AWS KMS key. A grant is a policy instrument that allows AWS principals to use KMS keys in cryptographic operations. |
| kms:DescribeKey | Allows describing the details of an AWS KMS key. The details include the key ARN, the creation date (and deletion date, if applicable), the key state, and the origin and expiration date (if any) of the key material. They also include fields, such as KeySpec, that help you distinguish different types of KMS keys. |
| kms:Decrypt | Allows decrypting data using an AWS KMS key. |
| kms:Encrypt | Allows encrypting data using an AWS KMS key. |
| kms:GenerateDataKey | Allows generating a data encryption key using an AWS KMS key. |
| kms:GenerateDataKeyWithoutPlaintext | Allows using an AWS KMS key to generate a data key. Unlike the GenerateDataKey operation, this operation returns only the encrypted data key, with no plaintext copy. |
| kms:ListAliases | Allows listing KMS key aliases, including aliases that you created and associated with your customer managed keys, and aliases that AWS created and associated with AWS managed keys in your account. AWS-created aliases have the prefix aws/, such as aws/rds. |
| kms:ListKeys | Allows listing AWS KMS keys. It is similar to kms:ListAliases and is used to get a list of all KMS keys in the caller's AWS account and Region. |
| kms:ListResourceTags | Allows listing the tags of an AWS KMS key. |
| kms:ReEncrypt | Allows re-encrypting data using an AWS Key Management Service (KMS) key. |
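The table above is the complete action list, so a practitioner usually wants two things from it: a policy document that grants exactly those actions and nothing more, and a way to check an existing role policy against the list. The following is an added example written for this page, not Commvault's own code or the policy it ships. It copies the action names from the table; the grouping into one statement per service, the `Resource: "*"` scoping, and the sample policy being audited are assumptions constructed here for illustration (in practice, scope the KMS and RDS statements to the key and instance ARNs the backup role actually uses).

```python
"""Build a least-privilege IAM policy from the permission table on this page,
and audit an existing policy against it.

Added example, not Commvault's code. Resource scoping and statement grouping
are assumptions; the action names come from the table above.
"""
import fnmatch
import json

# Actions listed in the permission table on this page.
REQUIRED_ACTIONS = [
    "rds-db:connect",
    "rds:CopyOptionGroup",
    "rds:DescribeDBClusters",
    "rds:DescribeDBInstances",
    "rds:ListTagsForResource",
    "ec2:DescribeAccountAttributes",
    "ec2:DescribeAvailabilityZones",
    "ec2:DescribeRegions",
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeSubnets",
    "ec2:DescribeVpcs",
    "iam:GetAccountAuthorizationDetails",
    "iam:GetUser",
    "kms:CreateGrant",
    "kms:DescribeKey",
    "kms:Decrypt",
    "kms:Encrypt",
    "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:ListAliases",
    "kms:ListKeys",
    "kms:ListResourceTags",
    "kms:ReEncrypt",
]


def build_policy(actions=REQUIRED_ACTIONS):
    """Return an IAM policy document with one Allow statement per service.

    Resource "*" is an assumption for illustration; narrow it to the
    specific key and instance ARNs in a real deployment.
    """
    by_service = {}
    for action in actions:
        service = action.split(":", 1)[0]
        by_service.setdefault(service, []).append(action)
    statements = [
        {
            # Sid must be alphanumeric, so "rds-db" becomes "Rdsdb".
            "Sid": "Commvault" + service.replace("-", "").title(),
            "Effect": "Allow",
            "Action": sorted(names),
            "Resource": "*",
        }
        for service, names in sorted(by_service.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    """IAM allows a single string or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Collect the action patterns granted by Allow statements, wildcards intact."""
    allowed = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        allowed.extend(_as_list(stmt["Action"]))
    return allowed


def audit_policy(policy, required=REQUIRED_ACTIONS):
    """Compare a policy against the required list.

    Returns (missing, wildcard_grants): required actions the policy does not
    cover, and Allow patterns containing "*" or "?" that grant more than the
    table needs (for example "kms:*"). IAM matches action names
    case-insensitively, so both sides are folded to lower case.
    """
    patterns = allowed_actions(policy)
    missing = [
        action for action in required
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)
    ]
    wildcard_grants = sorted({p for p in patterns if "*" in p or "?" in p})
    return missing, wildcard_grants


# Constructed sample: a role policy that over-grants KMS and omits rds-db:connect.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "kms:*", "Resource": "*"},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["rds:Describe*", "rds:CopyOptionGroup", "rds:ListTagsForResource"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "iam:GetUser", "iam:GetAccountAuthorizationDetails"]},
    ],
}

if __name__ == "__main__":
    print(json.dumps(build_policy(), indent=2))
    missing, wildcards = audit_policy(SAMPLE_POLICY)
    print("missing:", missing)
    print("wildcard grants:", wildcards)
```

Running the script prints the generated policy, then reports that the sample policy lacks `rds-db:connect` and grants three wildcard patterns (`ec2:Describe*`, `kms:*`, `rds:Describe*`). The wildcard report is the part worth acting on: `kms:*` covers the eight KMS actions in the table, but also key deletion and key-policy changes that an export workflow has no need for.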
