The Commvault Cloud software uses AWS permissions to perform protection operations for your Amazon RDS instances using export.
The software uses permissions only to access snapshot, volume, and instance configuration information that is required to back up instances to storage, to recover instances, and to clean up intermediate entities that are created by Commvault Cloud during those operations. Also, when a user account that has the required administrative privileges requests that a recovered instance overwrite the original instance, the permissions are used to remove the original instance, but only after confirmation from the user.
For AWS information about policies and permissions, see Policies and permissions in IAM in the AWS documentation.
Commvault Cloud supports dual-layer server-side encryption with AWS KMS (DSSE-KMS).
|
Permission |
Usage |
|---|---|
|
rds-db:connect |
Allows users to connect to Amazon RDS databases using IAM-based authentication. |
|
rds:CopyOptionGroup |
Grants permission to copy the specified option group. |
|
rds:DescribeDBClusters |
Allows describing Amazon RDS DB clusters. This permission is required to verify the state of a DB Cluster. It is the equivalent of rds:DescribeDBInstances, but for a cluster. |
|
rds:DescribeDBInstances |
Allows describing Amazon RDS DB instances. This permission is required to verify the state of a DB Instance, whether it is in available state for backup. Also, to verify whether a restore completed successfully or not and the DB instance is in available state. |
|
rds:ListTagsForResource |
Allows listing tags of an Amazon RDS resource. This permission is required for viewing and retaining the tags for a resource during copying, sharing and cross account operations. |
|
ec2:DescribeAccountAttributes |
Allows describing attributes of an AWS account. |
|
ec2:DescribeAvailabilityZones |
Allows describing Amazon EC2 availability zones. |
|
ec2:DescribeRegions |
Allows describing Amazon EC2 regions. |
|
ec2:DescribeSecurityGroups |
Allows describing Amazon EC2 security groups. |
|
ec2:DescribeSubnets |
Allows describing Amazon VPC subnets. |
|
ec2:DescribeVpcs |
Allows describing Amazon VPCs (Virtual Private Clouds). |
|
iam:GetAccountAuthorizationDetails |
Allows retrieving details of IAM policies and permissions attached to the AWS account. |
|
iam:GetUser |
Allows retrieving information about an IAM user. Required for authentication of user and the session. |
|
kms:CreateGrant |
Allows creating a grant for an AWS KMS key. A grant is a policy instrument that allows AWS principals to use KMS keys in cryptographic operations. |
|
kms:DescribeKey |
Allows describing details of an AWS KMS key. This detailed information includes the key ARN, creation date (and deletion date, if applicable), the key state, and the origin and expiration date (if any) of the key material. It includes fields, like KeySpec, that help you distinguish different types of KMS keys. |
|
kms:Decrypt |
Allows decrypting data using an AWS KMS key. |
|
kms:Encrypt |
Allows encrypting data using an AWS KMS key. |
|
kms:GenerateDataKey |
Allows generating a data encryption key using an AWS KMS key. |
|
kms:GenerateDataKeyWithoutPlaintext |
Controls permission to use the AWS KMS key to generate a data key. Unlike the GenerateDataKey operation, this operation returns an encrypted data key without a plaintext version of the data key. |
|
kms:ListAliases |
Allows listing KMS key aliases. These include aliases that one created and associated with their customer managed keys, and aliases that AWS created and associated with AWS managed keys in your account. AWS aliases have the format aws/ |
|
kms:ListKeys |
Allows listing AWS KMS keys. It has similar functionality to kms:ListAliases. It is used to get a list of all KMS keys in the caller’s AWS account and Region. |
|
kms:ListResourceTags |
Allows listing tags of an AWS KMS key. |
|
kms:ReEncrypt |
Allows re-encrypting data using an AWS Key Management Service (KMS) key. |