How Commvault Uses AWS Permissions to Protect Amazon RDS for Snapshot-Based Protection

The Commvault Cloud software uses AWS permissions to perform protection operations for your Amazon RDS instances using snapshots.

The software uses permissions only to access snapshot, volume, and instance configuration information that is required to back up instances to storage, to recover instances, and to clean up intermediate entities that are created by Commvault Cloud during those operations. Also, when a user account that has the required administrative privileges requests that a recovered instance overwrite the original instance, the permissions are used to remove the original instance, but only after confirmation from the user.

For AWS information about policies and permissions, see Policies and permissions in IAM in the AWS documentation.

Commvault Cloud supports dual-layer server-side encryption with AWS KMS (DSSE-KMS).

Permission

Usage

rds-db:connect

Allows users to connect to Amazon RDS databases using IAM-based authentication.

rds:AddTagsToResource

Allows adding tags to an Amazon RDS resource. Tags add metadata to RDS resources which can be used for unique identification.

rds:CopyDBClusterSnapshot

Allows copying an Amazon RDS DB cluster snapshot to another region or account. This permission is required for DB cluster snapshots in the same way that CopyDBSnapshot is required for DB snapshots.

rds:CopyDBSnapshot

Allows copying an Amazon RDS DB snapshot to another region or account. When snap replication is enabled (a replica copy is added to the backup plan), the CopyDBSnapshot permission is required to copy a snapshot from one region to another, because AWS does not directly allow sharing a snapshot to a different account in a region that is not the same as the source snapshot's region. This is also the case with encrypted snapshots: they are first copied to a different region as an intermediate snapshot and then shared to the destination account, after which the intermediate snapshot is deleted.

rds:CopyOptionGroup

Grants permission to copy the specified option group.

rds:CreateDBClusterSnapshot

Allows creating a snapshot of an Amazon RDS DB cluster. This permission allows the creation of a DB instance’s snapshot at a given instant in time when the backup operation is triggered.

rds:CreateDBInstance

Allows creating an Amazon RDS DB instance. This permission is required for creating new DB instances in a DB cluster. During a restore of a DB Cluster, rds:RestoreDBClusterFromSnapshot permission is required for the restoration of a cluster, and rds:CreateDBInstance is required to add the writer DB instance to the cluster.

rds:CreateTenantDatabase

Grants permission to create a tenant database.

rds:CreateDBSnapshot

Grants permission to create a DBSnapshot.

rds:DeleteDBClusterSnapshot

Allows deleting an Amazon RDS DB cluster snapshot. This permission is required for deleting any intermediate DB cluster snapshots that may have been created during copying or sharing of snapshots or during out-of-place restores.

rds:DeleteDBSnapshot

Allows deleting an Amazon RDS DB snapshot. This permission is required for deleting any intermediate snapshots that may have been created during copying or sharing of snapshots or during out-of-place restores.

rds:DescribeDBClusterAutomatedBackups

Allows describing automated backups for both current and deleted DB clusters. This can be useful for tracking backup status and details for your DB clusters.

rds:DescribeDBClusters

Allows describing Amazon RDS DB clusters. This permission is required to verify the state of a DB Cluster. It is the equivalent of rds:DescribeDBInstances, but for a cluster.

rds:DescribeDBClusterSnapshots

Allows describing Amazon RDS DB cluster snapshots. This permission is required to verify whether the snapshot is present and in available state for restore. The properties of the DB instance present in the snapshot are also used later to restore the snapshot to an RDS instance.

rds:DescribeDBInstanceAutomatedBackups

Allows describing automated backups for both current and deleted DB instances. This can be useful for tracking backup status and details for your DB instances.

rds:DescribeDBInstances

Allows describing Amazon RDS DB instances. This permission is required to verify that a DB instance is in the available state for backup. It is also used to verify whether a restore completed successfully and the DB instance is in the available state.

rds:DescribeDBSnapshots

Allows describing Amazon RDS DB snapshots. This permission is required to verify whether the snapshot is present and in available state for restore. The properties of the DB instance present in the snapshot are also used later to restore the snapshot to an RDS instance.

rds:ListTagsForResource

Allows listing tags of an Amazon RDS resource. This permission is required for viewing and retaining the tags for a resource during copying, sharing and cross account operations.

rds:ModifyDBClusterSnapshotAttribute

Allows modifying attributes of an Amazon RDS DB cluster snapshot.

rds:ModifyDBCluster

Allows modifying attributes of an Amazon RDS DB cluster.

rds:ModifyDBInstance

Allows modifying attributes of an Amazon RDS DB instance.

rds:ModifyDBSnapshotAttribute

Allows modifying attributes of an Amazon RDS DB snapshot. Also allows sharing snapshots with other AWS accounts.

rds:RestoreDBClusterFromSnapshot

Allows restoring an Amazon RDS DB cluster from a snapshot. It is required to create a new DB cluster from a DB snapshot or DB cluster snapshot.

rds:RestoreDBInstanceFromDBSnapshot

Grants permission to restore the DB instance from a DB snapshot.

rds:RestoreDBClusterToPointInTime

Grants permission to restore the DB cluster to a point in time.

rds:RestoreDBInstanceToPointInTime

Grants permission to restore the DB instance to a point in time.

ec2:DescribeAccountAttributes

Allows describing attributes of an AWS account.

ec2:DescribeAvailabilityZones

Allows describing Amazon EC2 availability zones.

ec2:DescribeRegions

Allows describing Amazon EC2 regions.

ec2:DescribeSecurityGroups

Allows describing Amazon EC2 security groups.

ec2:DescribeSubnets

Allows describing Amazon VPC subnets.

ec2:DescribeVpcs

Allows describing Amazon VPCs (Virtual Private Clouds).

iam:GetAccountAuthorizationDetails

Allows retrieving details of IAM policies and permissions attached to the AWS account.

iam:GetUser

Allows retrieving information about an IAM user. Required for authentication of user and the session.

iam:PassRole

Allows a user to delegate permissions to an AWS service by passing an IAM role to that service.

kms:CreateGrant

Allows creating a grant for an AWS KMS key. A grant is a policy instrument that allows AWS principals to use KMS keys in cryptographic operations.

kms:DescribeKey

Allows describing details of an AWS KMS key. This detailed information includes the key ARN, creation date (and deletion date, if applicable), the key state, and the origin and expiration date (if any) of the key material. It includes fields, like KeySpec, that help you distinguish different types of KMS keys.

kms:Decrypt

Allows decrypting data using an AWS KMS key.

kms:Encrypt

Allows encrypting data using an AWS KMS key.

kms:GenerateDataKey

Allows generating a data encryption key using an AWS KMS key.

kms:GenerateDataKeyWithoutPlaintext

Controls permission to use the AWS KMS key to generate a data key. Unlike the GenerateDataKey operation, this operation returns an encrypted data key without a plaintext version of the data key.

kms:ListAliases

Allows listing KMS key aliases. These include aliases that you created and associated with your customer managed keys, and aliases that AWS created and associated with AWS managed keys in your account. AWS aliases have the format aws/, such as aws/rds.

kms:ListKeys

Allows listing AWS KMS keys. It has similar functionality to kms:ListAliases. It is used to get a list of all KMS keys in the caller’s AWS account and Region.

kms:ListResourceTags

Allows listing tags of an AWS KMS key.

kms:ReEncrypt

Allows re-encrypting data using an AWS Key Management Service (KMS) key.
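
One way to check the policy attached to the backup role against the table above, as an added example (not Commvault's code): it reports which documented actions a policy does not grant and which Allow patterns reach beyond the table. The function names and the sample policy are constructed for illustration; only Allow statements are compared, and Deny statements, Resource scoping and Conditions are not evaluated.

```python
import json
from fnmatch import fnmatchcase

# Action names transcribed from the permission table on this page, by service prefix.
DOCUMENTED = {
    "rds-db": "connect",
    "rds": """AddTagsToResource CopyDBClusterSnapshot CopyDBSnapshot CopyOptionGroup
        CreateDBClusterSnapshot CreateDBInstance CreateTenantDatabase CreateDBSnapshot
        DeleteDBClusterSnapshot DeleteDBSnapshot DescribeDBClusterAutomatedBackups
        DescribeDBClusters DescribeDBClusterSnapshots DescribeDBInstanceAutomatedBackups
        DescribeDBInstances DescribeDBSnapshots ListTagsForResource ModifyDBCluster
        ModifyDBClusterSnapshotAttribute ModifyDBInstance ModifyDBSnapshotAttribute
        RestoreDBClusterFromSnapshot RestoreDBInstanceFromDBSnapshot
        RestoreDBClusterToPointInTime RestoreDBInstanceToPointInTime""",
    "ec2": """DescribeAccountAttributes DescribeAvailabilityZones DescribeRegions
        DescribeSecurityGroups DescribeSubnets DescribeVpcs""",
    "iam": "GetAccountAuthorizationDetails GetUser PassRole",
    "kms": """CreateGrant DescribeKey Decrypt Encrypt GenerateDataKey
        GenerateDataKeyWithoutPlaintext ListAliases ListKeys ListResourceTags ReEncrypt""",
}
# IAM matches action names case-insensitively, so key the lookup on lowercase.
ALLOWED = {f"{svc}:{name}".lower(): f"{svc}:{name}"
           for svc, names in DOCUMENTED.items() for name in names.split()}

def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def audit_policy(policy_json):
    """Return (missing, excess) for the Allow statements of one policy document."""
    granted, excess = set(), []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements are skipped, not subtracted
        if "NotAction" in stmt:
            excess.append("NotAction")  # allows everything except a list: too broad
        for pattern in _as_list(stmt.get("Action")):
            hits = {a for a in ALLOWED if fnmatchcase(a, pattern.lower())}
            granted |= hits
            if not hits or "*" in pattern or "?" in pattern:
                excess.append(pattern)  # outside the table, or a wildcard that may be
    return sorted(o for a, o in ALLOWED.items() if a not in granted), excess

# Constructed sample policy (not from the page).
SAMPLE_POLICY = """{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Resource": "*",
   "Action": ["rds:Describe*", "rds:CopyDBSnapshot", "rds:RebootDBInstance"]},
  {"Effect": "Allow", "Resource": "*", "Action": "kms:Decrypt"},
  {"Effect": "Deny", "Resource": "*", "Action": "iam:PassRole"}]}"""

print(audit_policy(SAMPLE_POLICY)[1])
```

A wildcard is reported even when every action it currently matches is in the table, because it also matches any action outside the table that shares the prefix.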
