How Commvault Uses AWS Permissions to Protect Amazon DocumentDB

The Commvault software uses AWS permissions to perform protection operations for your Amazon DocumentDB instances.

The software uses permissions only to access snapshot, volume, and instance configuration information that is required to back up instances to storage, to recover instances, and to clean up intermediate entities that are created by Commvault during those operations. Also, when a user account that has the required administrative privileges requests that a recovered instance overwrite the original instance, the permissions are used to remove the original instance, but only after confirmation from the user.

For AWS information about policies and permissions, see Policies and permissions in IAM in the AWS documentation.

Commvault supports dual-layer server-side encryption with AWS KMS (DSSE-KMS).

Permission

Usage

rds:AddTagsToResource

Grants permission to add metadata tags to an Amazon RDS resource.

rds:CreateDBClusterSnapshot

Allows creating a snapshot of an Amazon RDS DB cluster. This permission allows the creation of a DB instance’s snapshot at a given instant in time when the backup operation is triggered.

rds:CreateDBInstance

Allows creating an Amazon RDS DB instance. This permission is required for creating new DB instances in a DB cluster. During a restore of a DB cluster, the rds:RestoreDBClusterFromSnapshot permission is required to restore the cluster, and rds:CreateDBInstance is required to add the writer DB instance to the cluster.

rds:DeleteDBClusterSnapshot

Allows deleting an Amazon RDS DB cluster snapshot. This permission is required for deleting any intermediate DB cluster snapshots that may have been created during copying or sharing of snapshots or during out-of-place restores.

rds:DescribeDBClusters

Allows describing Amazon RDS DB clusters. This permission is required to verify the state of a DB Cluster. It is the equivalent of rds:DescribeDBInstances, but for a cluster.

rds:DescribeDBClusterSnapshots

Allows describing Amazon RDS DB cluster snapshots. This permission is required to verify whether the snapshot is present and in the available state for restore. The properties of the DB instance present in the snapshot are also used later to restore the snapshot to an RDS instance.

rds:DescribeDBInstances

Allows describing Amazon RDS DB instances. This permission is required to verify that a DB instance is in the available state for backup. It is also required to verify whether a restore completed successfully and the DB instance is in the available state.

rds:ListTagsForResource

Allows listing tags of an Amazon RDS resource. This permission is required for viewing and retaining the tags for a resource during copying, sharing and cross account operations.

rds:RestoreDBClusterFromSnapshot

Allows restoring an Amazon RDS DB cluster from a snapshot. It is required to create a new DB cluster from a DB snapshot or DB cluster snapshot.

ec2:DescribeAccountAttributes

Allows describing attributes of an AWS account.

ec2:DescribeAvailabilityZones

Allows describing Amazon EC2 availability zones.

ec2:DescribeRegions

Allows describing Amazon EC2 regions.

ec2:DescribeSecurityGroups

Allows describing Amazon EC2 security groups.

ec2:DescribeSubnets

Allows describing Amazon VPC subnets.

ec2:DescribeVpcs

Allows describing Amazon VPCs (Virtual Private Clouds).

iam:GetAccountAuthorizationDetails

Allows retrieving details of IAM policies and permissions attached to the AWS account.

iam:GetUser

Allows retrieving information about an IAM user. Required to authenticate the user and the session.

kms:CreateGrant

Allows creating a grant for an AWS KMS key. A grant is a policy instrument that allows AWS principals to use KMS keys in cryptographic operations.

kms:DescribeKey

Allows describing details of an AWS KMS key. This detailed information includes the key ARN, creation date (and deletion date, if applicable), the key state, and the origin and expiration date (if any) of the key material. It includes fields, like KeySpec, that help you distinguish different types of KMS keys.

kms:Decrypt

Allows decrypting data using an AWS KMS key.

kms:Encrypt

Allows encrypting data using an AWS KMS key.

kms:GenerateDataKey

Allows generating a data encryption key using an AWS KMS key.

kms:GenerateDataKeyPairWithoutPlaintext

Controls permission to use the AWS KMS key to generate data key pairs. Unlike the GenerateDataKeyPair operation, this operation returns an encrypted private key without a plaintext copy.

kms:GenerateDataKeyWithoutPlaintext

Controls permission to use the AWS KMS key to generate a data key. Unlike the GenerateDataKey operation, this operation returns an encrypted data key without a plaintext version of the data key.

kms:ListAliases

Allows listing KMS key aliases. These include aliases that you created and associated with your customer managed keys, and aliases that AWS created and associated with AWS managed keys in your account. AWS aliases start with the aws/ prefix, such as aws/documentdb.

kms:ListKeys

Allows listing AWS KMS keys. It has similar functionality to kms:ListAliases. It is used to get a list of all KMS keys in the caller’s AWS account and Region.

kms:ListResourceTags

Allows listing tags of an AWS KMS key.

kms:ReEncrypt

Allows re-encrypting data using an AWS Key Management Service (KMS) key.

kms:ReEncryptFrom

Controls permission to decrypt data as part of the process that decrypts and re-encrypts the data within AWS KMS.

kms:ReEncryptTo

Controls permission to encrypt data as part of the process that decrypts and re-encrypts the data within AWS KMS.
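
To compare an IAM policy document with the table above before attaching it to the backup role, the following added example (not Commvault or AWS code) reports listed actions the policy does not allow and Allow entries that are broader than the table. The function names and the sample policy are constructed for illustration; the check looks only at Effect and Action, ignores Resource and Condition, and rejects NotAction statements.

```python
import fnmatch

# Actions copied from the permission table on this page, grouped by service.
_TABLE = {
    "rds": "AddTagsToResource CreateDBClusterSnapshot CreateDBInstance "
           "DeleteDBClusterSnapshot DescribeDBClusters DescribeDBClusterSnapshots "
           "DescribeDBInstances ListTagsForResource RestoreDBClusterFromSnapshot",
    "ec2": "DescribeAccountAttributes DescribeAvailabilityZones DescribeRegions "
           "DescribeSecurityGroups DescribeSubnets DescribeVpcs",
    "iam": "GetAccountAuthorizationDetails GetUser",
    "kms": "CreateGrant DescribeKey Decrypt Encrypt GenerateDataKey "
           "GenerateDataKeyPairWithoutPlaintext GenerateDataKeyWithoutPlaintext "
           "ListAliases ListKeys ListResourceTags ReEncrypt ReEncryptFrom ReEncryptTo",
}
REQUIRED = {f"{svc}:{name}" for svc, names in _TABLE.items() for name in names.split()}

def _matches(pattern, action):
    # IAM action names are case-insensitive; * and ? are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def audit_policy(policy):
    """Return (missing, excess): listed actions the policy does not allow, and
    Allow patterns that are wildcards or actions absent from the table."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    allow, deny = [], []
    for stmt in stmts:
        if "NotAction" in stmt:
            raise ValueError("NotAction is not evaluated by this check")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        (allow if stmt.get("Effect") == "Allow" else deny).extend(actions)
    granted = {a for a in REQUIRED
               if any(_matches(p, a) for p in allow)
               and not any(_matches(p, a) for p in deny)}
    listed = {a.lower() for a in REQUIRED}
    excess = sorted(p for p in set(allow) if p.lower() not in listed)
    return sorted(REQUIRED - granted), excess

# Constructed sample policy: broad rds/ec2 wildcards, one KMS action, one Deny.
SAMPLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["rds:*", "ec2:Describe*", "iam:GetUser"], "Resource": "*"},
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*"},
    {"Effect": "Deny", "Action": "rds:DeleteDBClusterSnapshot", "Resource": "*"},
]}

if __name__ == "__main__":
    missing, excess = audit_policy(SAMPLE_POLICY)
    print("missing:", missing)
    print("broader than the table:", excess)
```

A wildcard entry is reported as excess even when every action it currently matches is listed, because it also grants any action AWS adds under that prefix later.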
