The Commvault software uses AWS permissions to perform protection operations for your Amazon Redshift instances.
The software uses permissions only to access snapshot, volume, and instance configuration information that is required to back up instances to storage, to recover instances, and to clean up intermediate entities that are created by Commvault during those operations. Also, when a user account that has the required administrative privileges requests that a recovered instance overwrite the original instance, the permissions are used to remove the original instance, but only after confirmation from the user.
For AWS information about policies and permissions, see Policies and permissions in IAM in the AWS documentation.
Commvault supports dual-layer server-side encryption with AWS KMS (DSSE-KMS).
| Permission | Usage |
|---|---|
| redshift:CreateClusterSnapshot | Grants permission to create a manual snapshot of the specified cluster |
| redshift:CreateSnapshotCopyGrant | Grants permission to create a snapshot copy grant and encrypt copied snapshots in a destination AWS Region |
| redshift:CreateTags | Grants permission to add one or more tags to a specified resource |
| redshift:DeleteClusterSnapshot | Grants permission to delete a manual snapshot |
| redshift:DescribeClusters | Grants permission to describe properties of provisioned clusters |
| redshift:DescribeClusterSnapshots | Grants permission to describe one or more snapshot objects, which contain metadata about your cluster snapshots |
| redshift:DescribeSnapshotCopyGrants | Grants permission to describe snapshot copy grants owned by the specified AWS account in the destination AWS Region |
| redshift:DescribeTags | Grants permission to describe tags |
| redshift:DisableSnapshotCopy | Grants permission to disable the automatic copy of snapshots for a cluster |
| redshift:EnableSnapshotCopy | Grants permission to enable the automatic copy of snapshots for a cluster |
| redshift:RestoreFromClusterSnapshot | Grants permission to create a cluster from a snapshot |
| ec2:DescribeAccountAttributes | Allows describing attributes of an AWS account. |
| ec2:DescribeAvailabilityZones | Allows describing Amazon EC2 availability zones. |
| ec2:DescribeRegions | Allows describing Amazon EC2 regions. |
| ec2:DescribeSecurityGroups | Allows describing Amazon EC2 security groups. |
| ec2:DescribeSubnets | Allows describing Amazon VPC subnets. |
| ec2:DescribeVpcs | Allows describing Amazon VPCs (Virtual Private Clouds). |
| iam:GetAccountAuthorizationDetails | Allows retrieving details of IAM policies and permissions attached to the AWS account. |
| iam:GetUser | Allows retrieving information about an IAM user. Required to authenticate the user and the session. |
| kms:CreateGrant | Allows creating a grant for an AWS KMS key. A grant is a policy instrument that allows AWS principals to use KMS keys in cryptographic operations. |
| kms:DescribeKey | Allows describing details of an AWS KMS key. This detailed information includes the key ARN, creation date (and deletion date, if applicable), the key state, and the origin and expiration date (if any) of the key material. It includes fields, like KeySpec, that help you distinguish different types of KMS keys. |
| kms:Decrypt | Allows decrypting data using an AWS KMS key. |
| kms:Encrypt | Allows encrypting data using an AWS KMS key. |
| kms:GenerateDataKey | Allows generating a data encryption key using an AWS KMS key. |
| kms:GenerateDataKeyWithoutPlaintext | Controls permission to use the AWS KMS key to generate a data key. Unlike the GenerateDataKey operation, this operation returns an encrypted data key without a plaintext version of the data key. |
| kms:ListAliases | Allows listing KMS key aliases. These include aliases that you created and associated with your customer managed keys, and aliases that AWS created and associated with AWS managed keys in your account. AWS aliases have the format aws/ |
| kms:ListKeys | Allows listing AWS KMS keys. It has similar functionality to kms:ListAliases. It is used to get a list of all KMS keys in the caller’s AWS account and Region. |
| kms:ListResourceTags | Allows listing tags of an AWS KMS key. |
| kms:ReEncrypt | Allows re-encrypting data using an AWS Key Management Service (KMS) key. |
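To check an existing IAM policy against the table above, the following added example (not Commvault or AWS code) reports which listed actions a policy does not allow, which wildcard patterns it uses, and which named actions are outside the list. It assumes a standard JSON policy document, inspects only the `Action` element of `Allow` statements (it does not evaluate `Deny`, `NotAction`, `Resource`, or `Condition`), and uses a constructed sample policy.

```python
import fnmatch

# Actions copied from the permission table on this page.
REQUIRED = """
redshift:CreateClusterSnapshot redshift:CreateSnapshotCopyGrant redshift:CreateTags
redshift:DeleteClusterSnapshot redshift:DescribeClusters redshift:DescribeClusterSnapshots
redshift:DescribeSnapshotCopyGrants redshift:DescribeTags redshift:DisableSnapshotCopy
redshift:EnableSnapshotCopy redshift:RestoreFromClusterSnapshot
ec2:DescribeAccountAttributes ec2:DescribeAvailabilityZones ec2:DescribeRegions
ec2:DescribeSecurityGroups ec2:DescribeSubnets ec2:DescribeVpcs
iam:GetAccountAuthorizationDetails iam:GetUser kms:CreateGrant kms:DescribeKey
kms:Decrypt kms:Encrypt kms:GenerateDataKey kms:GenerateDataKeyWithoutPlaintext
kms:ListAliases kms:ListKeys kms:ListResourceTags kms:ReEncrypt
""".split()

def allow_patterns(policy):
    """Action patterns from Allow statements; Action may be a string or a list."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):       # Statement may be a single object
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue                        # Deny statements are not evaluated here
        actions = stmt.get("Action", [])
        patterns += [actions] if isinstance(actions, str) else list(actions)
    return patterns

def audit(policy):
    """Return (missing, wildcards, unlisted) relative to REQUIRED."""
    patterns = allow_patterns(policy)
    lowered = [p.lower() for p in patterns]  # IAM action names are case-insensitive
    missing = [a for a in REQUIRED
               if not any(fnmatch.fnmatchcase(a.lower(), p) for p in lowered)]
    wildcards = [p for p in patterns if "*" in p or "?" in p]
    required_lower = {a.lower() for a in REQUIRED}
    unlisted = [p for p in patterns
                if p not in wildcards and p.lower() not in required_lower]
    return missing, wildcards, unlisted

# Constructed sample policy, not taken from Commvault or AWS documentation.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["redshift:Describe*", "redshift:CreateClusterSnapshot", "kms:*", "s3:GetObject"]},
    {"Effect": "Allow", "Action": "ec2:describeregions", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:GetUser", "Resource": "*"},
]}
```

Calling `audit(SAMPLE_POLICY)` returns the listed actions the policy does not allow, the wildcard patterns worth narrowing to the named actions, and any named actions that the table does not list.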