This page describes the JSON permission definition files that Commvault uses for cleanroom recovery in AWS.
How these files are used
These JSON files are permission-definition source files that Commvault uses to create and manage the AWS IAM roles, groups, and attached policies that are required for cleanroom recovery.
When you choose the option to let Commvault create the AWS permissions, the runbook wizard opens an AWS CloudFormation stack that uses Commvault-provided permission definitions to create the required AWS IAM resources. Your organization can also review and manage the resulting AWS IAM resources according to your IAM governance requirements.
These files are not standalone CloudFormation templates or complete AWS IAM role exports.
If the workflow creates CommvaultCleanroomUserGroup, it can also generate the IAM user and credentials that are used for cleanroom access. If CommvaultCleanroomUserGroup already exists in the AWS account, the workflow can reuse the existing group. After credentials are generated, use them to create a credential entry in Credential Manager.
AWS permission files
The following JSON files are used for AWS cleanroom recovery:
| File | Creates or defines | Primary use | Used with |
|---|---|---|---|
| sts-commvault-cleanroom-admin-role.json | CommvaultCleanroomAdminRole | Defines the administrative role that Commvault uses for cleanroom permission setup and related recovery operations | Commvault software |
| iam-commvault-cleanroom-role.json | CommvaultCleanroomRole | Defines the main cleanroom IAM role and its attached policies | Commvault software |
| group-policies-commvault-cleanroom-user-group.json | CommvaultCleanroomUserGroup | Defines the IAM group and the attached policies used for cleanroom access | Commvault software |
| tenant-role-policies-commvault-cleanroom-tenant-role.json | CommvaultCleanroomTenantRole | Defines the tenant-scoped role and its attached policies | Commvault SaaS |
Common policy coverage
These files include policy definitions for the AWS resources and operations that are commonly required for cleanroom recovery, including the following areas:
- S3 cloud library access
- Amazon EC2 backup and restore operations
- Amazon RDS operations
- Amazon Redshift operations
- Amazon DocumentDB-related restore operations
- File system and EBS snapshot operations
- Amazon DynamoDB operations
- VPC restore operations
- Amazon S3 operations
- Recovery-related IAM, VPC endpoint, security group, internet gateway, NAT gateway, route table, EC2, S3, and prefix list management
File-specific differences
sts-commvault-cleanroom-admin-role.json
Creates CommvaultCleanroomAdminRole.
Use this role when Commvault must create or manage AWS IAM and network-related resources that are required for cleanroom recovery.
Additional policy coverage:
- STS assume-role access
iam-commvault-cleanroom-role.json
Creates CommvaultCleanroomRole.
Use this role as the main cleanroom IAM role for AWS recovery operations.
Additional policy coverage:
- Amazon FSx and Amazon EFS read access
group-policies-commvault-cleanroom-user-group.json
Creates CommvaultCleanroomUserGroup.
Use this group when the cleanroom workflow requires an IAM user group for cleanroom access.
Additional policy coverage:
- Amazon FSx and Amazon EFS read access
tenant-role-policies-commvault-cleanroom-tenant-role.json
Creates CommvaultCleanroomTenantRole.
Use this role when the cleanroom workflow requires a tenant-scoped role.
Additional policy coverage:
- STS assume-role access
- Amazon FSx and Amazon EFS read access
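The page notes that your organization can review the resulting IAM resources according to its own governance requirements, and it lists the policy coverage (S3, EC2, FSx/EFS read access, STS assume-role) that reviewers will encounter in these files. The following is an added example of how such a review could be scripted; it is not Commvault's code, and the policy document embedded in it is a constructed sample, not the content of any Commvault-provided permission file. It summarizes what an IAM policy document grants per service, marks services whose granted actions are all read-only (Describe/Get/List), and raises the findings a governance reviewer typically wants flagged: mutating actions on `Resource: "*"`, use of `NotAction`, and the presence of `sts:AssumeRole` (so the target role ARNs and trust policies can be confirmed).

```python
import json
from collections import defaultdict

# Constructed sample policy document for illustration only. It is NOT the
# content of any Commvault-provided permission file; the bucket name, role
# name, and account ID (123456789012, the AWS documentation example ID) are
# placeholders.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-cloud-library",
                      "arn:aws:s3:::example-cloud-library/*"]},
        {"Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:RunInstances", "ec2:CreateSnapshot"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["fsx:Describe*", "elasticfilesystem:Describe*"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::123456789012:role/CommvaultCleanroomRole"},
        {"Effect": "Deny",
         "Action": "s3:DeleteBucket",
         "Resource": "*"},
    ],
})

# Action verbs that only read state. Anything else is treated as mutating.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def summarize_policy(policy_json):
    """Summarize Allow statements per service.

    Returns {service: {"actions": sorted list of granted actions,
                       "read_only": True if every action is Describe/Get/List,
                       "wildcard_resource": True if any grant uses Resource "*"}}.
    Deny statements narrow access rather than widen it, so they are skipped here.
    """
    doc = json.loads(policy_json)
    services = defaultdict(lambda: {"actions": set(), "read_only": True,
                                    "wildcard_resource": False})
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        wildcard = "*" in _as_list(stmt.get("Resource"))
        for action in _as_list(stmt.get("Action")):
            # "*" alone means every action on every service.
            service, _, verb = ("*", "", "*") if action == "*" else action.partition(":")
            entry = services[service]
            entry["actions"].add(action)
            if not verb.startswith(READ_ONLY_PREFIXES):
                entry["read_only"] = False
            if wildcard:
                entry["wildcard_resource"] = True
    return {svc: {"actions": sorted(e["actions"]),
                  "read_only": e["read_only"],
                  "wildcard_resource": e["wildcard_resource"]}
            for svc, e in services.items()}


def review_findings(policy_json):
    """Return the governance findings a reviewer would want flagged, as strings."""
    findings = []
    doc = json.loads(policy_json)
    # NotAction grants everything except the listed actions; it deserves a look.
    if any("NotAction" in s for s in _as_list(doc.get("Statement"))):
        findings.append("NotAction used; the grant is everything except the listed actions")
    summary = summarize_policy(policy_json)
    if "*" in summary:
        findings.append("grants all actions on all services")
    for svc, entry in sorted(summary.items()):
        if svc != "*" and entry["wildcard_resource"] and not entry["read_only"]:
            findings.append(f"{svc}: mutating actions allowed on Resource '*'")
    sts = summary.get("sts")
    if sts and any(a in ("sts:AssumeRole", "sts:*") for a in sts["actions"]):
        findings.append("sts: AssumeRole present; confirm target role ARNs and trust policies")
    return findings


if __name__ == "__main__":
    for service, entry in sorted(summarize_policy(SAMPLE_POLICY).items()):
        print(service, "read-only" if entry["read_only"] else "mutating", entry["actions"])
    for finding in review_findings(SAMPLE_POLICY):
        print("FINDING:", finding)
```

To run it against a live policy, replace `SAMPLE_POLICY` with the policy document returned by `aws iam get-policy-version` or `aws iam get-role-policy` for each attached policy of the four IAM resources listed on this page. Treat the read-only classification as a first pass: a wildcard such as `fsx:Describe*` is read-only by verb, but the reviewer still decides whether `Resource: "*"` is acceptable for that service.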
Permissions workflow options
You can use either of the following approaches:
- Let Commvault create the AWS permissions from the runbook wizard.
- Let your AWS administrator manage the resulting IAM roles, groups, and related permissions according to your organization's requirements.