Commvault AWS API Limited Permissions

20 August 2021

Hi all,

Had a question regarding the current IAM policies being provided by Commvault for AWS policies that are all documented here.

My question is in relation to this policy.

More pointed, I’m interested to understand if anyone has taken the time to configure these policies in a “least privilege access” approach utilizing something like condition based tags. I understand that Commvault provides this policy. But as you can see, the bottom half of that policy is still far more wide open than what would meet a “least privilege access” approach.

For instance I’d like to understand what SSM is being used for and how we could approach restricting these specific permissions to only the resources we need to give it access to:

"ssm:CancelCommand"
"ssm:SendCommand"
"ssm:ListCommands"
"ssm:ListDocuments"
"ssm:DescribeDocument"
"ssm:DescribeInstanceInformation"

Open to thoughts, suggestions!

Thanks,

Best answer by Bhama 20 August 2021, 19:34


Hey @lancecwhite, appreciate the post!!

I’m going to tag in some of our developers and see if they can provide some input (in addition to what anyone else can contribute :grinning: )


Hi All,

https://documentation.commvault.com/11.24/expert/101442_amazon_web_services_permission_usage_01.html

The permissions below are required if you intend to do agentless file-level restore to an instance.

If you don't plan on using that feature, you can simply remove those permissions from your JSON file.

ssm:CancelCommand: Cancel run commands.
ssm:DescribeDocument: Describe the run command document.
ssm:DescribeInstanceInformation: Get a list of instances that have the AWS Systems Manager (SSM) installed.
ssm:ListCommands: List the run commands.
ssm:ListDocuments: List all run command documents in the account.
ssm:SendCommand: Launch run commands.

Thanks,

Bhama


@Bhama, thanks for the URL.

I think my concern is more geared towards trying to limit the instances that SSM will have permissions to execute these agentless restores against. I understand that we could implement some sort of Tag based approach to limit the scope of the permissions, but I was curious to understand if anyone else had taken the time to fully review these policies and could share how they approached limiting them.

 

But again, thank you for the URL and I'll certainly share my approach with the community once I come up with one.
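As an added example (not from this thread and not Commvault's published policy), here is one shape the tag-scoped approach discussed above could take: the list/describe actions that do not support resource-level scoping stay on "*", while ssm:SendCommand is limited to named run documents and to instances carrying a specific tag through the ssm:resourceTag/<key> condition key. The tag key and value, the document names, and the region/account are assumptions; the small evaluator only models the Allow path and is not the IAM policy engine.

```python
"""Least-privilege shape for the SSM actions in this thread, plus a tiny
evaluator for the tag condition. Constructed example: the tag key/value,
document names, region and account are assumptions, not Commvault's values."""
import fnmatch
import json

REGION, ACCOUNT = "us-east-1", "123456789012"          # placeholder values
TAG_KEY, TAG_VALUE = "CommvaultRestore", "enabled"     # assumed tag on restore targets

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # list/describe/cancel actions take no resource ARN, so they stay on "*"
            "Sid": "SsmDiscovery",
            "Effect": "Allow",
            "Action": ["ssm:ListCommands", "ssm:ListDocuments",
                       "ssm:DescribeInstanceInformation", "ssm:CancelCommand"],
            "Resource": "*",
        },
        {   # only the run documents the restore needs (assumed AWS-managed ones)
            "Sid": "SsmDocuments",
            "Effect": "Allow",
            "Action": ["ssm:SendCommand", "ssm:DescribeDocument"],
            "Resource": [f"arn:aws:ssm:{REGION}::document/AWS-RunShellScript",
                         f"arn:aws:ssm:{REGION}::document/AWS-RunPowerShellScript"],
        },
        {   # instances as SendCommand targets, gated on the assumed tag
            "Sid": "SsmTaggedInstances",
            "Effect": "Allow",
            "Action": "ssm:SendCommand",
            "Resource": f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/*",
            "Condition": {"StringEquals": {f"ssm:resourceTag/{TAG_KEY}": TAG_VALUE}},
        },
    ],
}

def allowed(action, resource, tags=None):
    """Simplified allow-only check: action + resource pattern + StringEquals on
    ssm:resourceTag/*. Not the real IAM engine (no Deny, no other operators)."""
    tags = tags or {}
    for st in POLICY["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        cond = st.get("Condition", {}).get("StringEquals", {})
        if all(tags.get(k.split("/", 1)[1]) == v for k, v in cond.items()):
            return True
    return False

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))  # the JSON you would attach to the role
```

A SendCommand call must be allowed for both the document ARN and every target instance ARN, so an untagged instance fails the third statement even though the document statement passes.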
