This is an archive version of the document. To get the most up-to-date information, see the current version.IAM Role Permissions on CMKs
Depending on an operation performed with EC2 instances that have encrypted EBS volumes, IAM roles specified for the operation may require permissions on CMKs.
- Creating cloud-native snapshots
- Creating image-level backups
- Creating snapshot replicas
- Restoring from cloud-native snapshots
- Restoring from image-level backups
Tip |
For information on how to grant permissions on a CMK to an IAM role, see this Veeam KB article. |
Creating Cloud-Native Snapshots
The process of creating cloud-native snapshots of an EC2 instance with encrypted EBS volumes does not differ from the same process for an EC2 instance with unencrypted EBS volumes. An IAM role specified for creating cloud-native snapshots does not require permissions on CMKs with which the EBS volumes are encrypted.
Note that Veeam Backup for AWS encrypts created cloud-native snapshots with the same CMKs with which EBS volumes of the processed EC2 instance are encrypted.
The process of creating image-level backups of an EC2 instance with encrypted EBS volumes differs depending on whether a worker instance processing EBS volume data is launched in the same AWS account or not.
Image-Level Backup in Same AWS Account
If the worker instance is launched in the same AWS account where the processed EC2 instance resides, Veeam Backup for AWS performs the following steps:
- Creates a cloud-native snapshot of the EC2 instance.
- Re-creates EBS volumes from the cloud-native snapshot, and then attaches them to the worker instance to read and further transfer EBS volume data to an S3 repository.
An IAM role specified for launching worker instances requires permissions on CMKs with which EBS volumes of the EC2 instance are encrypted (source CMKs).
Cross-Account Image-Level Backup
If the worker instance is launched in an AWS account different from the one where the processed EC2 instance resides, Veeam Backup for AWS performs the following steps:
- Creates a cloud-native snapshot of the EC2 instance.
- Shares the created cloud-native snapshot with an AWS account where the worker instance is launched.
To share the snapshot, an IAM role that was specified for creating this snapshot requires permissions on CMKs with which EBS volumes of the EC2 instance are encrypted (source CMKs).
Important |
If EBS volumes of the EC2 instance are encrypted with the default key for EBS encryption (aws/ebs alias), Veeam Backup for AWS will not be able to share the snapshot with another AWS account and the backup process will fail. For more information, see this Veeam KB article. |
- Re-creates EBS volumes from the shared cloud-native snapshot, and then attaches them to the worker instance to read and further transfer EBS volume data to an S3 repository.
Note that according to AWS requirements, EBS volumes created from encrypted snapshots must also be encrypted. Thus, Veeam Backup for AWS encrypts re-created EBS volumes with the default encryption key specified for the AWS region where the worker instance is launched.
An IAM role specified for launching worker instances requires permissions on the following CMKs:
- Source CMKs.
- The default encryption key.
The process of creating snapshot replicas of an EC2 instance with encrypted EBS volumes differs depending on whether you create snapshot replicas within the same AWS account where the EC2 instance resides or not.
Snapshot Replication in Same AWS Account
If you create snapshot replicas within the same AWS account where the EC2 instance resides, Veeam Backup for AWS performs the following steps:
- Creates a cloud-native snapshot of the EC2 instance.
- Copies the created cloud-native snapshot to the target AWS region.
An IAM role specified for creating snapshot replicas requires permissions on the following CMKs:
- CMKs with which EBS volumes of the EC2 instance are encrypted (source CMKs).
- A CMK with which you want to encrypt EBS volume data in the snapshot replica (target CMK).
Note that if you do not specify the target CMK, the snapshot replica of an encrypted EC2 instance will be encrypted with the default encryption key specified for the target AWS region. In this case, the IAM role will require permissions on the default encryption key.
Cross-Account Snapshot Replication
If you create a snapshot replica in an AWS account different from the one where the EC2 instance resides, Veeam Backup for AWS performs the following steps:
- Creates a cloud-native snapshot of the EC2 instance.
- Shares the created cloud-native snapshot with the target AWS account.
To share the snapshot, an IAM role that was specified for creating this snapshot requires permissions on CMKs with which EBS volumes of the EC2 instance are encrypted (source CMKs).
Important |
If EBS volumes of the EC2 instance are encrypted with the default key for EBS encryption (aws/ebs alias), Veeam Backup for AWS will not be able to share the snapshot with another AWS account and the replication process will fail. For more information, see this Veeam KB article. |
- Copies the shared cloud-native snapshot to the target AWS region.
An IAM role specified for creating snapshot replicas requires permissions on the following CMKs:
- Source CMKs.
- A CMK with which you want to encrypt EBS volume data in the snapshot replica (target CMK).
Note that if you do not specify the target CMK, the snapshot replica of an encrypted EC2 instance will be encrypted with the default encryption key specified for the target AWS region in the target AWS account. Thus, the IAM role will require permissions on the default encryption key.
Restoring from Cloud-Native Snapshots
The process of restoring an EC2 instance from an encrypted cloud-native snapshot differs depending on whether you perform restore to the same location where the cloud-native snapshot resides or not.
Note |
Consider the following:
|
Restore to Same AWS Region in Same AWS Account
To restore the EC2 instance to the same AWS region in the source AWS account, Veeam Backup for AWS uses permissions of an IAM role specified for restore. The IAM role requires permissions on the following CMKs:
- CMKs with which the cloud-native snapshot is encrypted (source CMKs).
- A CMK with which you want to encrypt EBS volumes of the restored EC2 instance (target CMK).
Restore to Different AWS Region in Same AWS Account
To restore the EC2 instance to a different AWS region in the source AWS account, Veeam Backup for AWS performs the following steps:
- Copies the cloud-native snapshot to the target AWS region.
To copy the snapshot, Veeam Backup for AWS uses permissions of an IAM role that was specified for creating this snapshot. The IAM role requires permissions on the following CMKs:
- CMKs with which EBS volumes of the backed-up EC2 instance are encrypted (source CMKs).
- A CMK with which you want to encrypt EBS volumes of the restored EC2 instance (target CMK).
- Uses the copied cloud-native snapshot to create EBS volumes in the target AWS region.
The IAM role specified for restore requires permissions on the target CMK.
Cross-Account Restore to Same AWS Region
To restore the EC2 instance to the same AWS region in an AWS account that is different from the source AWS account, Veeam Backup for AWS performs the following steps:
- Shares the cloud-native snapshot with the target AWS account.
To share the snapshot, an IAM role that was specified for creating this snapshot requires permissions on CMKs with which EBS volumes of the backed-up EC2 instance are encrypted (source CMKs).
Important |
According to AWS limitations, cloud-native snapshots encrypted with the default key for EBS encryption (aws/ebs alias) cannot be shared between AWS accounts. Thus, if the cloud-native snapshot is encrypted with the default key for EBS encryption, Veeam Backup for AWS will not be able to share the snapshot and the restore process will fail. For more information, see this Veeam KB article. |
- Uses the shared cloud-native snapshot to create EBS volumes in the same AWS region within the target AWS account.
An IAM role specified for restore requires permissions on the following CMKs:
- Source CMKs.
- A CMK with which you want to encrypt EBS volumes of the restored EC2 instance (target CMK).
Cross-Account Restore to Different AWS Region
To restore the EC2 instance to a different AWS region in an AWS account different from the source AWS account, Veeam Backup for AWS performs the following steps:
- Copies the cloud-native snapshot to the target AWS region in the source AWS account.
To copy the snapshot, Veeam Backup for AWS uses permissions of an IAM role that was specified for creating this snapshot. The IAM role requires permissions on the following CMKs:
- CMKs with which EBS volumes of the backed-up EC2 instance are encrypted (source CMKs).
- A default encryption key specified for the target AWS region in the source AWS account.
- Shares the copied cloud-native snapshot with the target AWS account.
Important |
According to AWS limitations, cloud-native snapshots encrypted with the default key for EBS encryption (aws/ebs alias) cannot be shared between AWS accounts. Thus, if the default encryption key specified for the target AWS region in the source AWS account is the default key for EBS encryption, Veeam Backup for AWS will not be able to share the snapshot and the restore process will fail. For more information, see this Veeam KB article. |
- Uses the shared cloud-native snapshot to create EBS volumes in the target AWS region within the target AWS account.
An IAM role specified for restore requires permissions on the following CMKs:
- The default encryption key.
- A CMK with which you want to encrypt EBS volumes of the restored EC2 instance (target CMK).
Restoring from Image-Level Backups
The process of restoring an EC2 instance with encrypted EBS volumes from an image-level backup differs depending on whether a worker instance is launched in the same AWS account to which you perform restore or not.
Note |
Consider the following:
|
If the worker instance is launched in the same AWS account to which you perform restore, an IAM role specified for launching worker instances requires permissions on the CMK with which you want to encrypt EBS volumes of the restored EC2 instance (target CMK).
If the worker instance is launched in an AWS account that is different from an AWS account to which you perform restore, Veeam Backup for AWS performs the following steps:
- On the worker instance, Veeam Backup for AWS restores EBS volumes from the image-level backup to the target AWS region in the source AWS account.
To protect your data at this stage, Veeam Backup for AWS encrypts restored EBS volumes with a default encryption key specified for the target AWS region in the source AWS account. Thus, an IAM role specified for launching worker instances requires permissions on the default encryption key.
- Creates snapshots of restored EBS volumes.
- Shares the created EBS snapshots with the target AWS account.
Important |
According to AWS limitations, snapshots encrypted with the default key for EBS encryption (aws/ebs alias) cannot be shared between AWS accounts. Thus, if the default encryption key specified for the target AWS region in the source AWS account is the default key for EBS encryption, Veeam Backup for AWS will not be able to share the snapshot and the restore process will fail. For more information, see this Veeam KB article. |
- Uses shared EBS snapshots to create EBS volumes in the target AWS region within the target AWS account.
An IAM role specified for restore requires permissions on the following CMKs:
- The default encryption key.
- A CMK with which you want to encrypt EBS volumes of the restored EC2 instance (target CMK).
