This is an archive version of the document. To get the most up-to-date information, see the current version.

Required Permissions

Make sure user accounts that you plan to use have permissions described in this section:

User account permissions required to install and work with Veeam Backup & Replication
AWS user account and IAM role permissions
Permissions for virtualization servers and hosts
Azure user account permissions

Veeam Backup & Replication User Account Permissions

The user account that you plan to use when installing and working with Veeam Backup & Replication must have permissions described in the Installing and Using Veeam Backup & Replication section in the Veeam Backup & Replication User Guide.

AWS User Account and IAM Role Permissions

The AWS account that you plan to use when deploying a new Veeam Backup for AWS appliance or connecting to an existing Veeam Backup for AWS appliance must have the following permissions:

{

"iam:CreateInstanceProfile",

"ec2:AuthorizeSecurityGroupIngress",

"ec2:DescribeAddresses",

"ec2:DescribeInstances",

"ec2:CreateKeyPair",

"ec2:CreateVpc",

"iam:RemoveRoleFromInstanceProfile",

"iam:CreateRole",

"ec2:AttachInternetGateway",

"s3:ListBucket",

"iam:PutRolePolicy",

"iam:AddRoleToInstanceProfile",

"iam:SimulatePrincipalPolicy",

"ec2:StartInstances",

"ec2:DescribeAvailabilityZones",

"ec2:CreateRoute",

"ec2:CreateInternetGateway",

"ec2:CreateSecurityGroup",

"ec2:DescribeVolumes",

"ec2:DeleteInternetGateway",

"ec2:DescribeRouteTables",

"ec2:ReleaseAddress",

"iam:DeleteInstanceProfile",

"ec2:AuthorizeSecurityGroupEgress",

"ec2:TerminateInstances",

"iam:GetInstanceProfile",

"ec2:CreateTags",

"ec2:RunInstances",

"iam:DeleteRole",

"ec2:AllocateAddress",

"ec2:DescribeSecurityGroups",

"ec2:DescribeImages",

"s3:PutObject",

"ec2:DescribeVpcs",

"ec2:DeleteSecurityGroup",

"ec2:DescribeInstanceTypes",

"ec2:DeleteVpc",

"sts:GetCallerIdentity",

"ec2:CreateSubnet",

"ec2:DescribeSubnets",

"s3:GetBucketLocation"

}

While performing data protection and disaster recovery operations, Veeam Backup for AWS uses permissions of IAM roles to access AWS services and resources.

In the AWS account that you specify when adding or deploying the Veeam Backup for AWS appliance, the Default Backup Restore IAM role is created automatically. This IAM role has all the permissions required to perform operations within the initial AWS account — to back up any Amazon EC2 instance within the account, to store backups in any Amazon S3 bucket within the account, and so on.

If you want to specify granular permissions, to protect EC2 instances of another AWS account or to keep backed-up data in another AWS account, you must add IAM roles that have access to AWS services and resources of that account. For more information on IAM roles and how to add them, see the IAM Roles section in the Veeam Backup for AWS User Guide.

If you plan to copy image-level backups or to restore guest OS files from image-level backups, make sure that the accounts specified for S3 repositories where the image-level backups are stored have permissions described in the Using Amazon S3 Object Storage section in the Veeam Backup & Replication User Guide. For more information on how to specify user accounts for existing S3 repositories, see Connecting to Existing Appliance. For more information on how to specify user accounts for new S3 repositories, see Adding New S3 Repositories.

Permissions for Virtualization Servers and Hosts

If you plan to copy backups to on-premises repositories, to perform restore to VMware vSphere or Microsoft Hyper-V, or to perform other tasks related to virtualization servers or hosts, you must check that the user account specified for these servers and host has permissions listed in both the Using Virtualization Servers and Hosts section in the Veeam Backup & Replication User Guide for VMware vSphere and in the Using Virtualization Servers and Hosts section in the Veeam Backup & Replication User Guide for Microsoft Hyper-V.

Azure User Account Permissions

The Azure user account that you plan to use when restoring EC2 instances to Microsoft Azure must have permissions described in the Adding Microsoft Azure Accounts section of the Veeam Backup & Replication User Guide.