This is an archive version of the document. To get the most up-to-date information, see the current version.

EC2 Backup IAM Role Permissions

Veeam Backup for AWS uses EC2 Backup Policy IAM roles to perform the following operations:

  • To enumerate resources added to a backup policy.
  • To create cloud-native snapshots of EC2 instances protected by the policy.
  • To create EBS volumes and attach the volumes to worker instances when performing image-level backup.
  • To create snapshot replicas, and so on.

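To perform these operations, IAM roles specified in the backup policy settings must be granted the permissions listed below. Note that the single statement allows every listed action on all resources ("Resource": "*"), including ssm:SendCommand, kms:CreateGrant, ec2:ModifySnapshotAttribute and ec2:DeleteSnapshot, so the role's trust policy should limit who can assume it: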

{

   "Version": "2012-10-17",

   "Statement": [

       {

           "Action": [

               "ebs:ListChangedBlocks",

               "ebs:ListSnapshotBlocks",

               "ec2:CopySnapshot",

               "ec2:CreateSnapshot",

               "ec2:CreateSnapshots",

               "ec2:CreateTags",

               "ec2:DeleteSnapshot",

               "ec2:DeleteTags",

               "ec2:DescribeAvailabilityZones",

               "ec2:DescribeConversionTasks",

               "ec2:DescribeImages",

               "ec2:DescribeInstanceAttribute",

               "ec2:DescribeInstances",

               "ec2:DescribeInstanceTypes",

               "ec2:DescribeRegions",

               "ec2:DescribeSnapshotAttribute",

               "ec2:DescribeSnapshots",

               "ec2:DescribeSubnets",

               "ec2:DescribeTags",

               "ec2:DescribeVolumeAttribute",

               "ec2:DescribeVolumes",

               "ec2:GetEbsDefaultKmsKeyId",

               "ec2:ModifySnapshotAttribute",

               "events:DeleteRule",

               "events:DescribeRule",

               "events:ListTargetsByRule",

               "events:PutRule",

               "events:PutTargets",

               "events:RemoveTargets",

               "iam:GetContextKeysForPrincipalPolicy",

               "iam:ListAccountAliases",

               "iam:ListInstanceProfiles",

               "iam:SimulatePrincipalPolicy",

               "kms:CreateGrant",

               "kms:DescribeKey",

               "kms:GetKeyPolicy",

               "kms:ListAliases",

               "kms:ListKeys",

               "kms:ReEncryptFrom",

               "kms:ReEncryptTo",

               "servicequotas:ListServiceQuotas",

               "sns:CreateTopic",

               "sns:DeleteTopic",

               "sns:ListSubscriptionsByTopic",

               "sns:ListTopics",

               "sns:SetTopicAttributes",

               "sns:Subscribe",

               "sns:Unsubscribe",

               "sqs:CreateQueue",

               "sqs:DeleteMessage",

               "sqs:DeleteQueue",

               "sqs:ListQueues",

               "sqs:ReceiveMessage",

               "sqs:SetQueueAttributes",

               "ssm:DescribeInstanceInformation",

               "ssm:GetCommandInvocation",

               "ssm:SendCommand"

           ],

                     "Resource": "*",

                     "Effect": "Allow"

         }

   ]

}