RDS Backup IAM Role Permissions
Veeam Backup for AWS uses RDS Backup Policy IAM roles to perform the following operations:
- To enumerate resources added to a backup policy.
- To create cloud-native snapshots of RDS resources protected by the policy.
- To create snapshot replicas, and so on.
To perform these operations, IAM roles specified in the backup policy settings must be granted the following permissions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeRegions",
        "events:DeleteRule",
        "events:DescribeRule",
        "events:ListTargetsByRule",
        "events:PutRule",
        "events:PutTargets",
        "events:RemoveTargets",
        "iam:GetContextKeysForPrincipalPolicy",
        "iam:GetRole",
        "iam:ListAccountAliases",
        "iam:SimulatePrincipalPolicy",
        "kms:CreateGrant",
        "kms:DescribeKey",
        "kms:GetKeyPolicy",
        "kms:ListAliases",
        "kms:ListKeys",
        "rds:AddTagsToResource",
        "rds:CopyDBClusterSnapshot",
        "rds:CopyDBSnapshot",
        "rds:CreateDBClusterSnapshot",
        "rds:CreateDBSnapshot",
        "rds:DeleteDBClusterSnapshot",
        "rds:DeleteDBSnapshot",
        "rds:DescribeDBClusters",
        "rds:DescribeDBClusterSnapshots",
        "rds:DescribeDBInstances",
        "rds:DescribeDBSnapshots",
        "rds:DescribeDBSubnetGroups",
        "rds:ListTagsForResource",
        "rds:ModifyDBClusterSnapshotAttribute",
        "rds:ModifyDBSnapshotAttribute",
        "rds:RemoveTagsFromResource",
        "sns:CreateTopic",
        "sns:DeleteTopic",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTopics",
        "sns:SetTopicAttributes",
        "sns:Subscribe",
        "sns:Unsubscribe",
        "sqs:CreateQueue",
        "sqs:DeleteMessage",
        "sqs:DeleteQueue",
        "sqs:ListQueues",
        "sqs:ReceiveMessage",
        "sqs:SendMessage",
        "sqs:SetQueueAttributes"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
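To check an existing role against this list before assigning it to a backup policy, the following added example (not Veeam code) compares a policy document with the required actions and reports what is missing, what is granted beyond the list, and which grants use wildcards. The names `granted_patterns`, `audit` and `SAMPLE` are assumptions made for this example, and `Deny` statements, `NotAction`, `Condition` and `Resource` scoping are not evaluated.

```python
import fnmatch

# Required actions, copied from the policy on this page, grouped by service prefix.
_BY_SERVICE = {
    "ec2": "DescribeAvailabilityZones DescribeRegions",
    "events": "DeleteRule DescribeRule ListTargetsByRule PutRule PutTargets RemoveTargets",
    "iam": "GetContextKeysForPrincipalPolicy GetRole ListAccountAliases SimulatePrincipalPolicy",
    "kms": "CreateGrant DescribeKey GetKeyPolicy ListAliases ListKeys",
    "rds": "AddTagsToResource CopyDBClusterSnapshot CopyDBSnapshot CreateDBClusterSnapshot "
           "CreateDBSnapshot DeleteDBClusterSnapshot DeleteDBSnapshot DescribeDBClusters "
           "DescribeDBClusterSnapshots DescribeDBInstances DescribeDBSnapshots "
           "DescribeDBSubnetGroups ListTagsForResource ModifyDBClusterSnapshotAttribute "
           "ModifyDBSnapshotAttribute RemoveTagsFromResource",
    "sns": "CreateTopic DeleteTopic ListSubscriptionsByTopic ListTopics SetTopicAttributes "
           "Subscribe Unsubscribe",
    "sqs": "CreateQueue DeleteMessage DeleteQueue ListQueues ReceiveMessage SendMessage "
           "SetQueueAttributes",
}
REQUIRED = [f"{svc}:{name}" for svc, names in _BY_SERVICE.items() for name in names.split()]

def granted_patterns(policy):
    """Action patterns from Allow statements; Statement and Action may be one item or a list."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    out = []
    for s in stmts:
        if s.get("Effect") == "Allow" and "Action" in s:
            a = s["Action"]
            out += [a] if isinstance(a, str) else list(a)
    return out

def audit(policy):
    """Compare a role policy with REQUIRED. IAM action names are case-insensitive; * and ? are wildcards."""
    pats = granted_patterns(policy)
    hit = lambda act, pat: fnmatch.fnmatchcase(act.lower(), pat.lower())
    return {
        "missing": [a for a in REQUIRED if not any(hit(a, p) for p in pats)],
        "extra": [p for p in pats if not any(hit(a, p) for a in REQUIRED)],
        "wildcard": [p for p in pats if "*" in p or "?" in p],
    }

# Constructed sample role policy: two required actions dropped, one unrelated action and one wildcard added.
SAMPLE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": [a for a in REQUIRED if a not in ("kms:CreateGrant", "rds:CopyDBSnapshot")]
              + ["s3:GetObject", "sqs:*"]}]}

if __name__ == "__main__":
    for key, values in audit(SAMPLE).items():
        print(key, values)
```

An empty `missing` list means every required action is matched by some `Allow` statement; entries under `extra` and `wildcard` are candidates for removal or narrowing when the role is meant to be used only by the backup policy.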