Service IAM Role in Backup Account
To allow Veeam Backup for AWS to launch worker instances in the backup account to perform backup and restore operations, the Service IAM role specified in the worker instance settings must be granted the following permissions:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ebs:ListChangedBlocks", "ebs:ListSnapshotBlocks", "ec2:AttachVolume", "ec2:CopySnapshot", "ec2:CreateKeyPair", "ec2:CreateSnapshot", "ec2:CreateTags", "ec2:CreateVolume", "ec2:DeleteKeyPair", "ec2:DeleteSnapshot", "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones", "ec2:DescribeImages", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstances", "ec2:DescribeKeyPairs", "ec2:DescribeRegions", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSnapshots", "ec2:DescribeSubnets", "ec2:DescribeVolumes", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcs", "ec2:DetachVolume", "ec2:GetEbsDefaultKmsKeyId", "ec2:ModifyInstanceAttribute", "ec2:ModifySnapshotAttribute", "ec2:ModifyVolume", "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances", "iam:AddRoleToInstanceProfile", "iam:AttachRolePolicy", "iam:CreateInstanceProfile", "iam:CreateRole", "iam:DeleteInstanceProfile", "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:DetachRolePolicy", "iam:GetContextKeysForPrincipalPolicy", "iam:GetInstanceProfile", "iam:GetRole", "iam:ListAccountAliases", "iam:ListAttachedRolePolicies", "iam:ListInstanceProfilesForRole", "iam:ListRolePolicies", "iam:PassRole", "iam:PutRolePolicy", "iam:RemoveRoleFromInstanceProfile", "iam:SimulatePrincipalPolicy", "kinesis:CreateStream", "kinesis:DeleteStream", "kinesis:DescribeStream", "kinesis:PutRecord", "kms:CreateGrant", "kms:DescribeKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:GetKeyPolicy", "kms:ListAliases", "kms:ListKeys", "kms:ReEncryptFrom", "kms:ReEncryptTo", "servicequotas:ListServiceQuotas", "sqs:CreateQueue", "sqs:DeleteMessage", "sqs:DeleteQueue", "sqs:ListQueues", "sqs:ReceiveMessage", "sqs:SendMessage", "ssm:GetCommandInvocation", "ssm:GetParameter", "ssm:SendCommand" ], "Resource": "*" } ] } |