This is an archive version of the document. To get the most up-to-date information, see the current version.IAM Permissions Changelog
This section describes the latest changes in IAM permissions required for Veeam Backup for AWS to perform operations.
When you update Veeam Backup for AWS version 5.0 to version 6.0, consider that additional permissions must be granted to the IAM roles:
- For Veeam Backup for AWS to be able to collect and back up network interfaces of EC2 instances, EC2 backup IAM roles must be additionally granted the following permissions:
- For Veeam Backup for AWS to be able to restore network interfaces of EC2 instances, EC2 restore IAM roles must be additionally granted the following permissions:
"ec2:AllocateAddress", "ec2:AssignPrivateIpAddresses", "ec2:AssociateAddress", "ec2:AttachNetworkInterface", "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:DescribeAddresses", "ec2:DisassociateAddress", "ec2:ModifyNetworkInterfaceAttribute" |
- For Veeam Backup for AWS to be able to restore EFS file systems, EFS restore IAM roles must be additionally granted the following permission:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:DeleteObjectVersion", "s3:GetObjectRetention" "s3:GetObjectVersion", "s3:PutObjectRetention" ], "Resource": "arn:aws:s3:::<yourbucketname>/*" }, { "Effect": "Allow", "Action": [ "s3:ListBucketVersions", "s3:GetBucketObjectLockConfiguration", "s3:GetBucketVersioning" ], "Resource": "arn:aws:s3:::<yourbucketname>" } ] } |
You can update the roles manually in AWS, or instruct Veeam Backup for AWS to do it as described in section Updating IAM Roles.
Important |
If you instruct Veeam Backup for AWS to deploy worker instances in production accounts, you must assign additional permissions to IAM roles used to perform backup and restore operations. For more information on the required permissions, see sections EC2 Backup IAM Role Permissions and EC2 Restore IAM Permissions. |
