This is an archive version of the document. To get the most up-to-date information, see the current version.

RDS Backup IAM Role Permissions

Veeam Backup for AWS uses RDS Backup IAM roles to perform the following operations:

  • To enumerate resources added to a backup session.
  • To create cloud-native snapshots of RDS resources.
  • To create snapshot replicas, and so on.

Note

The same scope of permissions is required for IAM roles used to perform backup operations automatically as described in section Creating RDS Backup Policies, and IAM roles used to perform backup operations manually as described in section Creating RDS Snapshots Manually.

To perform backup operations, IAM roles specified in the RDS backup settings must be granted the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeRegions",
                "events:DeleteRule",
                "events:DescribeRule",
                "events:ListTargetsByRule",
                "events:PutRule",
                "events:PutTargets",
                "events:RemoveTargets",
                "iam:GetContextKeysForPrincipalPolicy",
                "iam:ListAccountAliases",
                "iam:SimulatePrincipalPolicy",
                "kms:CreateGrant",
                "kms:DescribeKey",
                "kms:GetKeyPolicy",
                "kms:ListAliases",
                "kms:ListKeys",
                "rds:AddTagsToResource",
                "rds:CopyDBClusterSnapshot",
                "rds:CopyDBSnapshot",
                "rds:CreateDBClusterSnapshot",
                "rds:CreateDBSnapshot",
                "rds:DeleteDBClusterSnapshot",
                "rds:DeleteDBSnapshot",
                "rds:DescribeDBClusters",
                "rds:DescribeDBClusterSnapshots",
                "rds:DescribeDBInstances",
                "rds:DescribeDBSnapshots",
                "rds:DescribeDBSubnetGroups",
                "rds:ListTagsForResource",
                "rds:ModifyDBClusterSnapshotAttribute",
                "rds:ModifyDBSnapshotAttribute",
                "rds:RemoveTagsFromResource",
                "sns:CreateTopic",
                "sns:DeleteTopic",
                "sns:ListSubscriptionsByTopic",
                "sns:ListTopics",
                "sns:SetTopicAttributes",
                "sns:Subscribe",
                "sns:Unsubscribe",
                "sqs:CreateQueue",
                "sqs:DeleteMessage",
                "sqs:DeleteQueue",
                "sqs:ListQueues",
                "sqs:ReceiveMessage",
                "sqs:SetQueueAttributes"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

To learn how to create IAM roles and assign them the required permissions, see Appendix A. Creating IAM Roles in AWS.
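
The following offline check is an added example, not part of the Veeam documentation or product. It compares an identity-based policy document against the action list above and reports required actions that are missing, explicitly denied, or allowed only on a narrower Resource than "*", plus any wildcard grants broader than the list. The function names, the report keys and the SAMPLE policy (including its account ID and key ARN) are constructed for illustration; NotAction and Condition elements are not evaluated.

```python
import json
from fnmatch import fnmatchcase

# Required actions, copied from the policy on this page and grouped by service.
REQUIRED = {
    "ec2": "DescribeAvailabilityZones DescribeRegions",
    "events": "DeleteRule DescribeRule ListTargetsByRule PutRule PutTargets RemoveTargets",
    "iam": "GetContextKeysForPrincipalPolicy ListAccountAliases SimulatePrincipalPolicy",
    "kms": "CreateGrant DescribeKey GetKeyPolicy ListAliases ListKeys",
    "rds": "AddTagsToResource CopyDBClusterSnapshot CopyDBSnapshot CreateDBClusterSnapshot "
           "CreateDBSnapshot DeleteDBClusterSnapshot DeleteDBSnapshot DescribeDBClusters "
           "DescribeDBClusterSnapshots DescribeDBInstances DescribeDBSnapshots DescribeDBSubnetGroups "
           "ListTagsForResource ModifyDBClusterSnapshotAttribute ModifyDBSnapshotAttribute RemoveTagsFromResource",
    "sns": "CreateTopic DeleteTopic ListSubscriptionsByTopic ListTopics SetTopicAttributes "
           "Subscribe Unsubscribe",
    "sqs": "CreateQueue DeleteMessage DeleteQueue ListQueues ReceiveMessage SetQueueAttributes",
}
REQUIRED_ACTIONS = sorted(f"{svc}:{n}" for svc, names in REQUIRED.items() for n in names.split())

def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def _matches(action, patterns):
    # IAM action names are case-insensitive; "*" and "?" act as wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def audit(policy_json):
    allow_all, allow_scoped, deny, wildcards = [], [], [], set()
    for s in _as_list(json.loads(policy_json)["Statement"]):
        actions = _as_list(s.get("Action"))  # NotAction and Condition are not evaluated
        if s.get("Effect") == "Deny":
            deny += actions  # any matching Deny is reported, even a resource-scoped one
        elif s.get("Effect") == "Allow":
            (allow_all if "*" in _as_list(s.get("Resource")) else allow_scoped).extend(actions)
            wildcards.update(a for a in actions if "*" in a or "?" in a)
    report = {"missing": [], "denied": [], "resource_scoped": [], "wildcards": sorted(wildcards)}
    for act in REQUIRED_ACTIONS:
        bucket = ("denied" if _matches(act, deny) else None if _matches(act, allow_all)
                  else "resource_scoped" if _matches(act, allow_scoped) else "missing")
        if bucket:
            report[bucket].append(act)
    return report

SAMPLE = json.dumps({"Statement": [  # constructed policy, not taken from the page
    {"Effect": "Allow", "Resource": "*", "Action": ["ec2:Describe*", "events:*", "rds:*", "sns:*",
        "sqs:*", "iam:ListAccountAliases", "kms:DescribeKey", "kms:ListAliases", "kms:ListKeys"]},
    {"Effect": "Allow", "Action": "kms:CreateGrant",
     "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"Effect": "Deny", "Resource": "*", "Action": "rds:DeleteDBSnapshot"}]})
```

Calling audit(SAMPLE) returns the report as a dictionary; a policy identical to the one on this page yields empty lists for every key.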