Veeam Backup for AWS 6a [Archived]
User Guide
Related documents
Search
This is an archive version of the document. To get the most up-to-date information, see the current version.

FLR Worker IAM Role Permissions

You can instruct Veeam Backup for AWS to launch worker instances in production accounts when performing file-level restore operations for EC2 instances. To do that, enable worker deployment in the production account in the file-level restore settings, and specify an IAM role that will be used to launch worker instances, and then attached to these instances and used by Veeam Backup for AWS to communicate with them.

IAM Role Requirements and Permissions

To allow Veeam Backup for AWS to launch worker instances, attach IAM roles to the instances and further to communicate with these instances, IAM roles specified in the file-level restore settings must meet the following requirements:

  1. The IAM roles must be included at least in one instance profile. For more information on instance profiles, see AWS Documentation.
  2. The backup appliance must be granted permissions to assume the IAM roles.

To allow the backup appliance to assume an IAM role, configure trust relationships for the role and add the following statement to the trust policy.

{

 "Version": "2012-10-17",

 "Statement": [

   {

     "Effect": "Allow",

     "Action": "sts:AssumeRole",

     "Principal": {

       "AWS": "<Role ARN>"

     }

   }

 ]

}

Where <Role ARN> is the ARN either of the Impersonation IAM role attached to the backup appliance or of an AWS account to which the backup appliance belongs.

For more information on the Impersonation IAM role, see Required IAM Permissions. To learn how to configure trust relationships for a role and how to find the ARN of the Impersonation IAM role, see Appendix A. Creating IAM Roles in AWS.

  1. The Amazon EC2 service must be granted permissions to assume the IAM roles.

To allow the Amazon EC2 service to assume an IAM role, configure trust relationships for the role and add the following statement to the trust policy.

{

 "Version": "2012-10-17",

 "Statement": [

   {

     "Effect": "Allow",

     "Action": "sts:AssumeRole",

     "Principal": {

       "Service": "ec2.amazonaws.com"

     }

   }

 ]

}

To learn how to configure trust relationships, see Appendix A. Creating IAM Roles in AWS.

  1. The IAM roles must be granted the following permissions:

{

   "Version": "2012-10-17",

   "Statement": [

       {

           "Action": [

               "ec2:AttachNetworkInterface",

               "ec2:AttachVolume",

               "ec2:CopySnapshot",

               "ec2:CreateKeyPair",

               "ec2:CreateNetworkInterface",

               "ec2:CreateSnapshot",

               "ec2:CreateTags",

               "ec2:CreateVolume",

               "ec2:DeleteKeyPair",

               "ec2:DeleteNetworkInterface",

               "ec2:DeleteSnapshot",

               "ec2:DeleteVolume",

               "ec2:DescribeAccountAttributes",

               "ec2:DescribeAddresses",

               "ec2:DescribeAvailabilityZones",

               "ec2:DescribeInstanceAttribute",

               "ec2:DescribeInstances",

               "ec2:DescribeKeyPairs",

               "ec2:DescribeNetworkInterfaces",

               "ec2:DescribeRegions",

               "ec2:DescribeRouteTables",

               "ec2:DescribeSecurityGroups",

               "ec2:DescribeSnapshots",

               "ec2:DescribeSubnets",

               "ec2:DescribeVolumeAttribute",

               "ec2:DescribeVolumes",

               "ec2:DescribeVpcs",

               "ec2:DetachVolume",

               "ec2:ModifyInstanceAttribute",

               "ec2:RunInstances",

               "ec2:StartInstances",

               "ec2:StopInstances",

               "ec2:TerminateInstances",

               "ec2messages:AcknowledgeMessage",

               "ec2messages:DeleteMessage",

               "ec2messages:FailMessage",

               "ec2messages:GetEndpoint",

               "ec2messages:GetMessages",

               "ec2messages:SendReply",

               "iam:GetContextKeysForPrincipalPolicy",

               "iam:GetRole",

               "iam:ListAccountAliases",

               "iam:ListInstanceProfilesForRole",

               "iam:PassRole",

               "iam:SimulatePrincipalPolicy",

               "kms:CreateGrant",

               "kms:DescribeKey",

               "kms:GetKeyPolicy",

               "kms:ListAliases",

               "kms:ListKeys",

               "kms:ReEncryptFrom",

               "kms:ReEncryptTo",

               "sqs:CreateQueue",

               "sqs:DeleteMessage",

               "sqs:DeleteQueue",

               "sqs:ListQueues",

               "sqs:ReceiveMessage",

               "sqs:SendMessage",

               "ssm:DescribeAssociation",

               "ssm:DescribeDocument",

               "ssm:GetCommandInvocation",

               "ssm:GetDeployablePatchSnapshotForInstance",

               "ssm:GetDocument",

               "ssm:GetManifest",

               "ssm:GetParameter",

               "ssm:GetParameters",

               "ssm:ListAssociations",

               "ssm:ListInstanceAssociations",

               "ssm:PutComplianceItems",

               "ssm:PutConfigurePackageResult",

               "ssm:PutInventory",

               "ssm:SendCommand",

               "ssm:UpdateAssociationStatus",

               "ssm:UpdateInstanceAssociationStatus",

               "ssm:UpdateInstanceInformation",

               "ssmmessages:CreateControlChannel",

               "ssmmessages:CreateDataChannel",

               "ssmmessages:OpenControlChannel",

               "ssmmessages:OpenDataChannel"

           ],

                     "Resource": "*",

                     "Effect": "Allow"

         }

   ]

}

To learn how to create IAM roles and assign them the required permissions, see Appendix A. Creating IAM Roles in AWS.

View all results across Veeam
Back to document search