Required Permissions

In this article

    Make sure user accounts that you plan to use have permissions described in this section.

    Veeam Backup & Replication User Account Permissions

    The user account that you plan to use when installing and working with Veeam Backup & Replication must have permissions described in the Installing and Using Veeam Backup & Replication section in the Veeam Backup & Replication User Guide.

    AWS User Account and IAM Role Permissions

    When deploying a new Veeam Backup for AWS appliance, connecting to an existing Veeam Backup for AWS appliance, adding standard backup repositories or archive repositories, you specify an AWS account. This AWS account must have permissions from the following list.

    Required PermissionsList of Permissions

    {

     "cloudwatch:DeleteAlarms",

     "cloudwatch:PutMetricAlarm",

     "dlm:CreateLifecyclePolicy",

     "dlm:DeleteLifecyclePolicy",

     "ec2:AllocateAddress",

     "ec2:AssociateAddress",

     "ec2:AttachInternetGateway",

     "ec2:AttachVolume",

     "ec2:AuthorizeSecurityGroupEgress",

     "ec2:AuthorizeSecurityGroupIngress",

     "ec2:CreateInternetGateway",

     "ec2:CreateKeyPair",

     "ec2:CreateRoute",

     "ec2:CreateSecurityGroup",

     "ec2:CreateSnapshot",

     "ec2:CreateSubnet",

     "ec2:CreateTags",

     "ec2:CreateVolume",

     "ec2:CreateVpc",

     "ec2:DeleteInternetGateway",

     "ec2:DeleteSecurityGroup",

     "ec2:DeleteSnapshot",

     "ec2:DeleteSubnet",

     "ec2:DeleteVolume",

     "ec2:DeleteVpc",

     "ec2:DescribeAddresses",

     "ec2:DescribeAvailabilityZones",

     "ec2:DescribeIamInstanceProfileAssociations",

     "ec2:DescribeImages",

     "ec2:DescribeInstanceTypes",

     "ec2:DescribeInstances",

     "ec2:DescribeInternetGateways",

     "ec2:DescribeKeyPairs",

     "ec2:DescribeRegions",

     "ec2:DescribeRouteTables",

     "ec2:DescribeSecurityGroups",

     "ec2:DescribeSnapshots",

     "ec2:DescribeSubnets",

     "ec2:DescribeVolumes",

     "ec2:DescribeVpcs",

     "ec2:DetachInternetGateway",

     "ec2:DetachVolume",

     "ec2:DisassociateAddress",

     "ec2:ModifyVpcAttribute",

     "ec2:ReleaseAddress",

     "ec2:RunInstances",

     "ec2:StartInstances",

     "ec2:StopInstances",

     "ec2:TerminateInstances",

     "iam:AddRoleToInstanceProfile",

     "iam:AttachRolePolicy",

     "iam:CreateInstanceProfile",

     "iam:CreatePolicy",

     "iam:CreateRole",

     "iam:CreateServiceLinkedRole",

     "iam:DeleteInstanceProfile",

     "iam:DeleteRole",

     "iam:DeleteRolePolicy",

     "iam:DetachRolePolicy",

     "iam:GetInstanceProfile",

     "iam:GetPolicy",

     "iam:GetRole",

     "iam:ListAttachedRolePolicies",

     "iam:ListInstanceProfilesForRole",

     "iam:ListRolePolicies",

     "iam:PassRole",

     "iam:PutRolePolicy",

     "iam:RemoveRoleFromInstanceProfile",

     "iam:SimulatePrincipalPolicy",

     "iam:UpdateAssumeRolePolicy",

     "s3:CreateBucket",

     "s3:GetBucketLocation",

     "s3:GetBucketObjectLockConfiguration",

     "s3:GetBucketVersioning",

     "s3:GetObject",

     "s3:ListAllMyBuckets",

     "s3:ListBucket",

     "s3:PutObject",

     "ssm:GetCommandInvocation",

     "ssm:SendCommand",

     "sts:GetCallerIdentity"

    }

    You can also specify granular permissions. For more information, see the following Veeam KB articles: KB4139, KB4140, KB4141.

    When performing data protection and disaster recovery operations, you specify an IAM role or an IAM user. Veeam Backup for AWS uses permissions of IAM roles and IAM users to access AWS services and resources.

    In the AWS account that you specify when adding or deploying the Veeam Backup for AWS appliance, the Default Backup Restore IAM role is created automatically. This IAM role has all the permissions required to perform operations within the initial AWS account — to back up any Amazon EC2 instance within the account, to store backups in any Amazon S3 bucket within the account, and so on.

    If you want to specify granular permissions, to protect EC2 instances of another AWS account or to keep backed-up data in another AWS account, you must add IAM roles that have access to AWS services and resources of that account. Examples of permissions for different operations are described in the following Veeam KB articles: KB3032, KB3033, KB3034. To specify an IAM role for the necessary operation, you must first add this IAM role to Veeam Backup for AWS. For more information on IAM roles and how to add them, see the IAM Roles section in the Veeam Backup for AWS User Guide.

    If you plan to copy image-level backups or to restore guest OS files from image-level backups, make sure that the accounts specified for standard backup repositories where the image-level backups are stored have permissions described in the Using Amazon S3 Object Storage section in the Veeam Backup & Replication User Guide. For more information on how to specify user accounts for existing standard backup repositories, see Connecting to Existing Appliance. For more information on how to specify user accounts for new standard backup repositories, see Deploying Standard Backup Repositories.

    Appliance User Role Permissions

    When connecting to an existing Veeam Backup for AWS appliance, you must specify a Veeam Backup for AWS appliance user. AWS Plug-in for Veeam Backup & Replication uses credentials of this user to authenticate against the appliance and get access to appliance functionality. The user can be the Default Admin created during the initial configuration of the appliance or another user with Portal Administrator role. For more information on roles, see the Managing Permissions section in the Veeam Backup for AWS User Guide.

    Permissions for Virtualization Servers and Hosts

    If you plan to copy backups to on-premises repositories, to perform restore to VMware vSphere or Microsoft Hyper-V, or to perform other tasks related to virtualization servers or hosts, you must check that the user account specified for these servers and host has the required permissions. these permissions are listed in the Using Virtualization Servers and Hosts section in the User Guide for VMware vSphere and in the Using Virtualization Servers and Hosts section in the User Guide for Microsoft Hyper-V.

    Azure User Account Permissions

    The Azure user account that you plan to use when restoring EC2 instances to Microsoft Azure must have permissions described in the Adding Microsoft Azure Accounts section (see step 5) in the Veeam Backup & Replication User Guide.

    Google Cloud IAM Service Account Permissions

    The IAM service account that you plan to use to connect to Google Cloud Platform must be granted roles described in the Google Cloud Platform IAM User Permissions section in the Veeam Backup & Replication User Guide.