Required Permissions

Make sure that the user accounts you plan to use have the permissions described in this section:

Veeam Backup & Replication User Account Permissions

The user account that you plan to use when installing and working with Veeam Backup & Replication must have permissions described in the Installing and Using Veeam Backup & Replication section in the Veeam Backup & Replication User Guide.

AWS User Account and IAM Role Permissions

When deploying a new Veeam Backup for AWS appliance, connecting to an existing Veeam Backup for AWS appliance or adding S3 repositories, you specify an AWS account. This AWS account must have permissions from the following list.


{
 "cloudwatch:DeleteAlarms",
 "cloudwatch:PutMetricAlarm",
 "dlm:CreateLifecyclePolicy",
 "dlm:DeleteLifecyclePolicy",
 "ec2:AllocateAddress",
 "ec2:AssociateAddress",
 "ec2:AttachInternetGateway",
 "ec2:AttachVolume",
 "ec2:AuthorizeSecurityGroupEgress",
 "ec2:AuthorizeSecurityGroupIngress",
 "ec2:CreateInternetGateway",
 "ec2:CreateKeyPair",
 "ec2:CreateRoute",
 "ec2:CreateSecurityGroup",
 "ec2:CreateSnapshot",
 "ec2:CreateSubnet",
 "ec2:CreateTags",
 "ec2:CreateVolume",
 "ec2:CreateVpc",
 "ec2:DeleteInternetGateway",
 "ec2:DeleteSecurityGroup",
 "ec2:DeleteSnapshot",
 "ec2:DeleteSubnet",
 "ec2:DeleteVolume",
 "ec2:DeleteVpc",
 "ec2:DescribeAddresses",
 "ec2:DescribeAvailabilityZones",
 "ec2:DescribeIamInstanceProfileAssociations",
 "ec2:DescribeImages",
 "ec2:DescribeInstanceTypes",
 "ec2:DescribeInstances",
 "ec2:DescribeInternetGateways",
 "ec2:DescribeKeyPairs",
 "ec2:DescribeRouteTables",
 "ec2:DescribeSecurityGroups",
 "ec2:DescribeSnapshots",
 "ec2:DescribeSubnets",
 "ec2:DescribeVolumes",
 "ec2:DescribeVpcs",
 "ec2:DetachInternetGateway",
 "ec2:DetachVolume",
 "ec2:DisassociateAddress",
 "ec2:ModifyVpcAttribute",
 "ec2:ReleaseAddress",
 "ec2:RunInstances",
 "ec2:StartInstances",
 "ec2:StopInstances",
 "ec2:TerminateInstances",
 "iam:AddRoleToInstanceProfile",
 "iam:AttachRolePolicy",
 "iam:CreateInstanceProfile",
 "iam:CreatePolicy",
 "iam:CreateRole",
 "iam:CreateServiceLinkedRole",
 "iam:DeleteInstanceProfile",
 "iam:DeleteRole",
 "iam:DeleteRolePolicy",
 "iam:DetachRolePolicy",
 "iam:GetInstanceProfile",
 "iam:GetPolicy",
 "iam:GetRole",
 "iam:ListAttachedRolePolicies",
 "iam:PassRole",
 "iam:PutRolePolicy",
 "iam:RemoveRoleFromInstanceProfile",
 "iam:SimulatePrincipalPolicy",
 "s3:CreateBucket",
 "s3:GetBucketLocation",
 "s3:GetBucketObjectLockConfiguration",
 "s3:GetBucketVersioning",
 "s3:GetObject",
 "s3:ListAllMyBuckets",
 "s3:ListBucket",
 "s3:PutObject",
 "ssm:SendCommand",
 "sts:GetCallerIdentity"
}
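
As an added example (not part of the Veeam documentation), the following Python check parses the quoted list format used above and reports which required actions an IAM policy document does not grant. The list excerpt is copied from this page; the sample policy and the function names are constructed for illustration.

```python
import json
import re
from fnmatch import fnmatchcase

# Excerpt of the page's permission list; paste the full list in practice.
REQUIRED_TEXT = '''{
 "ec2:CreateSnapshot",
 "ec2:DescribeInstances",
 "ec2:RunInstances",
 "iam:PassRole",
 "s3:GetObject",
 "s3:PutObject",
 "sts:GetCallerIdentity"
}'''

# Constructed sample policy (assumption), not taken from the page.
SAMPLE_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:createsnapshot", "s3:*"], "Resource": "*"},
  {"Effect": "Allow", "Action": "sts:GetCallerIdentity", "Resource": "*"},
  {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "*"}
]}''')

def parse_required(text):
    """Extract "service:Action" names from the quoted list format used on the page."""
    return re.findall(r'"([a-z0-9-]+:[A-Za-z0-9]+)"', text)

def action_patterns(policy, effect):
    """Collect lower-cased Action patterns from statements with the given Effect."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    found = []
    for stmt in statements:
        if stmt.get("Effect") == effect:
            actions = stmt.get("Action", [])
            found += [a.lower() for a in ([actions] if isinstance(actions, str) else actions)]
    return found

def missing_actions(policy, required):
    """Return required actions that have no matching Allow or that hit a Deny.
    Matching is case-insensitive with * and ? wildcards. Resource, Condition,
    NotAction, SCPs and permission boundaries are NOT evaluated."""
    allow, deny = action_patterns(policy, "Allow"), action_patterns(policy, "Deny")
    def hit(action, patterns):
        return any(fnmatchcase(action.lower(), p) for p in patterns)
    return [a for a in required if not hit(a, allow) or hit(a, deny)]

if __name__ == "__main__":
    print(missing_actions(SAMPLE_POLICY, parse_required(REQUIRED_TEXT)))
```

A non-empty result names the actions to add before deployment; an empty result only shows that the action names are covered, not that resource scoping or conditions permit the calls.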

When performing data protection and disaster recovery operations, you specify an IAM role or an IAM user. Veeam Backup for AWS uses permissions of IAM roles and IAM users to access AWS services and resources.

In the AWS account that you specify when adding or deploying the Veeam Backup for AWS appliance, the Default Backup Restore IAM role is created automatically. This IAM role has all the permissions required to perform operations within the initial AWS account — to back up any Amazon EC2 instance within the account, to store backups in any Amazon S3 bucket within the account, and so on.

If you want to specify granular permissions, to protect EC2 instances of another AWS account or to keep backed-up data in another AWS account, you must add IAM roles that have access to AWS services and resources of that account. Examples of permissions for different operations are described in the following Veeam KB articles: KB3032, KB3033, KB3034. To specify an IAM role for the necessary operation, you must first add this IAM role to Veeam Backup for AWS. For more information on IAM roles and how to add them, see the IAM Roles section in the Veeam Backup for AWS User Guide.

If you plan to copy image-level backups or to restore guest OS files from image-level backups, make sure that the accounts specified for S3 repositories where the image-level backups are stored have permissions described in the Using Amazon S3 Object Storage section in the Veeam Backup & Replication User Guide. For more information on how to specify user accounts for existing S3 repositories, see Connecting to Existing Appliance. For more information on how to specify user accounts for new S3 repositories, see Adding New S3 Repositories.

Appliance User Role Permissions

When connecting to an existing Veeam Backup for AWS appliance, you must specify a Veeam Backup for AWS appliance user. AWS Plug-in for Veeam Backup & Replication uses credentials of this user to authenticate against the appliance and get access to appliance functionality. The user can be the Default Admin created during the initial configuration of the appliance or another user with Portal Administrator role. For more information on roles, see the Managing Permissions section in the Veeam Backup for AWS User Guide.

Permissions for Virtualization Servers and Hosts

If you plan to copy backups to on-premises repositories, to perform restore to VMware vSphere or Microsoft Hyper-V, or to perform other tasks related to virtualization servers or hosts, you must check that the user account specified for these servers and hosts has the permissions listed in both the Using Virtualization Servers and Hosts section in the Veeam Backup & Replication User Guide for VMware vSphere and in the Using Virtualization Servers and Hosts section in the Veeam Backup & Replication User Guide for Microsoft Hyper-V.

Azure User Account Permissions

The Azure user account that you plan to use when restoring EC2 instances to Microsoft Azure must have permissions described in the Adding Microsoft Azure Accounts section in the Veeam Backup & Replication User Guide.
