Managing IAM Roles


    For each data protection and disaster recovery operation in Veeam Backup for AWS, you must specify an IAM role. Veeam Backup for AWS uses permissions of the specified IAM role to access AWS services and resources, and to perform the necessary operation.

    For example, Veeam Backup for AWS requires access to the following AWS resources:

    • EC2 resources — to display the list of EC2 instances in backup policy settings, to create cloud-native snapshots and snapshot replicas, to launch worker instances, and to restore backed-up data.
    • S3 resources — to store backed-up data to backup repositories, to perform transform operations with backup chains, and to copy backed-up data from backup repositories to worker instances during restore.

    If you plan to back up and restore data within the initial AWS account, you can use the Default Backup Restore IAM role that is added to Veeam Backup for AWS upon the product installation from AWS Marketplace or from the AMI using the Automatic configuration mode. If you have installed Veeam Backup for AWS from the AMI using the Manual configuration mode, or plan to protect data of another AWS account, or keep backed-up data in another AWS account, you must add IAM roles that have permissions to access AWS services and resources of the account.

    To specify an IAM role for the necessary operation, you must first add this IAM role to Veeam Backup for AWS. You can add IAM roles that already exist in your AWS accounts, or instruct Veeam Backup for AWS to create and add IAM roles with predefined permission sets. To learn how to create and add IAM roles in Veeam Backup for AWS, see Adding IAM Roles.

    Note

    To grant an IAM role permissions on required AWS services and resources, you must create an IAM policy in the JSON format in the IAM Management Console, and then attach it to the IAM role that you plan to use in Veeam Backup for AWS. To learn how to create an IAM policy, see Appendix A. Creating IAM Policies. To learn how to create an IAM role in the IAM Management Console, see Appendix B. Creating IAM Roles. For more information on required IAM role permissions, see IAM Permissions.

    Default Backup Restore IAM Role

    Veeam Backup for AWS comes with the predefined Default Backup Restore IAM role. This IAM role has all the required permissions to perform operations within the initial AWS account — back up any instance or VPC within the account, store backups in any Amazon S3 bucket within the account, and so on. For more information on the permissions of this role, see Full List of IAM Permissions.

    You do not need to add the Default Backup Restore IAM role to Veeam Backup for AWS. This role is created in the initial AWS account and added to Veeam Backup for AWS automatically upon the product installation from AWS Marketplace or from the AMI using the Automatic configuration mode.

    Related Resources

    This section assumes that you have a good understanding of IAM Roles, Creating IAM Policies and Adding and Removing IAM Identity Permissions.
