For each data protection and disaster recovery operation in Veeam Backup for AWS, you must specify an IAM role. Veeam Backup for AWS uses permissions of the specified IAM role to access AWS services and resources, and perform the necessary operation.
For example, the following operations require access to the following AWS resources:
- EC2 resources — to display the list of EC2 instances in backup policy settings, create cloud-native snapshots and snapshot replicas, launch worker instances, and restore backed-up data.
- S3 resources — to store backed-up data in S3 repositories, perform transform operations on backup chains, and copy backed-up data from S3 repositories to worker instances during restore.
To grant an IAM role permissions on the required AWS services and resources, create an IAM policy in JSON format in the IAM Management Console and attach it to the IAM role that you plan to use in Veeam Backup for AWS. Policy examples are described in these Veeam KB articles: KB3032, KB3033, KB3034.
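Because the IAM role's policy defines exactly what the backup appliance can do in the account, it is worth checking a policy document for over-broad grants before attaching it. The following is an added example, not Veeam's code, and the sample policy in it is constructed for illustration (it is not the permission set from the KB articles); the bucket name `example-veeam-repo` is a placeholder.

```python
"""Lint an IAM policy document before attaching it to the IAM role that
Veeam Backup for AWS will use. Added example, not Veeam's own code; the
sample policy is constructed and is NOT the KB3032/KB3033/KB3034 policy."""
import json

# Constructed sample: EC2 Describe* calls do not support resource-level
# restrictions, so they are scoped to "*"; the S3 data path is pinned to
# one hypothetical repository bucket; the last statement is deliberately
# over-broad so the linter has something to flag.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeSnapshots"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-veeam-repo",
                      "arn:aws:s3:::example-veeam-repo/*"]},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
})

def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]

def overbroad_statements(policy_json):
    """Return indexes of Allow statements granting a wildcard action
    ("*" or "<service>:*") on every resource ("*"). Such a statement makes
    the role far stronger than the backup and restore tasks require."""
    policy = json.loads(policy_json)
    flagged = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            flagged.append(idx)
    return flagged

def services_used(policy_json):
    """Set of service prefixes (ec2, s3, ...) the policy grants actions on."""
    policy = json.loads(policy_json)
    out = set()
    for stmt in _as_list(policy.get("Statement", [])):
        for action in _as_list(stmt.get("Action", [])):
            out.add("*" if action == "*" else action.split(":", 1)[0])
    return out

if __name__ == "__main__":
    print("over-broad statements:", overbroad_statements(SAMPLE_POLICY))
    print("services touched:", sorted(services_used(SAMPLE_POLICY)))
```

Statement index 2 is reported; remove or scope such a statement before attaching the policy to the role.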
To specify an IAM role for the necessary operation, you must first add this IAM role to Veeam Backup for AWS. You can add IAM roles that already exist in your AWS accounts, or instruct Veeam Backup for AWS to create and add IAM roles with predefined permission sets. For details on how to create and add IAM roles in Veeam Backup for AWS, see Adding IAM Roles.
Veeam Backup for AWS comes with the predefined Default Backup Restore IAM role. This IAM role has all the required permissions to perform operations within the initial AWS account — back up any EC2 instance within the account, store backups in any Amazon S3 bucket within the account, and so on.
You do not need to add the Default Backup Restore IAM role to Veeam Backup for AWS. This role is created in the initial AWS account and added to Veeam Backup for AWS automatically upon product installation.