For every data protection and disaster recovery operation that you plan to perform in Veeam Backup for AWS, you must specify an IAM role. Veeam Backup for AWS uses the specified IAM role to access AWS resources. Depending on the operation that you plan to perform, the specified IAM role must have permissions on the following AWS resources:
- EC2 resources — to allow Veeam Backup for AWS to display the list of EC2 instances in backup policy settings, create cloud-native snapshots, launch worker instances and restore backed-up data.
- S3 resources — to allow Veeam Backup for AWS to store backed-up data in S3 repositories, perform transform operations on backup chains, and copy backed-up data from S3 repositories to worker instances during restore.
To grant an IAM role permissions on the necessary AWS resources, create a policy in JSON format in the IAM Management Console and attach it to the IAM role. Policy examples are provided in the following Veeam KB articles: KB3032, KB3033, KB3034.
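The policy document mentioned above is plain JSON that you write yourself. The following Python is an added example, not Veeam's own policy and not the contents of the KB articles: it builds a policy document whose EC2 snapshot and S3 statements are scoped to one account and one bucket, and then runs a least-privilege check that flags any Allow statement granting wildcard actions or unscoped write access, which is the review a practitioner would do before attaching a policy to a backup role. The account ID and bucket name are constructed placeholders; the IAM action names are real, but the set shown is illustrative and not the exact set Veeam requires (see the KB articles for that). The check itself is general and can be run over any policy document, not only the one built here.

```python
"""Build and sanity-check a scoped IAM policy document for a backup role.

Added example for illustration. Not Veeam's policy; the action list is
illustrative only. ACCOUNT_ID and BACKUP_BUCKET are constructed placeholders.
"""
import json

ACCOUNT_ID = "123456789012"               # constructed placeholder
BACKUP_BUCKET = "example-backup-repository"  # constructed placeholder

# Action name prefixes treated as read-only by the least-privilege check.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Head")


def build_backup_policy(account_id: str, bucket: str) -> dict:
    """Return a policy document with EC2 and S3 statements scoped to the given account and bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # Discovery: listing instances, volumes and snapshots in backup policy settings.
                # ec2:Describe* actions do not support resource-level ARNs, so "*" is required here.
                "Sid": "Ec2Describe",
                "Effect": "Allow",
                "Action": ["ec2:DescribeInstances", "ec2:DescribeVolumes", "ec2:DescribeSnapshots"],
                "Resource": "*",
            },
            {
                # Cloud-native snapshots, limited to volumes in this account (snapshot ARNs carry no account ID).
                "Sid": "Ec2Snapshots",
                "Effect": "Allow",
                "Action": ["ec2:CreateSnapshot", "ec2:DeleteSnapshot", "ec2:CreateTags"],
                "Resource": [
                    f"arn:aws:ec2:*:{account_id}:volume/*",
                    "arn:aws:ec2:*::snapshot/*",
                ],
            },
            {
                # S3 repository access, limited to the one backup bucket and its objects.
                "Sid": "S3Repository",
                "Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            },
        ],
    }


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_read_only(action: str) -> bool:
    """True for actions whose operation name starts with a read-only prefix (e.g. ec2:DescribeInstances)."""
    _service, _, name = action.partition(":")
    return name.startswith(READ_ONLY_PREFIXES)


def find_overbroad_statements(policy: dict) -> list:
    """Return the Sids of Allow statements that grant wildcard actions or non-read-only actions on Resource "*"."""
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
        unscoped_write = "*" in resources and any(not _is_read_only(a) for a in actions)
        if wildcard_action or unscoped_write:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


def policy_document_json(policy: dict) -> str:
    """Serialise the policy as the JSON text you would paste into the IAM console policy editor."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = build_backup_policy(ACCOUNT_ID, BACKUP_BUCKET)
    print(policy_document_json(policy))
    print("Over-broad statements:", find_overbroad_statements(policy) or "none")
```

Run the script to print the policy text and the result of the check; paste the JSON into the IAM console policy editor and attach the resulting policy to the IAM role. A separate policy per role (for example one for snapshot operations, one for S3 repository access) keeps the resource isolation that the next section recommends.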
Using IAM Roles
You can use IAM roles or cross-account IAM roles created in the initial AWS account — AWS account where the EC2 instance hosting Veeam Backup for AWS runs. For resource isolation, it is recommended that you use separate IAM roles for different operations in Veeam Backup for AWS. For details on how to add IAM roles to Veeam Backup for AWS, see Adding IAM Roles.
Default Backup Restore IAM Role
During installation, Veeam Backup for AWS creates the Default Backup Restore IAM role in the initial AWS account. The Default Backup Restore IAM role has permissions on all EC2 instances and S3 buckets in the initial AWS account. This preconfigured IAM role is already added to Veeam Backup for AWS — you can use it to back up and restore EC2 instance data within the initial AWS account.