Managing IAM Roles

In this article

    For each data protection and disaster recovery operation in Veeam Backup for AWS, you must specify an IAM role. Veeam Backup for AWS uses permissions of the specified IAM role to access AWS services and resources, and to perform the necessary operation.

    For example, Veeam Backup for AWS requires access to the following AWS resources:

    • EC2 resources — to display the list of EC2 instances in backup policy settings, to create cloud-native snapshots, snapshot replicas, to launch worker instances and to restore backed-up data.
    • S3 resources — to store backed-up data to S3 repositories, to perform transform operations with backup chains, and to copy backed-up data from S3 repositories to worker instances during restore.

    If you plan to back up and restore data within the initial AWS account, you can use the Default Backup Restore IAM role that is added to Veeam Backup for AWS upon the product installation. If you plan to protect data of another AWS account, or keep backed-up data in another AWS account, you must add IAM roles that have permissions to access AWS services and resources of that account.

    To specify an IAM role for the necessary operation, you must first add this IAM role to Veeam Backup for AWS. You can add IAM roles that already exist in your AWS accounts, or instruct Veeam Backup for AWS to create and add IAM roles with predefined permission sets. To learn how to create and add IAM roles in Veeam Backup for AWS, see Adding IAM Roles.


    To grant an IAM role permissions on required AWS services and resources, in the IAM Management Console, you must create an IAM policy in the JSON format, and then attach it to the IAM role that you plan to use in Veeam Backup for AWS. Policy examples are described in these Veeam KB articles: KB3032, KB3033, KB3034.

    Default Backup Restore IAM Role

    Veeam Backup for AWS comes with the predefined Default Backup Restore IAM role. This IAM role has all the required permissions to perform operations within the initial AWS account — back up any instance or VPC within the account, store backups in any Amazon S3 bucket within the account, and so on.

    You do not need to add the Default Backup Restore IAM to Veeam Backup for AWS. This role is created in the initial AWS account and added to Veeam Backup for AWS automatically upon the product installation.

    Related Resources

    This section assumes that you have a good understanding of IAM Roles, Creating IAM Policies and Adding and Removing IAM Identity Permissions.

    In This Section