Managing IAM Roles


This section assumes that you have a good understanding of IAM Roles, Creating IAM Policies and Adding and Removing IAM Identity Permissions.

Veeam Backup for AWS uses permissions of IAM roles to access AWS services and resources, and to perform the backup and restore operations. For example, Veeam Backup for AWS requires access to the following AWS resources:

  • EC2 resources — to display the list of EC2 instances in backup policy settings, to create cloud-native snapshots, snapshot replicas, to launch worker instances and to restore backed-up data.
  • S3 resources — to store backed-up data in backup repositories, to perform transform operations with backup chains, and to copy backed-up data from backup repositories to worker instances during restore.

For each data protection and disaster recovery operation performed by Veeam Backup for AWS, you must specify an IAM role. By design, Veeam Backup for AWS comes with the Default Backup Restore IAM role. This role is added to the configuration database upon product installation and is automatically assigned all the permissions required to perform data protection tasks within the initial AWS account in which the backup appliance resides, unless you deployed the product from an AMI and manually assigned the role a minimum set of permissions.

If you want to back up and restore resources in other AWS accounts, or if you want to specify custom IAM roles with granular permissions to perform specific operations, add IAM roles to Veeam Backup for AWS. You can add IAM roles that already exist in your AWS accounts, or instruct Veeam Backup for AWS to create and add IAM roles with predefined permission sets. To learn how to create IAM roles in the AWS Management Console, see Appendix A. Creating IAM Roles in AWS.

In This Section