This is an archive version of the document. To get the most up-to-date information, see the current version.

Managing IAM Roles

Note

This section assumes that you have a good understanding of IAM Roles, Creating IAM Policies and Adding and Removing IAM Identity Permissions.

Veeam Backup for AWS uses the permissions of IAM roles to access AWS services and resources and to perform backup and restore operations. For example, Veeam Backup for AWS requires access to the following AWS resources:

  • EC2 resources — to display the list of EC2 instances in backup policy settings, to create cloud-native snapshots and snapshot replicas, to launch worker instances, and to restore backed-up data.
  • S3 resources — to store backed-up data in backup repositories, to perform transform operations with backup chains, and to copy backed-up data from backup repositories to worker instances during restore.

For each data protection and disaster recovery operation performed by Veeam Backup for AWS, you must specify an IAM role:

  • If you plan to protect data within the initial AWS account, you can specify the Default Backup Restore IAM role, which is added to Veeam Backup for AWS when the product is installed either from AWS Marketplace or from the AMI using the Automatic configuration mode. This IAM role has already been assigned all the permissions required to perform operations in Veeam Backup for AWS. For more information on the Default Backup Restore IAM role permissions, see Full List of IAM Permissions.

    However, you can also specify a custom IAM role that has granular permissions to perform specific operations within the initial AWS account. For more information on the granular permissions, see IAM Permissions.

  • If you plan to protect data of another AWS account, to keep backed-up data in another AWS account, or if you have installed Veeam Backup for AWS from the AMI using the Manual configuration mode, you must specify a custom IAM role that has granular permissions to perform operations in a specific AWS account.

To be able to use a custom IAM role to perform backup and restore operations, you must first add this IAM role to Veeam Backup for AWS. You can add IAM roles that already exist in your AWS accounts, or instruct Veeam Backup for AWS to create and add IAM roles with predefined permission sets. To learn how to add IAM roles in Veeam Backup for AWS, see Adding IAM Roles. To learn how to create IAM roles in the AWS Management Console, see Appendix A. Creating IAM Roles in AWS.
