Step 4. Enable EFS Indexing

At the Indexing step of the wizard, you can instruct Veeam Backup for AWS to perform indexing of the processed EFS file systems. EFS indexing allows you to perform EFS file-level recovery operations without specifying the exact paths to the necessary files folders and to restore them using different restore points during one restore session. While performing EFS indexing of a file system, Veeam Backup for AWS creates a catalog of all files and directories (an index) and saves the index to a backup repository. This index is further used to reproduce the file system structure and to enable browsing and searching for specific files within an EFS backup.

To learn how indexing works, see EFS Backup.


To perform indexing of the EFS file systems, Veeam Backup for AWS deploys a worker instance per each processed file system in the same AWS account where the file system resides — production account. By default, the most appropriate network settings of AWS Regions are used to deploy these worker instances. However, you can add specific worker configurations that will be used to deploy worker instances used for EFS indexing operations.

Limitations and Requirements

Before you enable EFS indexing, consider the following:

  • A file system must have at least one mount target created.
  • A mount target that will be used by worker instances to connect to the file system must be associated with a security group that allows inbound access on port 2049.
  • If no specific worker configurations are added to Veeam Backup for AWS, the most appropriate network settings of AWS Regions are used to deploy worker instances for EFS indexing operations. For Veeam Backup for AWS to be able to deploy a worker instance used to create an index of a file system:
  • A VPC in which the file system has the mount target must have at least one security group that allows outbound access on ports 2049 and 443. These ports are used by worker instances to mount the file system and to communicate with AWS services.
  • The DNS resolution option must be enabled for the VPC. For more information, see AWS Documentation.
  • As Veeam Backup for AWS uses public access to communicate with worker instances, the public IPv4 addressing attribute must be enabled at least for one subnet in the Availability Zone in which the file system has a mount target and the VPC to which the subnet belongs must have an internet gateway attached. VPC and subnet route tables must have routes that direct internet-bound traffic to this internet gateway.

If you want worker instances to operate in a private network, enable the private network deployment functionality and configure specific VPC endpoints for the subnet to let Veeam Backup for AWS use private IPv4 addresses. Alternatively, configure VPC interface endpoints as described in section Appendix C. Configuring Endpoints in AWS.

Enabling EFS Indexing

To enable indexing of the processed file systems, do the following:

  1. Set the Enable indexing toggle to On.
  2. In the Repositories window, select a repository where the created EFS indexes will be stored, and click Apply.

For a backup repository to be displayed in the Repositories list, it must be added to Veeam Backup for AWS as described in section Adding Backup Repositories Using Web UI. The list shows only backup repositories of the S3 Standard storage class that have encryption enabled and immutability disabled.

  1. In the IAM role section, choose an IAM role that will be attached to the worker instances and used by Veeam Backup for AWS to communicate with these instances. The role must be assigned permissions listed in section Worker Deployment Role Permissions in Production Accounts.

For an IAM role to be displayed in the list, it must be added to Veeam Backup for AWS with the Production worker role selected as described in section Adding IAM Roles. The list shows only IAM roles that belong to the production account — account to which the file systems belong. Note that the specified IAM role must be included in one or more instance profiles. For more information on instance profiles, see AWS Documentation.


It is recommended that you check whether both the IAM role specified at step 3.1 of the wizard and the IAM role specified in the IAM role section have the required permissions. If some permissions of the IAM role are missing, the backup policy will fail to complete successfully. To run the IAM role permission check, click Check Permissions and follow the instructions provided in section Checking IAM Role Permissions.

Creating EFS Backup Policy