Required IAM Permissions

    When you install the solution from AWS Marketplace, Veeam Backup for AWS creates 2 IAM roles:

    • Impersonation IAM role — is attached to the backup appliance and is then used to assume other IAM roles added to the Veeam Backup for AWS infrastructure.
    • Default Backup Restore IAM role — is automatically added to Veeam Backup for AWS and is assigned all the permissions required to perform operations within the initial AWS account. For example, the role is used to back up AWS resources within the account, to store backups in any Amazon S3 bucket within the account, and so on.

    When you install the solution from the AMI, you can either create these IAM roles manually, or instruct Veeam Backup for AWS to use one-time access keys for automatic creation of the required IAM roles.

    Creating IAM Roles Manually

    If you choose to create IAM roles manually, you must do this in the AWS Management Console before you start installing Veeam Backup for AWS. To learn how to create IAM roles, see Appendix A. Creating IAM Roles in AWS.

    The created IAM roles must have specific permissions:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "sts:AssumeRole"
                ],
                "Resource": "*"
            }
        ]
    }

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "aws-marketplace:MeterUsage"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "sts:AssumeRole"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }

    However, if you plan to use this role for specific operations or do not plan to use this role at all, you can assign the role granular permissions. For more information, see IAM Permissions.

    Tip

    You will be able to add other IAM roles later, after Veeam Backup for AWS installation. For more information, see Managing IAM Roles.

    Using One-Time Access Keys

    If you choose to use one-time keys of an IAM user to create IAM roles automatically, no additional steps are required before or during Veeam Backup for AWS installation. However, after installation, you must instruct Veeam Backup for AWS to automatically create IAM roles required for the backup appliance configuration. To learn how to do that, see After You Install.

    The IAM user must have the following permissions:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "iam:CreateInstanceProfile",
                    "iam:DeleteInstanceProfile",
                    "iam:GetRole",
                    "ec2:DescribeInstances",
                    "iam:GetInstanceProfile",
                    "ec2:DescribeIamInstanceProfileAssociations",
                    "cloudwatch:DeleteAlarms",
                    "ec2:CreateTags",
                    "iam:RemoveRoleFromInstanceProfile",
                    "iam:CreateRole",
                    "iam:DeleteRole",
                    "iam:AttachRolePolicy",
                    "iam:PutRolePolicy",
                    "iam:ListInstanceProfiles",
                    "iam:AddRoleToInstanceProfile",
                    "dlm:CreateLifecyclePolicy",
                    "cloudwatch:PutMetricAlarm",
                    "iam:PassRole",
                    "iam:DetachRolePolicy",
                    "iam:SimulatePrincipalPolicy",
                    "ec2:DisassociateIamInstanceProfile",
                    "iam:DeleteRolePolicy",
                    "dlm:DeleteLifecyclePolicy",
                    "ec2:AssociateIamInstanceProfile"
                ],
                "Resource": "*"
            }
        ]
    }
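
As an added example (not Veeam's code), the script below checks a candidate policy for the one-time-key IAM user against the action list on this page: it reports required actions the policy does not effectively allow and any allowed patterns that go beyond the list. It matches on `Action` only (`Resource`, `Condition` and `NotAction` are not evaluated); the `audit` function and the sample policy are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Actions copied from the one-time access key policy on this page.
REQUIRED = set("""
iam:CreateInstanceProfile iam:DeleteInstanceProfile iam:GetInstanceProfile
iam:ListInstanceProfiles iam:AddRoleToInstanceProfile iam:RemoveRoleFromInstanceProfile
iam:GetRole iam:CreateRole iam:DeleteRole iam:PassRole iam:AttachRolePolicy
iam:DetachRolePolicy iam:PutRolePolicy iam:DeleteRolePolicy iam:SimulatePrincipalPolicy
ec2:DescribeInstances ec2:DescribeIamInstanceProfileAssociations ec2:CreateTags
ec2:AssociateIamInstanceProfile ec2:DisassociateIamInstanceProfile
cloudwatch:PutMetricAlarm cloudwatch:DeleteAlarms
dlm:CreateLifecyclePolicy dlm:DeleteLifecyclePolicy
""".split())

def _as_list(value):
    # IAM accepts a single item or a list for "Statement" and "Action".
    return value if isinstance(value, list) else [value]

def _patterns(policy, effect):
    # Lower-cased action patterns from all statements with the given Effect.
    return [a.lower() for s in _as_list(policy["Statement"])
            if s.get("Effect") == effect for a in _as_list(s.get("Action", []))]

def audit(policy_json, required=REQUIRED):
    """Return (missing, excess): required actions not effectively allowed, and
    allowed patterns outside the required list (wildcards or unlisted actions)."""
    policy = json.loads(policy_json)
    allow, deny = _patterns(policy, "Allow"), _patterns(policy, "Deny")

    def granted(action):
        a = action.lower()  # IAM action names are case-insensitive
        return (any(fnmatchcase(a, p) for p in allow)
                and not any(fnmatchcase(a, p) for p in deny))  # explicit Deny wins

    missing = sorted(a for a in required if not granted(a))
    wanted = {a.lower() for a in required}
    excess = sorted(p for p in set(allow) if p not in wanted)
    return missing, excess

# Constructed sample: one required action omitted, one wildcard added, one Deny.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": sorted(REQUIRED - {"iam:PassRole"}) + ["s3:*"]},
    {"Effect": "Deny", "Resource": "*", "Action": "dlm:Delete*"}]})

if __name__ == "__main__":
    missing, excess = audit(SAMPLE)
    print("missing:", missing)
    print("excess:", excess)
```

An empty `missing` list with an empty `excess` list means the policy allows exactly the actions listed above and nothing broader.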