Required IAM Permissions

    While installing the solution from AWS Marketplace, Veeam Backup for AWS creates 2 IAM roles:

    • Impersonation IAM role: attached to the backup appliance and then used to assume other IAM roles added to the Veeam Backup for AWS infrastructure.
    • Default Backup Restore IAM role: automatically added to the backup appliance and assigned all the permissions required to perform operations within the initial AWS account, for example to back up AWS resources within the account and to store backups in any Amazon S3 bucket within the account.

    When installing the solution from the AMI, you can either create these IAM roles manually, or instruct Veeam Backup for AWS to use one-time access keys for automatic creation of the required IAM roles.

    Creating IAM Roles Manually

    If you choose to create IAM roles manually, you must do this in the AWS Management Console before you start installing Veeam Backup for AWS. To learn how to create IAM roles, see Appendix B. Creating IAM Roles.

    Note that the created IAM roles must have specific permissions:

    {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "sts:AssumeRole"
               ],
               "Resource": "*"
           }
       ]
    }

    {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Action": [
                   "aws-marketplace:MeterUsage"
               ],
               "Resource": "*",
               "Effect": "Allow"
           }
       ]
    }

    {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Action": [
                   "sts:AssumeRole"
               ],
               "Resource": "*",
               "Effect": "Allow"
           }
       ]
    }

    Tip

    After you install Veeam Backup for AWS, you will be able to add other IAM roles and specify granular permissions to perform different backup and restore operations within the initial AWS account or in another AWS account. For more information, see Managing Permissions.

    Using One-Time Access Keys

    If you choose to use one-time keys to create IAM roles automatically, no additional steps are required before or during Veeam Backup for AWS installation. However, after you install, you must choose the Automatic configuration mode for the backup appliance configuration. To learn how to choose the configuration mode, see After You Install.

    Note that to perform the initial configuration you must specify the keys of an IAM user that has the following permissions:

    {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "VisualEditor0",
               "Effect": "Allow",
               "Action": [
                   "iam:CreateInstanceProfile",
                   "iam:DeleteInstanceProfile",
                   "iam:GetRole",
                   "ec2:DescribeInstances",
                   "iam:GetInstanceProfile",
                   "ec2:DescribeIamInstanceProfileAssociations",
                   "cloudwatch:DeleteAlarms",
                   "ec2:CreateTags",
                   "iam:RemoveRoleFromInstanceProfile",
                   "iam:CreateRole",
                   "iam:DeleteRole",
                   "iam:AttachRolePolicy",
                   "iam:PutRolePolicy",
                   "iam:ListInstanceProfiles",
                   "iam:AddRoleToInstanceProfile",
                   "dlm:CreateLifecyclePolicy",
                   "cloudwatch:PutMetricAlarm",
                   "iam:PassRole",
                   "iam:DetachRolePolicy",
                   "iam:SimulatePrincipalPolicy",
                   "ec2:DisassociateIamInstanceProfile",
                   "iam:DeleteRolePolicy",
                   "dlm:DeleteLifecyclePolicy",
                   "ec2:AssociateIamInstanceProfile"
               ],
               "Resource": "*"
           }
       ]
    }
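
An added example, not part of the Veeam documentation: a short Python check that reads the policy documents shown on this page and lists the actions that can grant or obtain additional privileges when they are allowed on an unscoped "Resource": "*". The SENSITIVE set and the function names are assumptions made for this illustration.

```python
import json
from fnmatch import fnmatchcase

# Actions that can grant or obtain additional privileges. The selection is an
# assumption made for this example, not a list published by Veeam or AWS.
SENSITIVE = {"iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy",
             "iam:PassRole", "iam:AddRoleToInstanceProfile", "sts:AssumeRole"}

# Policy documents copied from this page (whitespace compacted).
ASSUME_ROLE_POLICY = """{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": "*"}]}"""

ONE_TIME_KEYS_POLICY = """{"Version": "2012-10-17", "Statement": [
  {"Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*", "Action": [
    "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile", "iam:GetRole",
    "ec2:DescribeInstances", "iam:GetInstanceProfile",
    "ec2:DescribeIamInstanceProfileAssociations", "cloudwatch:DeleteAlarms",
    "ec2:CreateTags", "iam:RemoveRoleFromInstanceProfile", "iam:CreateRole",
    "iam:DeleteRole", "iam:AttachRolePolicy", "iam:PutRolePolicy",
    "iam:ListInstanceProfiles", "iam:AddRoleToInstanceProfile",
    "dlm:CreateLifecyclePolicy", "cloudwatch:PutMetricAlarm", "iam:PassRole",
    "iam:DetachRolePolicy", "iam:SimulatePrincipalPolicy",
    "ec2:DisassociateIamInstanceProfile", "iam:DeleteRolePolicy",
    "dlm:DeleteLifecyclePolicy", "ec2:AssociateIamInstanceProfile"]}]}"""

def as_list(value):
    """IAM accepts either one string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)

def wildcard_findings(policy_json):
    """Return the sensitive actions a policy allows on an unscoped Resource '*'."""
    # NotAction, NotResource and Condition are not evaluated; review those by hand.
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    found = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        if "*" not in as_list(stmt.get("Resource", [])):
            continue
        for pattern in as_list(stmt["Action"]):
            # Action names are case-insensitive and may hold wildcards ("iam:*").
            found |= {a for a in SENSITIVE
                      if fnmatchcase(a.lower(), pattern.lower())}
    return sorted(found)

if __name__ == "__main__":
    print(wildcard_findings(ASSUME_ROLE_POLICY), wildcard_findings(ONE_TIME_KEYS_POLICY))
```

Any action it reports is worth scoping to specific role ARNs or restricting with a condition where the deployment allows it.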