Required IAM Permissions

When you install the solution using the CloudFormation template, Veeam Backup for AWS creates two IAM roles:

  • Impersonation IAM role — is attached to the backup appliance and is then used to assume other IAM roles added to Veeam Backup for AWS.
  • Default Backup Restore IAM role — is automatically added to Veeam Backup for AWS and is assigned all the permissions required to perform operations within the initial AWS account. For example, the role is used to back up AWS resources within the account, to store backups in any Amazon S3 bucket within the account, and so on.

When you install the solution from the AMI, you can either create these IAM roles manually, or instruct Veeam Backup for AWS to use one-time access keys for automatic creation of the required IAM roles.

Using One-Time Access Keys

If you choose to use one-time keys of an IAM user to create IAM roles automatically, no additional steps are required before or during Veeam Backup for AWS installation. However, after installation, you must instruct Veeam Backup for AWS to automatically create IAM roles required for the backup appliance configuration. To learn how to do that, see After You Install.

The IAM user must have the following permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:DeleteAlarms",
        "cloudwatch:PutMetricAlarm",
        "ec2:AssociateIamInstanceProfile",
        "ec2:CreateTags",
        "ec2:DescribeIamInstanceProfileAssociations",
        "ec2:DescribeInstances",
        "ec2:DisassociateIamInstanceProfile",
        "iam:AddRoleToInstanceProfile",
        "iam:AttachRolePolicy",
        "iam:CreateInstanceProfile",
        "iam:CreatePolicy",
        "iam:CreatePolicyVersion",
        "iam:CreateRole",
        "iam:CreateServiceLinkedRole",
        "iam:DeleteInstanceProfile",
        "iam:DeletePolicy",
        "iam:DeletePolicyVersion",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:GetAccountSummary",
        "iam:GetInstanceProfile",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:GetRole",
        "iam:ListAttachedRolePolicies",
        "iam:ListInstanceProfiles",
        "iam:ListPolicyVersions",
        "iam:PassRole",
        "iam:PutRolePolicy",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:SimulatePrincipalPolicy"
      ],
      "Resource": "*"
    }
  ]
}

Creating IAM Roles Manually

If you choose to create IAM roles manually, you must do this in the AWS Management Console before you start installing Veeam Backup for AWS. To learn how to create IAM roles, see Appendix A. Creating IAM Roles in AWS.

The created IAM roles must have specific permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": "*"
    }
  ]
}

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "aws-marketplace:MeterUsage"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "AWS": "<Role ARN>"
      }
    }
  ]
}

To learn how to configure trust relationships, see Before You Begin.

  • The Default Backup Restore IAM role must have permissions required to perform all operations available in Veeam Backup for AWS within the initial AWS account. For more information on the required permissions, see Full List of IAM Permissions.

However, if you plan to use this role for specific operations or do not plan to use this role at all, you can assign the role granular permissions. For more information, see IAM Permissions.
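Two checks worth running before the installation, whether you hand the appliance one-time access keys or create the roles by hand: that a candidate IAM policy actually grants every action listed above, and that the trust relationship names one specific role rather than a wildcard principal. This is an added Python example, not part of the Veeam documentation; REQUIRED_ACTIONS holds only a subset of the page's action list and SAMPLE_POLICY is a constructed input.

```python
import fnmatch

# Part of the action list the page gives for the one-time-access-key IAM user;
# for a real check extend it with the full list from the policy above.
REQUIRED_ACTIONS = [
    "iam:CreateRole", "iam:AttachRolePolicy", "iam:PassRole",
    "iam:CreateInstanceProfile", "ec2:AssociateIamInstanceProfile",
    "iam:SimulatePrincipalPolicy",
]

def _as_list(value):
    # IAM lets Action and Principal values be a single string or a list.
    return [value] if isinstance(value, str) else list(value or [])

def missing_actions(policy_doc, required=REQUIRED_ACTIONS):
    """Return the required actions the policy does not grant. Only Effect and
    Action are evaluated (Resource and Condition are ignored), so this is a
    pre-install sanity check, not iam:SimulatePrincipalPolicy; Deny wins."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy_doc.get("Statement")):
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in _as_list(stmt.get("Action")):
            # IAM action matching is case-insensitive; '*' and '?' are wildcards.
            bucket.update(a for a in required
                          if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return sorted(set(required) - (allowed - denied))

def assume_role_principals(trust_doc):
    """Return the AWS principals the trust policy lets assume the role.
    For the trust relationship above, "<Role ARN>" must name one specific
    role; a "*" in the result means any AWS principal could assume it."""
    principals = []
    for stmt in _as_list(trust_doc.get("Statement")):
        if (stmt.get("Effect") != "Allow"
                or "sts:AssumeRole" not in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            principals.append("*")
        elif isinstance(principal, dict):
            principals.extend(_as_list(principal.get("AWS")))
    return principals

# Constructed sample: omits iam:PassRole and denies iam:SimulatePrincipalPolicy.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "iam:Create*", "iam:AttachRolePolicy", "ec2:AssociateIamInstanceProfile"]},
    {"Effect": "Deny", "Resource": "*", "Action": "iam:SimulatePrincipalPolicy"},
]}
```

Run missing_actions(SAMPLE_POLICY) to see both gaps reported; the same function applied to the role's actual policy document and the full action list gives the pre-install check.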

Tip

You will be able to add other IAM roles later, after Veeam Backup for AWS installation. For more information, see Managing IAM Roles.