Appendix A. Creating IAM Roles in AWS
You must specify an IAM role for each data protection and disaster recovery operation performed by Veeam Backup for AWS — the solution uses permissions of the specified IAM roles to access AWS services and resources. You can either create an IAM role using Veeam Backup for AWS, or, first create the role in AWS using the AWS Management Console, AWS CLI or AWS API, and then add this role to Veeam Backup for AWS.
This section describes how to create an IAM role for Veeam Backup for AWS using the AWS Management Console. To do that, perform the following steps:
- Log in to the AWS Management Console using credentials of an AWS account in which you want to create the IAM role.
- In the AWS services section, navigate to All Services > Security, Identity, & Compliance and click IAM. The IAM console will open.
- In the IAM console, navigate to Access Management > Roles and click Create role. The Create role wizard will open.
- At the Trust step of the wizard, do the following:
- To create the IAM role in the same AWS account where the backup appliance reside, click AWS service. Then, in the Choose a use case section, select EC2 to create the Backup Policy, Service or Restore IAM role or S3 to create the Repository IAM role.
In this case you must also configure trusted relationships for the created IAM role to allow Veeam Backup for AWS to assume the role.
- To create the IAM role in another account, click Another AWS account. Then, in the Account ID field, enter the ID of the trusted account — an AWS account where the backup appliance belongs.
If you want to increase the security of the role, select the Require external ID check box and enter a password. To learn how to use an external ID to increase security of an IAM role, see AWS Documentation.
- At the Permissions step of the wizard, select an IAM policy that must be attached to the IAM role.
For an IAM policy to be displayed in the list, it must be created in advance as described in section Appendix B. Creating IAM Policies in AWS.
- At the Tags step of the wizard, specify AWS tags that will be assigned to the IAM role.
- At the Review step of the wizard, specify a name and description for the IAM role. Review the configured settings and click Create role.
- Add the created IAM role to the Veeam Backup for AWS configuration database as described in section Adding IAM Roles.
After the IAM role is created, configure trust relationships to allow the Veeam Backup for AWS service to use the IAM role for performing operations. To do that:
- Open the EC2 Management console and navigate to Instances.
- In the Instances section, locate the EC2 instance running the backup appliance.
- At the Description tab, click a link to the right of IAM role.
- On the Summary page, copy the Role ARN — you will need it later.
- Open the IAM console and navigate to Roles.
- Click the name of the IAM role for which you want to configure trust relationships.
- On the Summary page, switch to the Trust relationships tab.
- Click Edit trust relationship.
- In the Policy Document field, paste the following:
"AWS": "<Role ARN>"
Where <Role ARN> is the ARN that you have copied at step 4.
- Click Update Trust Policy. Note that it may take up to 5 minutes for AWS to update the trust policy.