Appendix A. Creating IAM Roles in AWS


This section provides instructions on steps performed in a third-party application. Keep in mind that the instructions may become outdated. For up-to-date instructions, see AWS Documentation.

You must specify an IAM role for each data protection and disaster recovery operation performed by Veeam Backup for AWS — the solution uses permissions of the specified IAM roles to access AWS services and resources. You can either create an IAM role using Veeam Backup for AWS, or, first create the role in AWS using the AWS Management Console, AWS CLI or AWS API, and then add this role to Veeam Backup for AWS.

This section describes how to create an IAM role for Veeam Backup for AWS using the AWS Management Console. To do that, do the following:

  1. Log in to the AWS Management Console using credentials of an AWS account in which you want to create the IAM role.
  2. Navigate to All Services > Security, Identity, & Compliance and click IAM.
  3. In the IAM console, navigate to Access Management > Roles and click Create role.
  4. Complete the Create role wizard:
  1. At the Select trusted entity step of the wizard, do the following:
  • To create the IAM role in the same AWS account where the backup appliance reside, click AWS service. Then, in the Choose a use case section, select EC2 to create the Backup Policy, Service or Restore IAM role or S3 to create the Repository IAM role.

In this case you must also configure trust relationships for the created IAM role to allow Veeam Backup for AWS to assume the role.

  • To create the IAM role in another account, click Another AWS account. Then, in the Account ID field, enter the ID of the trusted account — an AWS account where the backup appliance belongs.

If you want to increase the security of the role, select the Require external ID check box and enter a password. To learn how to use an external ID to increase security of an IAM role, see AWS Documentation.

  1. At the Add permissions step of the wizard, select an IAM policy that must be attached to the IAM role.

For an IAM policy to be displayed in the list, it must be created in advance as described in section Appendix B. Creating IAM Policies in AWS.

  1. At the Role details step of the wizard, specify a name and description for the IAM role.
  2. At the Tags step of the wizard, specify AWS tags that will be assigned to the IAM role.
  3. Click Create role.
  1. Add the created IAM role to the Veeam Backup for AWS configuration database as described in section Adding IAM Roles.

Configuring Trust Relationships

After the IAM role is created, configure trust relationships to allow the Veeam Backup for AWS service to use the IAM role for performing operations. To do that:

  1. Open the EC2 Management console and navigate to Instances.
  2. In the Instances section, locate the EC2 instance running the backup appliance.
  3. On the Security tab, click a link to the right of IAM role.
  4. On the Summary page, copy the Role ARN — you will need it later.
  5. Open the IAM console and navigate to Roles.
  6. Click the name of the IAM role for which you want to configure trust relationships.
  7. On the Summary page, switch to the Trust relationships tab.
  8. Click Edit trust policy.
  9. In the Policy Document field, paste the following:


 "Version": "2012-10-17",

 "Statement": [


     "Effect": "Allow",

     "Action": "sts:AssumeRole",

     "Principal": {

       "AWS": "<Role ARN>"





Where <Role ARN> is the ARN that you have copied at step 4.

  1. Click Update Trust Policy. Note that it may take up to 5 minutes for AWS to update the trust policy.