IAM Role Permissions on CMKs

Depending on an operation performed with EC2 instances that have encrypted EBS volumes, IAM roles specified for the operation may require permissions on CMKs.

Tip

For information on how to grant permissions on a CMK to an IAM role, see this Veeam KB article.

Creating Cloud-Native Snapshots

The process of creating cloud-native snapshots of an EC2 instance with encrypted EBS volumes does not differ from the same process for an EC2 instance with unencrypted EBS volumes. An IAM role specified for creating cloud-native snapshots does not require permissions on CMKs with which the EBS volumes are encrypted.

Note that Veeam Backup for AWS encrypts created cloud-native snapshots with the same CMKs with which EBS volumes of the processed EC2 instance are encrypted.

Creating Image-Level Backups

The process of creating image-level backups of an EC2 instance with encrypted EBS volumes differs depending on whether a worker instance processing EBS volume data is launched in the same AWS account or not.

Image-Level Backup in Same AWS Account

If the worker instance is launched in the same AWS account where the processed EC2 instance resides, Veeam Backup for AWS performs the following steps:

  1. Creates a cloud-native snapshot of the EC2 instance.
  2. Re-creates EBS volumes from the cloud-native snapshot, and then attaches them to the worker instance to read and further transfer EBS volume data to an S3 repository.

An IAM role specified for launching worker instances requires permissions on CMKs with which EBS volumes of the EC2 instance are encrypted (source CMKs).

Cross-Account Image-Level Backup

If the worker instance is launched in an AWS account different from the one where the processed EC2 instance resides, Veeam Backup for AWS performs the following steps:

  1. Creates a cloud-native snapshot of the EC2 instance.
  2. Shares the created cloud-native snapshot with an AWS account where the worker instance is launched.

To share the snapshot, an IAM role that was specified for creating this snapshot requires permissions on CMKs with which EBS volumes of the EC2 instance are encrypted (source CMKs).

Important

If EBS volumes of the EC2 instance are encrypted with the default key for EBS encryption (aws/ebs alias), Veeam Backup for AWS will not be able to share the snapshot with another AWS account and the backup process will fail. For more information, see this Veeam KB article.

  3. Re-creates EBS volumes from the shared cloud-native snapshot, and then attaches them to the worker instance to read and further transfer EBS volume data to an S3 repository.

Note that according to AWS requirements, EBS volumes created from encrypted snapshots must also be encrypted. Thus, Veeam Backup for AWS encrypts re-created EBS volumes with the default encryption key specified for the AWS region where the worker instance is launched.

An IAM role specified for launching worker instances requires permissions on the following CMKs:

  • Source CMKs.
  • The default encryption key.

Creating Snapshot Replicas

The process of creating snapshot replicas of an EC2 instance with encrypted EBS volumes differs depending on whether you create snapshot replicas within the same AWS account where the EC2 instance resides or not.

Snapshot Replication in Same AWS Account

If you create snapshot replicas within the same AWS account where the EC2 instance resides, Veeam Backup for AWS performs the following steps:

  1. Creates a cloud-native snapshot of the EC2 instance.
  2. Copies the created cloud-native snapshot to the target AWS region.

An IAM role specified for creating snapshot replicas requires permissions on the following CMKs:

  • CMKs with which EBS volumes of the EC2 instance are encrypted (source CMKs).
  • A CMK with which you want to encrypt EBS volume data in the snapshot replica (target CMK).

Note that if you do not specify the target CMK, the snapshot replica of an encrypted EC2 instance will be encrypted with the default encryption key specified for the target AWS region. In this case, the IAM role will require permissions on the default encryption key.

Cross-Account Snapshot Replication

If you create a snapshot replica in an AWS account different from the one where the EC2 instance resides, Veeam Backup for AWS performs the following steps:

  1. Creates a cloud-native snapshot of the EC2 instance.
  2. Shares the created cloud-native snapshot with the target AWS account.

To share the snapshot, an IAM role that was specified for creating this snapshot requires permissions on CMKs with which EBS volumes of the EC2 instance are encrypted (source CMKs).

Important

If EBS volumes of the EC2 instance are encrypted with the default key for EBS encryption (aws/ebs alias), Veeam Backup for AWS will not be able to share the snapshot with another AWS account and the replication process will fail. For more information, see this Veeam KB article.

  3. Copies the shared cloud-native snapshot to the target AWS region.

An IAM role specified for creating snapshot replicas requires permissions on the following CMKs:

  • Source CMKs.
  • A CMK with which you want to encrypt EBS volume data in the snapshot replica (target CMK).

Note that if you do not specify the target CMK, the snapshot replica of an encrypted EC2 instance will be encrypted with the default encryption key specified for the target AWS region in the target AWS account. Thus, the IAM role will require permissions on the default encryption key.

Restoring from Cloud-Native Snapshots

The process of restoring an EC2 instance from an encrypted cloud-native snapshot differs depending on whether you perform restore to the same location where the cloud-native snapshot resides or not.

Note

Consider the following:

  • An AWS account in which the cloud-native snapshot resides is also referred to as the source AWS account.
  • An AWS account to which you restore the EC2 instance is also referred to as the target AWS account.

Restore to Same AWS Region in Same AWS Account

To restore the EC2 instance to the same AWS region in the source AWS account, Veeam Backup for AWS uses permissions of an IAM role specified for restore. The IAM role requires permissions on the following CMKs:

  • CMKs with which the cloud-native snapshot is encrypted (source CMKs).
  • A CMK with which you want to encrypt EBS volumes of the restored EC2 instance (target CMK).

Restore to Different AWS Region in Same AWS Account

To restore the EC2 instance to a different AWS region in the source AWS account, Veeam Backup for AWS performs the following steps:

  1. Copies the cloud-native snapshot to the target AWS region.

To copy the snapshot, Veeam Backup for AWS uses permissions of an IAM role that was specified for creating this snapshot. The IAM role requires permissions on the following CMKs:

  • CMKs with which EBS volumes of the backed-up EC2 instance are encrypted (source CMKs).
  • A CMK with which you want to encrypt EBS volumes of the restored EC2 instance (target CMK).

  2. Uses the copied cloud-native snapshot to create EBS volumes in the target AWS region.

The IAM role specified for restore requires permissions on the target CMK.

Cross-Account Restore to Same AWS Region

To restore the EC2 instance to the same AWS region in an AWS account that is different from the source AWS account, Veeam Backup for AWS performs the following steps:

  1. Shares the cloud-native snapshot with the target AWS account.

To share the snapshot, an IAM role that was specified for creating this snapshot requires permissions on CMKs with which EBS volumes of the backed-up EC2 instance are encrypted (source CMKs).

Important

According to AWS limitations, cloud-native snapshots encrypted with the default key for EBS encryption (aws/ebs alias) cannot be shared between AWS accounts. Thus, if the cloud-native snapshot is encrypted with the default key for EBS encryption, Veeam Backup for AWS will not be able to share the snapshot and the restore process will fail. For more information, see this Veeam KB article.

  2. Uses the shared cloud-native snapshot to create EBS volumes in the same AWS region within the target AWS account.

An IAM role specified for restore requires permissions on the following CMKs:

  • Source CMKs.
  • A CMK with which you want to encrypt EBS volumes of the restored EC2 instance (target CMK).

Cross-Account Restore to Different AWS Region

To restore the EC2 instance to a different AWS region in an AWS account different from the source AWS account, Veeam Backup for AWS performs the following steps:

  1. Copies the cloud-native snapshot to the target AWS region in the source AWS account.

To copy the snapshot, Veeam Backup for AWS uses permissions of an IAM role that was specified for creating this snapshot. The IAM role requires permissions on the following CMKs:

  • CMKs with which EBS volumes of the backed-up EC2 instance are encrypted (source CMKs).
  • The default encryption key specified for the target AWS region in the source AWS account.

  2. Shares the copied cloud-native snapshot with the target AWS account.

Important

According to AWS limitations, cloud-native snapshots encrypted with the default key for EBS encryption (aws/ebs alias) cannot be shared between AWS accounts. Thus, if the default encryption key specified for the target AWS region in the source AWS account is the default key for EBS encryption, Veeam Backup for AWS will not be able to share the snapshot and the restore process will fail. For more information, see this Veeam KB article.

  3. Uses the shared cloud-native snapshot to create EBS volumes in the target AWS region within the target AWS account.

An IAM role specified for restore requires permissions on the following CMKs:

  • The default encryption key.
  • A CMK with which you want to encrypt EBS volumes of the restored EC2 instance (target CMK).

Restoring from Image-Level Backups

The process of restoring an EC2 instance with encrypted EBS volumes from an image-level backup differs depending on whether a worker instance is launched in the same AWS account to which you perform restore or not.

Note

Consider the following:

  • An AWS account that owns an IAM role specified for launching worker instances is also referred to as the source AWS account.
  • An AWS account to which you restore the EC2 instance is also referred to as the target AWS account.
  • Veeam Backup for AWS always launches a worker instance in a target AWS region specified in restore settings. For more information, see Worker Instances.

Restore to Same AWS Account

If the worker instance is launched in the same AWS account to which you perform restore, an IAM role specified for launching worker instances requires permissions on the CMK with which you want to encrypt EBS volumes of the restored EC2 instance (target CMK).

Cross-Account Restore

If the worker instance is launched in an AWS account that is different from an AWS account to which you perform restore, Veeam Backup for AWS performs the following steps:

  1. On the worker instance, Veeam Backup for AWS restores EBS volumes from the image-level backup to the target AWS region in the source AWS account.

To protect your data at this stage, Veeam Backup for AWS encrypts restored EBS volumes with a default encryption key specified for the target AWS region in the source AWS account. Thus, an IAM role specified for launching worker instances requires permissions on the default encryption key.

  2. Creates snapshots of restored EBS volumes.
  3. Shares the created EBS snapshots with the target AWS account.

Important

According to AWS limitations, snapshots encrypted with the default key for EBS encryption (aws/ebs alias) cannot be shared between AWS accounts. Thus, if the default encryption key specified for the target AWS region in the source AWS account is the default key for EBS encryption, Veeam Backup for AWS will not be able to share the snapshot and the restore process will fail. For more information, see this Veeam KB article.

  4. Uses shared EBS snapshots to create EBS volumes in the target AWS region within the target AWS account.

An IAM role specified for restore requires permissions on the following CMKs:

  • The default encryption key.
  • A CMK with which you want to encrypt EBS volumes of the restored EC2 instance (target CMK).
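Every Important note in this article turns on the same condition: snapshots encrypted with the AWS-managed default EBS key (aws/ebs alias) cannot be shared with another AWS account, so cross-account backup, replication and restore fail. The following added example (not Veeam's code) checks the volumes of an instance for that condition before a cross-account operation is configured; it assumes the response shapes of KMS DescribeKey / ListAliases and EC2 DescribeVolumes and uses constructed placeholder identifiers.

```python
# Added example, not Veeam code: pre-flight check for the cross-account failure
# mode the Important notes describe. Dictionaries mirror the shape of KMS
# DescribeKey / ListAliases and EC2 DescribeVolumes responses but are constructed
# inline with placeholder IDs so the check runs offline.

AWS_EBS_ALIAS = "alias/aws/ebs"

def is_aws_managed_ebs_key(key_metadata, aliases):
    """True if this is the AWS-managed default EBS key (KeyManager "AWS" and
    targeted by alias/aws/ebs). Snapshots under it cannot be shared cross-account."""
    if key_metadata.get("KeyManager") != "AWS":
        return False
    return any(a["AliasName"] == AWS_EBS_ALIAS
               and a.get("TargetKeyId") == key_metadata["KeyId"] for a in aliases)

def find_unshareable_volumes(volumes, keys_by_arn, aliases):
    """Map each encrypted volume that would block cross-account sharing to a reason.
    keys_by_arn holds KeyMetadata per key ARN (in practice the result of
    kms.describe_key(KeyId=volume["KmsKeyId"])); missing metadata is reported too."""
    blocked = {}
    for vol in volumes:
        if not vol.get("Encrypted"):
            continue  # unencrypted volumes need no CMK permissions at all
        meta = keys_by_arn.get(vol.get("KmsKeyId"))
        if meta is None:
            blocked[vol["VolumeId"]] = "key-metadata-unavailable"
        elif is_aws_managed_ebs_key(meta, aliases):
            blocked[vol["VolumeId"]] = "aws-managed-default-key"
    return blocked

# Constructed sample data: placeholder account, key and volume identifiers.
EBS_KEY_ID = "00000000-0000-4000-8000-0000000000aa"
CMK_KEY_ID = "00000000-0000-4000-8000-0000000000bb"
EBS_ARN = "arn:aws:kms:us-east-1:111122223333:key/" + EBS_KEY_ID
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/" + CMK_KEY_ID
SAMPLE_ALIASES = [{"AliasName": "alias/aws/ebs", "TargetKeyId": EBS_KEY_ID},
                  {"AliasName": "alias/backup-source", "TargetKeyId": CMK_KEY_ID}]
SAMPLE_KEYS = {EBS_ARN: {"KeyId": EBS_KEY_ID, "KeyManager": "AWS"},
               CMK_ARN: {"KeyId": CMK_KEY_ID, "KeyManager": "CUSTOMER"}}
SAMPLE_VOLUMES = [{"VolumeId": "vol-0default", "Encrypted": True, "KmsKeyId": EBS_ARN},
                  {"VolumeId": "vol-0customer", "Encrypted": True, "KmsKeyId": CMK_ARN},
                  {"VolumeId": "vol-0plain", "Encrypted": False}]

if __name__ == "__main__":
    print(find_unshareable_volumes(SAMPLE_VOLUMES, SAMPLE_KEYS, SAMPLE_ALIASES))
```

A volume reported as `aws-managed-default-key` must be re-encrypted with a customer managed CMK (or the job kept within one AWS account) before any of the cross-account scenarios above can succeed.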
