Full List of IAM Permissions
If you want Veeam Backup for AWS to use a single IAM role to perform all backup and restore operations, you can use the Default Backup Restore IAM role created during Veeam Backup for AWS installation or a custom IAM role that meets the following requirements:
- The IAM role must be included in at least one instance profile. For more information on instance profiles, see AWS Documentation.
- The backup appliance must be granted permissions to assume the IAM roles. For more information on the requirements for adding IAM roles, see Before You Begin.
- The Amazon EC2, Amazon S3 Batch Operations and AWS Backup services must be granted permissions to assume the IAM roles.
To allow an Amazon service to assume an IAM role, configure trust relationships for the role and add the following statement to the trust policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "backup.amazonaws.com",
          "batchoperations.s3.amazonaws.com",
          "ec2.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
To learn how to modify role trust policies, see AWS Documentation.
- The IAM roles must be granted the following permissions:
Important
Since the size of a managed IAM policy attached to an IAM role cannot exceed 6,144 characters, it is recommended to create 3 IAM policies that together cover all the required permissions. For more information on IAM character limits, see AWS Documentation.
Permissions, part 1
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "backup-storage:MountCapsule",
        "backup:CopyFromBackupVault",
        "backup:CopyIntoBackupVault",
        "backup:CreateBackupVault",
        "backup:DeleteBackupVault",
        "backup:DeleteRecoveryPoint",
        "backup:DescribeBackupVault",
        "backup:DescribeBackupJob",
        "backup:DescribeCopyJob",
        "backup:DescribeRecoveryPoint",
        "backup:DescribeRegionSettings",
        "backup:DescribeRestoreJob",
        "backup:ListBackupVaults",
        "backup:ListRecoveryPointsByBackupVault",
        "backup:ListTags",
        "backup:StartBackupJob",
        "backup:StartCopyJob",
        "backup:StartRestoreJob",
        "backup:StopBackupJob",
        "backup:TagResource",
        "backup:UntagResource",
        "backup:UpdateRegionSettings",
        "ds:DescribeDirectories",
        "dynamodb:DeleteTable",
        "dynamodb:DescribeContinuousBackups",
        "dynamodb:DescribeTable",
        "dynamodb:DescribeTimeToLive",
        "dynamodb:ListTables",
        "dynamodb:ListTagsOfResource",
        "dynamodb:RestoreTableFromAwsBackup",
        "dynamodb:StartAwsBackupJob",
        "dynamodb:TagResource",
        "dynamodb:UpdateContinuousBackups",
        "dynamodb:UpdateTable",
        "dynamodb:UpdateTimeToLive",
        "ebs:ListChangedBlocks",
        "ebs:ListSnapshotBlocks",
        "ec2:AcceptVpcEndpointConnections",
        "ec2:AllocateAddress",
        "ec2:AssignPrivateIpAddresses",
        "ec2:AssociateAddress",
        "ec2:AssociateClientVpnTargetNetwork",
        "ec2:AssociateDhcpOptions",
        "ec2:AssociateIamInstanceProfile",
        "ec2:AssociateRouteTable",
        "ec2:AssociateSubnetCidrBlock",
        "ec2:AssociateTransitGatewayMulticastDomain",
        "ec2:AssociateTransitGatewayRouteTable",
        "ec2:AssociateVpcCidrBlock",
        "ec2:AttachInternetGateway",
        "ec2:AttachNetworkInterface",
        "ec2:AttachVolume",
        "ec2:AttachVpnGateway",
        "ec2:AuthorizeClientVpnIngress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CopySnapshot",
        "ec2:CreateClientVpnEndpoint",
        "ec2:CreateClientVpnRoute",
        "ec2:CreateCustomerGateway",
        "ec2:CreateDefaultSubnet",
        "ec2:CreateDefaultVpc",
        "ec2:CreateDhcpOptions",
        "ec2:CreateEgressOnlyInternetGateway",
        "ec2:CreateInternetGateway",
        "ec2:CreateKeyPair",
        "ec2:CreateManagedPrefixList",
        "ec2:CreateNatGateway",
        "ec2:CreateNetworkAcl",
        "ec2:CreateNetworkAclEntry",
        "ec2:CreateNetworkInterface",
        "ec2:CreateRoute",
        "ec2:CreateRouteTable",
        "ec2:CreateSecurityGroup",
        "ec2:CreateSnapshot",
        "ec2:CreateSnapshots",
        "ec2:CreateSubnet",
        "ec2:CreateTags",
        "ec2:CreateTransitGateway",
        "ec2:CreateTransitGatewayMulticastDomain",
        "ec2:CreateTransitGatewayPeeringAttachment",
        "ec2:CreateTransitGatewayPrefixListReference",
        "ec2:CreateTransitGatewayRoute",
        "ec2:CreateTransitGatewayRouteTable",
        "ec2:CreateTransitGatewayVpcAttachment",
        "ec2:CreateVolume",
        "ec2:CreateVpc",
        "ec2:CreateVpcEndpoint",
        "ec2:CreateVpcEndpointServiceConfiguration",
        "ec2:CreateVpcPeeringConnection",
        "ec2:CreateVpnConnection",
        "ec2:CreateVpnGateway",
        "ec2:DeleteClientVpnEndpoint",
        "ec2:DeleteClientVpnRoute",
        "ec2:DeleteCustomerGateway",
        "ec2:DeleteDhcpOptions",
        "ec2:DeleteEgressOnlyInternetGateway",
        "ec2:DeleteInternetGateway",
        "ec2:DeleteKeyPair",
        "ec2:DeleteManagedPrefixList",
        "ec2:DeleteNatGateway",
        "ec2:DeleteNetworkAcl",
        "ec2:DeleteNetworkAclEntry",
        "ec2:DeleteNetworkInterface",
        "ec2:DeleteRoute",
        "ec2:DeleteRouteTable",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteSnapshot",
        "ec2:DeleteSubnet",
        "ec2:DeleteTags",
        "ec2:DeleteTransitGateway",
        "ec2:DeleteTransitGatewayMulticastDomain",
        "ec2:DeleteTransitGatewayPeeringAttachment",
        "ec2:DeleteTransitGatewayPrefixListReference",
        "ec2:DeleteTransitGatewayRoute",
        "ec2:DeleteTransitGatewayRouteTable",
        "ec2:DeleteTransitGatewayVpcAttachment",
        "ec2:DeleteVolume",
        "ec2:DeleteVpc",
        "ec2:DeleteVpcEndpointServiceConfigurations",
        "ec2:DeleteVpcEndpoints",
        "ec2:DeleteVpcPeeringConnection",
        "ec2:DeleteVpnConnection",
        "ec2:DeleteVpnGateway",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAddresses",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeClientVpnAuthorizationRules",
        "ec2:DescribeClientVpnEndpoints",
        "ec2:DescribeClientVpnRoutes",
        "ec2:DescribeClientVpnTargetNetworks",
        "ec2:DescribeConversionTasks",
        "ec2:DescribeCustomerGateways",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeEgressOnlyInternetGateways",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeInstances",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeManagedPrefixLists",
        "ec2:DescribeNatGateways",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeNetworkInterfaceAttribute",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeRegions",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSnapshotAttribute",
        "ec2:DescribeSnapshots",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeTransitGatewayAttachments",
        "ec2:DescribeTransitGatewayMulticastDomains",
        "ec2:DescribeTransitGatewayPeeringAttachments",
        "ec2:DescribeTransitGatewayRouteTables",
        "ec2:DescribeTransitGatewayVpcAttachments",
        "ec2:DescribeTransitGateways",
        "ec2:DescribeVolumeAttribute",
        "ec2:DescribeVolumes",
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeVpcEndpointServiceConfigurations",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeVpcPeeringConnections",
        "ec2:DescribeVpcs",
        "ec2:DescribeVpnConnections",
        "ec2:DescribeVpnGateways",
        "ec2:DetachInternetGateway",
        "ec2:DetachVolume",
        "ec2:DetachVpnGateway",
        "ec2:DisableTransitGatewayRouteTablePropagation",
        "ec2:DisableVgwRoutePropagation",
        "ec2:DisassociateAddress",
        "ec2:DisassociateClientVpnTargetNetwork",
        "ec2:DisassociateRouteTable",
        "ec2:DisassociateTransitGatewayMulticastDomain",
        "ec2:DisassociateTransitGatewayRouteTable",
        "ec2:EnableTransitGatewayRouteTablePropagation",
        "ec2:EnableVgwRoutePropagation",
        "ec2:GetEbsDefaultKmsKeyId",
        "ec2:GetManagedPrefixListEntries",
        "ec2:GetTransitGatewayMulticastDomainAssociations",
        "ec2:GetTransitGatewayPrefixListReferences",
        "ec2:GetTransitGatewayRouteTableAssociations",
        "ec2:GetTransitGatewayRouteTablePropagations"
      ],
      "Resource": "*"
    }
  ]
}
```
Permissions, part 2
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:ModifyClientVpnEndpoint",
        "ec2:ModifyInstanceAttribute",
        "ec2:ModifyManagedPrefixList",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:ModifySnapshotAttribute",
        "ec2:ModifySubnetAttribute",
        "ec2:ModifyTransitGateway",
        "ec2:ModifyTransitGatewayVpcAttachment",
        "ec2:ModifyVolume",
        "ec2:ModifyVpcAttribute",
        "ec2:ModifyVpcEndpoint",
        "ec2:ModifyVpcEndpointServiceConfiguration",
        "ec2:ModifyVpcPeeringConnectionOptions",
        "ec2:ModifyVpnConnection",
        "ec2:RejectVpcEndpointConnections",
        "ec2:ReleaseAddress",
        "ec2:ReplaceNetworkAclAssociation",
        "ec2:ReplaceRouteTableAssociation",
        "ec2:RevokeClientVpnIngress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RunInstances",
        "ec2:SearchTransitGatewayRoutes",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "ec2messages:AcknowledgeMessage",
        "ec2messages:DeleteMessage",
        "ec2messages:FailMessage",
        "ec2messages:GetEndpoint",
        "ec2messages:GetMessages",
        "ec2messages:SendReply",
        "elasticfilesystem:Backup",
        "elasticfilesystem:CreateAccessPoint",
        "elasticfilesystem:CreateFileSystem",
        "elasticfilesystem:CreateMountTarget",
        "elasticfilesystem:DeleteAccessPoint",
        "elasticfilesystem:DeleteFileSystem",
        "elasticfilesystem:DeleteMountTarget",
        "elasticfilesystem:DescribeAccessPoints",
        "elasticfilesystem:DescribeBackupPolicy",
        "elasticfilesystem:DescribeFileSystemPolicy",
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeLifecycleConfiguration",
        "elasticfilesystem:DescribeMountTargetSecurityGroups",
        "elasticfilesystem:DescribeMountTargets",
        "elasticfilesystem:DescribeReplicationConfigurations",
        "elasticfilesystem:DescribeTags",
        "elasticfilesystem:ListTagsForResource",
        "elasticfilesystem:PutBackupPolicy",
        "elasticfilesystem:PutFileSystemPolicy",
        "elasticfilesystem:PutLifecycleConfiguration",
        "elasticfilesystem:Restore",
        "elasticfilesystem:TagResource",
        "elasticfilesystem:UntagResource",
        "elasticfilesystem:UpdateFileSystem",
        "elasticloadbalancing:AddTags",
        "elasticloadbalancing:CreateListener",
        "elasticloadbalancing:CreateLoadBalancer",
        "elasticloadbalancing:CreateTargetGroup",
        "elasticloadbalancing:DeleteListener",
        "elasticloadbalancing:DeleteLoadBalancer",
        "elasticloadbalancing:DeleteTargetGroup",
        "elasticloadbalancing:DeregisterTargets",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticloadbalancing:ModifyTargetGroup",
        "elasticloadbalancing:RegisterTargets",
        "elasticloadbalancing:RemoveTags",
        "elasticloadbalancing:SetSecurityGroups",
        "elasticloadbalancing:SetSubnets",
        "events:DeleteRule",
        "events:DescribeRule",
        "events:ListTargetsByRule",
        "events:PutRule",
        "events:PutTargets",
        "events:RemoveTargets",
        "fsx:CopyBackup",
        "fsx:CreateBackup",
        "fsx:CreateFileSystemFromBackup",
        "fsx:DescribeBackups",
        "fsx:DescribeDataRepositoryAssociations",
        "fsx:DescribeFileSystems",
        "fsx:DeleteFileSystem",
        "fsx:ListTagsForResource",
        "fsx:TagResource",
        "fsx:UntagResource",
        "iam:AddRoleToInstanceProfile",
        "iam:AttachRolePolicy",
        "iam:CreateInstanceProfile",
        "iam:CreateRole",
        "iam:CreateServiceLinkedRole",
        "iam:DeleteInstanceProfile",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:GetContextKeysForPrincipalPolicy",
        "iam:GetInstanceProfile",
        "iam:GetRole",
        "iam:ListAccountAliases",
        "iam:ListAttachedRolePolicies",
        "iam:ListInstanceProfiles",
        "iam:ListInstanceProfilesForRole",
        "iam:ListRoles",
        "iam:ListRolePolicies",
        "iam:PassRole",
        "iam:PutRolePolicy",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:SimulatePrincipalPolicy",
        "kinesis:CreateStream",
        "kinesis:DeleteStream",
        "kinesis:DescribeStream",
        "kinesis:PutRecord",
        "kms:CreateGrant",
        "kms:Decrypt",
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:GenerateDataKey*",
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:GetKeyPolicy",
        "kms:ListAliases",
        "kms:ListKeys",
        "kms:ReEncryptFrom",
        "kms:ReEncryptTo",
        "lambda:ListFunctions",
        "ram:AssociateResourceShare",
        "ram:CreateResourceShare",
        "ram:DeleteResourceShare",
        "ram:DisassociateResourceShare",
        "ram:GetResourceShareAssociations",
        "ram:GetResourceShares",
        "ram:ListPrincipals",
        "ram:ListResourceSharePermissions",
        "ram:ListResources",
        "ram:TagResource",
        "ram:UntagResource",
        "redshift:CreateClusterSnapshot",
        "redshift:CreateTags",
        "redshift:DeleteCluster",
        "redshift:DeleteClusterSnapshot",
        "redshift:DeleteTags",
        "redshift:DescribeClusterParameterGroups",
        "redshift:DescribeClusters",
        "redshift:DescribeClusterSnapshots",
        "redshift:DescribeClusterSubnetGroups",
        "redshift:DescribeNodeConfigurationOptions",
        "redshift:DescribeTags",
        "redshift:ModifyCluster",
        "redshift:RestoreFromClusterSnapshot",
        "rds:AddTagsToResource",
        "rds:CopyDBClusterSnapshot",
        "rds:CopyDBSnapshot",
        "rds:CreateDBClusterSnapshot",
        "rds:CreateDBSnapshot",
        "rds:CreateDbInstance",
        "rds:CreateTenantDatabase",
        "rds:DeleteDBClusterSnapshot",
        "rds:DeleteDBInstance",
        "rds:DeleteDBSnapshot",
        "rds:DeleteDbCluster",
        "rds:DescribeAccountAttributes",
        "rds:DescribeDBClusterSnapshots",
        "rds:DescribeDBClusters",
        "rds:DescribeDBEngineVersions",
        "rds:DescribeDBInstances",
        "rds:DescribeDBParameterGroups",
        "rds:DescribeDBSnapshots",
        "rds:DescribeDBSubnetGroups",
        "rds:DescribeDbClusterParameterGroups",
        "rds:DescribeDbClusterParameters",
        "rds:DescribeOptionGroups",
        "rds:DescribeOrderableDbInstanceOptions",
        "rds:ListTagsForResource",
        "rds:ModifyDBClusterSnapshotAttribute",
        "rds:ModifyDBInstance",
        "rds:ModifyDBSnapshotAttribute",
        "rds:ModifyDbCluster",
        "rds:RemoveTagsFromResource",
        "rds:RestoreDBInstanceFromDBSnapshot",
        "rds:RestoreDbClusterFromSnapshot",
        "s3:CreateJob",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:DescribeJob",
        "s3:GetBucketLocation",
        "s3:GetBucketObjectLockConfiguration",
        "s3:GetBucketVersioning",
        "s3:GetObject",
        "s3:GetObjectRetention",
        "s3:GetObjectVersion",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:ListBucketVersions",
        "s3:PutObject",
        "s3:PutObjectRetention",
        "s3:RestoreObject"
      ],
      "Resource": "*"
    }
  ]
}
```
Permissions, part 3
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:CreateSecret",
        "secretsmanager:DescribeSecret",
        "secretsmanager:TagResource",
        "servicequotas:ListServiceQuotas",
        "sns:CreateTopic",
        "sns:DeleteTopic",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTopics",
        "sns:SetTopicAttributes",
        "sns:Subscribe",
        "sns:Unsubscribe",
        "sqs:CreateQueue",
        "sqs:DeleteMessage",
        "sqs:DeleteQueue",
        "sqs:ListQueues",
        "sqs:ReceiveMessage",
        "sqs:SendMessage",
        "sqs:SetQueueAttributes",
        "ssm:DescribeAssociation",
        "ssm:DescribeDocument",
        "ssm:DescribeInstanceInformation",
        "ssm:GetCommandInvocation",
        "ssm:GetDeployablePatchSnapshotForInstance",
        "ssm:GetDocument",
        "ssm:GetManifest",
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:ListAssociations",
        "ssm:ListInstanceAssociations",
        "ssm:PutComplianceItems",
        "ssm:PutConfigurePackageResult",
        "ssm:PutInventory",
        "ssm:SendCommand",
        "ssm:UpdateAssociationStatus",
        "ssm:UpdateInstanceAssociationStatus",
        "ssm:UpdateInstanceInformation",
        "ssmmessages:CreateControlChannel",
        "ssmmessages:CreateDataChannel",
        "ssmmessages:OpenControlChannel",
        "ssmmessages:OpenDataChannel"
      ],
      "Resource": "*"
    }
  ]
}
```
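Before attaching a custom role, the two requirements above (a trust policy that names all three service principals, and managed policies that stay under the 6,144-character limit) can be checked offline. The following is an added Python example, not Veeam's code; it assumes IAM's documented rule that whitespace is not counted toward the managed-policy limit, uses a constructed sample trust policy, and packs any required action list into policies of the same single-statement shape used for the three parts above.

```python
"""Added example (not Veeam's code): offline checks for two requirements on this
page, a trust policy naming all three service principals, and managed policies
under IAM's 6,144-character limit, which IAM measures ignoring whitespace."""
import json

REQUIRED_SERVICES = {"backup.amazonaws.com",
                     "batchoperations.s3.amazonaws.com", "ec2.amazonaws.com"}
MANAGED_POLICY_LIMIT = 6144  # characters, whitespace excluded
# Constructed sample trust policy; the S3 Batch Operations principal is missing.
SAMPLE_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": ["backup.amazonaws.com", "ec2.amazonaws.com"]}}]}


def _as_list(value):
    """IAM accepts a single string or a list here; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def policy_size(doc):
    """Policy size the way IAM counts it: JSON with all whitespace removed."""
    return len(json.dumps(doc, separators=(",", ":")))


def missing_trust_services(doc):
    """Required service principals that `doc` does not allow to assume the role."""
    allowed = set()
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            allowed.update(_as_list(principal.get("Service")))
    return REQUIRED_SERVICES - allowed


def build_policy(actions):
    """One Allow statement on Resource "*", the shape used for the parts above."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": list(actions), "Resource": "*"}]}


def split_actions(actions, limit=MANAGED_POLICY_LIMIT):
    """Greedily pack actions into managed policies that each fit under `limit`."""
    policies, current = [], []
    for action in actions:
        if current and policy_size(build_policy(current + [action])) > limit:
            policies.append(build_policy(current))
            current = []
        current.append(action)
    if current:
        policies.append(build_policy(current))
    return policies
```

Run `missing_trust_services` against the role's actual trust document and `split_actions` against the union of the three action lists above to confirm both requirements hold before the role is used.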
To learn how to create IAM roles and assign them the required permissions, see Appendix A. Creating IAM Roles in AWS.