Full List of IAM Permissions

If you want Veeam Backup for AWS to use a single IAM role to perform all restore and backup operations, you can use the Default Backup Restore IAM role created during Veeam Backup for AWS installation or a custom IAM role that must be granted the following permissions:

{

"backup:CopyFromBackupVault",

"backup:CopyIntoBackupVault",

"backup:CreateBackupVault",

"backup:DeleteBackupVault",

"backup:DeleteRecoveryPoint",

"backup:DescribeBackupJob",

"backup:DescribeCopyJob",

"backup:DescribeRecoveryPoint",

"backup:DescribeRestoreJob",

"backup:ListBackupVaults",

"backup:ListRecoveryPointsByBackupVault",

"backup:ListTags",

"backup:StartBackupJob",

"backup:StartCopyJob",

"backup:StartRestoreJob",

"backup:StopBackupJob",

"backup:TagResource",

"backup:UntagResource",

"backup-storage:MountCapsule",

"ebs:ListChangedBlocks",

"ebs:ListSnapshotBlocks",

"ec2:AcceptVpcEndpointConnections",

"ec2:AllocateAddress",

"ec2:AssignPrivateIpAddresses",

"ec2:AssociateAddress",

"ec2:AssociateClientVpnTargetNetwork",

"ec2:AssociateDhcpOptions",

"ec2:AssociateRouteTable",

"ec2:AssociateSubnetCidrBlock",

"ec2:AssociateTransitGatewayMulticastDomain",

"ec2:AssociateTransitGatewayRouteTable",

"ec2:AssociateVpcCidrBlock",

"ec2:AttachInternetGateway",

"ec2:AttachNetworkInterface",

"ec2:AttachVolume",

"ec2:AttachVpnGateway",

"ec2:AuthorizeClientVpnIngress",

"ec2:AuthorizeSecurityGroupEgress",

"ec2:AuthorizeSecurityGroupIngress",

"ec2:CopySnapshot",

"ec2:CreateClientVpnEndpoint",

"ec2:CreateClientVpnRoute",

"ec2:CreateCustomerGateway",

"ec2:CreateDefaultSubnet",

"ec2:CreateDefaultVpc",

"ec2:CreateDhcpOptions",

"ec2:CreateEgressOnlyInternetGateway",

"ec2:CreateInternetGateway",

"ec2:CreateKeyPair",

"ec2:CreateManagedPrefixList",

"ec2:CreateNatGateway",

"ec2:CreateNetworkAcl",

"ec2:CreateNetworkAclEntry",

"ec2:CreateNetworkInterface",

"ec2:CreateRoute",

"ec2:CreateRouteTable",

"ec2:CreateSecurityGroup",

"ec2:CreateSnapshot",

"ec2:CreateSnapshots",

"ec2:CreateSubnet",

"ec2:CreateTags",

"ec2:CreateTransitGateway",

"ec2:CreateTransitGatewayMulticastDomain",

"ec2:CreateTransitGatewayPeeringAttachment",

"ec2:CreateTransitGatewayPrefixListReference",

"ec2:CreateTransitGatewayRoute",

"ec2:CreateTransitGatewayRouteTable",

"ec2:CreateTransitGatewayVpcAttachment",

"ec2:CreateVolume",

"ec2:CreateVpc",

"ec2:CreateVpcEndpoint",

"ec2:CreateVpcEndpointServiceConfiguration",

"ec2:CreateVpcPeeringConnection",

"ec2:CreateVpnConnection",

"ec2:CreateVpnGateway",

"ec2:DeleteClientVpnEndpoint",

"ec2:DeleteClientVpnRoute",

"ec2:DeleteCustomerGateway",

"ec2:DeleteDhcpOptions",

"ec2:DeleteEgressOnlyInternetGateway",

"ec2:DeleteInternetGateway",

"ec2:DeleteKeyPair",

"ec2:DeleteManagedPrefixList",

"ec2:DeleteNatGateway",

"ec2:DeleteNetworkAcl",

"ec2:DeleteNetworkAclEntry",

"ec2:DeleteNetworkInterface",

"ec2:DeleteRoute",

"ec2:DeleteRouteTable",

"ec2:DeleteSecurityGroup",

"ec2:DeleteSnapshot",

"ec2:DeleteSubnet",

"ec2:DeleteTags",

"ec2:DeleteTransitGateway",

"ec2:DeleteTransitGatewayMulticastDomain",

"ec2:DeleteTransitGatewayPeeringAttachment",

"ec2:DeleteTransitGatewayPrefixListReference",

"ec2:DeleteTransitGatewayRoute",

"ec2:DeleteTransitGatewayRouteTable",

"ec2:DeleteTransitGatewayVpcAttachment",

"ec2:DeleteVolume",

"ec2:DeleteVpc",

"ec2:DeleteVpcEndpoints",

"ec2:DeleteVpcEndpointServiceConfigurations",

"ec2:DeleteVpcPeeringConnection",

"ec2:DeleteVpnConnection",

"ec2:DeleteVpnGateway",

"ec2:DescribeAccountAttributes",

"ec2:DescribeAddresses",

"ec2:DescribeAvailabilityZones",

"ec2:DescribeClientVpnAuthorizationRules",

"ec2:DescribeClientVpnEndpoints",

"ec2:DescribeClientVpnRoutes",

"ec2:DescribeClientVpnTargetNetworks",

"ec2:DescribeConversionTasks",

"ec2:DescribeCustomerGateways",

"ec2:DescribeDhcpOptions",

"ec2:DescribeEgressOnlyInternetGateways",

"ec2:DescribeImages",

"ec2:DescribeInstanceAttribute",

"ec2:DescribeInstances",

"ec2:DescribeInstanceStatus",

"ec2:DescribeInstanceTypes",

"ec2:DescribeInternetGateways",

"ec2:DescribeKeyPairs",

"ec2:DescribeLaunchTemplates",

"ec2:DescribeManagedPrefixLists",

"ec2:DescribeNatGateways",

"ec2:DescribeNetworkAcls",

"ec2:DescribeNetworkInterfaceAttribute",

"ec2:DescribeNetworkInterfaces",

"ec2:DescribeRegions",

"ec2:DescribeRouteTables",

"ec2:DescribeSecurityGroups",

"ec2:DescribeSnapshots",

"ec2:DescribeSubnets",

"ec2:DescribeTags",

"ec2:DescribeTransitGatewayAttachments",

"ec2:DescribeTransitGatewayMulticastDomains",

"ec2:DescribeTransitGatewayPeeringAttachments",

"ec2:DescribeTransitGatewayRouteTables",

"ec2:DescribeTransitGateways",

"ec2:DescribeTransitGatewayVpcAttachments",

"ec2:DescribeVolumeAttribute",

"ec2:DescribeVolumes",

"ec2:DescribeVpcAttribute",

"ec2:DescribeVpcEndpoints",

"ec2:DescribeVpcEndpointServiceConfigurations",

"ec2:DescribeVpcPeeringConnections",

"ec2:DescribeVpcs",

"ec2:DescribeVpnConnections",

"ec2:DescribeVpnGateways",

"ec2:DetachInternetGateway",

"ec2:DetachVolume",

"ec2:DetachVpnGateway",

"ec2:DisableTransitGatewayRouteTablePropagation",

"ec2:DisableVgwRoutePropagation",

"ec2:DisassociateAddress",

"ec2:DisassociateClientVpnTargetNetwork",

"ec2:DisassociateRouteTable",

"ec2:DisassociateTransitGatewayMulticastDomain",

"ec2:DisassociateTransitGatewayRouteTable",

"ec2:EnableTransitGatewayRouteTablePropagation",

"ec2:EnableVgwRoutePropagation",

"ec2:GetEbsDefaultKmsKeyId",

"ec2:GetManagedPrefixListEntries",

"ec2:GetTransitGatewayMulticastDomainAssociations",

"ec2:GetTransitGatewayPrefixListReferences",

"ec2:GetTransitGatewayRouteTableAssociations",

"ec2:GetTransitGatewayRouteTablePropagations",

"ec2:ModifyClientVpnEndpoint",

"ec2:ModifyInstanceAttribute",

"ec2:ModifyManagedPrefixList",

"ec2:ModifyNetworkInterfaceAttribute",

"ec2:ModifySnapshotAttribute",

"ec2:ModifySubnetAttribute",

"ec2:ModifyTransitGateway",

"ec2:ModifyTransitGatewayVpcAttachment",

"ec2:ModifyVolume",

"ec2:ModifyVpcAttribute",

"ec2:ModifyVpcEndpoint",

"ec2:ModifyVpcEndpointServiceConfiguration",

"ec2:ModifyVpcPeeringConnectionOptions",

"ec2:ModifyVpnConnection",

"ec2:RejectVpcEndpointConnections",

"ec2:ReleaseAddress",

"ec2:ReplaceNetworkAclAssociation",

"ec2:ReplaceRouteTableAssociation",

"ec2:RevokeClientVpnIngress",

"ec2:RevokeSecurityGroupEgress",

"ec2:RevokeSecurityGroupIngress",

"ec2:RunInstances",

"ec2:SearchTransitGatewayRoutes",

"ec2:StartInstances",

"ec2:StopInstances",

"ec2:TerminateInstances",

"ec2messages:AcknowledgeMessage",

"ec2messages:DeleteMessage",

"ec2messages:FailMessage",

"ec2messages:GetEndpoint",

"ec2messages:GetMessages",

"ec2messages:SendReply",

"elasticfilesystem:Backup",

"elasticfilesystem:CreateAccessPoint",

"elasticfilesystem:CreateFileSystem",

"elasticfilesystem:CreateMountTarget",

"elasticfilesystem:DeleteAccessPoint",

"elasticfilesystem:DeleteFileSystem",

"elasticfilesystem:DeleteMountTarget",

"elasticfilesystem:DescribeAccessPoints",

"elasticfilesystem:DescribeBackupPolicy",

"elasticfilesystem:DescribeFileSystemPolicy",

"elasticfilesystem:DescribeFileSystems",

"elasticfilesystem:DescribeLifecycleConfiguration",

"elasticfilesystem:DescribeMountTargets",

"elasticfilesystem:DescribeMountTargetSecurityGroups",

"elasticfilesystem:DescribeTags",

"elasticfilesystem:ListTagsForResource",

"elasticfilesystem:PutBackupPolicy",

"elasticfilesystem:PutFileSystemPolicy",

"elasticfilesystem:PutLifecycleConfiguration",

"elasticfilesystem:Restore",

"elasticfilesystem:TagResource",

"elasticfilesystem:UntagResource",

"elasticfilesystem:UpdateFileSystem",

"elasticloadbalancing:AddTags",

"elasticloadbalancing:CreateListener",

"elasticloadbalancing:CreateLoadBalancer",

"elasticloadbalancing:CreateTargetGroup",

"elasticloadbalancing:DeleteListener",

"elasticloadbalancing:DeleteLoadBalancer",

"elasticloadbalancing:DeleteTargetGroup",

"elasticloadbalancing:DeregisterTargets",

"elasticloadbalancing:DescribeListeners",

"elasticloadbalancing:DescribeLoadBalancers",

"elasticloadbalancing:DescribeTags",

"elasticloadbalancing:DescribeTargetGroups",

"elasticloadbalancing:DescribeTargetHealth",

"elasticloadbalancing:ModifyTargetGroup",

"elasticloadbalancing:RegisterTargets",

"elasticloadbalancing:RemoveTags",

"elasticloadbalancing:SetSecurityGroups",

"elasticloadbalancing:SetSubnets",

"events:DeleteRule",

"events:DescribeRule",

"events:ListTargetsByRule",

"events:PutRule",

"events:PutTargets",

"events:RemoveTargets",

"iam:AddRoleToInstanceProfile",

"iam:AttachRolePolicy",

"iam:CreateInstanceProfile",

"iam:CreateRole",

"iam:CreateServiceLinkedRole",

"iam:DeleteInstanceProfile",

"iam:DeleteRole",

"iam:DeleteRolePolicy",

"iam:DetachRolePolicy",

"iam:GetAccountSummary",

"iam:GetContextKeysForPrincipalPolicy",

"iam:GetInstanceProfile",

"iam:GetPolicy",

"iam:GetPolicyVersion",

"iam:GetRole",

"iam:ListAccountAliases",

"iam:ListAttachedRolePolicies",

"iam:ListInstanceProfiles",

"iam:ListInstanceProfilesForRole",

"iam:ListRolePolicies",

"iam:PassRole",

"iam:PutRolePolicy",

"iam:RemoveRoleFromInstanceProfile",

"iam:SimulatePrincipalPolicy",

"kinesis:CreateStream",

"kinesis:DeleteStream",

"kinesis:DescribeStream",

"kinesis:PutRecord",

"kms:CreateGrant",

"kms:Decrypt",

"kms:DescribeKey",

"kms:Encrypt",

"kms:GenerateDataKeyWithoutPlaintext",

"kms:GetKeyPolicy",

"kms:ListAliases",

"kms:ListKeys",

"kms:ReEncryptFrom",

"kms:ReEncryptTo",

"lambda:ListFunctions",

"ram:AssociateResourceShare",

"ram:CreateResourceShare",

"ram:DeleteResourceShare",

"ram:DisassociateResourceShare",

"ram:GetResourceShareAssociations",

"ram:GetResourceShares",

"ram:ListPrincipals",

"ram:ListResources",

"ram:ListResourceSharePermissions",

"ram:TagResource",

"ram:UntagResource",

"rds:AddTagsToResource",

"rds:CopyDBClusterSnapshot",

"rds:CopyDBSnapshot",

"rds:CreateDBClusterSnapshot",

"rds:CreateDBInstance",

"rds:CreateDBSnapshot",

"rds:DeleteDBCluster",

"rds:DeleteDBClusterSnapshot",

"rds:DeleteDBInstance",

"rds:DeleteDBSnapshot",

"rds:DescribeAccountAttributes",

"rds:DescribeDBClusterParameterGroups",

"rds:DescribeDBClusterParameters",

"rds:DescribeDBClusters",

"rds:DescribeDBClusterSnapshots",

"rds:DescribeDBEngineVersions",

"rds:DescribeDBInstances",

"rds:DescribeDBParameterGroups",

"rds:DescribeDBSnapshots",

"rds:DescribeDBSubnetGroups",

"rds:DescribeOptionGroups",

"rds:DescribeOrderableDBInstanceOptions",

"rds:ListTagsForResource",

"rds:ModifyDBCluster",

"rds:ModifyDBClusterSnapshotAttribute",

"rds:ModifyDBInstance",

"rds:ModifyDBSnapshotAttribute",

"rds:RemoveTagsFromResource",

"rds:RestoreDBClusterFromSnapshot",

"rds:RestoreDBInstanceFromDBSnapshot",

"s3:DeleteObject",

"s3:GetBucketLocation",

"s3:GetObject",

"s3:ListAllMyBuckets",

"s3:ListBucket",

"s3:PutObject",

"s3:RestoreObject",

"servicequotas:ListServiceQuotas",

"sns:CreateTopic",

"sns:DeleteTopic",

"sns:ListSubscriptionsByTopic",

"sns:ListTopics",

"sns:SetTopicAttributes",

"sns:Subscribe",

"sns:Unsubscribe",

"sqs:CreateQueue",

"sqs:DeleteMessage",

"sqs:DeleteQueue",

"sqs:ListQueues",

"sqs:ReceiveMessage",

"sqs:SendMessage",

"sqs:SetQueueAttributes",

"ssm:DescribeAssociation",

"ssm:DescribeDocument",

"ssm:DescribeInstanceInformation",

"ssm:GetCommandInvocation",

"ssm:GetDeployablePatchSnapshotForInstance",

"ssm:GetDocument",

"ssm:GetManifest",

"ssm:GetParameter",

"ssm:GetParameters",

"ssm:ListAssociations",

"ssm:ListInstanceAssociations",

"ssm:PutComplianceItems",

"ssm:PutConfigurePackageResult",

"ssm:PutInventory",

"ssm:SendCommand",

"ssm:UpdateAssociationStatus",

"ssm:UpdateInstanceAssociationStatus",

"ssm:UpdateInstanceInformation",

"ssmmessages:CreateControlChannel",

"ssmmessages:CreateDataChannel",

"ssmmessages:OpenControlChannel",

"ssmmessages:OpenDataChannel",

"sts:AssumeRole"

}