Full List of IAM Permissions

If you want Veeam Backup for AWS to use a single IAM role to perform all restore and backup operations, you can use the Default Backup Restore IAM role created during Veeam Backup for AWS installation or a custom IAM role that must meet the following requirements:

The IAM role must be included at least in one instance profile. For more information on instance profiles, see AWS Documentation.

The backup appliance must be granted permissions to assume the IAM roles. For more information on the requirements for adding IAM roles, see Before You Begin.
The Amazon EC2, Amazon S3 Batch Operations and Amazon Backup services must be granted permissions to assume the IAM roles.

To allow an Amazon service to assume an IAM role, configure trust relationships for the role and add the following statement to the trust policy:

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Principal": {

"Service": [

"backup.amazonaws.com",

"batchoperations.s3.amazonaws.com",

"ec2.amazonaws.com"

]

"Action": "sts:AssumeRole"

}

]

}

To learn how to modify role trust policies, see AWS Documentation.

The IAM roles must be granted the following permissions:

Important

Since the size of a managed IAM policy added to an IAM role cannot exceed 6.144 characters, it is recommended that you create 3 IAM policies that will cover all the required permissions. For more information on IAM character limits, see AWS Documentation.

Permissions, part 1

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Action": [

"backup:CopyFromBackupVault",

"backup:CopyIntoBackupVault",

"backup:CreateBackupVault",

"backup:DeleteBackupVault",

"backup:DeleteRecoveryPoint",

"backup:DescribeBackupJob",

"backup:DescribeBackupVault",

"backup:DescribeCopyJob",

"backup:DescribeRecoveryPoint",

"backup:DescribeRegionSettings",

"backup:DescribeRestoreJob",

"backup:ListBackupVaults",

"backup:ListRecoveryPointsByBackupVault",

"backup:ListTags",

"backup:StartBackupJob",

"backup:StartCopyJob",

"backup:StartRestoreJob",

"backup:StopBackupJob",

"backup:TagResource",

"backup:UntagResource",

"backup:UpdateRegionSettings",

"backup-storage:MountCapsule",

"ds:DescribeDirectories",

"dynamodb:DeleteTable",

"dynamodb:DescribeContinuousBackups",

"dynamodb:DescribeTable",

"dynamodb:DescribeTimeToLive",

"dynamodb:ListTables",

"dynamodb:ListTagsOfResource",

"dynamodb:RestoreTableFromAwsBackup",

"dynamodb:StartAwsBackupJob",

"dynamodb:TagResource",

"dynamodb:UpdateContinuousBackups",

"dynamodb:UpdateTable",

"dynamodb:UpdateTimeToLive",

"ebs:ListChangedBlocks",

"ebs:ListSnapshotBlocks",

"ec2:AcceptVpcEndpointConnections",

"ec2:AllocateAddress",

"ec2:AssignPrivateIpAddresses",

"ec2:AssociateAddress",

"ec2:AssociateClientVpnTargetNetwork",

"ec2:AssociateDhcpOptions",

"ec2:AssociateIamInstanceProfile",

"ec2:AssociateRouteTable",

"ec2:AssociateSubnetCidrBlock",

"ec2:AssociateTransitGatewayMulticastDomain",

"ec2:AssociateTransitGatewayRouteTable",

"ec2:AssociateVpcCidrBlock",

"ec2:AttachInternetGateway",

"ec2:AttachNetworkInterface",

"ec2:AttachVolume",

"ec2:AttachVpnGateway",

"ec2:AuthorizeClientVpnIngress",

"ec2:AuthorizeSecurityGroupEgress",

"ec2:AuthorizeSecurityGroupIngress",

"ec2:CopySnapshot",

"ec2:CreateClientVpnEndpoint",

"ec2:CreateClientVpnRoute",

"ec2:CreateCustomerGateway",

"ec2:CreateDefaultSubnet",

"ec2:CreateDefaultVpc",

"ec2:CreateDhcpOptions",

"ec2:CreateEgressOnlyInternetGateway",

"ec2:CreateInternetGateway",

"ec2:CreateKeyPair",

"ec2:CreateManagedPrefixList",

"ec2:CreateNatGateway",

"ec2:CreateNetworkAcl",

"ec2:CreateNetworkAclEntry",

"ec2:CreateNetworkInterface",

"ec2:CreateRoute",

"ec2:CreateRouteTable",

"ec2:CreateSecurityGroup",

"ec2:CreateSnapshot",

"ec2:CreateSnapshots",

"ec2:CreateSubnet",

"ec2:CreateTags",

"ec2:CreateTransitGateway",

"ec2:CreateTransitGatewayMulticastDomain",

"ec2:CreateTransitGatewayPeeringAttachment",

"ec2:CreateTransitGatewayPrefixListReference",

"ec2:CreateTransitGatewayRoute",

"ec2:CreateTransitGatewayRouteTable",

"ec2:CreateTransitGatewayVpcAttachment",

"ec2:CreateVolume",

"ec2:CreateVpc",

"ec2:CreateVpcEndpoint",

"ec2:CreateVpcEndpointServiceConfiguration",

"ec2:CreateVpcPeeringConnection",

"ec2:CreateVpnConnection",

"ec2:CreateVpnGateway",

"ec2:DeleteClientVpnEndpoint",

"ec2:DeleteClientVpnRoute",

"ec2:DeleteCustomerGateway",

"ec2:DeleteDhcpOptions",

"ec2:DeleteEgressOnlyInternetGateway",

"ec2:DeleteInternetGateway",

"ec2:DeleteKeyPair",

"ec2:DeleteManagedPrefixList",

"ec2:DeleteNatGateway",

"ec2:DeleteNetworkAcl",

"ec2:DeleteNetworkAclEntry",

"ec2:DeleteNetworkInterface",

"ec2:DeleteRoute",

"ec2:DeleteRouteTable",

"ec2:DeleteSecurityGroup",

"ec2:DeleteSnapshot",

"ec2:DeleteSubnet",

"ec2:DeleteTags",

"ec2:DeleteTransitGateway",

"ec2:DeleteTransitGatewayMulticastDomain",

"ec2:DeleteTransitGatewayPeeringAttachment",

"ec2:DeleteTransitGatewayPrefixListReference",

"ec2:DeleteTransitGatewayRoute",

"ec2:DeleteTransitGatewayRouteTable",

"ec2:DeleteTransitGatewayVpcAttachment",

"ec2:DeleteVolume",

"ec2:DeleteVpc",

"ec2:DeleteVpcEndpoints",

"ec2:DeleteVpcEndpointServiceConfigurations",

"ec2:DeleteVpcPeeringConnection",

"ec2:DeleteVpnConnection",

"ec2:DeleteVpnGateway",

"ec2:DescribeAccountAttributes",

"ec2:DescribeAddresses",

"ec2:DescribeAvailabilityZones",

"ec2:DescribeClientVpnAuthorizationRules",

"ec2:DescribeClientVpnEndpoints",

"ec2:DescribeClientVpnRoutes",

"ec2:DescribeClientVpnTargetNetworks",

"ec2:DescribeConversionTasks",

"ec2:DescribeCustomerGateways",

"ec2:DescribeDhcpOptions",

"ec2:DescribeEgressOnlyInternetGateways",

"ec2:DescribeImages",

"ec2:DescribeInstanceAttribute",

"ec2:DescribeInstances",

"ec2:DescribeInstanceStatus",

"ec2:DescribeInstanceTypes",

"ec2:DescribeInternetGateways",

"ec2:DescribeKeyPairs",

"ec2:DescribeManagedPrefixLists",

"ec2:DescribeNatGateways",

"ec2:DescribeNetworkAcls",

"ec2:DescribeNetworkInterfaceAttribute",

"ec2:DescribeNetworkInterfaces",

"ec2:DescribeRegions",

"ec2:DescribeRouteTables",

"ec2:DescribeSecurityGroups",

"ec2:DescribeSnapshotAttribute",

"ec2:DescribeSnapshots",

"ec2:DescribeSubnets",

"ec2:DescribeTags",

"ec2:DescribeTransitGatewayAttachments",

"ec2:DescribeTransitGatewayMulticastDomains",

"ec2:DescribeTransitGatewayPeeringAttachments",

"ec2:DescribeTransitGatewayRouteTables",

"ec2:DescribeTransitGateways",

"ec2:DescribeTransitGatewayVpcAttachments",

"ec2:DescribeVolumeAttribute",

"ec2:DescribeVolumes",

"ec2:DescribeVpcAttribute",

"ec2:DescribeVpcEndpoints",

"ec2:DescribeVpcEndpointServiceConfigurations",

"ec2:DescribeVpcPeeringConnections",

"ec2:DescribeVpcs",

"ec2:DescribeVpnConnections",

"ec2:DescribeVpnGateways",

"ec2:DetachInternetGateway",

"ec2:DetachVolume",

"ec2:DetachVpnGateway",

"ec2:DisableTransitGatewayRouteTablePropagation",

"ec2:DisableVgwRoutePropagation",

"ec2:DisassociateAddress",

"ec2:DisassociateClientVpnTargetNetwork",

"ec2:DisassociateRouteTable",

"ec2:DisassociateTransitGatewayMulticastDomain",

"ec2:DisassociateTransitGatewayRouteTable",

"ec2:EnableTransitGatewayRouteTablePropagation",

"ec2:EnableVgwRoutePropagation",

"ec2:GetEbsDefaultKmsKeyId",

"ec2:GetManagedPrefixListEntries",

"ec2:GetTransitGatewayMulticastDomainAssociations",

"ec2:GetTransitGatewayPrefixListReferences",

"ec2:GetTransitGatewayRouteTableAssociations",

"ec2:GetTransitGatewayRouteTablePropagations"

"Resource": "*"

}

]

}

Permissions, part 2

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Action": [

"ec2:ModifyClientVpnEndpoint",

"ec2:ModifyInstanceAttribute",

"ec2:ModifyManagedPrefixList",

"ec2:ModifyNetworkInterfaceAttribute",

"ec2:ModifySnapshotAttribute",

"ec2:ModifySubnetAttribute",

"ec2:ModifyTransitGateway",

"ec2:ModifyTransitGatewayVpcAttachment",

"ec2:ModifyVolume",

"ec2:ModifyVpcAttribute",

"ec2:ModifyVpcEndpoint",

"ec2:ModifyVpcEndpointServiceConfiguration",

"ec2:ModifyVpcPeeringConnectionOptions",

"ec2:ModifyVpnConnection",

"ec2:RejectVpcEndpointConnections",

"ec2:ReleaseAddress",

"ec2:ReplaceNetworkAclAssociation",

"ec2:ReplaceRouteTableAssociation",

"ec2:RevokeClientVpnIngress",

"ec2:RevokeSecurityGroupEgress",

"ec2:RevokeSecurityGroupIngress",

"ec2:RunInstances",

"ec2:SearchTransitGatewayRoutes",

"ec2:StartInstances",

"ec2:StopInstances",

"ec2:TerminateInstances",

"ec2messages:AcknowledgeMessage",

"ec2messages:DeleteMessage",

"ec2messages:FailMessage",

"ec2messages:GetEndpoint",

"ec2messages:GetMessages",

"ec2messages:SendReply",

"elasticfilesystem:Backup",

"elasticfilesystem:CreateAccessPoint",

"elasticfilesystem:CreateFileSystem",

"elasticfilesystem:CreateMountTarget",

"elasticfilesystem:DeleteAccessPoint",

"elasticfilesystem:DeleteFileSystem",

"elasticfilesystem:DeleteMountTarget",

"elasticfilesystem:DescribeAccessPoints",

"elasticfilesystem:DescribeBackupPolicy",

"elasticfilesystem:DescribeFileSystemPolicy",

"elasticfilesystem:DescribeFileSystems",

"elasticfilesystem:DescribeLifecycleConfiguration",

"elasticfilesystem:DescribeMountTargets",

"elasticfilesystem:DescribeMountTargetSecurityGroups",

"elasticfilesystem:DescribeReplicationConfigurations",

"elasticfilesystem:DescribeTags",

"elasticfilesystem:ListTagsForResource",

"elasticfilesystem:PutBackupPolicy",

"elasticfilesystem:PutFileSystemPolicy",

"elasticfilesystem:PutLifecycleConfiguration",

"elasticfilesystem:Restore",

"elasticfilesystem:TagResource",

"elasticfilesystem:UntagResource",

"elasticfilesystem:UpdateFileSystem",

"elasticloadbalancing:AddTags",

"elasticloadbalancing:CreateListener",

"elasticloadbalancing:CreateLoadBalancer",

"elasticloadbalancing:CreateTargetGroup",

"elasticloadbalancing:DeleteListener",

"elasticloadbalancing:DeleteLoadBalancer",

"elasticloadbalancing:DeleteTargetGroup",

"elasticloadbalancing:DeregisterTargets",

"elasticloadbalancing:DescribeListeners",

"elasticloadbalancing:DescribeLoadBalancers",

"elasticloadbalancing:DescribeTags",

"elasticloadbalancing:DescribeTargetGroups",

"elasticloadbalancing:DescribeTargetHealth",

"elasticloadbalancing:ModifyTargetGroup",

"elasticloadbalancing:RegisterTargets",

"elasticloadbalancing:RemoveTags",

"elasticloadbalancing:SetSecurityGroups",

"elasticloadbalancing:SetSubnets",

"events:DeleteRule",

"events:DescribeRule",

"events:ListTargetsByRule",

"events:PutRule",

"events:PutTargets",

"events:RemoveTargets",

"fsx:CopyBackup",

"fsx:CreateBackup",

"fsx:CreateFileSystemFromBackup",

"fsx:DeleteFileSystem",

"fsx:DescribeBackups",

"fsx:DescribeDataRepositoryAssociations",

"fsx:DescribeFileSystems",

"fsx:ListTagsForResource",

"fsx:TagResource",

"fsx:UntagResource",

"iam:AddRoleToInstanceProfile",

"iam:AttachRolePolicy",

"iam:CreateInstanceProfile",

"iam:CreateRole",

"iam:CreateServiceLinkedRole",

"iam:DeleteInstanceProfile",

"iam:DeleteRole",

"iam:DeleteRolePolicy",

"iam:DetachRolePolicy",

"iam:GetContextKeysForPrincipalPolicy",

"iam:GetInstanceProfile",

"iam:GetRole",

"iam:ListAccountAliases",

"iam:ListAttachedRolePolicies",

"iam:ListInstanceProfiles",

"iam:ListInstanceProfilesForRole",

"iam:ListRolePolicies",

"iam:ListRoles",

"iam:PassRole",

"iam:PutRolePolicy",

"iam:RemoveRoleFromInstanceProfile",

"iam:SimulatePrincipalPolicy",

"kinesis:CreateStream",

"kinesis:DeleteStream",

"kinesis:DescribeStream",

"kinesis:PutRecord",

"kms:CreateGrant",

"kms:Decrypt",

"kms:DescribeKey",

"kms:Encrypt",

"kms:GenerateDataKey",

"kms:GenerateDataKeyWithoutPlaintext",

"kms:GetKeyPolicy",

"kms:ListAliases",

"kms:ListKeys",

"kms:ReEncryptFrom",

"kms:ReEncryptTo",

"lambda:ListFunctions",

"organizations:DescribeAccount",

"organizations:DescribeOrganization",

"organizations:DescribeOrganizationalUnit",

"organizations:ListChildren",

"organizations:ListRoots",

"ram:AssociateResourceShare",

"ram:CreateResourceShare",

"ram:DeleteResourceShare",

"ram:DisassociateResourceShare",

"ram:GetResourceShareAssociations",

"ram:GetResourceShares",

"ram:ListPrincipals",

"ram:ListResources",

"ram:ListResourceSharePermissions",

"ram:TagResource",

"ram:UntagResource",

"rds:AddTagsToResource",

"rds:CopyDBClusterSnapshot",

"rds:CopyDBSnapshot",

"rds:CreateDBClusterSnapshot",

"rds:CreateDbInstance",

"rds:CreateDBSnapshot",

"rds:CreateTenantDatabase",

"rds:DeleteDbCluster",

"rds:DeleteDBClusterSnapshot",

"rds:DeleteDBInstance",

"rds:DeleteDBSnapshot",

"rds:DescribeAccountAttributes",

"rds:DescribeDbClusterParameterGroups",

"rds:DescribeDbClusterParameters",

"rds:DescribeDBClusters",

"rds:DescribeDBClusterSnapshots",

"rds:DescribeDBEngineVersions",

"rds:DescribeDBInstances",

"rds:DescribeDBParameterGroups",

"rds:DescribeDBSnapshots",

"rds:DescribeDBSubnetGroups",

"rds:DescribeOptionGroups",

"rds:DescribeOrderableDbInstanceOptions",

"rds:ListTagsForResource",

"rds:ModifyDbCluster",

"rds:ModifyDBClusterSnapshotAttribute",

"rds:ModifyDBInstance",

"rds:ModifyDBSnapshotAttribute",

"rds:RemoveTagsFromResource",

"rds:RestoreDbClusterFromSnapshot",

"rds:RestoreDBInstanceFromDBSnapshot"

"Resource": "*"

}

]

}

Permissions, part 3

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Action": [

"redshift:CreateClusterSnapshot",

"redshift:CreateTags",

"redshift:DeleteCluster",

"redshift:DeleteClusterSnapshot",

"redshift:DeleteTags",

"redshift:DescribeClusterParameterGroups",

"redshift:DescribeClusters",

"redshift:DescribeClusterSnapshots",

"redshift:DescribeClusterSubnetGroups",

"redshift:DescribeNodeConfigurationOptions",

"redshift:DescribeTags",

"redshift:ModifyCluster",

"redshift:RestoreFromClusterSnapshot",

"redshift-serverless:CreateNamespace",

"redshift-serverless:CreateSnapshot",

"redshift-serverless:CreateWorkgroup",

"redshift-serverless:DeleteNamespace",

"redshift-serverless:DeleteSnapshot",

"redshift-serverless:DeleteWorkgroup",

"redshift-serverless:GetNamespace",

"redshift-serverless:GetSnapshot",

"redshift-serverless:GetWorkgroup",

"redshift-serverless:ListNamespaces",

"redshift-serverless:ListSnapshots",

"redshift-serverless:ListTagsForResource",

"redshift-serverless:ListWorkgroups",

"redshift-serverless:RestoreFromSnapshot",

"redshift-serverless:TagResource",

"s3:CreateBucket",

"s3:CreateJob",

"s3:DeleteBucket",

"s3:DeleteObject",

"s3:DeleteObjectVersion",

"s3:DescribeJob",

"s3:GetBucketLocation",

"s3:GetBucketObjectLockConfiguration",

"s3:GetBucketVersioning",

"s3:GetObject",

"s3:GetObjectRetention",

"s3:GetObjectVersion",

"s3:ListAllMyBuckets",

"s3:ListBucket",

"s3:ListBucketVersions",

"s3:PutBucketPolicy",

"s3:PutObject",

"s3:PutObjectRetention",

"s3:RestoreObject",

"secretsmanager:CreateSecret",

"secretsmanager:DescribeSecret",

"secretsmanager:RotateSecret",

"secretsmanager:TagResource",

"servicequotas:ListServiceQuotas",

"sns:CreateTopic",

"sns:DeleteTopic",

"sns:ListSubscriptionsByTopic",

"sns:ListTopics",

"sns:SetTopicAttributes",

"sns:Subscribe",

"sns:Unsubscribe",

"sqs:CreateQueue",

"sqs:DeleteMessage",

"sqs:DeleteQueue",

"sqs:ListQueues",

"sqs:ReceiveMessage",

"sqs:SendMessage",

"sqs:SetQueueAttributes",

"ssm:DescribeAssociation",

"ssm:DescribeDocument",

"ssm:DescribeInstanceInformation",

"ssm:GetCommandInvocation",

"ssm:GetDeployablePatchSnapshotForInstance",

"ssm:GetDocument",

"ssm:GetManifest",

"ssm:GetParameter",

"ssm:GetParameters",

"ssm:ListAssociations",

"ssm:ListInstanceAssociations",

"ssm:PutComplianceItems",

"ssm:PutConfigurePackageResult",

"ssm:PutInventory",

"ssm:SendCommand",

"ssm:UpdateAssociationStatus",

"ssm:UpdateInstanceAssociationStatus",

"ssm:UpdateInstanceInformation",

"ssmmessages:CreateControlChannel",

"ssmmessages:CreateDataChannel",

"ssmmessages:OpenControlChannel",

"ssmmessages:OpenDataChannel"

"Resource": "*"

}

]

}

To learn how to create IAM roles and assign them the required permissions, see Appendix A. Creating IAM Roles in AWS.