Full List of IAM Permissions


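    An IAM role that can perform all operations in Veeam Backup for AWS (the Default Backup Restore IAM role) must have the permissions listed below. The list gives action names only; it is not a complete policy document with Effect, Resource or Condition elements. Because it includes IAM write actions such as iam:CreateRole, iam:AttachRolePolicy, iam:PutRolePolicy and iam:PassRole, treat a role that holds these permissions as highly privileged and restrict which principals can assume it.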

    Important

    To grant the specified permissions to an IAM role, add them to IAM policies attached to that role. To learn how to create IAM policies, see Appendix A. Creating IAM Policies. Note that the size of one IAM policy cannot exceed 10240 characters, so a list as long as the one below may have to be split across several policies.

    {

    "iam:ListAccountAliases",

    "sqs:DeleteMessage",

    "ec2:AttachVolume",

    "iam:CreateInstanceProfile",

    "ssm:SendCommand",

    "ec2:DeleteSnapshot",

    "ec2:CreateKeyPair",

    "ec2:DescribeInstanceAttribute",

    "sqs:ReceiveMessage",

    "iam:RemoveRoleFromInstanceProfile",

    "iam:CreateRole",

    "iam:AttachRolePolicy",

    "iam:PutRolePolicy",

    "iam:AddRoleToInstanceProfile",

    "ec2:DeleteVolume",

    "iam:ListInstanceProfilesForRole",

    "iam:PassRole",

    "iam:DetachRolePolicy",

    "ec2:ModifySnapshotAttribute",

    "iam:ListAttachedRolePolicies",

    "iam:DeleteRolePolicy",

    "ec2:DescribeVolumes",

    "ec2:CreateSnapshot",

    "ec2:ModifyInstanceAttribute",

    "ec2:DescribeKeyPairs",

    "iam:ListRolePolicies",

    "servicequotas:ListServiceQuotas",

    "ec2:DetachVolume",

    "iam:DeleteInstanceProfile",

    "sqs:ListQueues",

    "ec2:TerminateInstances",

    "iam:GetInstanceProfile",

    "ec2:CreateTags",

    "sqs:SendMessage",

    "ec2:RunInstances",

    "iam:DeleteRole",

    "ec2:CreateVolume",

    "ssm:GetCommandInvocation",

    "ec2:DescribeImages",

    "sqs:DeleteQueue",

    "sqs:CreateQueue",

    "ec2:DeleteKeyPair",

    "ec2:DescribeAccountAttributes",

    "ec2:DescribeSecurityGroups",

    "ec2:DescribeSubnets",

    "ec2:DescribeInstances",

    "ec2:DescribeSnapshots",

    "ec2:StopInstances",

    "ec2:StartInstances",

    "iam:GetRole",

    "ec2:CopySnapshot",

    "ebs:ListSnapshotBlocks",

    "ebs:ListChangedBlocks",

    "ec2:DescribeVpcs",

    "ec2:DescribeRegions",

    "ec2:DescribeVpcEndpoints",

    "ec2:DescribeRouteTables",

    "ec2:DescribeAvailabilityZones",

    "kinesis:DeleteStream",

    "kinesis:CreateStream",

    "kinesis:DescribeStream",

    "kms:ListKeys",

    "kms:ListAliases",

    "kms:GetKeyPolicy",

    "kms:ReEncryptTo",

    "kms:DescribeKey",

    "kms:ReEncryptFrom",

    "ec2:GetEbsDefaultKmsKeyId",

    "kms:CreateGrant",

    "events:DescribeRule",

    "sns:ListSubscriptionsByTopic",

    "sns:DeleteTopic",

    "events:PutRule",

    "sns:CreateTopic",

    "sns:ListTopics",

    "sns:Unsubscribe",

    "sns:SetTopicAttributes",

    "events:PutTargets",

    "events:DeleteRule",

    "sns:Subscribe",

    "events:RemoveTargets",

    "events:ListTargetsByRule",

    "sqs:SetQueueAttributes",

    "ec2:DeleteTags",

    "ec2:CreateSnapshots",

    "ec2:DescribeConversionTasks",

    "ec2:DescribeVolumeAttribute",

    "ec2:DescribeTags",

    "ec2:DescribeInstanceTypes",

    "ec2:DescribeLaunchTemplates",

    "rds:AddTagsToResource",

    "rds:ListTagsForResource",

    "rds:DescribeDBSnapshots",

    "rds:CreateDBSnapshot",

    "rds:DescribeDBInstances",

    "rds:DeleteDBSnapshot",

    "rds:ModifyDBSnapshotAttribute",

    "rds:RemoveTagsFromResource",

    "rds:CopyDBSnapshot",

    "ec2:DescribeAddresses",

    "ec2:DescribeDhcpOptions",

    "ec2:DescribeVpcAttribute",

    "ec2:DescribeInternetGateways",

    "elasticloadbalancing:DescribeLoadBalancers",

    "ram:GetResourceShares",

    "ec2:DescribeNetworkInterfaces",

    "ec2:DescribeManagedPrefixLists",

    "ec2:DescribeNetworkAcls",

    "ec2:DescribeClientVpnEndpoints",

    "ec2:DescribeEgressOnlyInternetGateways",

    "ec2:GetManagedPrefixListEntries",

    "ec2:DescribeVpnConnections",

    "ec2:DescribeVpcPeeringConnections",

    "ec2:DescribeNatGateways",

    "ec2:DescribeVpcEndpointServiceConfigurations",

    "ec2:DescribeCustomerGateways",

    "ram:ListResources",

    "ram:ListPrincipals",

    "elasticloadbalancing:DescribeTargetGroups",

    "ec2:DescribeVpnGateways",

    "ec2:DescribeTransitGatewayAttachments",

    "ec2:DescribeTransitGatewayMulticastDomains",

    "ec2:DescribeTransitGatewayPeeringAttachments",

    "ec2:DescribeTransitGatewayRouteTables",

    "ec2:DescribeTransitGateways",

    "ec2:DescribeTransitGatewayVpcAttachments",

    "ec2:GetTransitGatewayRouteTableAssociations",

    "elasticloadbalancing:DescribeListeners",

    "elasticloadbalancing:DescribeTags",

    "elasticloadbalancing:DescribeTargetHealth",

    "ram:ListResourceSharePermissions",

    "ec2:SearchTransitGatewayRoutes",

    "ec2:GetTransitGatewayRouteTablePropagations",

    "ec2:DescribeClientVpnAuthorizationRules",

    "ec2:DescribeClientVpnRoutes",

    "ec2:DescribeClientVpnTargetNetworks",

    "ec2:GetTransitGatewayPrefixListReferences",

    "backup:StopBackupJob",

    "backup:TagResource",

    "backup:ListTags",

    "backup:StartBackupJob",

    "backup:DescribeCopyJob",

    "backup:DescribeBackupJob",

    "backup:DeleteRecoveryPoint",

    "backup:CopyIntoBackupVault",

    "backup:ListBackupVaults",

    "backup:ListRecoveryPointsByBackupVault",

    "backup:StartCopyJob",

    "backup:CopyFromBackupVault",

    "elasticfilesystem:DescribeMountTargets",

    "elasticfilesystem:ListTagsForResource",

    "elasticfilesystem:DescribeAccessPoints",

    "elasticfilesystem:DescribeTags",

    "elasticfilesystem:Backup",

    "elasticfilesystem:DescribeFileSystems",

    "elasticfilesystem:DescribeMountTargetSecurityGroups",

    "elasticfilesystem:DescribeFileSystemPolicy",

    "elasticfilesystem:DescribeLifecycleConfiguration",

    "elasticfilesystem:DescribeBackupPolicy",

    "backup:UntagResource",

    "backup:DescribeRecoveryPoint",

    "ec2:DescribeInstanceStatus",

    "rds:DescribeDBSubnetGroups",

    "rds:DescribeDBEngineVersions",

    "rds:DescribeDBParameterGroups",

    "iam:CreateServiceLinkedRole",

    "rds:RestoreDBInstanceFromDBSnapshot",

    "rds:DescribeOrderableDBInstanceOptions",

    "rds:ModifyDBInstance",

    "rds:DescribeOptionGroups",

    "rds:DeleteDBInstance",

    "ec2:AuthorizeSecurityGroupIngress",

    "ec2:CreateVpc",

    "ec2:AttachInternetGateway",

    "ec2:CreateInternetGateway",

    "ec2:RevokeSecurityGroupEgress",

    "ec2:ModifyVpcAttribute",

    "ec2:DeleteInternetGateway",

    "ec2:DeleteNetworkAcl",

    "ec2:AuthorizeSecurityGroupEgress",

    "ec2:DetachInternetGateway",

    "ec2:RevokeSecurityGroupIngress",

    "ec2:CreateNetworkInterface",

    "ec2:DeleteVpc",

    "ec2:CreateNetworkAclEntry",

    "ec2:DeleteNetworkAclEntry",

    "ec2:DisassociateAddress",

    "ec2:ModifyManagedPrefixList",

    "ec2:AssociateAddress",

    "ec2:ModifyVpcEndpointServiceConfiguration",

    "elasticloadbalancing:ModifyTargetGroup",

    "lambda:ListFunctions",

    "ec2:ModifyVpcEndpoint",

    "ec2:ModifyVpcPeeringConnectionOptions",

    "ec2:ModifyTransitGatewayVpcAttachment",

    "ec2:ModifyTransitGateway",

    "ram:UntagResource",

    "ram:TagResource",

    "ram:DisassociateResourceShare",

    "ec2:AssociateVpcCidrBlock",

    "ec2:AssociateDhcpOptions",

    "ram:AssociateResourceShare",

    "ec2:GetTransitGatewayMulticastDomainAssociations",

    "ec2:AssociateTransitGatewayRouteTable",

    "ec2:AttachVpnGateway",

    "ec2:CreateCustomerGateway",

    "ec2:CreateEgressOnlyInternetGateway",

    "ec2:CreateManagedPrefixList",

    "ec2:CreateRouteTable",

    "ec2:CreateSubnet",

    "ec2:CreateTransitGateway",

    "ec2:CreateTransitGatewayMulticastDomain",

    "ec2:CreateTransitGatewayRouteTable",

    "ec2:CreateTransitGatewayVpcAttachment",

    "ec2:CreateVpcEndpoint",

    "ec2:CreateVpcPeeringConnection",

    "ec2:CreateVpnConnection",

    "ec2:CreateVpnGateway",

    "ec2:AcceptVpcEndpointConnections",

    "ec2:RejectVpcEndpointConnections",

    "ec2:CreateTransitGatewayRoute",

    "ec2:EnableTransitGatewayRouteTablePropagation",

    "ec2:DisableTransitGatewayRouteTablePropagation",

    "ec2:DeleteTransitGatewayRoute",

    "ec2:DeleteTransitGatewayRouteTable",

    "ec2:AllocateAddress",

    "ec2:AssociateClientVpnTargetNetwork",

    "ec2:AssociateRouteTable",

    "ec2:AssociateSubnetCidrBlock",

    "ec2:AssociateTransitGatewayMulticastDomain",

    "ec2:AuthorizeClientVpnIngress",

    "ec2:CreateClientVpnEndpoint",

    "ec2:CreateClientVpnRoute",

    "ec2:CreateNetworkAcl",

    "ec2:CreateRoute",

    "ec2:CreateTransitGatewayPeeringAttachment",

    "ec2:CreateVpcEndpointServiceConfiguration",

    "ec2:DeleteClientVpnEndpoint",

    "ec2:DeleteClientVpnRoute",

    "ec2:DeleteCustomerGateway",

    "ec2:DeleteNatGateway",

    "ec2:DeleteNetworkInterface",

    "ec2:DeleteRoute",

    "ec2:DeleteRouteTable",

    "ec2:DeleteSubnet",

    "ec2:DeleteTransitGateway",

    "ec2:DeleteTransitGatewayMulticastDomain",

    "ec2:DeleteTransitGatewayPeeringAttachment",

    "ec2:DeleteTransitGatewayVpcAttachment",

    "ec2:DeleteVpcEndpointServiceConfigurations",

    "ec2:DeleteVpcPeeringConnection",

    "ec2:DeleteVpnConnection",

    "ec2:DeleteVpnGateway",

    "ec2:DetachVpnGateway",

    "ec2:DisableVgwRoutePropagation",

    "ec2:DisassociateClientVpnTargetNetwork",

    "ec2:DisassociateRouteTable",

    "ec2:DisassociateTransitGatewayMulticastDomain",

    "ec2:DisassociateTransitGatewayRouteTable",

    "ec2:EnableVgwRoutePropagation",

    "ec2:ModifyClientVpnEndpoint",

    "ec2:ModifyNetworkInterfaceAttribute",

    "ec2:ModifySubnetAttribute",

    "ec2:ModifyVpnConnection",

    "ec2:ReleaseAddress",

    "ec2:ReplaceNetworkAclAssociation",

    "ec2:ReplaceRouteTableAssociation",

    "ec2:RevokeClientVpnIngress",

    "elasticloadbalancing:DeleteLoadBalancer",

    "elasticloadbalancing:DeleteTargetGroup",

    "elasticloadbalancing:CreateTargetGroup",

    "elasticloadbalancing:RegisterTargets",

    "elasticloadbalancing:DeregisterTargets",

    "elasticloadbalancing:CreateListener",

    "elasticloadbalancing:DeleteListener",

    "elasticloadbalancing:CreateLoadBalancer",

    "elasticloadbalancing:SetSecurityGroups",

    "elasticloadbalancing:SetSubnets",

    "elasticloadbalancing:RemoveTags",

    "elasticloadbalancing:AddTags",

    "ram:CreateResourceShare",

    "ram:DeleteResourceShare",

    "ec2:CreateDefaultVpc",

    "ec2:CreateDefaultSubnet",

    "ec2:CreateNatGateway",

    "ec2:CreateSecurityGroup",

    "ec2:DeleteSecurityGroup",

    "ec2:CreateDhcpOptions",

    "ec2:DeleteDhcpOptions",

    "ec2:DeleteEgressOnlyInternetGateway",

    "ec2:DeleteManagedPrefixList",

    "ec2:DeleteVpcEndpoints",

    "ec2:DeleteTransitGatewayPrefixListReference",

    "ec2:CreateTransitGatewayPrefixListReference",

    "s3:ListAllMyBuckets",

    "s3:ListBucket",

    "s3:GetBucketLocation",

    "s3:PutObject",

    "ram:GetResourceShareAssociations",

    "elasticfilesystem:DeleteAccessPoint",

    "elasticfilesystem:UntagResource",

    "elasticfilesystem:CreateFileSystem",

    "kms:GenerateDataKeyWithoutPlaintext",

    "backup:StartRestoreJob",

    "elasticfilesystem:PutLifecycleConfiguration",

    "elasticfilesystem:DeleteMountTarget",

    "elasticfilesystem:CreateAccessPoint",

    "elasticfilesystem:PutFileSystemPolicy",

    "elasticfilesystem:Restore",

    "backup:DeleteBackupVault",

    "backup:DescribeRestoreJob",

    "backup:CreateBackupVault",

    "backup-storage:MountCapsule",

    "elasticfilesystem:TagResource",

    "elasticfilesystem:CreateMountTarget",

    "elasticfilesystem:PutBackupPolicy",

    "elasticfilesystem:DeleteFileSystem",

    "elasticfilesystem:UpdateFileSystem",

    "ssm:DescribeInstanceInformation",

    "iam:ListInstanceProfiles",

    "s3:GetObject",

    "s3:DeleteObject",

    "kms:Encrypt",

    "kms:Decrypt"

    }