Step 4. Specify IAM Role Permissions
At the Permissions step of the wizard, you can define specific operations that Veeam Backup for AWS will be able to perform using the permissions of the created IAM role. Depending on the option that you have selected at the Type step of the wizard, Veeam Backup for AWS will do one of the following:
- If you have selected the IAM role from current account or the IAM role from another account option, Veeam Backup for AWS will be able to filter IAM roles and check their permissions in backup and restore settings, but it will not assign any permissions to the role.
  In this case, you can grant the permissions to the role manually using the AWS Management Console or instruct Veeam Backup for AWS to do it, as described in section Checking IAM Role Permissions.
- If you have selected the Create new IAM role option, Veeam Backup for AWS will be able to filter IAM roles and check their permissions in backup and restore settings, and will also assign the specified permissions to the role.
- If you have selected the Create template option, Veeam Backup for AWS will add the specified permissions to the created CloudFormation template or JSON policy document.
To specify permissions granularly, do the following:
- In the Specify IAM role permissions section, set the Specify granular permissions toggle to On.
- In the Veeam management roles section, choose actions that will be performed using the IAM role:
  - Worker deployment role — will be used to deploy worker instances in the backup account. If you choose this action for an IAM role, you will be able to select it when adding worker configurations.
  - Production worker role — will be used to communicate with worker instances in production accounts. If you choose this action for an IAM role, you will be able to select it when enabling indexing for EFS policies, creating EC2 backup policies, creating RDS backup policies, performing entire EC2 instance restore, performing EC2 volume-level restore or performing RDS database restore.
  - Repository role — will be used to create new repositories in Amazon S3 buckets and to further access the repositories during data protection and disaster recovery operations. If you choose this action for an IAM role, you will be able to select it when configuring repository settings.
Important: For Veeam Backup for AWS to perform the selected actions using the IAM role, the role must be assigned the permissions listed in sections Worker Deployment Role Permissions in Backup Account, Worker Deployment Role Permissions in Production Accounts and Repository IAM Permissions.
- In the Workload permissions section, choose resources that will be protected using the IAM role, and operations that will be performed with these resources:
  - Backup — Veeam Backup for AWS will protect EC2, Redshift, DynamoDB, EFS, FSx and VPC resources. If you select this operation for an IAM role, you will be able to select it in the EC2 backup, Redshift backup, DynamoDB backup, EFS backup, FSx backup and VPC configuration backup settings.
    Note that the list of permissions for this role will also contain additional permissions required to deploy worker instances in production accounts during EFS indexing and EC2 backup operations.
  - Replication — Veeam Backup for AWS will replicate cloud-native snapshots of EC2 and RDS resources. If you select this operation for an IAM role, you will be able to select it in the EC2 backup and RDS backup settings.
  - Snapshot — Veeam Backup for AWS will create cloud-native snapshots of RDS resources. If you select this operation for an IAM role, you will be able to select it in the RDS backup settings.
    Note that the list of permissions for this role will also contain additional permissions required to deploy worker instances in production accounts during RDS backup operations.
  - Restore — Veeam Backup for AWS will restore EC2, RDS, Redshift, DynamoDB, EFS, FSx and VPC resources. If you select this operation for an IAM role, you will be able to select it when performing entire EC2 instance restore, EC2 volume-level restore, EC2 file-level recovery, RDS restore, Redshift restore, DynamoDB restore, EFS restore, FSx restore, entire VPC configuration restore and selected VPC items restore.
    Note that the list of permissions for this role will also contain additional permissions required to deploy worker instances in production accounts during EC2 and RDS restore operations.
Important: For Veeam Backup for AWS to perform the selected operations using the IAM role, the role must be assigned the permissions listed in sections Backup IAM Permissions and Restore IAM Permissions.
Note that if you do not specify any management roles and resource permissions for the IAM role at this step, all the listed actions and resource operations will be selected for the role automatically.
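The following is an added example, not part of the Veeam documentation: a Python script for reviewing a JSON policy document, such as the one produced by the Create template option, against the workload operations you selected, so that a role left with all operations by default or granted wildcard actions is noticed before the policy is attached. The mapping from resource types to IAM action prefixes, the treatment of worker instances as EC2 instances and the sample policy are assumptions constructed for illustration; the authoritative permission lists are in the sections referenced above.

```python
import json

# Resource types per workload operation, as listed in the Workload permissions section.
OPERATION_RESOURCES = {
    "Backup": {"EC2", "Redshift", "DynamoDB", "EFS", "FSx", "VPC"},
    "Replication": {"EC2", "RDS"},
    "Snapshot": {"RDS"},
    "Restore": {"EC2", "RDS", "Redshift", "DynamoDB", "EFS", "FSx", "VPC"},
}
# Assumption: IAM action prefix per resource type (VPC actions use the ec2 prefix).
SERVICE_PREFIX = {"EC2": "ec2", "VPC": "ec2", "RDS": "rds", "Redshift": "redshift",
                  "DynamoDB": "dynamodb", "EFS": "elasticfilesystem", "FSx": "fsx"}
# Operations whose permission list also covers worker deployment, per the notes above.
# Assumption: worker instances are EC2 instances, so ec2 actions are expected.
WORKER_OPERATIONS = {"Backup", "Snapshot", "Restore"}

# Constructed sample, not a policy generated by Veeam Backup for AWS.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["rds:CreateDBSnapshot", "rds:DescribeDBInstances"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:DescribeInstances"], "Resource": "*"},
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
]})

def review_policy(policy_json, selected_operations):
    """Compare Allow actions in a policy document with the selected operations."""
    expected = set()
    for op in selected_operations:
        expected |= {SERVICE_PREFIX[r] for r in OPERATION_RESOURCES[op]}
        if op in WORKER_OPERATIONS:
            expected.add("ec2")
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    granted, wildcards = set(), []
    for statement in statements:
        if statement.get("Effect") != "Allow":
            continue
        actions = statement.get("Action", [])
        if isinstance(actions, str):  # Action may be a string or a list
            actions = [actions]
        for action in actions:
            granted.add(action.split(":", 1)[0].lower())
            if "*" in action:
                wildcards.append(action)
    return {"outside_scope": sorted(granted - expected),   # services to question
            "no_actions_for": sorted(expected - granted),  # selected but not granted
            "wildcards": wildcards}

if __name__ == "__main__":
    print(review_policy(SAMPLE_POLICY, ["Snapshot"]))
```

Services reported under outside_scope are prompts for review rather than findings, because the full permission lists in the referenced sections may include supporting services that this prefix mapping does not model.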