Step 3. Specify IAM Roles

At the IAM Roles step of the wizard, do the following:

  1. From the Organization rescan IAM role drop-down list, select an IAM role whose permissions will be used to collect information on the AWS Organization. The selected role must belong to the AWS account that is used to manage the AWS Organization — you must create the role in AWS beforehand either using a CloudFormation template or a JSON policy document.

For an IAM role to be displayed in the list of available roles, it must be added to Veeam Backup for AWS with the Organization rescan role selected, as described in section Adding IAM Roles. If you have not added the IAM role to Veeam Backup for AWS beforehand, you can do it without closing the Add Organization wizard. To do that, click Add and complete the Add IAM Role wizard.

Important

It is recommended that you check whether the selected IAM role has all the permissions required to perform rescan operations. If some permissions of the IAM role are missing, Veeam Backup for AWS will fail to collect information on the organization and some of your data may end up unprotected. For more information on the required permissions, see Organization Rescan IAM Permissions.

To run the IAM role permission check, click Check Permissions. Veeam Backup for AWS will display the Permission check window where you can track the progress and view the results of the performed check. If some permissions of the IAM role are missing, the check will complete with errors, and the list of permissions that must be granted to the IAM role will be displayed in the Missing Permissions column. Note that you can grant the missing permissions using the AWS Management Console only, as described in Appendix B. Creating IAM Policies in AWS.

  2. In the Backup and restore IAM role name field, enter the name (as specified in AWS) of an IAM role whose permissions will be used to access AWS services and resources, and to perform backup and restore operations. The role must belong to each AWS account within the AWS Organization — you must create the role in AWS beforehand either using a CloudFormation template or a JSON policy document.
  3. In the Production worker IAM role name field, enter the name (as specified in AWS) of an IAM role whose permissions will be used to communicate with workers deployed in production accounts to index EFS file systems, and to perform operations with EC2 and RDS resources. The role must belong to each AWS account within the AWS Organization — you must create the role in AWS beforehand either using a CloudFormation template or a JSON policy document.

If you do not enter a Production worker IAM role name, Veeam Backup for AWS will use permissions of the Backup and restore IAM role both to deploy worker instances in production accounts and to communicate with these instances. In this case, it is recommended that you make sure that the Backup and restore IAM role has the additional permissions listed in section Worker Deployment Options.

Tip

If you have not created the necessary IAM role in AWS beforehand, you can do it without closing the Add Organization wizard. To do that, click Create Template and complete the Create IAM Roles Template wizard as described in section Creating IAM Roles Template for AWS Organization.
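The following added example (not part of the Veeam documentation or product) shows an offline pre-check of a JSON policy document against a list of required actions before the role is added, producing a list comparable to the Missing Permissions column. The required-action list and the policy are constructed samples; the real list is in Organization Rescan IAM Permissions. The check assumes identity policies that use `Action` only and ignores `Resource`, `Condition` and `NotAction`.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample: NOT the product's required list. Take the real one from
# the "Organization Rescan IAM Permissions" section of the documentation.
REQUIRED_ACTIONS = [
    "organizations:DescribeOrganization",
    "organizations:ListAccounts",
    "organizations:ListRoots",
    "organizations:ListOrganizationalUnitsForParent",
]

# Constructed sample policy document for a hypothetical rescan role.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["organizations:List*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "organizations:ListRoots", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM accepts a single string or object where a list is expected."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _patterns(policy, effect):
    """Collect lower-cased Action patterns from statements with the given Effect."""
    found = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == effect:
            found += [a.lower() for a in _as_list(stmt.get("Action"))]
    return found


def missing_permissions(policy, required):
    """Return required actions that are not allowed, or are explicitly denied."""
    allow, deny = _patterns(policy, "Allow"), _patterns(policy, "Deny")

    def hit(action, pats):
        # IAM action matching is case-insensitive and supports * and ? wildcards.
        return any(fnmatchcase(action.lower(), p) for p in pats)

    # An explicit Deny overrides any Allow, so a denied action counts as missing.
    return [a for a in required if hit(a, deny) or not hit(a, allow)]
```

A non-empty result means the policy document needs to be corrected in AWS before running Check Permissions in the wizard.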


Page updated 3/28/2025

Page content applies to build 9.0.0.304