AWS Organizations

Veeam Backup for AWS allows you to protect AWS resources that belong to AWS accounts within AWS Organizations. To ensure flexibility in data protection, you can provide Veeam Backup for AWS full or limited access to account resources across organizational units.

How To Protect Resources of AWS Organizations

To be able to perform data protection operations with AWS resources of an AWS Organization, perform the following steps:

1. Create at least 2 IAM role templates that will help you configure IAM roles whose permissions will be used to perform the following actions:

• Organization rescan IAM role — permissions of this role will be used to collect information on the organization,
• Backup and restore IAM role — permissions of this role will be used to perform backup and restore operations with resources of the organization.
• [Optional] Production worker IAM role — permissions of this role will be used to communicate with worker instances deployed in production accounts.

As soon as you create the templates, Veeam Backup for AWS will export them to your workstation as .CFORM or .JSON files.

2. Create the necessary IAM roles in AWS:

• For templates in the CloudFormation format, upload the files to the CloudFormation service and use these files to create the necessary IAM roles automatically, as described in AWS Documentation.
• For templates in the JSON format, use the files to create IAM policies in the IAM console and attach the policies to the necessary IAM roles manually, as described in Appendix A. Creating IAM Roles in AWS and Appendix B. Creating IAM Policies in AWS.

3. Add the Organization rescan IAM role to Veeam Backup for AWS.
4. Add the AWS Organization to Veeam Backup for AWS. You will be able to choose whether you want to protect resources across the entire organization or across a limited scopes of organizational units.
5. [Optional] Configure worker instance settings to deploy workers while processing EC2 and DB instance data.
6. Create a backup policy and specify the AWS Organization as the data protection scope. You will be able to protect either the entire organization or a limited scope of organizational units.