IAM Permissions Changelog

In this article

    This section describes the latest changes in IAM permissions required for Veeam Backup for AWS to perform operations.

    When you update Veeam Backup for AWS version 5 to version 5a, consider that additional permissions must be granted to the IAM roles:

    • For Veeam Backup for AWS to be able to collect and back up network interfaces of EC2 instances, EC2 Backup Policy IAM roles must be granted the following permissions:

    "ec2:DescribeAddresses",

    "ec2:DescribeNetworkInterfaces"

    • For Veeam Backup for AWS to be able to restore network interfaces of EC2 instances, EC2 Restore IAM roles must be granted the following permissions:

    "ec2:AllocateAddress",

    "ec2:AssignPrivateIpAddresses",

    "ec2:AssociateAddress",

    "ec2:AttachNetworkInterface",

    "ec2:CreateNetworkInterface",

    "ec2:DeleteNetworkInterface",

    "ec2:DescribeAddresses",

    "ec2:DisassociateAddress",

    "ec2:ModifyNetworkInterfaceAttribute"

    You can update the roles manually in AWS, or instruct Veeam Backup for AWS to do it as described in section Updating IAM Roles.

    Important

    If you instruct Veeam Backup for AWS to deploy worker instances in production accounts, you must assign additional permissions to IAM roles used to perform backup and restore operations. For more information on the required permissions, see sections EC2 Backup IAM Role Permissions and EC2 Restore IAM Permissions.