IAM Permissions Changelog
This section describes the latest changes in IAM permissions required for Veeam Backup for AWS to perform operations.
When you update Veeam Backup for AWS version 8 to version 9, consider that additional permissions must be granted to the following IAM roles:
- For Veeam Backup for AWS to be able to back up EFS file systems, the IAM roles specified in the organization settings or in the EFS backup policy settings must be granted the following additional permission:
- For Veeam Backup for AWS to be able to back up EC2 instances, the IAM roles specified in the organization settings or in the EC2 backup policy settings must be granted the following additional permission:
- For Veeam Backup for AWS to be able to deploy worker instances in production accounts when performing EC2 file-level recovery operations, the FLR worker role must be granted the following additional permission:
- For Veeam Backup for AWS to be able to deploy worker instances in production accounts when performing backup and restore operations, the worker deployment role must be granted the following additional permission:
- The "kms:GenerateDataKey*" permission has been replaced by the "kms:GenerateDataKey" permission in the Redshift Cluster Restore IAM Permissions list.
You can update the roles manually using the AWS Management Console or instruct Veeam Backup for AWS to do it, as described in section Updating IAM Roles.
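The replacement of "kms:GenerateDataKey*" with "kms:GenerateDataKey" listed above narrows the grant from a wildcard to a single KMS action. The following is an added example, not Veeam code, that checks an IAM policy document for Action patterns that still allow other GenerateDataKey-family actions after a manual update. The sample policies are constructed, the function names are hypothetical, and only Allow statements with Action (not NotAction or Deny) are evaluated.

```python
import re

# KMS API actions whose names start with "GenerateDataKey".
FAMILY = ["kms:GenerateDataKey", "kms:GenerateDataKeyPair",
          "kms:GenerateDataKeyPairWithoutPlaintext",
          "kms:GenerateDataKeyWithoutPlaintext"]
REQUIRED = "kms:GenerateDataKey"  # exact action the changelog now lists


def _as_list(value):
    # IAM accepts a single string/object wherever a list is allowed.
    return value if isinstance(value, list) else [] if value is None else [value]


def _matches(pattern, action):
    # IAM action matching is case-insensitive; '*' and '?' are wildcards.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def audit_generate_data_key(policy):
    # Returns (findings, required_granted). A finding is (sid, pattern, extra):
    # an Allow pattern granting family actions beyond the exact REQUIRED one.
    findings, required_granted = [], False
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            granted = [a for a in FAMILY if _matches(pattern, a)]
            required_granted = required_granted or REQUIRED in granted
            extra = [a for a in granted if a != REQUIRED]
            if extra:
                findings.append((stmt.get("Sid", "<no Sid>"), pattern, extra))
    return findings, required_granted


# Constructed sample policies (not Veeam's actual permission lists).
OLD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "RestoreKms", "Effect": "Allow", "Resource": "*",
     "Action": ["kms:Decrypt", "kms:GenerateDataKey*"]}]}
NEW_POLICY = {"Version": "2012-10-17", "Statement": {
    "Sid": "RestoreKms", "Effect": "Allow", "Resource": "*",
    "Action": ["kms:Decrypt", "kms:GenerateDataKey"]}}

if __name__ == "__main__":
    for name, doc in (("old", OLD_POLICY), ("new", NEW_POLICY)):
        print(name, audit_generate_data_key(doc))
```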
Important
Veeam Backup for AWS version 9 comes with 2 major features: the ability to protect resources within AWS Organizations and to protect Redshift Serverless namespaces. For the list of permissions required to collect information on AWS Organizations, see Organization Rescan IAM Permissions. For the list of permissions required to perform backup and restore operations with Redshift Serverless namespaces, see sections Redshift Serverless Backup IAM Role Permissions and Redshift Serverless Restore IAM Permissions.