IAM Permissions Changelog

When you update Veeam Backup for AWS from version 7.0 to version 8.0, the following additional permissions must be granted to the IAM roles:

  • For Veeam Backup for AWS to be able to deploy worker instances in the backup account when performing backup and restore operations, the worker deployment role (service IAM role) must be granted the following additional permission:

"sqs:SetQueueAttributes"

  • For Veeam Backup for AWS to be able to back up EC2 instances with instance profiles attached, the IAM role specified in the backup policy settings must be granted the following additional permission:

"iam:GetInstanceProfile"

  • For Veeam Backup for AWS to be able to restore EC2 instances with instance profiles attached and deploy worker instances in production accounts, the IAM role specified in the restore settings must be granted the following additional permissions:

"ec2:AssociateIamInstanceProfile",

"iam:GetInstanceProfile",

"iam:ListInstanceProfiles",

"servicequotas:ListServiceQuotas",

"sqs:SetQueueAttributes"

  • For Veeam Backup for AWS to be able to perform EC2 file-level recovery operations and deploy worker instances in production accounts, the IAM role specified in the restore settings must be granted the following additional permissions:

"servicequotas:ListServiceQuotas",

"sqs:SetQueueAttributes"

  • For Veeam Backup for AWS to be able to perform RDS backup, the IAM role specified in the backup policy settings must be granted the following additional permissions:

"ec2:DescribeVpcs",

"servicequotas:ListServiceQuotas"

  • For Veeam Backup for AWS to be able to perform RDS database restore operations, the IAM role specified in the restore settings must be granted the following additional permissions:

"ec2:DescribeVpcs",

"servicequotas:ListServiceQuotas",

"sqs:SetQueueAttributes"

  • For Veeam Backup for AWS to be able to back up EFS file systems, the IAM role specified in the backup policy settings must be granted the following additional permissions:

"sqs:SendMessage",

"servicequotas:ListServiceQuotas"

Also, the IAM role that is attached to worker instances and specified in the backup policy settings must be granted the following additional permissions:

"sqs:DeleteMessage",

"sqs:ListQueues",

"sqs:ReceiveMessage",

"sqs:SendMessage"

The following permission has been removed from the Worker Deployment Role Permissions in Production Accounts list:

"sts:AssumeRole"

  • For Veeam Backup for AWS to be able to perform DynamoDB backup, the IAM role specified in the backup policy settings must be granted the following additional permission:

"ec2:DescribeAvailabilityZones"

You can update the roles manually using the AWS Management Console or instruct Veeam Backup for AWS to do it, as described in section Updating IAM Roles.
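
If you update the roles manually, the check below reports which of the actions listed above a role's policy document still lacks, and whether the removed "sts:AssumeRole" is still granted. It is an added example, not Veeam's code. Assumptions: the role labels used as dictionary keys are invented here, and only the Action lists of Allow statements are evaluated (Deny, NotAction, Resource and Condition are ignored).

```python
import fnmatch

# Additional actions per IAM role, copied from the changelog above.
# The dictionary keys are labels invented for this example.
REQUIRED_8_0 = {
    "worker_deployment_backup_account": ["sqs:SetQueueAttributes"],
    "ec2_backup": ["iam:GetInstanceProfile"],
    "ec2_restore": ["ec2:AssociateIamInstanceProfile", "iam:GetInstanceProfile",
                    "iam:ListInstanceProfiles", "servicequotas:ListServiceQuotas",
                    "sqs:SetQueueAttributes"],
    "ec2_file_level_recovery": ["servicequotas:ListServiceQuotas", "sqs:SetQueueAttributes"],
    "rds_backup": ["ec2:DescribeVpcs", "servicequotas:ListServiceQuotas"],
    "rds_restore": ["ec2:DescribeVpcs", "servicequotas:ListServiceQuotas",
                    "sqs:SetQueueAttributes"],
    "efs_backup": ["sqs:SendMessage", "servicequotas:ListServiceQuotas"],
    "efs_worker_instance": ["sqs:DeleteMessage", "sqs:ListQueues",
                            "sqs:ReceiveMessage", "sqs:SendMessage"],
    "dynamodb_backup": ["ec2:DescribeAvailabilityZones"],
}
# Removed from the 8.0 list; flagged so it can be reviewed for least privilege.
REMOVED_8_0 = {"worker_deployment_production_account": ["sts:AssumeRole"]}

def allowed_patterns(policy):
    """Return lower-cased Action patterns from every Allow statement."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be a bare object
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns += [a.lower() for a in ([actions] if isinstance(actions, str) else actions)]
    return patterns

def is_granted(action, patterns):
    # IAM action names are case-insensitive and accept * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)

def audit(role, policy):
    """Return (missing, stale) action lists for one role label."""
    patterns = allowed_patterns(policy)
    missing = [a for a in REQUIRED_8_0.get(role, []) if not is_granted(a, patterns)]
    stale = [a for a in REMOVED_8_0.get(role, []) if is_granted(a, patterns)]
    return missing, stale

# Constructed sample policy, not taken from a real deployment.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "iam:GetInstanceProfile"], "Resource": "*"},
    {"Effect": "Allow", "Action": "SQS:SetQueueAttributes", "Resource": "*"}]}

if __name__ == "__main__":
    print(audit("ec2_restore", SAMPLE_POLICY))
```

Feed it the JSON policy document exported for each role; an empty pair of lists means the role matches the 8.0 changes listed on this page.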