IAM Permissions Changelog
This section describes the latest changes in IAM permissions required for Veeam Backup for AWS to perform operations.
When you update Veeam Backup for AWS from version 7.0 to version 8.0, additional permissions must be granted to the following IAM roles:
- For Veeam Backup for AWS to be able to deploy worker instances in the backup account when performing backup and restore operations, the worker deployment role (service IAM role) must be granted the following additional permission:
"sqs:SetQueueAttributes"
- For Veeam Backup for AWS to be able to back up EC2 instances with instance profiles attached, the IAM role specified in the backup policy settings must be granted the following additional permission:
"iam:GetInstanceProfile"
- For Veeam Backup for AWS to be able to restore EC2 instances with instance profiles attached and deploy worker instances in production accounts, the IAM role specified in the restore settings must be granted the following additional permissions:
"ec2:AssociateIamInstanceProfile", "iam:GetInstanceProfile", "iam:ListInstanceProfiles", "servicequotas:ListServiceQuotas", "sqs:SetQueueAttributes"
- For Veeam Backup for AWS to be able to perform EC2 file-level recovery operations and deploy worker instances in production accounts, the IAM role specified in the restore settings must be granted the following additional permissions:
"servicequotas:ListServiceQuotas", "sqs:SetQueueAttributes"
- For Veeam Backup for AWS to be able to perform RDS backup, the IAM role specified in the backup policy settings must be granted the following additional permissions:
"ec2:DescribeVpcs", "servicequotas:ListServiceQuotas"
- For Veeam Backup for AWS to be able to perform RDS database restore operations, the IAM role specified in the restore settings must be granted the following additional permissions:
"ec2:DescribeVpcs", "servicequotas:ListServiceQuotas", "sqs:SetQueueAttributes"
- For Veeam Backup for AWS to be able to back up EFS file systems, the IAM role specified in the backup policy settings must be granted the following additional permissions:
"sqs:SendMessage", "servicequotas:ListServiceQuotas"
Also, the IAM role that is attached to worker instances and specified in the backup policy settings must be granted the following additional permissions:
"sqs:DeleteMessage", "sqs:ListQueues", "sqs:ReceiveMessage", "sqs:SendMessage"
The following permission has been removed from the Worker Deployment Role Permissions in Production Accounts list:
"sts:AssumeRole"
- For Veeam Backup for AWS to be able to perform DynamoDB backup, the IAM role specified in the backup policy settings must be granted the following additional permission:
"ec2:DescribeAvailabilityZones"
You can update the roles manually using the AWS Management Console or instruct Veeam Backup for AWS to do it, as described in section Updating IAM Roles.
Important
Veeam Backup for AWS version 8.0 comes with 2 major features: the ability to protect Redshift clusters and FSx file systems. For the list of permissions required to perform backup and restore operations with these workloads, see sections Redshift Backup IAM Role Permissions, FSx Backup IAM Role Permissions, Redshift Restore IAM Permissions and FSx Restore IAM Permissions.
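One way to check an existing role policy against the version 8.0 additions listed above, and to spot the permission that is no longer listed, shown as an added example that is not Veeam's own code. The role labels used as dictionary keys, the audit helper and the sample policy are assumptions made for illustration.

```python
import fnmatch

# v8.0 additions from the changelog above; the dictionary keys are hypothetical labels.
REQUIRED = {
    "worker-deployment-backup-account": {"sqs:SetQueueAttributes"},
    "ec2-backup": {"iam:GetInstanceProfile"},
    "ec2-restore": {"ec2:AssociateIamInstanceProfile", "iam:GetInstanceProfile",
                    "iam:ListInstanceProfiles", "servicequotas:ListServiceQuotas",
                    "sqs:SetQueueAttributes"},
    "ec2-file-level-recovery": {"servicequotas:ListServiceQuotas", "sqs:SetQueueAttributes"},
    "rds-backup": {"ec2:DescribeVpcs", "servicequotas:ListServiceQuotas"},
    "rds-restore": {"ec2:DescribeVpcs", "servicequotas:ListServiceQuotas", "sqs:SetQueueAttributes"},
    "efs-backup": {"sqs:SendMessage", "servicequotas:ListServiceQuotas"},
    "efs-backup-worker": {"sqs:DeleteMessage", "sqs:ListQueues", "sqs:ReceiveMessage",
                          "sqs:SendMessage"},
    "dynamodb-backup": {"ec2:DescribeAvailabilityZones"},
}
# Removed from the production-account worker deployment role list in v8.0.
NO_LONGER_LISTED = {"worker-deployment-production": {"sts:AssumeRole"}}

def allowed_patterns(policy):
    """Return Action patterns from Allow statements; Action may be a string or a list."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear without a list
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            actions = stmt["Action"]
            patterns += [actions] if isinstance(actions, str) else list(actions)
    return patterns

def granted(action, patterns):
    # IAM action names are case-insensitive and support * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def audit(role_kind, policy):
    """Return (missing v8.0 additions, still-granted actions no longer listed)."""
    patterns = allowed_patterns(policy)
    missing = sorted(a for a in REQUIRED.get(role_kind, ()) if not granted(a, patterns))
    stale = sorted(a for a in NO_LONGER_LISTED.get(role_kind, ()) if granted(a, patterns))
    return missing, stale

# Constructed sample policy for a restore role; not taken from a real account.
SAMPLE_RESTORE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "iam:GetInstanceProfile", "sqs:*"]},
    {"Effect": "Deny", "Action": "iam:ListInstanceProfiles", "Resource": "*"}]}
```

For the constructed sample, audit("ec2-restore", SAMPLE_RESTORE_POLICY) reports three missing actions, including "iam:ListInstanceProfiles", which appears only in a Deny statement. The check reads the Allow statements of a single policy document; resource scoping, conditions, permissions boundaries and service control policies are not evaluated.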