IAM Permissions Changelog

This section describes the latest changes in IAM permissions required for Veeam Backup for AWS to perform operations.

When you update Veeam Backup for AWS from version 6.a to version 7.0, additional permissions must be granted to the IAM roles:

  • For Veeam Backup for AWS to be able to use the Standard accelerated mode when performing restore from backups stored in repositories of the S3 Glacier Flexible Retrieval or S3 Glacier Deep Archive storage class, IAM roles specified in the repository settings must meet the following requirements:
  1. The Amazon S3 Batch Operations service must be granted permissions to assume the IAM roles.

To allow the AWS service to assume an IAM role, configure trust relationships for the role and add the following statement to the trust policy.

{
 "Version": "2012-10-17",
 "Statement": [
   {
     "Effect": "Allow",
     "Action": "sts:AssumeRole",
     "Principal": {
       "Service": "batchoperations.s3.amazonaws.com"
     }
   }
 ]
}

To learn how to modify role trust policies, see AWS Documentation.

  2. The IAM roles must be granted the following permissions:

{
 "Version": "2012-10-17",
 "Statement": [
   {
     "Effect": "Allow",
     "Action": [
       "s3:CreateJob",
       "s3:DescribeJob",
       "iam:PassRole"
     ],
     "Resource": "*"
   }
 ]
}

If you plan to enable the private network deployment functionality, the IAM roles must be granted the following additional permissions:

"ec2:DescribeVpcEndpoints"
"ec2:DescribeSnapshotAttribute"

You can update the roles manually using the AWS Management Console or instruct Veeam Backup for AWS to do it, as described in section Updating IAM Roles.
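One way to check exported role documents against the requirements listed above, as an added example that is not part of the Veeam documentation. The function names and the sample policies are constructed for illustration, and the check reads only Effect, Action and Principal (Resource and Condition scoping are not evaluated).

```python
import json
from fnmatch import fnmatchcase

# Service principal and action names copied from the page above.
BATCH_OPS = "batchoperations.s3.amazonaws.com"
REQUIRED = ["s3:CreateJob", "s3:DescribeJob", "iam:PassRole"]
PRIVATE_NETWORK = ["ec2:DescribeVpcEndpoints", "ec2:DescribeSnapshotAttribute"]

def as_list(value):
    """IAM allows Action and Principal.Service to be a string or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def statements(policy, effect):
    """Statements with the given Effect; Statement may be one object or a list."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s for s in stmts if s.get("Effect") == effect]

def matches(action, patterns):
    # IAM action names are case-insensitive; * and ? act as wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def trust_allows_batch_ops(trust_policy):
    """True if S3 Batch Operations may assume the role (requirement 1)."""
    for s in statements(trust_policy, "Allow"):
        principal = s.get("Principal", {})
        services = as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if BATCH_OPS in services and matches("sts:AssumeRole", as_list(s.get("Action"))):
            return True
    return False

def missing_actions(policies, private_network=False):
    """Required actions that no Allow covers, or that any Deny names (review those)."""
    wanted = REQUIRED + (PRIVATE_NETWORK if private_network else [])
    allowed = [a for p in policies for s in statements(p, "Allow") for a in as_list(s.get("Action"))]
    denied = [a for p in policies for s in statements(p, "Deny") for a in as_list(s.get("Action"))]
    return [a for a in wanted if not matches(a, allowed) or matches(a, denied)]

# Constructed sample documents (not from a real account).
SAMPLE_TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "sts:AssumeRole",
   "Principal": {"Service": ["ec2.amazonaws.com", "batchoperations.s3.amazonaws.com"]}}]}""")
SAMPLE_PERMS = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:*Job", "ec2:Describe*"], "Resource": "*"}]}""")

if __name__ == "__main__":
    print("trust ok:", trust_allows_batch_ops(SAMPLE_TRUST))
    print("missing:", missing_actions([SAMPLE_PERMS], private_network=True))
```

With the constructed samples, the trust check passes and the only missing action is iam:PassRole.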