Plug-In Permissions
The accounts that AWS Plug-in for Veeam Backup & Replication uses to perform data protection and disaster recovery operations must be granted the permissions described in this section.
Veeam Backup & Replication User Account Permissions
A user account that you plan to use when installing and working with Veeam Backup & Replication must have permissions described in the Veeam Backup & Replication User Guide, section Installing and Using Veeam Backup & Replication.
Veeam Backup for AWS User Account Permissions
A user account that Veeam Backup & Replication will use to authenticate against the backup appliance and get access to the appliance functionality must be assigned the Portal Administrator role. For more information on user roles, see Managing User Accounts.
Note: When you deploy a backup appliance from the Veeam Backup & Replication console, Veeam Backup & Replication automatically creates the necessary user account and assigns it all the required permissions.
AWS Plug-in for Veeam Backup & Replication requires the following IAM identities:
- An IAM user whose permissions are used to create, connect and manage backup appliances. To be able to perform these operations, the specified IAM user must have the following set of permissions:
List of permissions to deploy a new backup appliance
Note: If EBS encryption is enabled for your AWS account, all newly created volumes will be encrypted using the default KMS key specified in the EC2 console. Therefore, for the IAM user to be able to encrypt the EBS volumes of the appliance, the following conditions must be met:
For more information on EBS encryption, see AWS Documentation.
List of permissions to connect an existing backup appliance
List of permissions to add a repository
List of permissions to encrypt repositories using AWS KMS keys
List of permissions to upgrade backup appliance to version 8.0
Note: For Veeam Backup & Replication to be able to upgrade permissions of the Default Backup Restore IAM role when upgrading to version 8.0, add the necessary permissions listed below to the IAM policy.
List of permissions to upgrade the Default Backup Restore IAM role
Full list of permissions
Important: The following permissions are only required to remove the resources created during appliance deployment, either when deployment fails or when the backup appliance is removed from the backup infrastructure: ec2:DeleteSubnet, ec2:DeleteSecurityGroup, ec2:DetachInternetGateway, ec2:DeleteInternetGateway, ec2:DeleteVpc. If you have not granted these permissions for security reasons, remove the resources manually using the AWS Management Console as described in AWS Documentation.
- IAM roles whose permissions are used to perform data protection and disaster recovery operations with AWS resources.
When you deploy a new backup appliance, the Default Backup Restore IAM role is automatically created and added to the appliance. The Default Backup Restore IAM role is assigned all permissions required to perform data protection and disaster recovery operations in the same AWS account where the backup appliance resides. For more information on the Default Backup Restore IAM role permissions, see Full List of IAM Permissions. However, you can create additional IAM roles with granular permissions and add them to the appliance as described in section Managing IAM Roles.
- IAM users whose access keys are specified to access standard backup repositories where the image-level backups are stored must have the permissions described in the Using Amazon S3 Object Storage section of the Veeam Backup & Replication User Guide if you plan to copy image-level backups or to restore guest OS files from image-level backups. To learn how to specify access keys of IAM users, see sections Connecting to Existing Appliance and Creating New Repositories.
- IAM users whose one-time access keys are used to automatically grant missing permissions to IAM users must have the following permissions: "iam:AttachUserPolicy", "iam:CreatePolicy", "iam:GetAccountSummary", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:ListPolicyVersions", "iam:ListAttachedUserPolicies"
Veeam Backup & Replication neither saves nor stores these one-time access keys in the configuration database.
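Before handing a one-time access key to the plug-in, an administrator usually wants to confirm that the key's user already carries the seven iam: actions listed above, and, for the deployment user, whether the optional ec2:Delete* cleanup permissions from the Important note were granted or deliberately left out. The following checker is an added example (not Veeam's code) that statically compares an IAM policy document against those action lists; it evaluates only Effect and Action with wildcard matching, and ignores Resource, Condition and NotAction, which is an assumption that makes it a coarse pre-check rather than a substitute for IAM's own evaluation.

```python
"""Static pre-check of an IAM policy document against the action sets this page lists.
Added example, not part of the Veeam documentation or product."""
import fnmatch
import json

# Actions the page requires for IAM users whose one-time access keys grant missing permissions.
ONE_TIME_KEY_ACTIONS = [
    "iam:AttachUserPolicy", "iam:CreatePolicy", "iam:GetAccountSummary",
    "iam:GetPolicy", "iam:GetPolicyVersion", "iam:ListPolicyVersions",
    "iam:ListAttachedUserPolicies",
]

# Actions the page marks as needed only to clean up a failed or removed appliance deployment.
CLEANUP_ACTIONS = [
    "ec2:DeleteSubnet", "ec2:DeleteSecurityGroup", "ec2:DetachInternetGateway",
    "ec2:DeleteInternetGateway", "ec2:DeleteVpc",
]

def _as_list(value):
    # IAM allows a single string or dict where a list is expected.
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def _matches(pattern, action):
    # IAM action names are case-insensitive and patterns may use '*' and '?'.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def granted_actions(policy, required):
    """Return the subset of `required` the policy allows and does not explicitly deny.
    Assumption: only Effect/Action are evaluated; Resource, Condition and NotAction are ignored."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in _as_list(stmt.get("Action")):
            bucket.update(a for a in required if _matches(pattern, a))
    return sorted(allowed - denied)

def missing_actions(policy_json, required=ONE_TIME_KEY_ACTIONS):
    """Return the required actions, in page order, that the policy does not grant."""
    have = set(granted_actions(json.loads(policy_json), required))
    return [a for a in required if a not in have]

# Constructed sample: read-only iam:Get*/iam:List* wildcards, no write actions, no ec2 cleanup.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}],
})

if __name__ == "__main__":
    print("missing one-time-key actions:", missing_actions(SAMPLE_POLICY))
    print("missing cleanup actions:", missing_actions(SAMPLE_POLICY, CLEANUP_ACTIONS))
```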
Virtualization Servers and Hosts Service Account Permissions
If you plan to copy backups to on-premises backup repositories, to perform restore to VMware vSphere and Microsoft Hyper-V environments, or to perform other tasks related to virtualization servers and hosts, you must check whether the service account specified for these servers and hosts has the required permissions described in the Veeam Backup & Replication User Guide for VMware vSphere and Veeam Backup & Replication User Guide for Microsoft Hyper-V, section Using Virtualization Servers and Hosts.
Microsoft Azure Account Permissions
An Azure AD application that you plan to use to restore EC2 instances to Microsoft Azure must have permissions described in the Veeam Backup & Replication User Guide, section Permissions.
Google Cloud Service Account Permissions
A service account that you plan to use to restore EC2 instances to Google Cloud must have permissions described in the Veeam Backup & Replication User Guide, section Google Compute Engine IAM User Permissions.