Plug-In Permissions

To perform backup and restore operations, accounts that AWS Plug-in for Veeam Backup & Replication uses to perform data protection and disaster recovery operations must be granted the following permissions.

Veeam Backup & Replication User Account Permissions

A user account that you plan to use when installing and working with Veeam Backup & Replication must have permissions described in the Veeam Backup & Replication User Guide, section Installing and Using Veeam Backup & Replication.

Veeam Backup for AWS User Account Permissions

A user account that Veeam Backup & Replication will use to authenticate against the backup appliance and get access to the appliance functionality must be assigned the Portal Administrator role. For more information on user roles, see Managing User Accounts.

Note

When you deploy a backup appliance from the Veeam Backup & Replication console, Veeam Backup & Replication will automatically create the necessary user account that will be assigned all the required permissions.

AWS IAM User Permissions

AWS Plug-in for Veeam Backup & Replication requires the following IAM identities:

An IAM user whose permissions are used to create, connect and manage backup appliances. To be able to perform these operations, the specified IAM user must have the following set of permissions:

Plug-In Permissions Full list of permissions

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Action": [

"cloudwatch:DeleteAlarms",

"cloudwatch:PutMetricAlarm",

"dlm:CreateLifecyclePolicy",

"dlm:DeleteLifecyclePolicy",

"ec2:AllocateAddress",

"ec2:AssociateAddress",

"ec2:AttachInternetGateway",

"ec2:AttachVolume",

"ec2:AuthorizeSecurityGroupIngress",

"ec2:CreateSnapshot",

"ec2:CreateInternetGateway",

"ec2:CreateRoute",

"ec2:CreateSecurityGroup",

"ec2:CreateSubnet",

"ec2:CreateVolume",

"ec2:CreateKeyPair",

"ec2:CreateTags",

"ec2:CreateVpc",

"ec2:DeleteVolume",

"ec2:DeleteSubnet",

"ec2:DeleteSecurityGroup",

"ec2:DetachInternetGateway",

"ec2:DeleteInternetGateway",

"ec2:DeleteVpc",

"ec2:DescribeRouteTables",

"ec2:DetachVolume",

"ec2:DeleteVolume",

"ec2:DescribeVolumes",

"ec2:DescribeSnapshots",

"ec2:DeleteSnapshot",

"ec2:DescribeAvailabilityZones",

"ec2:DescribeAddresses",

"ec2:DescribeImages",

"ec2:DescribeInstances",

"ec2:DescribeInstanceAttribute",

"ec2:DescribeVolumeAttribute",

"ec2:ModifyInstanceAttribute",

"ec2:DescribeRegions",

"ec2:DescribeInstanceTypes",

"ec2:DescribeInternetGateways",

"ec2:DescribeKeyPairs",

"ec2:DescribeSecurityGroups",

"ec2:DescribeSubnets",

"ec2:DescribeVpcs",

"ec2:DescribeIamInstanceProfileAssociations",

"ec2:DisassociateAddress",

"ec2:RunInstances",

"ec2:StopInstances",

"ec2:StartInstances",

"ec2:ModifyVpcAttribute",

"ec2:ReleaseAddress",

"ec2:TerminateInstances",

"iam:AddRoleToInstanceProfile",

"iam:AttachRolePolicy",

"iam:CreateInstanceProfile",

"iam:CreatePolicy",

"iam:CreateRole",

"iam:CreatePolicyVersion",

"iam:CreateServiceLinkedRole",

"iam:DeleteInstanceProfile",

"iam:DeleteRolePolicy",

"iam:DeleteRole",

"iam:DeletePolicy",

"iam:DeletePolicyVersion",

"iam:DetachRolePolicy",

"iam:GetInstanceProfile",

"iam:GetPolicy",

"iam:GetRole",

"iam:GetPolicyVersion",

"iam:GetAccountSummary",

"iam:ListAttachedRolePolicies",

"iam:ListPolicyVersions",

"iam:ListInstanceProfilesForRole",

"iam:ListRolePolicies",

"iam:PassRole",

"iam:PutRolePolicy",

"iam:SimulatePrincipalPolicy",

"iam:UpdateAssumeRolePolicy",

"kms:Decrypt",

"kms:DescribeKey",

"kms:Encrypt",

"kms:ListAliases",

"kms:ListKeys",

"s3:CreateBucket",

"s3:DeleteObject",

"s3:DeleteObjectVersion",

"s3:GetBucketLocation",

"s3:GetObject",

"s3:GetObjectRetention",

"s3:GetObjectVersion",

"s3:GetBucketObjectLockConfiguration",

"s3:GetBucketVersioning",

"s3:ListAllMyBuckets",

"s3:ListBucketVersions",

"s3:ListBucket",

"s3:PutObject",

"s3:PutObjectRetention",

"ssm:GetCommandInvocation",

"ssm:SendCommand",

"sts:GetCallerIdentity",

"servicequotas:ListServiceQuotas"

"Resource": "*"

}

]

}

Plug-In Permissions List of permissions to deploy a backup appliance

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Action": [

"cloudwatch:PutMetricAlarm",

"cloudwatch:DeleteAlarms",

"dlm:CreateLifecyclePolicy",

"dlm:DeleteLifecyclePolicy",

"ec2:AllocateAddress",

"ec2:AssociateAddress",

"ec2:AttachVolume",

"ec2:AttachInternetGateway",

"ec2:AuthorizeSecurityGroupIngress",

"ec2:CreateSnapshot",

"ec2:CreateKeyPair",

"ec2:CreateTags",

"ec2:CreateVpc",

"ec2:CreateVolume",

"ec2:CreateInternetGateway",

"ec2:CreateRoute",

"ec2:CreateSecurityGroup",

"ec2:CreateInternetGateway",

"ec2:CreateSubnet",

"ec2:DeleteSnapshot",

"ec2:DescribeInstanceAttribute",

"ec2:DetachVolume",

"ec2:DescribeSnapshots",

"ec2:DescribeRouteTables",

"ec2:DescribeAvailabilityZones",

"ec2:DescribeAddresses",

"ec2:DescribeImages",

"ec2:DescribeInstances",

"ec2:DescribeRegions",

"ec2:DescribeInstanceTypes",

"ec2:DescribeInternetGateways",

"ec2:DescribeKeyPairs",

"ec2:DescribeSecurityGroups",

"ec2:DescribeSubnets",

"ec2:DescribeVpcs",

"ec2:DescribeVolumes",

"ec2:DescribeIamInstanceProfileAssociations",

"ec2:DeleteVolume",

"ec2:DeleteSubnet",

"ec2:DeleteSecurityGroup",

"ec2:DetachInternetGateway",

"ec2:DeleteInternetGateway",

"ec2:DeleteVpc",

"ec2:RunInstances",

"ec2:DisassociateAddress",

"ec2:ReleaseAddress",

"ec2:ModifyVpcAttribute",

"ec2:TerminateInstances",

"ec2:StopInstances",

"ec2:StartInstances",

"iam:AddRoleToInstanceProfile",

"iam:AttachRolePolicy",

"iam:CreateInstanceProfile",

"iam:CreatePolicy",

"iam:CreatePolicyVersion",

"iam:CreateRole",

"iam:CreateTags",

"iam:CreateServiceLinkedRole",

"iam:DeleteInstanceProfile",

"iam:DeleteRolePolicy",

"iam:DeleteRole",

"iam:DeletePolicy",

"iam:DeletePolicyVersion",

"iam:DetachRolePolicy",

"iam:GetInstanceProfile",

"iam:GetPolicy",

"iam:GetRole",

"iam:GetAccountSummary",

"iam:GetPolicyVersion",

"iam:PassRole",

"iam:PutRolePolicy",

"iam:SimulatePrincipalPolicy",

"iam:ListAttachedRolePolicies",

"iam:ListPolicyVersions",

"iam:RemoveRoleFromInstanceProfile",

"iam:UpdateAssumeRolePolicy",

"ssm:GetCommandInvocation",

"ssm:SendCommand",

"sts:GetCallerIdentity",

"servicequotas:ListServiceQuotas"

"Resource": "*"

}

]

}

Plug-In Permissions List of permissions to connect a backup appliance

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Action": [

"ec2:AttachVolume",

"ec2:CreateSnapshot",

"ec2:CreateVolume",

"ec2:DescribeAddresses",

"ec2:DescribeAvailabilityZones",

"ec2:DescribeInstances",

"ec2:DescribeRegions",

"ec2:DescribeVolumes",

"ec2:DescribeSnapshots",

"ec2:DescribeIamInstanceProfileAssociations",

"ec2:DescribeInstanceAttribute",

"ec2:DescribeImages",

"ec2:DescribeVolumeAttribute",

"ec2:DeleteSnapshot",

"ec2:DetachVolume",

"ec2:DeleteVolume",

"ec2:ModifyInstanceAttribute",

"ec2:RunInstances",

"ec2:StopInstances",

"ec2:StartInstances",

"ec2:TerminateInstances",

"iam:AddRoleToInstanceProfile",

"iam:AttachRolePolicy",

"iam:CreateInstanceProfile",

"iam:CreatePolicy",

"iam:CreatePolicyVersion",

"iam:GetAccountSummary",

"iam:GetPolicy",

"iam:GetPolicyVersion",

"iam:GetRole",

"iam:GetInstanceProfile",

"iam:ListAttachedRolePolicies",

"iam:ListInstanceProfilesForRole",

"iam:ListRolePolicies",

"iam:PutRolePolicy",

"iam:SimulatePrincipalPolicy",

"iam:ListPolicyVersions",

"iam:UpdateAssumeRolePolicy",

"sts:GetCallerIdentity"

"Resource": "*"

}

]

}

List of permissions to add a repository

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Action": [

"ec2:DescribeRegions",

"ec2:DescribeAddresses",

"ec2:DescribeInstances",

"iam:GetRole",

"iam:SimulatePrincipalPolicy",

"s3:CreateBucket",

"s3:DeleteObject",

"s3:DeleteObjectVersion",

"s3:GetBucketLocation",

"s3:GetBucketVersioning",

"s3:GetBucketObjectLockConfiguration",

"s3:GetObject",

"s3:GetObjectVersion",

"s3:GetObjectRetention",

"s3:ListBucket",

"s3:ListAllMyBuckets",

"s3:ListBucketVersions",

"s3:PutBucketVersioning",

"s3:PutBucketObjectLockConfiguration",

"s3:PutObjectRetention",

"s3:PutObject"

"Resource": "*"

}

]

}

List of permissions to encrypt repositories using AWS KMS keys

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Action": [

"kms:Decrypt",

"kms:DescribeKey",

"kms:Encrypt",

"kms:ListAliases",

"kms:ListKeys"

"Resource": "*"

}

]

}

List of permissions to upgrade backup appliance to version 7.0

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Action": [

"iam:GetRole",

"iam:SimulatePrincipalPolicy",

"ec2:AttachVolume",

"ec2:CreateVolume",

"ec2:CreateSnapshot",

"ec2:DescribeAddresses",

"ec2:DescribeInstances",

"ec2:DescribeVolumes",

"ec2:DescribeSnapshots",

"ec2:DescribeAvailabilityZones",

"ec2:DescribeRegions",

"ec2:DetachVolume",

"ec2:DeleteVolume",

"ec2:DescribeVolumeAttribute",

"ec2:DeleteSnapshot",

"ec2:DescribeInstanceAttribute",

"ec2:DescribeImages",

"ec2:ModifyInstanceAttribute",

"ec2:RunInstances",

"ec2:StartInstances",

"ec2:StopInstances",

"ec2:TerminateInstances",

"ec2:RunInstances",

"sts:GetCallerIdentity"

"Resource": "*"

}

]

}

Note

Veeam Backup & Replication does not check permissions of permissions the Default Backup Restore IAM role created on the backup appliance during upgrade to version 7.0. To update permissions of the role, add the necessary permissions listed below to the IAM policy.

List of permissions to upgrade the Default Backup Restore IAM role

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Action": [

"iam:AttachUserPolicy",

"iam:AddRoleToInstanceProfile",

"iam:CreatePolicyVersion",

"iam:CreateInstanceProfile",

"iam:GetAccountSummary",

"iam:GetInstanceProfile",

"iam:GetPolicyVersion",

"iam:ListAttachedRolePolicies",

"iam:ListPolicyVersions",

"iam:ListInstanceProfilesForRole",

"iam:ListRolePolicies",

"iam:PutRolePolicy",

"iam:UpdateAssumeRolePolicy"

"Resource": "*"

}

]

}

Important

Note that the following permissions are only required to remove created resources during appliance deployment: ec2:DeleteSubnet, ec2:DeleteSecurityGroup, ec2:DetachInternetGateway, ec2:DeleteInternetGateway, ec2:DeleteVpc. If for any security reasons you do not want these permissions to be added, you will need to remove the resources manually in the AWS Management Console in case of a deployment failure or the removal of backup appliances from the backup infrastructure.

IAM roles whose permissions are used to perform data protection and disaster recovery operations with AWS resources.

When you deploy a new backup appliance, the Default Backup Restore IAM role is automatically created and added to the appliance. The Default Backup Restore IAM role is assigned all permissions required to perform data protection and disaster recovery operations in the same AWS account where the backup appliance resides. For more information on the Default Backup Restore IAM role permissions, see Full List of IAM Permissions. However, you can create additional IAM roles with granular permissions and add them to the appliance as described in section Managing IAM Roles.

IAM users whose one-time access keys are specified to access standard backup repositories where the image-level backups are stored must have permissions described in the Using Amazon S3 Object Storage section in the Veeam Backup & Replication User Guide if plan to copy image-level backups or to restore guest OS files from image-level backups. To learn how to specify one-time access keys of IAM users, see sections Connecting to Existing Appliance and Creating New Repositories.
IAM users whose one-time access keys are used to automatically grant missing permissions to IAM users and roles must have the following permissions:

"iam:AttachRolePolicy",

"iam:CreatePolicy"

Veeam Backup & Replication neither saves nor stores these one-time access keys in the configuration database.

Virtualization Servers and Hosts Service Account Permissions

If you plan to copy backups to on-premises backup repositories, to perform restore to VMware vSphere and Microsoft Hyper-V environments, or to perform other tasks related to virtualization servers and hosts, you must check whether the service account specified for these servers and hosts has the required permissions described in the Veeam Backup & Replication User Guide for VMware vSphere and Veeam Backup & Replication User Guide for Microsoft Hyper-V, section Using Virtualization Servers and Hosts.

Microsoft Azure Account Permissions

An Azure AD application that you plan to use to restore EC2 instances to Microsoft Azure must have permissions described in the Veeam Backup & Replication User Guide, section Permissions.

Google Cloud Service Account Permissions

A service account that you plan to use to restore EC2 instances to Google Cloud must have permissions described in the Veeam Backup & Replication User Guide, section Google Compute Engine IAM User Permissions.