Step 4. Specify IAM Identity

At the Account step of the wizard, choose whether to use an IAM role or one-time access keys of an IAM user to allow Veeam Backup for AWS to perform the restore operation, and whether Veeam Backup for AWS should deploy worker instances in the production account, that is, the account to which the specified role or user belongs. For information on the permissions that the IAM role or IAM user must have to perform the restore, see EC2 Restore IAM Permissions.

Important

Make sure that the specified IAM role or one-time access keys belong to an AWS account to which you plan to restore EC2 instances.

Specifying IAM Role

To specify an IAM role for restore:

  1. In the IAM role section, select the IAM role option.
  2. Select the necessary IAM role from the list.

For an IAM role to be displayed in the IAM Role list, it must be added to Veeam Backup for AWS as described in Adding IAM Roles. If you have not added the necessary IAM role to Veeam Backup for AWS beforehand, you can do it without closing the Instance Restore wizard. To add an IAM role, click Add and complete the Add IAM Role wizard.

It is recommended that you check whether the selected IAM role has all the required permissions to perform the operation. If the IAM role permissions are insufficient, the backup policy will fail to complete successfully. To run the IAM role permission check, click Check Permissions. Veeam Backup for AWS will display the Permission check window where you can track the progress and view the results of the check. If the IAM role permissions are insufficient, the check will complete with errors, and the list of permissions that must be granted to the IAM role will be displayed in the Missing Permissions column. You can grant the missing permissions to the IAM role using the AWS Management Console or instruct Veeam Backup for AWS to do it.

Tip

To download the full list of missing permissions as a single JSON policy document that you can use to grant the permissions to the role in the AWS Management Console, click Export Missing Permissions.

Important

If your organization uses service control policies (SCPs) to manage permissions in its accounts, and some of the permissions required for the operation are forbidden by these SCPs, Veeam Backup for AWS will not be able to perform the operation even if you grant the permissions to the selected IAM role. For more information on SCPs, see AWS Documentation.
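The following is an added example, not part of the Veeam documentation or product: it compares an exported missing-permissions policy with an SCP and reports which actions an explicit SCP Deny would still block after you grant them. It assumes the exported file is a standard IAM policy document; the sample actions, the sample SCP and the function name scp_conflicts are constructed for illustration, and only explicit Deny statements are modelled (allow-list SCPs and inheritance from parent OUs are not).

```python
import fnmatch
import json

# Constructed sample of an exported "missing permissions" policy (assumed shape:
# a standard IAM policy document). The actions are illustrative only.
MISSING = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Resource": "*",
   "Action": ["ec2:RunInstances", "ec2:CreateTags", "iam:PassRole"]}]}""")

# Constructed sample SCP attached to the account that owns the restore role.
SCP = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Deny", "Action": "iam:Pass*", "Resource": "*"},
  {"Effect": "Deny", "Action": ["ec2:Run*"], "Resource": "*",
   "Condition": {"StringNotEquals": {"aws:RequestedRegion": "eu-west-1"}}},
  {"Effect": "Allow", "Action": "*", "Resource": "*"}]}""")

def _as_list(value):
    """Policy JSON allows a single string or object where a list is expected."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _matches(action, patterns):
    """Case-insensitive IAM action match with * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def scp_conflicts(missing_policy, scp):
    """Map each missing action to 'denied' or 'conditional' if an SCP Deny covers it."""
    wanted = sorted({a for s in _as_list(missing_policy.get("Statement"))
                     if s.get("Effect") == "Allow" for a in _as_list(s.get("Action"))})
    result = {}
    for stmt in _as_list(scp.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        patterns = _as_list(stmt.get("NotAction", stmt.get("Action")))
        inverted = "NotAction" in stmt  # NotAction denies everything except the list
        # A Deny with a Condition or a narrowed Resource may not hit every request.
        scoped = "Condition" in stmt or _as_list(stmt.get("Resource")) != ["*"]
        for action in wanted:
            if _matches(action, patterns) != inverted and result.get(action) != "denied":
                result[action] = "conditional" if scoped else "denied"
    return result

if __name__ == "__main__":
    for action, verdict in scp_conflicts(MISSING, SCP).items():
        print(f"{action}: {verdict}")
```

Actions reported as denied need an SCP change by the organization's administrators; actions reported as conditional depend on the request context, such as the Region of the restore.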

To let Veeam Backup for AWS grant the missing permissions:

  1. In the Permission check window, click Grant.
  2. In the Grant permissions window, provide one-time access keys of an IAM user that is authorized to update permissions of IAM roles, and then click Apply.

The IAM user must have the following permissions:

"iam:AttachRolePolicy",
"iam:CreatePolicy",
"iam:CreatePolicyVersion",
"iam:CreateRole",
"iam:GetAccountSummary",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:ListAttachedRolePolicies",
"iam:ListPolicyVersions",
"iam:UpdateAssumeRolePolicy"

Note

Veeam Backup for AWS does not store one-time access keys in the configuration database.

  3. To make sure that the missing permissions have been successfully granted, click Recheck.

Restoring Entire EC2 Instance

Specifying One-Time Access Keys

To specify one-time access keys for restore:

  1. In the IAM role section, select the Temporary access keys option.
  2. Use the Access key and Secret key fields to provide the access key ID and the secret access key.

Note

Veeam Backup for AWS does not store one-time access keys in the configuration database.

Enabling Worker Deployment in Production Account

[This step applies only if you restore EC2 instances from image-level backups and have selected to use an IAM role to perform the restore operation]

To instruct Veeam Backup for AWS to deploy the worker instances used for the restore operation in the production account, do the following:

  1. In the Worker deployment section, set the Deploy workers in production account toggle to On.
  2. From the IAM role drop-down list, select an IAM role that will be attached to the launched worker instances and used by Veeam Backup for AWS to communicate with them. For more information on the permissions required for the specified IAM role, see Backup and Restore IAM Role Permissions.

For an IAM role to be displayed in the list, it must belong to the same account as the IAM role selected in the IAM role section, and it must be added to Veeam Backup for AWS beforehand as described in section Adding IAM Roles.

Note

By default, Veeam Backup for AWS launches worker instances in the Backup account. For more information, see Managing Worker Configurations.
