Before You Begin

Before you start file-level restore, check the following prerequisites:

• To recover files and folders of an EC2 instance from a backup that is stored in the archive backup repository, you must retrieve the archived data manually before you begin the file-level recovery operation. For more information on data retrieval, see Retrieving Data From Archive.

• The 443 port must be open on worker instances to allow inbound network access from the machine from which you plan to open the file-level recovery browser. To enable access for a worker instance, update the security group specified in worker instance settings to add an inbound rule. It is recommended that you run a file-level restore test before you start file-level restore operations in a specific AWS Region. For more information, see Testing Configurations for FLR.

• If you plan to perform file-level restore to the original location, make sure that:

• The IAM role attached to the source EC2 instance has permissions to communicate with the SSM.
• If the source EC2 instance and backup appliance reside in the same AWS account, the IAM role attached to the source EC2 instance has the following permissions: sqs:ListQueues, sqs:GetQueueUrl, kinesis:List*, kinesis:Describe*, kinesis:Get*, sqs:GetQueueAttributes, sqs:ListDeadLetterSourceQueues.
• If the source EC2 instance and backup appliance reside in different AWS accounts, the IAM role attached to the source EC2 instance has permissions to assume the following role: arn:aws:iam::<service-account-id>:role/veeam_rto_<original-instance-id>, where the <service-account-id> is an AWS ID of the trusted AWS account, <original-instance-id> is an AWS ID of the source EC2 instance.
• If the source EC2 instance is operating in a private network, make sure the com.amazonaws.<region>.sts interface endpoint is created for the subnet to which the instance is connected.