Enabling Worker Deployment in Production Account
[This step applies only if you restore EC2 instances from image-level backups using either the IAM role or the Organization account option]
By default, the backup appliance deploys worker instances used to perform restore operations in the backup account. However, you can instruct Veeam Backup & Replication to deploy worker instances in a production account — that is, an account to which the EC2 instances will be restored. To do that, click Configure.
Depending on the option that you select for the restore operation, the following will happen:
- If you select the IAM role option, you will be able to choose an IAM role that will be attached to the worker instances and used by the backup appliance to communicate with these instances. The role you choose must belong to the same account to which the IAM role specified for the restore operation belongs, and must be assigned the permissions listed in section Worker Deployment Role Permissions in Production Accounts.
For an IAM role to be displayed in the list of available roles, it must be added to the backup appliance as described in section Adding IAM Roles.
- If you select the Organization option, Veeam Backup for AWS will automatically choose the role that will be attached to the worker instances and used by Veeam Backup for AWS to communicate with these instances. The choice depends on the roles specified in the settings of the selected organization identity: either the Production worker IAM role or the Backup and restore IAM role.
For Veeam Backup for AWS to be able to choose an IAM role automatically, the role must be created in all AWS accounts included in the selected organization identity and added to Veeam Backup for AWS, as described in section Adding AWS Organizations (step 3).
In both cases, you will have to assign additional permissions to the IAM role that will be used to perform the restore operation. For more information on the required permissions, see EC2 Restore IAM Permissions.
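The account constraints above can be checked offline before you click Configure. The following script is an added example, not part of the product or its documentation: the function names, role names and account IDs are constructed, and it assumes that an organization-wide role is identified by the same role name in every member account.

```python
import re

# arn:<partition>:iam::<12-digit account>:role/<optional/path/><name>
# (path characters are simplified to the role-name character set)
ROLE_ARN = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):role/"
    r"((?:[\w+=,.@-]+/)*)([\w+=,.@-]{1,64})$",
    re.ASCII,
)

def parse_role_arn(arn):
    """Return (partition, account_id, role_name) or raise ValueError."""
    m = ROLE_ARN.match(arn.strip())
    if not m:
        raise ValueError(f"not an IAM role ARN: {arn!r}")
    return m.group(1), m.group(2), m.group(4)

def check_iam_role_option(restore_role_arn, worker_role_arn):
    """IAM role option: the worker role must belong to the same account
    as the role used for the restore operation. Returns a list of problems."""
    r_part, r_acct, _ = parse_role_arn(restore_role_arn)
    w_part, w_acct, _ = parse_role_arn(worker_role_arn)
    problems = []
    if r_part != w_part:
        problems.append(f"partition mismatch: {r_part} vs {w_part}")
    if r_acct != w_acct:
        problems.append(
            f"worker role is in account {w_acct}, restore role is in {r_acct}")
    return problems

def check_organization_option(org_account_ids, role_name, known_role_arns):
    """Organization option: the role must exist in every account of the
    organization identity. Returns the account IDs where it is missing."""
    have = set()
    for arn in known_role_arns:
        _, acct, name = parse_role_arn(arn)
        if name == role_name:
            have.add(acct)
    return sorted(set(org_account_ids) - have)

# Constructed sample values (not real accounts or roles).
RESTORE = "arn:aws:iam::111111111111:role/example-restore"
WORKER_OK = "arn:aws:iam::111111111111:role/service/example-worker"
WORKER_BAD = "arn:aws:iam::222222222222:role/example-worker"
ORG_ACCOUNTS = ["111111111111", "222222222222", "333333333333"]

if __name__ == "__main__":
    print(check_iam_role_option(RESTORE, WORKER_BAD))
    print(check_organization_option(
        ORG_ACCOUNTS, "example-worker", [WORKER_OK, WORKER_BAD]))
```

The script validates only account placement; the permissions assigned to each role still have to be compared against the sections referenced above.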