EC2 Backup IAM Role Permissions
Veeam Backup for AWS uses EC2 Backup Policy IAM roles to perform the following operations:
- To enumerate resources added to a backup policy.
- To create cloud-native snapshots of EC2 instances protected by the policy.
- To create EBS volumes and attach them to worker instances when performing image-level backup.
- To create snapshot replicas, and so on.
To perform these operations, IAM roles specified in the backup policy settings must have the following permissions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ebs:ListChangedBlocks",
        "ebs:ListSnapshotBlocks",
        "ec2:CreateSnapshot",
        "ec2:CreateSnapshots",
        "ec2:CreateTags",
        "ec2:DeleteSnapshot",
        "ec2:DeleteTags",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeConversionTasks",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeRegions",
        "ec2:DescribeSnapshots",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeVolumeAttribute",
        "ec2:DescribeVolumes",
        "ec2:GetEbsDefaultKmsKeyId",
        "ec2:ModifySnapshotAttribute",
        "events:DeleteRule",
        "events:DescribeRule",
        "events:ListTargetsByRule",
        "events:PutRule",
        "events:PutTargets",
        "events:RemoveTargets",
        "iam:GetContextKeysForPrincipalPolicy",
        "iam:ListAccountAliases",
        "iam:ListInstanceProfiles",
        "iam:SimulatePrincipalPolicy",
        "kms:CreateGrant",
        "kms:DescribeKey",
        "kms:GetKeyPolicy",
        "kms:ListAliases",
        "kms:ListKeys",
        "kms:ReEncryptFrom",
        "kms:ReEncryptTo",
        "servicequotas:ListServiceQuotas",
        "sns:CreateTopic",
        "sns:DeleteTopic",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTopics",
        "sns:SetTopicAttributes",
        "sns:Subscribe",
        "sns:Unsubscribe",
        "sqs:CreateQueue",
        "sqs:DeleteMessage",
        "sqs:DeleteQueue",
        "sqs:ListQueues",
        "sqs:ReceiveMessage",
        "sqs:SetQueueAttributes",
        "ssm:DescribeInstanceInformation",
        "ssm:GetCommandInvocation",
        "ssm:SendCommand"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
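A practical question when reviewing an existing EC2 Backup Policy role is whether its attached policy actually grants every action above, and whether it grants far more than that (for example `ec2:*` instead of the listed actions). The following Python script is an added example, not Veeam's code or a Veeam tool: it evaluates a policy document offline against the action list above using IAM's action-matching rules (case-insensitive, `*`/`?` wildcards, explicit Deny overriding Allow) and reports both the missing actions and any wildcard grants that exceed the documented list. The `OVERBROAD_POLICY` document is a constructed sample; the checker ignores `NotAction`, `Resource` scoping and `Condition` blocks, so a clean result is a necessary check on the role, not proof that every API call would succeed.

```python
"""Offline least-privilege check of an IAM policy document against the
EC2 Backup Policy action list (added example, not Veeam code)."""
import fnmatch
import json

# The 55 actions the documentation lists for the EC2 Backup Policy IAM role.
REQUIRED_ACTIONS = (
    "ebs:ListChangedBlocks", "ebs:ListSnapshotBlocks",
    "ec2:CreateSnapshot", "ec2:CreateSnapshots", "ec2:CreateTags",
    "ec2:DeleteSnapshot", "ec2:DeleteTags", "ec2:DescribeAvailabilityZones",
    "ec2:DescribeConversionTasks", "ec2:DescribeImages",
    "ec2:DescribeInstanceAttribute", "ec2:DescribeInstances",
    "ec2:DescribeInstanceTypes", "ec2:DescribeRegions", "ec2:DescribeSnapshots",
    "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumeAttribute",
    "ec2:DescribeVolumes", "ec2:GetEbsDefaultKmsKeyId", "ec2:ModifySnapshotAttribute",
    "events:DeleteRule", "events:DescribeRule", "events:ListTargetsByRule",
    "events:PutRule", "events:PutTargets", "events:RemoveTargets",
    "iam:GetContextKeysForPrincipalPolicy", "iam:ListAccountAliases",
    "iam:ListInstanceProfiles", "iam:SimulatePrincipalPolicy",
    "kms:CreateGrant", "kms:DescribeKey", "kms:GetKeyPolicy", "kms:ListAliases",
    "kms:ListKeys", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "servicequotas:ListServiceQuotas",
    "sns:CreateTopic", "sns:DeleteTopic", "sns:ListSubscriptionsByTopic",
    "sns:ListTopics", "sns:SetTopicAttributes", "sns:Subscribe", "sns:Unsubscribe",
    "sqs:CreateQueue", "sqs:DeleteMessage", "sqs:DeleteQueue", "sqs:ListQueues",
    "sqs:ReceiveMessage", "sqs:SetQueueAttributes",
    "ssm:DescribeInstanceInformation", "ssm:GetCommandInvocation", "ssm:SendCommand",
)


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_patterns(policy):
    """Collect (allow, deny) action patterns from a policy document.

    Only Effect/Action are evaluated. NotAction, Resource scoping and
    Condition blocks are ignored, so a 'covered' result is a necessary
    check on the role, not proof that a real API call would succeed.
    """
    allow, deny = [], []
    for stmt in _as_list(policy.get("Statement")):
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        target = allow if stmt.get("Effect") == "Allow" else deny
        target.extend(patterns)
    return allow, deny


def is_permitted(action, allow, deny):
    """IAM action matching: case-insensitive, '*' and '?' wildcards, Deny wins."""
    name = action.lower()
    if any(fnmatch.fnmatchcase(name, p) for p in deny):
        return False
    return any(fnmatch.fnmatchcase(name, p) for p in allow)


def check_policy(policy, required=REQUIRED_ACTIONS):
    """Report required actions the policy does not grant, and wildcard grants
    that reach beyond the documented list (a least-privilege review item)."""
    allow, deny = action_patterns(policy)
    missing = sorted(a for a in required if not is_permitted(a, allow, deny))
    wildcard_grants = sorted({p for p in allow if "*" in p or "?" in p})
    return {"missing": missing, "wildcard_grants": wildcard_grants}


def documented_policy():
    """The policy document exactly as the documentation gives it."""
    return {"Version": "2012-10-17",
            "Statement": [{"Action": list(REQUIRED_ACTIONS),
                           "Resource": "*", "Effect": "Allow"}]}


# Constructed sample (not from the documentation): a role built with service
# wildcards instead of the documented list, plus an explicit Deny.
OVERBROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "kms:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:DeleteSnapshot", "Resource": "*"},
]}

if __name__ == "__main__":
    # The documented policy covers everything with no wildcards; the sample
    # is missing 30 actions (all non-ec2/kms ones plus the denied one) and
    # carries two service-wide wildcard grants.
    print(json.dumps(check_policy(documented_policy()), indent=2))
    print(json.dumps(check_policy(OVERBROAD_POLICY), indent=2))
```

To check a live role, export its policy documents (for example with `aws iam get-role-policy` or `aws iam get-policy-version`) and pass the parsed JSON to `check_policy`; an empty `missing` list together with an empty `wildcard_grants` list means the role matches the documented scope exactly.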