EC2 Backup IAM Role Permissions
Veeam Backup for AWS uses EC2 Backup IAM roles to perform the following operations:
- Enumerate the resources added to a backup session.
- Create cloud-native snapshots of EC2 instances.
- Create snapshot replicas and perform related housekeeping (tagging, event rules, notification queues).
Note: The same scope of permissions is required both for IAM roles that run backups automatically as part of a backup policy (see section Creating EC2 Backup Policies) and for IAM roles that run backups started manually (see section Creating EC2 Snapshots Manually).
To perform these operations, IAM roles specified in the EC2 backup settings must be granted the following permissions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ebs:ListChangedBlocks", "ebs:ListSnapshotBlocks",
        "ec2:CopySnapshot", "ec2:CreateSnapshot", "ec2:CreateSnapshots",
        "ec2:CreateTags", "ec2:DeleteSnapshot", "ec2:DeleteTags",
        "ec2:DescribeAddresses", "ec2:DescribeAvailabilityZones", "ec2:DescribeConversionTasks",
        "ec2:DescribeImages", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstances",
        "ec2:DescribeInstanceTypes", "ec2:DescribeNetworkInterfaces", "ec2:DescribeRegions",
        "ec2:DescribeSnapshotAttribute", "ec2:DescribeSnapshots", "ec2:DescribeSubnets",
        "ec2:DescribeTags", "ec2:DescribeVolumeAttribute", "ec2:DescribeVolumes", "ec2:DescribeVpcs",
        "ec2:GetEbsDefaultKmsKeyId", "ec2:ModifySnapshotAttribute",
        "events:DeleteRule", "events:DescribeRule", "events:ListTargetsByRule",
        "events:PutRule", "events:PutTargets", "events:RemoveTargets",
        "iam:GetContextKeysForPrincipalPolicy", "iam:ListAccountAliases",
        "iam:ListInstanceProfiles", "iam:SimulatePrincipalPolicy",
        "kms:CreateGrant", "kms:DescribeKey", "kms:GetKeyPolicy", "kms:ListAliases",
        "kms:ListKeys", "kms:ReEncryptFrom", "kms:ReEncryptTo",
        "servicequotas:ListServiceQuotas",
        "sns:CreateTopic", "sns:DeleteTopic", "sns:ListSubscriptionsByTopic", "sns:ListTopics",
        "sns:SetTopicAttributes", "sns:Subscribe", "sns:Unsubscribe",
        "sqs:CreateQueue", "sqs:DeleteMessage", "sqs:DeleteQueue", "sqs:ListQueues",
        "sqs:ReceiveMessage", "sqs:SetQueueAttributes",
        "ssm:DescribeInstanceInformation", "ssm:GetCommandInvocation", "ssm:SendCommand"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
Every action in this statement is granted on Resource "*". Some of them reach well beyond snapshots: ssm:SendCommand lets the role run commands on any SSM-managed instance in the account, and kms:CreateGrant lets it create grants on any customer managed key it can describe. Treat the EC2 Backup IAM role as a highly privileged identity: limit its trust policy to the principal that actually assumes it, and alert on its use outside backup windows.
Permissions Required to Deploy Worker Instances in Production Account
[Applies only to IAM roles specified in the backup policy settings] If you plan to instruct Veeam Backup for AWS to deploy worker instances in production accounts, IAM roles specified in the backup policy settings must be granted the following additional permissions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:AttachVolume", "ec2:CreateKeyPair", "ec2:CreateVolume",
        "ec2:DeleteKeyPair", "ec2:DeleteVolume", "ec2:DescribeAccountAttributes",
        "ec2:DescribeKeyPairs", "ec2:DescribeSecurityGroups", "ec2:DetachVolume",
        "ec2:ModifyInstanceAttribute", "ec2:RunInstances", "ec2:TerminateInstances",
        "iam:GetRole", "iam:ListInstanceProfilesForRole", "iam:PassRole",
        "sqs:SendMessage", "ssm:GetParameter"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
Note that iam:PassRole on Resource "*" allows this role to attach any role in the production account to the worker instances it launches with ec2:RunInstances. If your security baseline does not permit an unscoped PassRole, narrow the Resource of that one action to the role Veeam attaches to worker instances (or add an iam:PassedToService condition limited to ec2.amazonaws.com) and verify afterwards that worker deployment still succeeds.
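As an added example (this is not Veeam's code or a Veeam-supplied tool), the following Python script checks a candidate role's policy documents against both action lists on this page, the base EC2 Backup permissions and the worker-deployment additions, and flags an unscoped iam:PassRole grant. The action lists are copied from the two policy documents above; the candidate policy is constructed for illustration and deliberately leans on wildcards and carries an explicit Deny so that the gaps are visible.

```python
"""Offline coverage check for the EC2 Backup IAM role permissions listed above.

Added example, not Veeam's code: which required actions would a candidate role's
policy documents still deny, and does it grant an unscoped iam:PassRole? Matching
follows IAM identity-policy rules (case-insensitive globs in Action/NotAction,
explicit Deny beats Allow, otherwise implicit deny). Resource ARNs and Condition
blocks are not evaluated, so confirm with iam:SimulatePrincipalPolicy afterwards.
"""
import fnmatch

# Actions copied from the two policy documents on this page.
BACKUP_ACTIONS = [
    "ebs:ListChangedBlocks", "ebs:ListSnapshotBlocks", "ec2:CopySnapshot", "ec2:CreateSnapshot",
    "ec2:CreateSnapshots", "ec2:CreateTags", "ec2:DeleteSnapshot", "ec2:DeleteTags",
    "ec2:DescribeAddresses", "ec2:DescribeAvailabilityZones", "ec2:DescribeConversionTasks",
    "ec2:DescribeImages", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstances",
    "ec2:DescribeInstanceTypes", "ec2:DescribeNetworkInterfaces", "ec2:DescribeRegions",
    "ec2:DescribeSnapshotAttribute", "ec2:DescribeSnapshots", "ec2:DescribeSubnets",
    "ec2:DescribeTags", "ec2:DescribeVolumeAttribute", "ec2:DescribeVolumes", "ec2:DescribeVpcs",
    "ec2:GetEbsDefaultKmsKeyId", "ec2:ModifySnapshotAttribute", "events:DeleteRule",
    "events:DescribeRule", "events:ListTargetsByRule", "events:PutRule", "events:PutTargets",
    "events:RemoveTargets", "iam:GetContextKeysForPrincipalPolicy", "iam:ListAccountAliases",
    "iam:ListInstanceProfiles", "iam:SimulatePrincipalPolicy", "kms:CreateGrant", "kms:DescribeKey",
    "kms:GetKeyPolicy", "kms:ListAliases", "kms:ListKeys", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "servicequotas:ListServiceQuotas", "sns:CreateTopic", "sns:DeleteTopic",
    "sns:ListSubscriptionsByTopic", "sns:ListTopics", "sns:SetTopicAttributes", "sns:Subscribe",
    "sns:Unsubscribe", "sqs:CreateQueue", "sqs:DeleteMessage", "sqs:DeleteQueue", "sqs:ListQueues",
    "sqs:ReceiveMessage", "sqs:SetQueueAttributes", "ssm:DescribeInstanceInformation",
    "ssm:GetCommandInvocation", "ssm:SendCommand",
]
WORKER_ACTIONS = [
    "ec2:AttachVolume", "ec2:CreateKeyPair", "ec2:CreateVolume", "ec2:DeleteKeyPair",
    "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeKeyPairs",
    "ec2:DescribeSecurityGroups", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute",
    "ec2:RunInstances", "ec2:TerminateInstances", "iam:GetRole", "iam:ListInstanceProfilesForRole",
    "iam:PassRole", "sqs:SendMessage", "ssm:GetParameter",
]
# The page's worker policy as a document, used to demonstrate the PassRole check.
WORKER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": WORKER_ACTIONS, "Resource": "*", "Effect": "Allow"}]}

# Constructed candidate (hypothetical, for illustration): a hand-written role policy
# that leans on wildcards and carries an explicit Deny on ssm:SendCommand.
CANDIDATE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:Describe*", "ec2:*Snapshot*", "ec2:CreateTags", "ec2:DeleteTags",
        "ec2:GetEbsDefaultKmsKeyId", "ebs:ListSnapshotBlocks", "events:*", "iam:Get*",
        "iam:List*", "iam:SimulatePrincipalPolicy", "kms:*", "servicequotas:ListServiceQuotas",
        "sns:*", "sqs:*", "ssm:*"]},
    {"Effect": "Deny", "Resource": "*", "Action": "ssm:SendCommand"},
]}

def _as_list(value):
    """IAM accepts either a string or a list in Action/NotAction/Resource/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? globs."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def statement_decision(stmt, action):
    """Return 'Allow', 'Deny' or None depending on whether stmt's action set covers action."""
    if "NotAction" in stmt:
        matched = not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
    else:
        matched = any(_matches(p, action) for p in _as_list(stmt.get("Action")))
    return stmt.get("Effect") if matched else None

def evaluate(policies, action):
    """Explicit Deny anywhere wins; otherwise any Allow; otherwise implicit deny."""
    decision = "ImplicitDeny"
    for doc in policies:
        for stmt in _as_list(doc.get("Statement")):
            verdict = statement_decision(stmt, action)
            if verdict == "Deny":
                return "Deny"
            if verdict == "Allow":
                decision = "Allow"
    return decision

def missing_actions(policies, required):
    """Required actions that the given policy documents do not end up allowing."""
    return sorted(a for a in required if evaluate(policies, a) != "Allow")

def unscoped_passrole(policies):
    """True when some Allow grants iam:PassRole on Resource "*" with no Condition block."""
    for doc in policies:
        for stmt in _as_list(doc.get("Statement")):
            if (statement_decision(stmt, "iam:PassRole") == "Allow"
                    and "*" in _as_list(stmt.get("Resource"))
                    and not stmt.get("Condition")):
                return True
    return False

if __name__ == "__main__":
    print("missing for backup:", missing_actions([CANDIDATE_POLICY], BACKUP_ACTIONS))
    print("missing for workers:", missing_actions([CANDIDATE_POLICY], WORKER_ACTIONS))
    print("worker policy passes any role:", unscoped_passrole([WORKER_POLICY]))
```

Run it and it prints the two gap lists for the constructed candidate (the explicit Deny on ssm:SendCommand surfaces as a gap even though ssm:* allows it, exactly as IAM would evaluate it). Because the script ignores Resource and Condition, use it as a pre-check only; the authoritative test is `aws iam simulate-principal-policy --policy-source-arn <role ARN> --action-names ...` with the same action lists, which also evaluates resource-level and conditional restrictions and any SCPs or permission boundaries in force.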