EC2 Backup IAM Role Permissions


    Veeam Backup for AWS uses EC2 Backup Policy IAM roles to perform the following operations:

    • To enumerate resources added to a backup policy.
    • To create cloud-native snapshots of EC2 instances protected by the policy.
    • To create EBS volumes and attach them to worker instances when performing image-level backup.
    • To create snapshot replicas, and to perform other related operations.

    To perform these operations, the IAM roles specified in the backup policy settings must have the following permissions. Note that the statement below grants every listed action with "Resource": "*", that is, on all resources in the account.

    {

       "Version": "2012-10-17",

       "Statement": [

           {

               "Action": [

                   "ebs:ListChangedBlocks",

                   "ebs:ListSnapshotBlocks",

                   "ec2:CreateSnapshot",

                   "ec2:CreateSnapshots",

                   "ec2:CreateTags",

                   "ec2:DeleteSnapshot",

                   "ec2:DescribeInstanceAttribute",

                   "ec2:DescribeInstanceTypes",

                   "ec2:DeleteTags",

                   "ec2:DescribeAvailabilityZones",

                   "ec2:DescribeConversionTasks",

                   "ec2:DescribeImages",

                   "ec2:DescribeInstances",

                   "ec2:DescribeRegions",

                   "ec2:DescribeTags",

                   "ec2:DescribeSnapshots",

                   "ec2:DescribeSubnets",

                   "ec2:DescribeVolumeAttribute",

                   "ec2:DescribeVolumes",

                   "ec2:GetEbsDefaultKmsKeyId",

                   "ec2:ModifySnapshotAttribute",

                   "events:DeleteRule",

                   "events:DescribeRule",

                   "events:ListTargetsByRule",

                   "events:PutRule",

                   "events:PutTargets",

                   "events:RemoveTargets",

                   "iam:GetContextKeysForPrincipalPolicy",

                   "iam:ListInstanceProfiles",

                   "iam:SimulatePrincipalPolicy",

                   "iam:ListAccountAliases",

                   "kms:CreateGrant",

                   "kms:DescribeKey",

                   "kms:GetKeyPolicy",

                   "kms:ListAliases",

                   "kms:ListKeys",

                   "kms:ReEncryptFrom",

                   "kms:ReEncryptTo",

                   "servicequotas:ListServiceQuotas",

                   "sns:CreateTopic",

                   "sns:DeleteTopic",

                   "sns:ListSubscriptionsByTopic",

                   "sns:ListTopics",

                   "sns:SetTopicAttributes",

                   "sns:Subscribe",

                   "sns:Unsubscribe",

                   "sqs:CreateQueue",

                   "sqs:DeleteMessage",

                   "sqs:DeleteQueue",

                   "sqs:ListQueues",

                   "sqs:ReceiveMessage",

                   "sqs:SetQueueAttributes",

                   "ssm:DescribeInstanceInformation",

                   "ssm:GetCommandInvocation",

                   "ssm:SendCommand"

               ],

                         "Resource": "*",

                         "Effect": "Allow"

             }

       ]

    }