EFS Backup IAM Role Permissions

Veeam Backup for AWS uses EFS Backup Policy IAM roles to perform the following operations:

  • Enumerate resources added to a backup policy.
  • Create EFS backups of file systems protected by the policy.
  • Create backup copies, and so on.

To perform these operations, IAM roles specified in the backup policy settings must meet the following requirements:

  1. The AWS Backup service must be granted permissions to assume the IAM roles.

To allow the AWS Backup service to assume an IAM role, configure the trust relationship for the role and add the following statement to its trust policy.

{

 "Version": "2012-10-17",

 "Statement": [

   {

     "Effect": "Allow",

     "Action": "sts:AssumeRole",

     "Principal": {

       "Service": "backup.amazonaws.com"

     }

   }

 ]

}

To learn how to configure trusted relationships, see Appendix A. Creating IAM Roles in AWS.

  2. The IAM roles must be granted the following permissions (note that, apart from the two tag-conditioned EC2 statements, the policy grants these actions with "Resource": "*", that is, on all resources in the account):

{

   "Version": "2012-10-17",

   "Statement": [

       {

           "Action": [

               "backup:CopyFromBackupVault",

               "backup:CopyIntoBackupVault",

               "backup:DeleteRecoveryPoint",

               "backup:DescribeBackupJob",

               "backup:DescribeCopyJob",

               "backup:DescribeRecoveryPoint",

               "backup:ListBackupVaults",

               "backup:ListRecoveryPointsByBackupVault",

               "backup:ListTags",

               "backup:StartBackupJob",

               "backup:StartCopyJob",

               "backup:StopBackupJob",

               "backup:TagResource",

               "backup:UntagResource",

               "ec2:CreateKeyPair",

               "ec2:DeleteKeyPair",

               "ec2:DescribeAvailabilityZones",

               "ec2:DescribeImages",

               "ec2:DescribeInstances",

               "ec2:DescribeInternetGateways",

               "ec2:DescribeKeyPairs",

               "ec2:DescribeNetworkInterfaceAttribute",

               "ec2:DescribeRegions",

               "ec2:DescribeRouteTables",

               "ec2:DescribeSecurityGroups",

               "ec2:DescribeSubnets",

               "ec2:DescribeVpcEndpoints",

               "ec2:DescribeVpcs",

               "ec2:RunInstances",

               "elasticfilesystem:Backup",

               "elasticfilesystem:DescribeAccessPoints",

               "elasticfilesystem:DescribeBackupPolicy",

               "elasticfilesystem:DescribeFileSystemPolicy",

               "elasticfilesystem:DescribeFileSystems",

               "elasticfilesystem:DescribeLifecycleConfiguration",

               "elasticfilesystem:DescribeMountTargets",

               "elasticfilesystem:DescribeMountTargetSecurityGroups",

               "elasticfilesystem:DescribeTags",

               "elasticfilesystem:ListTagsForResource",

               "events:DeleteRule",

               "events:DescribeRule",

               "events:ListTargetsByRule",

               "events:PutRule",

               "events:PutTargets",

               "events:RemoveTargets",

               "iam:GetInstanceProfile",

               "iam:GetContextKeysForPrincipalPolicy",

               "iam:GetRole",

               "iam:ListAccountAliases",

               "iam:ListInstanceProfilesForRole",

               "iam:PassRole",

               "iam:SimulatePrincipalPolicy",

               "sns:CreateTopic",

               "sns:DeleteTopic",

               "sns:ListSubscriptionsByTopic",

               "sns:ListTopics",

               "sns:SetTopicAttributes",

               "sns:Subscribe",

               "sns:Unsubscribe",

               "sqs:CreateQueue",

               "sqs:DeleteMessage",

               "sqs:DeleteQueue",

               "sqs:ListQueues",

               "sqs:ReceiveMessage",

               "sqs:SetQueueAttributes",

               "ssm:GetCommandInvocation",

               "ssm:GetParameter",

               "ssm:SendCommand"

                   ],

           "Resource": "*",

           "Effect": "Allow"

         },

{

           "Effect": "Allow",

           "Action": [

                   "ec2:TerminateInstances",

                   "ec2:StartInstances"

                   ],

           "Resource": "*",

           "Condition": {

               "StringEquals": {

                           "ec2:ResourceTag/EfsIndexWorker": "EfsIndexWorker"

                            }

                   }

       },

       {

           "Effect": "Allow",

           "Action": "ec2:CreateTags",

           "Resource": "*",

           "Condition": {

               "StringEquals": {

                            "ec2:CreateAction": "RunInstances",

                               "aws:RequestTag/EfsIndexWorker": "EfsIndexWorker"

                             }

                    }

       }

   ]

}