EFS Backup IAM Role Permissions

Veeam Backup for AWS uses EFS Backup IAM roles to perform the following operations:

  • To enumerate resources added to a backup session.
  • To create backups of EFS file systems.
  • To create backup copies, and so on.

To perform these operations, IAM roles specified in the EFS backup settings must meet the following requirements:

  1. The backup appliance must be granted permissions to assume the IAM roles. For more information on the requirements for adding IAM roles, see Before You Begin.
  2. The AWS Backup service must be granted permissions to assume the IAM roles.

To allow the AWS Backup service to assume an IAM role, configure trust relationships for the role and add the following statement to the trust policy.

{

 "Version": "2012-10-17",

 "Statement": [

   {

     "Effect": "Allow",

     "Action": "sts:AssumeRole",

     "Principal": {

       "Service": "backup.amazonaws.com"

     }

   }

 ]

}

To learn how to modify role trust policies, see AWS Documentation.

  1. The IAM roles must be granted the following permissions:

{

   "Version": "2012-10-17",

   "Statement": [

       {

           "Effect": "Allow",

           "Action": [

               "backup:CopyFromBackupVault",

               "backup:CopyIntoBackupVault",

               "backup:DeleteRecoveryPoint",

               "backup:DescribeBackupJob",

               "backup:DescribeCopyJob",

               "backup:DescribeRecoveryPoint",

               "backup:ListBackupVaults",

               "backup:ListRecoveryPointsByBackupVault",

               "backup:ListTags",

               "backup:StartBackupJob",

               "backup:StartCopyJob",

               "backup:StopBackupJob",

               "backup:TagResource",

               "backup:UntagResource",

               "ec2:CreateKeyPair",

               "ec2:DeleteKeyPair",

               "ec2:DescribeAvailabilityZones",

               "ec2:DescribeImages",

               "ec2:DescribeInstances",

               "ec2:DescribeInternetGateways",

               "ec2:DescribeKeyPairs",

               "ec2:DescribeNetworkInterfaceAttribute",

               "ec2:DescribeRegions",

               "ec2:DescribeRouteTables",

               "ec2:DescribeSecurityGroups",

               "ec2:DescribeSubnets",

               "ec2:DescribeVpcEndpoints",

               "ec2:DescribeVpcs",

               "elasticfilesystem:Backup",

               "elasticfilesystem:DescribeAccessPoints",

               "elasticfilesystem:DescribeBackupPolicy",

               "elasticfilesystem:DescribeFileSystemPolicy",

               "elasticfilesystem:DescribeFileSystems",

               "elasticfilesystem:DescribeLifecycleConfiguration",

               "elasticfilesystem:DescribeMountTargetSecurityGroups",

               "elasticfilesystem:DescribeMountTargets",

               "elasticfilesystem:DescribeTags",

               "elasticfilesystem:ListTagsForResource",

               "events:DeleteRule",

               "events:DescribeRule",

               "events:ListTargetsByRule",

               "events:PutRule",

               "events:PutTargets",

               "events:RemoveTargets",

               "iam:GetContextKeysForPrincipalPolicy",

               "iam:GetInstanceProfile",

               "iam:GetRole",

               "iam:ListAccountAliases",

               "iam:ListInstanceProfilesForRole",

               "iam:PassRole",

               "iam:SimulatePrincipalPolicy",

               "sns:CreateTopic",

               "sns:DeleteTopic",

               "sns:ListSubscriptionsByTopic",

               "sns:ListTopics",

               "sns:SetTopicAttributes",

               "sns:Subscribe",

               "sns:Unsubscribe",

               "sqs:CreateQueue",

               "sqs:DeleteMessage",

               "sqs:DeleteQueue",

               "sqs:ListQueues",

               "sqs:ReceiveMessage",

               "sqs:SetQueueAttributes",

               "ssm:GetCommandInvocation",

               "ssm:GetParameter",

               "ssm:SendCommand"

           ],

           "Resource": "*"

       }

   ]

}

{

   "Version": "2012-10-17",

   "Statement": [

       {

           "Effect": "Allow",

           "Action": [

               "backup-storage:MountCapsule",

               "backup:CopyFromBackupVault",

               "backup:CopyIntoBackupVault",

               "backup:CreateBackupVault",

               "backup:DeleteBackupVault",

               "backup:DeleteRecoveryPoint",

               "backup:DescribeBackupJob",

               "backup:DescribeCopyJob",

               "backup:DescribeRecoveryPoint",

               "backup:ListBackupVaults",

               "backup:ListTags",

               "backup:StartBackupJob",

               "backup:StartCopyJob",

               "backup:StopBackupJob",

               "backup:TagResource",

               "backup:UntagResource",

               "ec2:DescribeAvailabilityZones",

               "ec2:DescribeNetworkInterfaceAttribute",

               "ec2:DescribeRegions",

               "elasticfilesystem:Backup",

               "elasticfilesystem:DescribeAccessPoints",

               "elasticfilesystem:DescribeBackupPolicy",

               "elasticfilesystem:DescribeFileSystemPolicy",

               "elasticfilesystem:DescribeFileSystems",

               "elasticfilesystem:DescribeLifecycleConfiguration",

               "elasticfilesystem:DescribeMountTargetSecurityGroups",

               "elasticfilesystem:DescribeMountTargets",

               "elasticfilesystem:DescribeTags",

               "elasticfilesystem:ListTagsForResource",

               "iam:GetContextKeysForPrincipalPolicy",

               "iam:GetRole",

               "iam:PassRole",

               "iam:SimulatePrincipalPolicy",

               "kms:DescribeKey"

           ],

           "Resource": "*"

       }

   ]

}

To learn how to create IAM roles and assign them the required permissions, see Appendix A. Creating IAM Roles in AWS.

Permissions Required to Deploy Worker Instances in Production Account

[Applies only to IAM roles specified in the backup policy settings] If you plan to instruct Veeam Backup for AWS to perform indexing of the processed file systems, IAM roles specified in the backup policy settings must be granted the following additional permissions to deploy worker instances in production accounts:

{

   "Version": "2012-10-17",

   "Statement": [

       {

           "Effect": "Allow",

           "Action": [

               "ec2:TerminateInstances",

               "ec2:StartInstances"

           ],

           "Resource": "*",

           "Condition": {

               "StringEquals": {

                   "ec2:ResourceTag/EfsIndexWorker": "EfsIndexWorker"

               }

           }

       },

       {

           "Effect": "Allow",

           "Action": "ec2:CreateTags",

           "Resource": "*",

           "Condition": {

               "StringEquals": {

                   "ec2:CreateAction": "RunInstances",

                   "aws:RequestTag/EfsIndexWorker": "EfsIndexWorker"

               }

           }

       },

       {

           "Effect": "Allow",

           "Action": "ec2:RunInstances",

           "Resource": "*"

       }

   ]

}