EFS Backup IAM Role Permissions

In this article

    Veeam Backup for AWS uses EFS Backup Policy IAM roles to perform the following operations:

    • To enumerate resources added to a backup policy.
    • To create EFS backups of file systems protected by the policy.
    • To create backup copies, and so on.

    To perform these operations, IAM roles must meet the following requirements:

    1. The AWS Backup service must have permissions to assume an IAM role.

    To allow the AWS Backup service to assume the role, configure trusted relationships for the role and add the following statement to the trusted policy. To learn how to configure trusted relationships, see Appendix B. Creating IAM Roles.

    {

     "Version": "2012-10-17",

     "Statement": [

       {

         "Effect": "Allow",

         "Action": "sts:AssumeRole",

         "Principal": {

           "Service": "backup.amazonaws.com"

         }

       }

     ]

    }

    1. The IAM role must have the following permissions:

    {

       "Version": "2012-10-17",

       "Statement": [

           {

               "Action": [

                   "iam:ListAccountAliases",

                   "iam: iam:SimulatePrincipalPolicy",

                   "iam:GetContextKeysForPrincipalPolicy",

                   "iam:GetRole",

                   "iam:ListAccountAliases",

                   "sqs:DeleteMessage",

                   "sqs:ListQueues",

                   "events:DescribeRule",

                   "sns:ListSubscriptionsByTopic",

                   "sns:DeleteTopic",

                   "sqs:ReceiveMessage",

                   "events:PutRule",

                   "sns:CreateTopic",

                   "sns:ListTopics",

                   "sns:Unsubscribe",

                   "sns:SetTopicAttributes",

                   "events:PutTargets",

                   "events:DeleteRule",

                   "sqs:DeleteQueue",

                   "sns:Subscribe",

                   "events:RemoveTargets",

                   "sqs:CreateQueue",

                   "events:ListTargetsByRule",

                   "sqs:SetQueueAttributes",

                   "backup:StopBackupJob",

                   "backup:TagResource",

                   "backup:ListTags",

                   "backup:StartBackupJob",

                   "backup:DescribeCopyJob",

                   "backup:DescribeBackupJob",

                   "backup:DeleteRecoveryPoint",

                   "backup:CopyIntoBackupVault",

                   "backup:ListBackupVaults",

                   "backup:ListRecoveryPointsByBackupVault",

                   "backup:StartCopyJob",

                   "backup:CopyFromBackupVault",

                   "elasticfilesystem:DescribeMountTargets",

                   "elasticfilesystem:ListTagsForResource",

                   "elasticfilesystem:DescribeAccessPoints",

                   "elasticfilesystem:DescribeTags",

                   "elasticfilesystem:Backup",

                   "elasticfilesystem:DescribeFileSystems",

                   "elasticfilesystem:DescribeMountTargetSecurityGroups",

                   "elasticfilesystem:DescribeFileSystemPolicy",

                   "elasticfilesystem:DescribeLifecycleConfiguration",

                   "elasticfilesystem:DescribeBackupPolicy",

                   "backup:UntagResource",

                   "backup:DescribeRecoveryPoint",

                   "ec2:DescribeRegions",

                   "iam:PassRole",

                   "ec2:DescribeAvailabilityZones"

               ],

                         "Resource": "*",

                         "Effect": "Allow"

             }

       ]

    }