Redshift Serverless Backup IAM Role Permissions

Veeam Backup for AWS uses Redshift Serverless Backup IAM roles to perform the following operations:

To enumerate resources added to a backup policy.
To create backups of Redshift Serverless namespaces.

To perform these operations, IAM roles specified in the organization settings or in the Redshift Serverless backup policy settings must meet the following requirements:

The backup appliance must be granted permissions to assume the IAM roles. For more information on the requirements for adding IAM roles, see Before You Begin.

The IAM roles must be granted the following permissions:

IAM roles specified in the backup policy settings:

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Action": [

"ec2:DescribeAvailabilityZones",

"ec2:DescribeRegions",

"redshift-serverless:CreateSnapshot",

"redshift-serverless:DeleteSnapshot",

"redshift-serverless:GetSnapshot",

"redshift-serverless:ListNamespaces",

"redshift-serverless:ListWorkgroups",

"redshift-serverless:ListTagsForResource",

"redshift-serverless:ListSnapshots",

"redshift-serverless:TagResource",

"iam:GetContextKeysForPrincipalPolicy",

"iam:SimulatePrincipalPolicy",

"iam:ListAccountAliases",

"kms:DescribeKey",

"events:DeleteRule",

"events:DescribeRule",

"events:ListTargetsByRule",

"events:PutRule",

"events:PutTargets",

"events:RemoveTargets",

"sns:CreateTopic",

"sns:DeleteTopic",

"sns:ListSubscriptionsByTopic",

"sns:ListTopics",

"sns:SetTopicAttributes",

"sns:Subscribe",

"sns:Unsubscribe",

"sqs:CreateQueue",

"sqs:DeleteMessage",

"sqs:DeleteQueue",

"sqs:ListQueues",

"sqs:ReceiveMessage",

"sqs:SetQueueAttributes"

"Resource": "*"

}

]

}

IAM roles used to perform backup operations manually as described in section Creating Redshift Backups Manually:

{