Backup and Restore IAM Role Permissions


    You can instruct Veeam Backup for AWS to launch worker instances in production accounts when performing image-level backup and restore operations for EC2 instances. To do that, enable worker deployment in the production account in the backup policy settings or in the restore settings, and specify an IAM role that will be attached to the worker instances and used by Veeam Backup for AWS to communicate with these instances.

    Important

    If you instruct Veeam Backup for AWS to deploy worker instances in production accounts, you must assign additional permissions to IAM roles used to perform backup or restore operations. For more information on the required permissions, see sections EC2 Backup IAM Role Permissions and EC2 Restore IAM Permissions.

    IAM Role Permissions

    To allow Veeam Backup for AWS to attach IAM roles to worker instances and further to communicate with these instances, IAM roles specified in the EC2 backup policy settings and the restore settings must meet the following requirements:

    1. The IAM roles must be included in at least one instance profile. For more information on instance profiles, see AWS Documentation.
    2. The backup appliance must be granted permissions to assume the IAM roles.

    To allow the backup appliance to assume an IAM role, configure trust relationships for the role and add the following statement to the trust policy.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "sts:AssumeRole",
          "Principal": {
            "AWS": "<Role ARN>"
          }
        }
      ]
    }

    Where <Role ARN> is the ARN of either the Impersonation IAM role attached to the backup appliance or the AWS account to which the backup appliance belongs. For more information on the Impersonation IAM role, see Required IAM Permissions. To learn how to configure trust relationships for a role and to find the Impersonation IAM role ARN, see Appendix A. Creating IAM Roles in AWS.

    3. The Amazon EC2 service must be granted permissions to assume the IAM roles.

    To allow the Amazon EC2 service to assume an IAM role, configure trust relationships for the role and add the following statement to the trust policy.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "sts:AssumeRole",
          "Principal": {
            "Service": "ec2.amazonaws.com"
          }
        }
      ]
    }

    To learn how to configure trust relationships, see Appendix A. Creating IAM Roles in AWS.

    4. The IAM roles must be granted the following permissions:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "ec2messages:AcknowledgeMessage",
            "ec2messages:DeleteMessage",
            "ec2messages:FailMessage",
            "ec2messages:GetEndpoint",
            "ec2messages:GetMessages",
            "ec2messages:SendReply",
            "sqs:DeleteMessage",
            "sqs:ListQueues",
            "sqs:ReceiveMessage",
            "sqs:SendMessage",
            "ssm:DescribeAssociation",
            "ssm:DescribeDocument",
            "ssm:GetDeployablePatchSnapshotForInstance",
            "ssm:GetDocument",
            "ssm:GetManifest",
            "ssm:GetParameter",
            "ssm:GetParameters",
            "ssm:ListAssociations",
            "ssm:ListInstanceAssociations",
            "ssm:PutComplianceItems",
            "ssm:PutConfigurePackageResult",
            "ssm:PutInventory",
            "ssm:UpdateAssociationStatus",
            "ssm:UpdateInstanceAssociationStatus",
            "ssm:UpdateInstanceInformation",
            "ssmmessages:CreateControlChannel",
            "ssmmessages:CreateDataChannel",
            "ssmmessages:OpenControlChannel",
            "ssmmessages:OpenDataChannel"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
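    The following script is an added example, not part of this documentation or of Veeam Backup for AWS, that checks an IAM role against the four requirements above (instance profile membership, trust for the backup appliance principal, trust for ec2.amazonaws.com, and the permission set) from the policy documents alone. The sample trust and permissions policies and the appliance role ARN are constructed placeholders standing in for what iam:GetRole and iam:GetRolePolicy would return; no AWS calls are made.

```python
import fnmatch

REQUIRED_ACTIONS = {  # the actions in the permissions policy above
    "ec2messages:AcknowledgeMessage", "ec2messages:DeleteMessage", "ec2messages:FailMessage",
    "ec2messages:GetEndpoint", "ec2messages:GetMessages", "ec2messages:SendReply",
    "sqs:DeleteMessage", "sqs:ListQueues", "sqs:ReceiveMessage", "sqs:SendMessage",
    "ssm:DescribeAssociation", "ssm:DescribeDocument", "ssm:GetDeployablePatchSnapshotForInstance",
    "ssm:GetDocument", "ssm:GetManifest", "ssm:GetParameter", "ssm:GetParameters",
    "ssm:ListAssociations", "ssm:ListInstanceAssociations", "ssm:PutComplianceItems",
    "ssm:PutConfigurePackageResult", "ssm:PutInventory", "ssm:UpdateAssociationStatus",
    "ssm:UpdateInstanceAssociationStatus", "ssm:UpdateInstanceInformation",
    "ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel",
    "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel",
}

def _as_list(value):  # IAM accepts a string or a list in Action, Resource and Principal fields
    return value if isinstance(value, list) else [value]
def _allow_statements(doc):
    return [s for s in _as_list(doc.get("Statement", [])) if s.get("Effect") == "Allow"]

def trust_allows(trust_doc, principal_key, principal_value):
    """True if an Allow statement grants sts:AssumeRole to the given principal."""
    for stmt in _allow_statements(trust_doc):
        principal = stmt.get("Principal", {})
        if ("sts:AssumeRole" in _as_list(stmt.get("Action", [])) and isinstance(principal, dict)
                and principal_value in _as_list(principal.get(principal_key, []))):
            return True
    return False

def missing_actions(policy_doc, required=REQUIRED_ACTIONS):
    """Required actions not covered by an Allow statement on Resource '*' (wildcards such as ssm:* count)."""
    allowed = [a for s in _allow_statements(policy_doc) if "*" in _as_list(s.get("Resource", []))
               for a in _as_list(s.get("Action", []))]
    return sorted(a for a in required if not any(fnmatch.fnmatchcase(a, p) for p in allowed))

def check_worker_role(trust_doc, policy_doc, instance_profiles, appliance_principal):
    """Findings against the requirements above; an empty list means the role qualifies."""
    findings = []
    if not instance_profiles:
        findings.append("role is not in any instance profile")
    if not trust_allows(trust_doc, "AWS", appliance_principal):
        findings.append("backup appliance cannot assume the role")
    if not trust_allows(trust_doc, "Service", "ec2.amazonaws.com"):
        findings.append("ec2.amazonaws.com cannot assume the role")
    return findings + [f"missing permission {a}" for a in missing_actions(policy_doc)]

# Constructed sample: the appliance statement is missing from the trust policy, and the
# permissions policy uses service wildcards but omits most ssm:* actions
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"Service": "ec2.amazonaws.com"}}]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["ec2messages:*", "ssmmessages:*", "sqs:*", "ssm:GetParameter", "ssm:GetParameters"]}]}
```

    Running check_worker_role(SAMPLE_TRUST, SAMPLE_POLICY, ["worker-profile"], "<Role ARN>") reports the missing appliance trust and the 13 uncovered ssm actions; feeding it the documents of a real role (with the instance profile list from iam:ListInstanceProfilesForRole) gives the same checks before a worker instance is ever launched.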