Worker IAM Role Permissions
You can instruct Veeam Backup for AWS to launch worker instances in production accounts in the following cases:
- When performing image-level backup, entire instance and volume-level restore operations for EC2 instances.
To do that, enable worker deployment in production accounts in backup policy settings, instance restore settings or volume-level restore settings, and specify IAM roles that will be attached to the worker instances to allow Veeam Backup for AWS to communicate with these instances.
- When performing image-level backup and database restore operations for RDS resources.
To do that, specify IAM roles that will be attached to the worker instances to allow Veeam Backup for AWS to communicate with these instances in backup policy settings and database restore settings.
Backup and Restore Permissions
IAM roles require the following permissions to deploy worker instances in production accounts:
IAM role permissions specified in backup policy settings
|
IAM role permissions specified for restore operations
|
To learn how to create IAM roles and assign them the required permissions, see Appendix A. Creating IAM Roles in AWS.
Communication Requirements and Permissions
IAM roles require the following permissions to communicate with worker instances in production accounts:
- The IAM roles must be included at least in one instance profile. For more information on instance profiles, see AWS Documentation.
- The backup appliance must be granted permissions to assume the IAM roles.
To allow the backup appliance to assume an IAM role, configure trust relationships for the role and add the following statement to the trust policy.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": { "AWS": "<Role ARN>" } } ] } |
Where <Role ARN> is the ARN either of the Impersonation IAM role attached to the backup appliance or of an AWS account to which the backup appliance belongs.
To learn how to configure trust relationships for a role and how to find the ARN of the Impersonation IAM role, see Before You Begin.
- The Amazon EC2 service must be granted permissions to assume the IAM roles.
To allow the Amazon EC2 service to assume an IAM role, configure trust relationships for the role and add the following statement to the trust policy.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": { "Service": "ec2.amazonaws.com" } } ] } |
To learn how to configure trust relationships, see Before You Begin.
- The IAM roles must be granted the following permissions:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2messages:AcknowledgeMessage", "ec2messages:DeleteMessage", "ec2messages:FailMessage", "ec2messages:GetEndpoint", "ec2messages:GetMessages", "ec2messages:SendReply", "iam:GetContextKeysForPrincipalPolicy", "iam:GetRole", "iam:ListInstanceProfilesForRole", "iam:SimulatePrincipalPolicy", "sqs:DeleteMessage", "sqs:ListQueues", "sqs:ReceiveMessage", "sqs:SendMessage", "ssm:DescribeAssociation", "ssm:DescribeDocument", "ssm:GetDeployablePatchSnapshotForInstance", "ssm:GetDocument", "ssm:GetManifest", "ssm:GetParameter", "ssm:GetParameters", "ssm:ListAssociations", "ssm:ListInstanceAssociations", "ssm:PutComplianceItems", "ssm:PutConfigurePackageResult", "ssm:PutInventory", "ssm:UpdateAssociationStatus", "ssm:UpdateInstanceAssociationStatus", "ssm:UpdateInstanceInformation", "ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel", "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel" ], "Resource": "*", "Effect": "Allow" } ] } |
To learn how to create IAM roles and assign them the required permissions, see Appendix A. Creating IAM Roles in AWS.