VPC Configuration Backup IAM Role Permissions


    Veeam Backup for AWS uses VPC Configuration Backup Policy IAM roles to perform the following operations:

    • To enumerate resources added to a backup policy.
    • To create VPC configuration backups of AWS Regions protected by the policy.
    • To create backup copies and perform related backup operations.

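    To perform these operations, the IAM roles specified in the backup policy settings must have the following permissions (all of them read-only Describe, Get, List and Search actions, allowed on "Resource": "*"; "ec2:DescribeClientVpnEndpoints" is listed twice, and the duplicate entry grants nothing extra):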

    {

       "Version": "2012-10-17",

       "Statement": [

           {

               "Action": [

                  "ec2:DescribeAddresses",

                  "ec2:DescribeInstances",

                  "ec2:DescribeRegions",

                  "ec2:DescribeDhcpOptions",

                  "ec2:DescribeVpcAttribute",

                  "ec2:DescribeInternetGateways",

                  "elasticloadbalancing:DescribeLoadBalancers",

                  "ram:GetResourceShares",

                  "ec2:DescribeNetworkInterfaces",

                  "ec2:DescribeManagedPrefixLists",

                  "ec2:DescribeNetworkAcls",

                  "ec2:DescribeRouteTables",

                  "ec2:DescribeClientVpnEndpoints",

                  "ec2:DescribeEgressOnlyInternetGateways",

                  "ec2:GetManagedPrefixListEntries",

                  "ec2:DescribeVpnConnections",

                  "ec2:DescribeVpcPeeringConnections",

                  "ec2:DescribeNatGateways",

                  "ec2:DescribeVpcEndpointServiceConfigurations",

                  "ec2:DescribeCustomerGateways",

                  "ec2:DescribeSecurityGroups",

                  "ram:ListResources",

                  "ram:ListPrincipals",

                  "ec2:DescribeVpcs",

                  "elasticloadbalancing:DescribeTargetGroups",

                  "ec2:DescribeVpcEndpoints",

                  "ec2:DescribeSubnets",

                  "ec2:DescribeVpnGateways",

                  "iam:ListAccountAliases",

                  "ec2:DescribeTransitGatewayAttachments",

                  "ec2:DescribeTransitGatewayMulticastDomains",

                  "ec2:DescribeTransitGatewayPeeringAttachments",

                  "ec2:DescribeTransitGatewayRouteTables",

                  "ec2:DescribeTransitGateways",

                  "ec2:DescribeTransitGatewayVpcAttachments",

                  "ec2:GetTransitGatewayRouteTableAssociations",

                  "elasticloadbalancing:DescribeListeners",

                  "elasticloadbalancing:DescribeTags",

                  "elasticloadbalancing:DescribeTargetHealth",

                  "ram:ListResourceSharePermissions",

                  "ec2:SearchTransitGatewayRoutes",

                  "ec2:GetTransitGatewayRouteTablePropagations",

                  "ec2:DescribeClientVpnAuthorizationRules",

                  "ec2:DescribeClientVpnEndpoints",

                  "ec2:DescribeClientVpnRoutes",

                  "ec2:DescribeClientVpnTargetNetworks",

                  "ec2:GetTransitGatewayPrefixListReferences"

               ],

                         "Resource": "*",

                         "Effect": "Allow"

             }

       ]

    }