VPC Configuration Backup IAM Role Permissions

Veeam Backup for AWS uses VPC Configuration Backup Policy IAM roles to perform the following operations:

  • To enumerate resources added to a backup policy.
  • To create VPC configuration backups of AWS Regions protected by the policy.
  • To create backup copies, and so on.

To perform these operations, IAM roles specified in the backup policy settings must be granted the following permissions:

{

   "Version": "2012-10-17",

   "Statement": [

       {

           "Action": [

              "ec2:DescribeAddresses",

              "ec2:DescribeClientVpnAuthorizationRules",

              "ec2:DescribeClientVpnEndpoints",

              "ec2:DescribeClientVpnRoutes",

              "ec2:DescribeClientVpnTargetNetworks",

              "ec2:DescribeCustomerGateways",

              "ec2:DescribeDhcpOptions",

              "ec2:DescribeEgressOnlyInternetGateways",

              "ec2:DescribeInstances",

              "ec2:DescribeInternetGateways",

              "ec2:DescribeManagedPrefixLists",

              "ec2:DescribeNatGateways",

              "ec2:DescribeNetworkAcls",

              "ec2:DescribeNetworkInterfaces",

              "ec2:DescribeRegions",

              "ec2:DescribeRouteTables",

              "ec2:DescribeSecurityGroups",

              "ec2:DescribeSubnets",

              "ec2:DescribeTransitGatewayAttachments",

              "ec2:DescribeTransitGatewayMulticastDomains",

              "ec2:DescribeTransitGatewayPeeringAttachments",

              "ec2:DescribeTransitGatewayRouteTables",

              "ec2:DescribeTransitGateways",

              "ec2:DescribeTransitGatewayVpcAttachments",

              "ec2:DescribeVpcAttribute",

              "ec2:DescribeVpcEndpoints",

              "ec2:DescribeVpcEndpointServiceConfigurations",

              "ec2:DescribeVpcPeeringConnections",

              "ec2:DescribeVpcs",

              "ec2:DescribeVpnConnections",

              "ec2:DescribeVpnGateways",

              "ec2:GetManagedPrefixListEntries",

              "ec2:GetTransitGatewayPrefixListReferences",

              "ec2:GetTransitGatewayRouteTableAssociations",

              "ec2:GetTransitGatewayRouteTablePropagations",

              "ec2:SearchTransitGatewayRoutes",

              "elasticloadbalancing:DescribeListeners",

              "elasticloadbalancing:DescribeLoadBalancers",

              "elasticloadbalancing:DescribeTags",

              "elasticloadbalancing:DescribeTargetGroups",

              "elasticloadbalancing:DescribeTargetHealth",

              "iam:GetContextKeysForPrincipalPolicy",

              "iam:ListAccountAliases",

              "iam:SimulatePrincipalPolicy",

              "ram:GetResourceShares",

              "ram:ListPrincipals",

              "ram:ListResources",

              "ram:ListResourceSharePermissions"

           ],

                     "Resource": "*",

                     "Effect": "Allow"

         }

   ]

}