Indexing Worker IAM Role Permissions

When performing EFS indexing operations, Veeam Backup for AWS launches worker instances in the same AWS account to which file systems processed by backup policies belong — production account. That is why Veeam Backup for AWS requires the following IAM role permissions to deploy worker instances when performing EFS indexing operations.

Backup and Restore Permissions

IAM roles require the following permissions to deploy worker instances in production accounts:

To allow the AWS Backup service to assume an IAM role, configure trust relationships for the role and add the following statement to the trust policy.

{

 "Version": "2012-10-17",

 "Statement": [

   {

     "Effect": "Allow",

     "Action": "sts:AssumeRole",

     "Principal": {

       "Service": "backup.amazonaws.com"

     }

   }

 ]

}

To learn how to modify role trust policies, see AWS Documentation.

  • The IAM roles must be granted the following permissions:

Indexing Worker IAM Role PermissionsIAM role permissions specified in backup policy settings

{

   "Version": "2012-10-17",

   "Statement": [

     {

           "Effect": "Allow",

           "Action": [

               "backup:CopyFromBackupVault",

               "backup:CopyIntoBackupVault",

               "backup:DeleteRecoveryPoint",

               "backup:DescribeBackupJob",

               "backup:DescribeCopyJob",

               "backup:DescribeRecoveryPoint",

               "backup:ListBackupVaults",

               "backup:ListRecoveryPointsByBackupVault",

               "backup:ListTags",

               "backup:StartBackupJob",

               "backup:StartCopyJob",

               "backup:StopBackupJob",

               "backup:TagResource",

               "backup:UntagResource",

               "ec2:CreateKeyPair",

               "ec2:DeleteKeyPair",

               "ec2:DescribeAvailabilityZones",

               "ec2:DescribeImages",

               "ec2:DescribeInstances",

               "ec2:DescribeInternetGateways",

               "ec2:DescribeKeyPairs",

               "ec2:DescribeNetworkInterfaceAttribute",

               "ec2:DescribeRegions",

               "ec2:DescribeRouteTables",

               "ec2:DescribeSecurityGroups",

               "ec2:DescribeSubnets",

               "ec2:DescribeVpcEndpoints",

               "ec2:DescribeVpcs",

               "ec2:RunInstances",

               "elasticfilesystem:Backup",

               "elasticfilesystem:DescribeAccessPoints",

               "elasticfilesystem:DescribeBackupPolicy",

               "elasticfilesystem:DescribeFileSystemPolicy",

               "elasticfilesystem:DescribeFileSystems",

               "elasticfilesystem:DescribeLifecycleConfiguration",

               "elasticfilesystem:DescribeMountTargets",

               "elasticfilesystem:DescribeMountTargetSecurityGroups",

               "elasticfilesystem:DescribeTags",

               "elasticfilesystem:ListTagsForResource",

               "events:DeleteRule",

               "events:DescribeRule",

               "events:ListTargetsByRule",

               "events:PutRule",

               "events:PutTargets",

               "events:RemoveTargets",

               "iam:GetInstanceProfile",

               "iam:GetContextKeysForPrincipalPolicy",

               "iam:GetRole",

               "iam:ListAccountAliases",

               "iam:ListInstanceProfilesForRole",

               "iam:PassRole",

               "iam:SimulatePrincipalPolicy",

               "sns:CreateTopic",

               "sns:DeleteTopic",

               "sns:ListSubscriptionsByTopic",

               "sns:ListTopics",

               "sns:SetTopicAttributes",

               "sns:Subscribe",

               "sns:Unsubscribe",

               "sqs:CreateQueue",

               "sqs:DeleteMessage",

               "sqs:DeleteQueue",

               "sqs:ListQueues",

               "sqs:ReceiveMessage",

               "sqs:SetQueueAttributes",

               "ssm:GetCommandInvocation",

               "ssm:GetParameter",

               "ssm:SendCommand"

           ],

           "Resource": "*"

       },

 

       {

           "Effect": "Allow",

           "Action": [

               "ec2:TerminateInstances",

               "ec2:StartInstances"

           ],

           "Resource": "*",

           "Condition": {

               "StringEquals": {

                   "ec2:ResourceTag/EfsIndexWorker": "EfsIndexWorker"

               }

           }

       },

 

       {

           "Effect": "Allow",

           "Action": "ec2:CreateTags",

           "Resource": "*",

           "Condition": {

               "StringEquals": {

                   "ec2:CreateAction": "RunInstances",

                   "aws:RequestTag/EfsIndexWorker": "EfsIndexWorker"

               }

           }

       }

 

   ]

}

Indexing Worker IAM Role PermissionsIAM role permissions specified for manual backup operations

{

   "Version": "2012-10-17",

   "Statement": [

               {

           "Effect": "Allow",

           "Action": [

               "backup:CopyFromBackupVault",

               "backup:CopyIntoBackupVault",

               "backup:CreateBackupVault",

               "backup:DeleteBackupVault",

               "backup:DeleteRecoveryPoint",

               "backup:DescribeBackupJob",

               "backup:DescribeCopyJob",

               "backup:DescribeRecoveryPoint",

               "backup:ListBackupVaults",

               "backup:ListTags",

               "backup:StartBackupJob",

               "backup:StartCopyJob",

               "backup:StopBackupJob",

               "backup:TagResource",

               "backup:UntagResource",

               "backup-storage:MountCapsule",

               "ec2:DescribeAvailabilityZones",

               "ec2:DescribeNetworkInterfaceAttribute",

               "ec2:DescribeRegions",

               "elasticfilesystem:Backup",

               "elasticfilesystem:DescribeAccessPoints",

               "elasticfilesystem:DescribeBackupPolicy",

               "elasticfilesystem:DescribeFileSystemPolicy",

               "elasticfilesystem:DescribeFileSystems",

               "elasticfilesystem:DescribeLifecycleConfiguration",

               "elasticfilesystem:DescribeMountTargets",

               "elasticfilesystem:DescribeMountTargetSecurityGroups",

               "elasticfilesystem:DescribeTags",

               "elasticfilesystem:ListTagsForResource",

               "iam:GetContextKeysForPrincipalPolicy",

               "iam:GetRole",

               "iam:PassRole",

               "iam:SimulatePrincipalPolicy",

               "kms:DescribeKey"

           ],

           "Resource": "*"

       },

       {

           "Effect": "Allow",

           "Action": [

               "ec2:TerminateInstances",

               "ec2:StartInstances"

           ],

           "Resource": "*",

           "Condition": {

               "StringEquals": {

                   "ec2:ResourceTag/EfsIndexWorker": "EfsIndexWorker"

               }

           }

       },

       {

           "Effect": "Allow",

           "Action": "ec2:CreateTags",

           "Resource": "*",

           "Condition": {

               "StringEquals": {

                   "ec2:CreateAction": "RunInstances",

                   "aws:RequestTag/EfsIndexWorker": "EfsIndexWorker"

               }

           }

       }

   ]

}

For more information, see Creating EFS Backups Manually.

To learn how to create IAM roles and assign them the required permissions, see Appendix A. Creating IAM Roles in AWS.

Communication Requirements and Permissions

IAM roles require the following permissions to communicate with worker instances in production accounts:

  • The backup appliance must be granted permissions to assume the IAM roles.

To allow the backup appliance to assume an IAM role, configure trust relationships for the role and add the following statement to the trust policy.

{

 "Version": "2012-10-17",

 "Statement": [

   {

     "Effect": "Allow",

     "Action": "sts:AssumeRole",

     "Principal": {

       "AWS": "<Role ARN>"

     }

   }

 ]

}

Where <Role ARN> is the ARN either of the Impersonation IAM role attached to the backup appliance or of an AWS account to which the backup appliance belongs.

To learn how to configure trust relationships for a role and how to find the ARN of the Impersonation IAM role, see Before You Begin.

  • The Amazon EC2 service must be granted permissions to assume the IAM roles.

To allow the Amazon EC2 service to assume an IAM role, configure trust relationships for the role and add the following statement to the trust policy.

{

 "Version": "2012-10-17",

 "Statement": [

   {

     "Effect": "Allow",

     "Action": "sts:AssumeRole",

     "Principal": {

       "Service": "ec2.amazonaws.com"

     }

   }

 ]

}

To learn how to configure trust relationships, see Before You Begin.

  • The IAM roles must be granted the following permissions:

{

   "Version": "2012-10-17",

   "Statement": [

       {

           "Action": [

               "ec2messages:AcknowledgeMessage",

               "ec2messages:DeleteMessage",

               "ec2messages:FailMessage",

               "ec2messages:GetEndpoint",

               "ec2messages:GetMessages",

               "ec2messages:SendReply",

               "iam:GetContextKeysForPrincipalPolicy",

               "iam:GetRole",

               "iam:ListAccountAliases",

               "iam:ListInstanceProfilesForRole",

               "iam:SimulatePrincipalPolicy",

               "ssm:DescribeAssociation",

               "ssm:DescribeDocument",

               "ssm:GetDeployablePatchSnapshotForInstance",

               "ssm:GetDocument",

               "ssm:GetManifest",

               "ssm:GetParameter",

               "ssm:GetParameters",

               "ssm:ListAssociations",

               "ssm:ListInstanceAssociations",

               "ssm:PutComplianceItems",

               "ssm:PutConfigurePackageResult",

               "ssm:PutInventory",

               "ssm:UpdateAssociationStatus",

               "ssm:UpdateInstanceAssociationStatus",

               "ssm:UpdateInstanceInformation",

               "ssmmessages:CreateControlChannel",

               "ssmmessages:CreateDataChannel",

               "ssmmessages:OpenControlChannel",

               "ssmmessages:OpenDataChannel",

               "sts:AssumeRole"

           ],

                     "Resource": "*",

                     "Effect": "Allow"

         }

   ]

}

To learn how to create IAM roles and assign them the required permissions, see Appendix A. Creating IAM Roles in AWS.