Indexing IAM Role Permissions

    When performing EFS indexing operations, Veeam Backup for AWS launches worker instances in the same AWS account where the file systems processed by backup policies belong. To communicate with these instances, Veeam Backup for AWS attaches Indexing IAM roles to them; the permissions of these roles are then used to access the file systems and create their indexes. To learn how EFS indexing works, see EFS Backup.

    By default, Veeam Backup for AWS selects the most appropriate network settings of AWS Regions in production accounts to launch worker instances. However, you can add worker configurations to specify network settings for each region in which worker instances will be deployed. When creating new worker configurations, Veeam Backup for AWS uses Worker Configuration IAM roles to list the network settings available in AWS Regions of production AWS accounts. To learn how to add worker configurations for indexing operations, see Adding Configurations for Production Accounts.

    Indexing IAM Role Permissions

    To allow Veeam Backup for AWS to create indexes of the backed-up EFS file systems, the IAM roles specified in the EFS backup policy settings must be included in at least one instance profile and must meet the following requirements:

    1. The Amazon EC2 service must be granted permissions to assume the IAM roles.

    Because the roles are attached to worker instances through an instance profile, the trusted principal is the EC2 service (ec2.amazonaws.com), not the AWS Backup service. To allow the Amazon EC2 service to assume an IAM role, configure the trust relationship for the role and add the following statement to its trust policy.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "sts:AssumeRole",
          "Principal": {
            "Service": "ec2.amazonaws.com"
          }
        }
      ]
    }

    To learn how to configure trusted relationships, see Appendix A. Creating IAM Roles in AWS.

    2. The IAM roles must be granted the following permissions:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "ec2messages:AcknowledgeMessage",
            "ec2messages:DeleteMessage",
            "ec2messages:FailMessage",
            "ec2messages:GetEndpoint",
            "ec2messages:GetMessages",
            "ec2messages:SendReply",
            "iam:GetContextKeysForPrincipalPolicy",
            "iam:SimulatePrincipalPolicy",
            "ssm:DescribeAssociation",
            "ssm:DescribeDocument",
            "ssm:GetDeployablePatchSnapshotForInstance",
            "ssm:GetDocument",
            "ssm:GetManifest",
            "ssm:GetParameter",
            "ssm:GetParameters",
            "ssm:ListAssociations",
            "ssm:ListInstanceAssociations",
            "ssm:PutComplianceItems",
            "ssm:PutConfigurePackageResult",
            "ssm:PutInventory",
            "ssm:UpdateAssociationStatus",
            "ssm:UpdateInstanceAssociationStatus",
            "ssm:UpdateInstanceInformation",
            "ssmmessages:CreateControlChannel",
            "ssmmessages:CreateDataChannel",
            "ssmmessages:OpenControlChannel",
            "ssmmessages:OpenDataChannel",
            "sts:AssumeRole"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

    Worker Configuration IAM Role Permissions

    If you add specific worker configurations that will be used for EFS indexing operations, note that the IAM roles specified in the worker configuration settings must be granted the following permissions:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeVpcs",
            "ec2:DescribeRegions",
            "ec2:DescribeAccountAttributes",
            "ec2:DescribeSubnets",
            "ec2:DescribeSecurityGroups",
            "iam:GetContextKeysForPrincipalPolicy",
            "iam:SimulatePrincipalPolicy"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
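
    The requirements in the Indexing IAM Role Permissions and Worker Configuration IAM Role Permissions sections above can be verified against an existing role before it is entered in a backup policy or worker configuration. The following script is an added example and is not part of Veeam Backup for AWS or its documentation. It works offline on policy documents already retrieved as JSON (for example with aws iam get-role, aws iam get-role-policy and aws iam list-instance-profiles-for-role) and reports what is missing: the trust principal, individual permissions, and the instance profile. The function names and the sample documents are assumptions made for this example and do not come from the page.

```python
"""Offline check of an IAM role against the Indexing and Worker Configuration
role requirements. Added example, not part of Veeam Backup for AWS.

Assumed inputs: the trust policy (Role.AssumeRolePolicyDocument from
`aws iam get-role`), the permission policies (PolicyDocument from
`aws iam get-role-policy` or `aws iam get-policy-version`) and the list from
`aws iam list-instance-profiles-for-role`. Sample documents are constructed.
"""
import fnmatch

# A role attached to EC2 worker instances through an instance profile must trust EC2.
INSTANCE_TRUST_PRINCIPAL = "ec2.amazonaws.com"

# Permissions listed in the Indexing IAM role policy on the page.
INDEXING_ROLE_ACTIONS = frozenset(
    [f"ec2messages:{a}" for a in ("AcknowledgeMessage", "DeleteMessage", "FailMessage",
                                   "GetEndpoint", "GetMessages", "SendReply")]
    + ["iam:GetContextKeysForPrincipalPolicy", "iam:SimulatePrincipalPolicy"]
    + [f"ssm:{a}" for a in ("DescribeAssociation", "DescribeDocument",
                            "GetDeployablePatchSnapshotForInstance", "GetDocument",
                            "GetManifest", "GetParameter", "GetParameters",
                            "ListAssociations", "ListInstanceAssociations",
                            "PutComplianceItems", "PutConfigurePackageResult",
                            "PutInventory", "UpdateAssociationStatus",
                            "UpdateInstanceAssociationStatus", "UpdateInstanceInformation")]
    + [f"ssmmessages:{a}" for a in ("CreateControlChannel", "CreateDataChannel",
                                    "OpenControlChannel", "OpenDataChannel")]
    + ["sts:AssumeRole"]
)

# Permissions listed in the Worker Configuration IAM role policy on the page.
WORKER_CONFIGURATION_ROLE_ACTIONS = frozenset(
    [f"ec2:{a}" for a in ("DescribeAvailabilityZones", "DescribeVpcs", "DescribeRegions",
                          "DescribeAccountAttributes", "DescribeSubnets", "DescribeSecurityGroups")]
    + ["iam:GetContextKeysForPrincipalPolicy", "iam:SimulatePrincipalPolicy"]
)


def _as_list(value):
    """IAM accepts a single string where a list is allowed; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(action, pattern):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def trusts_service(trust_doc, service):
    """True if an Allow statement lets `service` call sts:AssumeRole.

    A bare "Principal": "*" is deliberately not accepted: it would let any AWS
    principal assume the role, which is broader than the trust policy on the page."""
    for stmt in _as_list(trust_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_matches("sts:AssumeRole", a) for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict) and service in _as_list(principal.get("Service")):
            return True
    return False


def missing_actions(policy_docs, required):
    """Required actions no Allow statement grants, or that a Deny statement blocks.

    Only "Action" is evaluated; "NotAction" and "Condition" are out of scope here."""
    allow, deny = [], []
    for doc in policy_docs:
        for stmt in _as_list(doc.get("Statement")):
            target = allow if stmt.get("Effect") == "Allow" else deny
            target.extend(_as_list(stmt.get("Action")))

    def covered(action):
        return (any(_matches(action, p) for p in allow)
                and not any(_matches(action, p) for p in deny))

    return sorted(a for a in required if not covered(a))


def check_indexing_role(trust_doc, policy_docs, instance_profiles):
    """Problems for a role named in an EFS backup policy; an empty list means compliant."""
    problems = []
    if not trusts_service(trust_doc, INSTANCE_TRUST_PRINCIPAL):
        problems.append(f"trust policy does not let {INSTANCE_TRUST_PRINCIPAL} assume the role")
    problems += [f"missing permission {a}" for a in missing_actions(policy_docs, INDEXING_ROLE_ACTIONS)]
    if not instance_profiles:
        problems.append("role is not included in any instance profile")
    return problems


def check_worker_configuration_role(policy_docs):
    """Problems for a role named in a worker configuration; an empty list means compliant."""
    return [f"missing permission {a}"
            for a in missing_actions(policy_docs, WORKER_CONFIGURATION_ROLE_ACTIONS)]


# Constructed sample documents (not real account data).
SAMPLE_TRUST_WRONG = {"Version": "2012-10-17", "Statement": [{  # trusts AWS Backup, not EC2
    "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"Service": "backup.amazonaws.com"}}]}
SAMPLE_TRUST_OK = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"Service": "ec2.amazonaws.com"}}]}
SAMPLE_POLICY_INCOMPLETE = {"Version": "2012-10-17", "Statement": [{  # no iam:* or sts:AssumeRole
    "Effect": "Allow", "Resource": "*", "Action": ["ec2messages:*", "ssm:*", "ssmmessages:*"]}]}

if __name__ == "__main__":
    for problem in check_indexing_role(SAMPLE_TRUST_WRONG, [SAMPLE_POLICY_INCOMPLETE], []):
        print(problem)
```

    Run against the constructed samples, the script reports the wrong trust principal, the three permissions the wildcard policy does not cover (the two iam actions and sts:AssumeRole), and the missing instance profile. Wildcards in the role's policy are honoured, so a role granted ssm:* passes for all ssm actions, while an explicit Deny on any required action is reported as missing.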