Worker Deployment Role Permissions in Production Accounts

Important

When you instruct Veeam Backup for AWS to deploy worker instances in production accounts to perform RDS and EC2 backup and restore operations, as well as EFS indexing operations, Veeam Backup for AWS uses the permissions of the IAM roles specified for those backup and restore operations. That is why you must assign these IAM roles the additional permissions listed in sections RDS Backup IAM Role Permissions, EC2 Backup IAM Role Permissions, EC2 Restore IAM Permissions, RDS Database Restore IAM Permissions and EFS Backup IAM Role Permissions.

When worker instances are deployed in production accounts, Veeam Backup for AWS attaches IAM roles to them and then uses those roles to communicate with the instances in order to perform the following operations:

  • To create indexes of the backed up EFS file systems.
  • To perform image-level backup and restore operations with PostgreSQL DB instances.
  • To perform image-level backup, entire instance and volume-level restore operations with EC2 instances.

To perform these operations, IAM roles specified in the EFS backup policy settings, RDS backup policy settings, EC2 backup policy settings, EC2 entire instance restore, EC2 volume-level restore and RDS database restore settings must meet the following requirements:

  • The IAM roles must be included in at least one instance profile. For more information on instance profiles, see AWS Documentation.
  • The backup appliance must be granted permissions to assume the IAM roles. For more information on the requirements for adding IAM roles, see Before You Begin.
  • The Amazon EC2 service must be granted permissions to assume the IAM roles.

To allow the Amazon EC2 service to assume an IAM role, configure trust relationships for the role and add the following statement to the trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      }
    }
  ]
}

To learn how to modify role trust policies, see AWS Documentation.

  • The IAM roles must be granted the following permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2messages:AcknowledgeMessage",
        "ec2messages:DeleteMessage",
        "ec2messages:FailMessage",
        "ec2messages:GetEndpoint",
        "ec2messages:GetMessages",
        "ec2messages:SendReply",
        "iam:GetContextKeysForPrincipalPolicy",
        "iam:GetRole",
        "iam:ListInstanceProfilesForRole",
        "iam:SimulatePrincipalPolicy",
        "sqs:DeleteMessage",
        "sqs:ListQueues",
        "sqs:ReceiveMessage",
        "sqs:SendMessage",
        "ssm:DescribeAssociation",
        "ssm:DescribeDocument",
        "ssm:GetDeployablePatchSnapshotForInstance",
        "ssm:GetDocument",
        "ssm:GetManifest",
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:ListAssociations",
        "ssm:ListInstanceAssociations",
        "ssm:PutComplianceItems",
        "ssm:PutConfigurePackageResult",
        "ssm:PutInventory",
        "ssm:UpdateAssociationStatus",
        "ssm:UpdateInstanceAssociationStatus",
        "ssm:UpdateInstanceInformation",
        "ssmmessages:CreateControlChannel",
        "ssmmessages:CreateDataChannel",
        "ssmmessages:OpenControlChannel",
        "ssmmessages:OpenDataChannel"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

To learn how to create IAM roles and assign them the required permissions, see Appendix A. Creating IAM Roles in AWS.
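The three role requirements above (EC2 service trust, appliance trust, and the worker permission set) are easy to get partly right, for example by granting the SSM and EC2 Messages actions through wildcards and forgetting the SQS ones. The following script is an added example, not Veeam's code or documentation: it builds a trust policy that covers both principals and checks a permissions policy document against the exact action list from this page, expanding IAM wildcards and treating an explicit Deny as not granted (Deny always wins in IAM). The appliance role ARN, the way the appliance is trusted (an `AWS` principal holding the appliance role ARN) and the sample policies are assumptions constructed for the example; the page itself refers you to Before You Begin for the appliance trust requirement. Standard library only, runs offline.

```python
"""Checker for the IAM role a Veeam worker instance uses in a production account.

Added example, not part of Veeam's documentation or product. Builds the trust
policy both principals need and checks a permissions policy against the action
list on this page. Standard library only; runs offline.
"""
import fnmatch
import json

EC2_SERVICE_PRINCIPAL = "ec2.amazonaws.com"

# Actions the page requires for the worker role (copied from the policy above).
REQUIRED_WORKER_ACTIONS = frozenset([
    "ec2messages:AcknowledgeMessage", "ec2messages:DeleteMessage",
    "ec2messages:FailMessage", "ec2messages:GetEndpoint",
    "ec2messages:GetMessages", "ec2messages:SendReply",
    "iam:GetContextKeysForPrincipalPolicy", "iam:GetRole",
    "iam:ListInstanceProfilesForRole", "iam:SimulatePrincipalPolicy",
    "sqs:DeleteMessage", "sqs:ListQueues", "sqs:ReceiveMessage", "sqs:SendMessage",
    "ssm:DescribeAssociation", "ssm:DescribeDocument",
    "ssm:GetDeployablePatchSnapshotForInstance", "ssm:GetDocument",
    "ssm:GetManifest", "ssm:GetParameter", "ssm:GetParameters",
    "ssm:ListAssociations", "ssm:ListInstanceAssociations",
    "ssm:PutComplianceItems", "ssm:PutConfigurePackageResult",
    "ssm:PutInventory", "ssm:UpdateAssociationStatus",
    "ssm:UpdateInstanceAssociationStatus", "ssm:UpdateInstanceInformation",
    "ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel",
    "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel",
])

# Constructed sample: SSM and EC2 Messages granted via wildcards, SQS forgotten.
SAMPLE_POLICY_MISSING_SQS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ssm:*", "ssmmessages:*", "ec2messages:*",
                "iam:GetRole", "iam:ListInstanceProfilesForRole",
                "iam:GetContextKeysForPrincipalPolicy", "iam:SimulatePrincipalPolicy"]}]}


def _as_list(value):
    """IAM accepts a string or a list in Action/Principal fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_trust_policy(appliance_role_arn):
    """Trust policy for the worker role: the EC2 service (instance profile use) and
    the backup appliance role must both be able to assume it. Trusting the
    appliance via an AWS principal holding its role ARN is an assumption here."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"Service": EC2_SERVICE_PRINCIPAL}},
            {"Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"AWS": appliance_role_arn}},
        ],
    }


def _assume_role_principals(policy):
    """Collect (kind, name) pairs from Allow statements that grant sts:AssumeRole."""
    found = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase("sts:AssumeRole", p) for p in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            found.add(("*", "*"))
            continue
        for kind, names in (principal or {}).items():
            for name in _as_list(names):
                found.add((kind, name))
    return found


def check_trust_policy(policy, appliance_role_arn):
    """Return a list of problems; an empty list means both required principals can assume the role."""
    principals = _assume_role_principals(policy)
    problems = []
    if ("Service", EC2_SERVICE_PRINCIPAL) not in principals:
        problems.append("EC2 service cannot assume the role: add Service principal " + EC2_SERVICE_PRINCIPAL)
    if ("AWS", appliance_role_arn) not in principals:
        problems.append("backup appliance cannot assume the role: add AWS principal " + appliance_role_arn)
    if ("*", "*") in principals:
        problems.append("any principal can assume the role: restrict Principal")
    return problems


def check_permissions_policy(policy):
    """Return the sorted list of required actions the policy does not grant.
    Allow patterns may use IAM wildcards such as 'ssm:*'; an explicit Deny that
    matches a required action removes it, because Deny overrides Allow in IAM."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        effect = stmt.get("Effect")
        target = allowed if effect == "Allow" else denied if effect == "Deny" else None
        if target is None:
            continue
        for pattern in _as_list(stmt.get("Action")):
            target.update(a for a in REQUIRED_WORKER_ACTIONS if fnmatch.fnmatchcase(a, pattern))
    return sorted(REQUIRED_WORKER_ACTIONS - (allowed - denied))


if __name__ == "__main__":
    appliance = "arn:aws:iam::111111111111:role/VeeamBackupAppliance"  # constructed sample ARN
    print(json.dumps(build_trust_policy(appliance), indent=2))
    print("missing:", check_permissions_policy(SAMPLE_POLICY_MISSING_SQS))
```

Run it against the JSON you get back from `aws iam get-role` (the `AssumeRolePolicyDocument` field) and `aws iam get-role-policy`, and keep in mind that it only checks the actions this page lists; the additional backup and restore permissions referenced in the Important note above still have to be present on the same roles.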

Note

Because you do not choose a separate IAM role for file-level recovery operations, the role that you specify when enabling worker deployment in production accounts in the restore settings is also the role Veeam Backup for AWS uses to deploy worker instances for file-level recovery. That is why this role must also be assigned the permissions listed in section FLR Worker IAM Role Permissions.

 

Related Topics