Repository IAM Role Permissions

    To allow Veeam Backup for AWS to create backup repositories in an Amazon S3 bucket and to access the repository when performing backup and restore operations, IAM roles specified in the repository settings must be granted the following permissions:

    {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "s3:PutObject",
                   "s3:GetObject",
                   "s3:DeleteObject",
                   "s3:RestoreObject"
               ],
               "Resource": "arn:aws:s3:::<yourbucketname>/*"
           },
           {
               "Effect": "Allow",
               "Action": [
                   "s3:ListBucket",
                   "s3:GetBucketLocation"
               ],
               "Resource": "arn:aws:s3:::<yourbucketname>"
           },
           {
               "Effect": "Allow",
               "Action": [
                   "ec2:DescribeRegions",
                   "iam:GetContextKeysForPrincipalPolicy",
                   "iam:SimulatePrincipalPolicy",
                   "s3:ListAllMyBuckets"
               ],
               "Resource": "*"
           }
       ]
    }

    To encrypt data stored in backup repositories using AWS KMS keys, IAM roles used to create the backup repositories must be granted the following permissions:

    {
       "Effect": "Allow",
       "Action": [
           "kms:Decrypt",
           "kms:DescribeKey",
           "kms:Encrypt",
           "kms:ListAliases",
           "kms:ListKeys"
       ],
       "Resource": "*"
    }

    Important

    If you plan to use KMS key encryption for backup repositories, consider the following:

    • The key policy of the AWS KMS key that will be used to encrypt a repository must allow the IAM role specified in the repository settings to access the key.
    • AWS managed keys cannot be used to encrypt repositories due to AWS limitations.
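
To review an existing repository role against the two permission sets above, the following added example (not Veeam's code) reports documented permissions the role lacks, documented actions granted on a wider resource than listed, and actions the page does not list. The function names, the sample policy and the bucket name `example-backup-bucket` are constructed; only `Allow` statements are read, and `fnmatch` approximates IAM wildcard matching.

```python
import json
from fnmatch import fnmatchcase

def documented(bucket, kms=False):
    """Action -> resource map transcribed from the policy statements on this page."""
    obj, bkt = f"arn:aws:s3:::{bucket}/*", f"arn:aws:s3:::{bucket}"
    doc = {a: obj for a in ("s3:PutObject", "s3:GetObject",
                            "s3:DeleteObject", "s3:RestoreObject")}
    doc.update({a: bkt for a in ("s3:ListBucket", "s3:GetBucketLocation")})
    doc.update({a: "*" for a in ("ec2:DescribeRegions", "iam:GetContextKeysForPrincipalPolicy",
                                 "iam:SimulatePrincipalPolicy", "s3:ListAllMyBuckets")})
    if kms:  # only for roles that create KMS-encrypted repositories
        doc.update({a: "*" for a in ("kms:Decrypt", "kms:DescribeKey", "kms:Encrypt",
                                     "kms:ListAliases", "kms:ListKeys")})
    return doc

def _list(v):
    return v if isinstance(v, list) else [v]

def audit(policy, bucket, kms=False):
    """Compare Allow grants with the documented set. Deny, NotAction, NotResource
    and Condition are not evaluated (a simplification of this example)."""
    grants = [(a, r) for st in _list(policy["Statement"]) if st.get("Effect") == "Allow"
              for a in _list(st.get("Action", [])) for r in _list(st.get("Resource", []))]
    doc = documented(bucket, kms)
    hit = lambda g, a: fnmatchcase(a.lower(), g[0].lower())   # IAM actions ignore case
    covers = lambda g, a: hit(g, a) and fnmatchcase(doc[a], g[1])
    missing = sorted(a for a in doc if not any(covers(g, a) for g in grants))
    # A documented action granted on a resource pattern wider than the page lists.
    broad = sorted({g for g in grants for a in doc if covers(g, a) and g[1] != doc[a]})
    # Wildcard action patterns, or actions the page does not list at all.
    extra = sorted({g for g in grants if "*" in g[0] or not any(hit(g, a) for a in doc)})
    return {"missing": missing, "broader_than_documented": broad, "undocumented": extra}

# Constructed sample role policy (not from the page); the bucket name is a placeholder.
SAMPLE = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
   "Resource": "arn:aws:s3:::*"},
  {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation", "s3:PutBucketPolicy"],
   "Resource": "arn:aws:s3:::example-backup-bucket"},
  {"Effect": "Allow", "Action": ["ec2:DescribeRegions", "iam:GetContextKeysForPrincipalPolicy",
   "iam:SimulatePrincipalPolicy", "s3:ListAllMyBuckets"], "Resource": "*"}]}
""")

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE, "example-backup-bucket"), indent=2))
```

Pass `kms=True` when the role is also used to create repositories encrypted with AWS KMS keys, so the KMS actions are included in the comparison.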