Repository IAM Role Permissions

    To allow Veeam Backup for AWS to create a backup repository in an Amazon S3 bucket and to access the repository when performing backup and restore operations, the Repository IAM role specified in the repository settings must have the following permissions:

    {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "s3:PutObject",
                   "s3:GetObject",
                   "s3:DeleteObject",
                   "s3:RestoreObject"
               ],
               "Resource": "arn:aws:s3:::<yourbucketname>/*"
           },
           {
               "Effect": "Allow",
               "Action": [
                   "s3:ListBucket",
                   "s3:GetBucketLocation"
               ],
               "Resource": "arn:aws:s3:::<yourbucketname>"
           },
           {
               "Effect": "Allow",
               "Action": [
                   "s3:ListAllMyBuckets",
                   "ec2:DescribeRegions"
               ],
               "Resource": "*"
           }
       ]
    }

    To encrypt data stored in a backup repository using an AWS KMS key, the IAM role used to create the backup repository must be assigned the following permissions:

    {
       "Effect": "Allow",
       "Action": [
           "kms:ListKeys",
           "kms:Decrypt",
           "kms:Encrypt",
           "kms:ListAliases",
           "kms:DescribeKey"
       ],
       "Resource": "*"
    }
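
A check that a role's policy document covers every action and resource pair listed above, including the object-level versus bucket-level ARN split. This is an added example, not Veeam's code: the bucket name `example-backup-bucket` and the sample policy are constructed, and the matcher is a simplification that does not evaluate Deny, NotAction/NotResource or Condition elements.

```python
import json
import re

# Actions copied from the policy documents on this page, grouped by required resource.
S3_OBJECT = ("s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:RestoreObject")
S3_BUCKET = ("s3:ListBucket", "s3:GetBucketLocation")
ANY = ("s3:ListAllMyBuckets", "ec2:DescribeRegions")
KMS = ("kms:ListKeys", "kms:Decrypt", "kms:Encrypt", "kms:ListAliases", "kms:DescribeKey")

def required_grants(bucket, with_kms=False):
    """(action, resource) pairs the Repository IAM role needs for this bucket."""
    arn = f"arn:aws:s3:::{bucket}"
    pairs = [(a, arn + "/*") for a in S3_OBJECT] + [(a, arn) for a in S3_BUCKET]
    pairs += [(a, "*") for a in ANY + (KMS if with_kms else ())]
    return pairs

def _match(pattern, value, ignore_case=False):
    # IAM wildcards: '*' is any run of characters, '?' is exactly one character.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _listify(value):
    # Action and Resource may each be a single string or a list of strings.
    return [value] if isinstance(value, str) else list(value)

def missing_grants(policy, bucket, with_kms=False):
    """Return the required pairs that no Allow statement in the policy covers."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    allows = [s for s in stmts if s.get("Effect") == "Allow" and "Action" in s and "Resource" in s]
    def covered(action, resource):
        return any(
            any(_match(p, action, True) for p in _listify(s["Action"]))
            and any(_match(p, resource) for p in _listify(s["Resource"]))
            for s in allows)
    return [pair for pair in required_grants(bucket, with_kms) if not covered(*pair)]

# Constructed sample: RestoreObject omitted, bucket-level actions scoped to objects by mistake.
SAMPLE = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
   "Resource": "arn:aws:s3:::example-backup-bucket/*"},
  {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
   "Resource": "arn:aws:s3:::example-backup-bucket/*"},
  {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "ec2:DescribeRegions"], "Resource": "*"}
]}""")

if __name__ == "__main__":
    for action, resource in missing_grants(SAMPLE, "example-backup-bucket"):
        print(f"MISSING {action} on {resource}")
```

An empty result means every listed grant is covered by at least one Allow statement; it does not show that the policy is minimal.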