Repository IAM Role Permissions

To allow Veeam Backup for AWS to create backup repositories in an Amazon S3 bucket and to access the repository when performing backup and restore operations, IAM roles specified in the repository settings must be granted the following permissions:

{

   "Version": "2012-10-17",

   "Statement": [

       {

           "Effect": "Allow",

           "Action": [

               "s3:PutObject",

               "s3:GetObject",

               "s3:DeleteObject",

               "s3:RestoreObject"

           ],

           "Resource": "arn:aws:s3:::<yourbucketname>/*"

       },

       {

           "Effect": "Allow",

           "Action": [

               "s3:ListBucket",

               "s3:GetBucketLocation"

           ],

           "Resource": "arn:aws:s3:::<yourbucketname>"

       },

       {

           "Effect": "Allow",

           "Action": [

               "ec2:DescribeRegions",

               "iam:GetContextKeysForPrincipalPolicy",

               "iam:SimulatePrincipalPolicy",

               "s3:ListAllMyBuckets"

           ],

           "Resource": "*"

       }

   ]

}

To encrypt data stored in backup repositories using AWS KMS keys, IAM roles used to create the backup repositories must be granted the following permissions:

{

           "Effect": "Allow",

           "Action": [

               "kms:Decrypt",

               "kms:DescribeKey",

               "kms:Encrypt",

               "kms:ListAliases",

               "kms:ListKeys"

           ],

           "Resource": "*"

}

 

Important

If you plan to use KMS key encryption for backup repositories, consider the following:

  • The key policy of an AWS KMS key that will be used to encrypt a repository must allow the IAM role specified in the repository settings access to the key.
  • AWS managed keys cannot be used to encrypt repositories due to AWS limitations.