Veeam Backup for AWS 7.0
User Guide
Related documents
Search

Repository IAM Permissions

To allow Veeam Backup for AWS to create backup repositories in an Amazon S3 bucket and to access the repository when performing backup and restore operations, IAM roles specified in the repository settings must meet the following requirements:

  1. The Amazon S3 Batch Operations service must be granted permissions to assume the IAM roles.

To allow the AWS service to assume an IAM role, configure trust relationships for the role and add the following statement to the trust policy.

{

 "Version": "2012-10-17",

 "Statement": [

   {

     "Effect": "Allow",

     "Action": "sts:AssumeRole",

     "Principal": {

       "Service": "batchoperations.s3.amazonaws.com"

     }

   }

 ]

}

To learn how to configure trust relationships, see Appendix A. Creating IAM Roles in AWS.

  1. The IAM roles must be granted the following permissions:

{

   "Version": "2012-10-17",

   "Statement": [

       {

           "Effect": "Allow",

           "Action": [

               "ec2:DescribeRegions",

               "ec2:DescribeVpcEndpoints",

               "iam:GetContextKeysForPrincipalPolicy",

               "iam:SimulatePrincipalPolicy",

               "iam:GetRole",

               "iam:PassRole",

               "iam:ListAccountAliases",

               "kms:ListKeys",

               "kms:ListAliases",

               "kms:DescribeKey",

               "kms:Encrypt",

               "kms:Decrypt",

               "s3:ListAllMyBuckets",

               "s3:CreateJob",

               "s3:DescribeJob",

               "s3:PutObject",

               "s3:GetObject",

               "s3:DeleteObject",

               "s3:RestoreObject",

               "s3:GetObjectRetention",

               "s3:PutObjectRetention",

               "s3:GetObjectVersion",

               "s3:DeleteObjectVersion",

               "s3:ListBucket",

               "s3:ListBucketVersions",

               "s3:GetBucketLocation",

               "s3:GetBucketVersioning",

               "s3:GetBucketObjectLockConfiguration"

           ],

           "Resource": "*"

       }

   ]

}

 

Important

If you plan to use KMS key encryption for backup repositories, consider the following:

  • The key policy of an AWS KMS key that will be used to encrypt a repository must allow the IAM role specified in the repository settings access to the key.
  • AWS managed keys cannot be used to encrypt repositories due to AWS limitations.

To learn how to create IAM roles and assign them the required permissions, see Appendix A. Creating IAM Roles in AWS.

View all results across Veeam
Back to document search