Repository IAM Role Permissions
To allow Veeam Backup for AWS to create backup repositories in an Amazon S3 bucket and to access the repository when performing backup and restore operations, IAM roles specified in the repository settings must be granted the following permissions:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:RestoreObject" ], "Resource": "arn:aws:s3:::<yourbucketname>/*" }, { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::<yourbucketname>" }, { "Effect": "Allow", "Action": [ "ec2:DescribeRegions", "iam:GetContextKeysForPrincipalPolicy", "iam:SimulatePrincipalPolicy", "s3:ListAllMyBuckets" ], "Resource": "*" } ] } |
To encrypt data stored in backup repositories using AWS KMS keys, IAM roles used to create the backup repositories must be granted the following permissions:
{ "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:DescribeKey", "kms:Encrypt", "kms:ListAliases", "kms:ListKeys" ], "Resource": "*" } |
Important |
If you plan to use KMS key encryption for backup repositories, consider the following:
|