EC2 Restore IAM Permissions
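To perform EC2 restore operations, IAM roles and IAM users specified in the restore settings must be granted the permissions listed below. The policy as written allows every listed action on all resources ("Resource": "*") and includes IAM actions that can change what a role is permitted to do (iam:AttachRolePolicy, iam:PutRolePolicy) or pass a role to a service (iam:PassRole). Treat any role or user that holds it as highly privileged: limit who can assume or use it, and log its activity (for example, in AWS CloudTrail).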
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:AllocateAddress", "ec2:AssignPrivateIpAddresses", "ec2:AssociateAddress", "ec2:AttachNetworkInterface", "ec2:AttachVolume", "ec2:CopySnapshot", "ec2:CreateKeyPair", "ec2:CreateNetworkInterface", "ec2:CreateTags", "ec2:CreateVolume", "ec2:DeleteKeyPair", "ec2:DeleteNetworkInterface", "ec2:DeleteSnapshot", "ec2:DeleteTags", "ec2:DeleteVolume", "ec2:DeregisterImage", "ec2:DescribeAccountAttributes", "ec2:DescribeAddresses", "ec2:DescribeAvailabilityZones", "ec2:DescribeImages", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeKeyPairs", "ec2:DescribeNetworkInterfaces", "ec2:DescribeRegions", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSnapshots", "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcs", "ec2:DetachVolume", "ec2:DisassociateAddress", "ec2:GetEbsDefaultKmsKeyId", "ec2:ImportImage", "ec2:ModifyInstanceAttribute", "ec2:ModifyNetworkInterfaceAttribute", "ec2:ModifySnapshotAttribute", "ec2:ModifyVolume", "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances", "events:DeleteRule", "events:DescribeRule", "events:ListTargetsByRule", "events:PutRule", "events:PutTargets", "events:RemoveTargets", "iam:AddRoleToInstanceProfile", "iam:AttachRolePolicy", "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile", "iam:DeleteRolePolicy", "iam:DetachRolePolicy", "iam:GetContextKeysForPrincipalPolicy", "iam:GetInstanceProfile", "iam:GetRole", "iam:ListAccountAliases", "iam:ListAttachedRolePolicies", "iam:ListInstanceProfilesForRole", "iam:ListRolePolicies", "iam:PassRole", "iam:PutRolePolicy", "iam:RemoveRoleFromInstanceProfile", "iam:SimulatePrincipalPolicy", "kms:CreateGrant", "kms:DescribeKey", "kms:GetKeyPolicy", "kms:ListAliases", "kms:ListKeys", "kms:ReEncryptFrom", "kms:ReEncryptTo", "s3:GetBucketLocation", 
"servicequotas:ListServiceQuotas" ], "Resource": "*", "Effect": "Allow" } ] }
Permissions Required to Deploy Worker Instances in Production Account
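If you plan to instruct Veeam Backup for AWS to deploy worker instances in production accounts, IAM roles specified in the restore settings must be granted the additional permissions listed below. This policy also uses "Resource": "*", so ssm:SendCommand and iam:PassRole are not limited to specific instances or roles. Review the role's trust policy and audit its use in the production account accordingly.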
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:CreateKeyPair", "ec2:DeleteKeyPair", "ec2:DescribeAccountAttributes", "ec2:DescribeKeyPairs", "iam:GetRole", "iam:ListInstanceProfilesForRole", "iam:PassRole", "sqs:CreateQueue", "sqs:DeleteMessage", "sqs:DeleteQueue", "sqs:ListQueues", "sqs:ReceiveMessage", "sqs:SendMessage", "ssm:GetCommandInvocation", "ssm:GetParameter", "ssm:SendCommand" ], "Resource": "*", "Effect": "Allow" } ] }