Service IAM Role Permissions
To allow Veeam Backup for AWS to launch worker instances to perform backup and restore operations, the Service IAM role specified in the worker instance settings must have the following permissions:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ebs:ListChangedBlocks", "ebs:ListSnapshotBlocks", "ec2:AttachVolume", "ec2:CopySnapshot", "ec2:CreateKeyPair", "ec2:CreateSnapshot", "ec2:CreateTags", "ec2:CreateVolume", "ec2:DeleteKeyPair", "ec2:DeleteSnapshot", "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones", "ec2:DescribeImages", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstances", "ec2:DescribeKeyPairs", "ec2:DescribeRegions", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSnapshots", "ec2:DescribeSubnets", "ec2:DescribeVolumes", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcs", "ec2:DetachVolume", "ec2:GetEbsDefaultKmsKeyId", "ec2:ModifyInstanceAttribute", "ec2:ModifySnapshotAttribute", "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances", "iam:AddRoleToInstanceProfile", "iam:AttachRolePolicy", "iam:CreateInstanceProfile", "iam:CreateRole", "iam:DeleteInstanceProfile", "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:DetachRolePolicy", "iam:GetInstanceProfile", "iam:GetRole", "iam:ListAttachedRolePolicies", "iam:ListInstanceProfilesForRole", "iam:ListRolePolicies", "iam:PassRole", "iam:PutRolePolicy", "iam:RemoveRoleFromInstanceProfile", "kinesis:CreateStream", "kinesis:DeleteStream", "kinesis:DescribeStream", "kinesis:PutRecord", "kms:CreateGrant", "kms:DescribeKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:GetKeyPolicy", "kms:ListAliases", "kms:ListKeys", "kms:ReEncryptFrom", "kms:ReEncryptTo", "servicequotas:ListServiceQuotas", "sqs:CreateQueue", "sqs:DeleteMessage", "sqs:DeleteQueue", "sqs:ListQueues", "sqs:ReceiveMessage", "sqs:SendMessage", "ssm:GetCommandInvocation", "ssm:SendCommand" ], "Resource": "*" } ] } |