Adding AWS Regions Manually
To add an AWS Region to the VPC Backup policy, or to choose another IAM role for collecting VPC configuration data, do the following:
- In the Additional regions section, click Add.
- In the Configure account settings window, from the IAM role drop-down list, select an IAM role whose permissions Veeam Backup for AWS will use to perform Amazon VPC configuration backup. In the Account field, the ID of the AWS account in which the IAM role was created will be displayed. The specified IAM role must be assigned the permissions listed in section VPC Configuration Backup IAM Role Permissions.
For an IAM role to be displayed in the IAM role list, it must be added to Veeam Backup for AWS with the Amazon VPC Backup operation selected as described in section Adding IAM Roles. If you have not added the necessary IAM role to Veeam Backup for AWS beforehand, you can do it without closing the VPC Configuration Backup wizard. To do that, click Add and complete the Add IAM Role wizard.
- In the Regions section, select the necessary AWS Regions from the Available Regions list on the left, and then click Add.
- To save changes made to the backup policy settings, click Apply.
- To check whether IAM role specified for the selected AWS Regions has all the permissions required to perform Amazon VPC configuration backup, in the Additional regions section, click Check Permissions.
Veeam Backup for AWS will display the AWS Permission Check window where you can view the progress and results of the performed check. If some permissions of the IAM role are missing, the check will complete with errors. You can view the list of permissions that must be granted to IAM roles in the Missing Permissions column. For more information on required permissions, see VPC Configuration Backup IAM Role Permissions.
You can grant the missing permissions to IAM roles in the AWS Management Console or instruct Veeam Backup for AWS to do it. To learn how to grant permissions to IAM roles using the AWS Management Console, see AWS Documentation. To let Veeam Backup for AWS grant the missing permissions:
- In the AWS Permission Check window, click Grant.
- In the Grant Permissions Window, provide one-time access keys of an IAM user that is authorized to update permissions of the IAM role, and then click Apply.
The IAM user whose access keys are used to update the IAM role must have the following permissions:
"iam:AttachRolePolicy", "iam:CreatePolicy", "iam:CreatePolicyVersion", "iam:CreateRole", "iam:GetAccountSummary", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:ListAttachedRolePolicies", "iam:ListPolicyVersions", "iam:SimulatePrincipalPolicy", "iam:UpdateAssumeRolePolicy" |
Note |
Veeam Backup for AWS does not store one-time access keys in the configuration database. |
You can add, edit or remove additional AWS Regions from the VPC Backup policy.