Permissions
To perform backup and restore operations, accounts that AWS Plug-in for Veeam Backup & Replication uses to perform data protection and disaster recovery operations must be granted the following permissions.
Veeam Backup & Replication User Account Permissions
A user account that you plan to use when installing and working with Veeam Backup & Replication must have permissions described in the Veeam Backup & Replication User Guide, section Installing and Using Veeam Backup & Replication.
Veeam Backup for AWS User Account Permissions
A user account that Veeam Backup & Replication will use to authenticate against the Veeam Backup for AWS appliance and get access to the appliance functionality must be assigned the Portal Administrator role. For more information on user roles, see the Veeam Backup for AWS User Guide, section Managing Permissions.
Note: When you deploy a Veeam Backup for AWS appliance from the Veeam Backup & Replication console, Veeam Backup & Replication will automatically create the necessary user account that will be assigned all the required permissions.
AWS Plug-in for Veeam Backup & Replication requires the following IAM identities:
- An IAM user whose permissions are used to create, connect and manage Veeam Backup for AWS appliances. To be able to perform these operations, the specified IAM user must have the following set of permissions:
Full list of Permissions
List of Permissions to Deploy a Veeam Backup for AWS Appliance
List of Permissions to Connect a Veeam Backup for AWS Appliance
List of Permissions to Add a Repository
List of Permissions to Encrypt Repositories Using AWS KMS Keys
{
    "Effect": "Allow",
    "Action": [
        "kms:Decrypt",
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:ListAliases",
        "kms:ListKeys"
    ],
    "Resource": "*"
}
List of Permissions to Upgrade Veeam Backup for AWS Appliance to Version 6a
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:SimulatePrincipalPolicy",
                "ec2:AttachVolume",
                "ec2:CreateVolume",
                "ec2:CreateSnapshot",
                "ec2:DescribeAddresses",
                "ec2:DescribeInstances",
                "ec2:DescribeVolumes",
                "ec2:DescribeSnapshots",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeRegions",
                "ec2:DetachVolume",
                "ec2:DeleteVolume",
                "ec2:DescribeVolumeAttribute",
                "ec2:DeleteSnapshot",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeImages",
                "ec2:ModifyInstanceAttribute",
                "ec2:RunInstances",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "ec2:RunInstances",
                "sts:GetCallerIdentity"
            ],
            "Resource": "*"
        }
    ]
}
- IAM roles whose permissions are used to perform data protection and disaster recovery operations with AWS resources.
When you deploy a new Veeam Backup for AWS appliance, the Default Backup Restore IAM role is automatically created and added to the Veeam Backup for AWS appliance. The Default Backup Restore IAM role is assigned all permissions required to perform data protection and disaster recovery operations in the same AWS account where the Veeam Backup for AWS appliance resides. For more information on the Default Backup Restore IAM role permissions, see the Veeam Backup for AWS User Guide, section Full List of IAM Permissions. However, you can create additional IAM roles with granular permissions and add them to the Veeam Backup for AWS appliance as described in the Veeam Backup for AWS User Guide, section Managing IAM Roles.
- IAM users whose one-time access keys are specified to access standard repositories where the image-level backups are stored must have the permissions described in the Veeam Backup & Replication User Guide, section Using Amazon S3 Object Storage, if you plan to copy image-level backups or to restore guest OS files from image-level backups. To learn how to specify one-time access keys of IAM users, see sections Connecting to Existing Appliance and Creating New Repositories.
- IAM users whose one-time access keys are used to automatically grant missing permissions to IAM users and roles must have the following permissions:
"iam:AttachRolePolicy", "iam:CreatePolicy",
Veeam Backup & Replication neither saves nor stores these one-time access keys in the configuration database.
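As an added example (not part of the Veeam documentation or product code), the following Python check compares a candidate IAM policy document against the upgrade action list above and reports which required actions it does not grant on all resources. The function names, the sample policy and its account ID are constructed for illustration; only Allow statements with "Resource": "*" and no Condition are counted, and NotAction statements are not evaluated.

```python
import fnmatch

# Actions copied from the upgrade permission list on this page (duplicate dropped).
REQUIRED_UPGRADE_ACTIONS = sorted({
    "iam:GetRole", "iam:SimulatePrincipalPolicy", "sts:GetCallerIdentity",
    "ec2:AttachVolume", "ec2:CreateVolume", "ec2:CreateSnapshot",
    "ec2:DescribeAddresses", "ec2:DescribeInstances", "ec2:DescribeVolumes",
    "ec2:DescribeSnapshots", "ec2:DescribeAvailabilityZones", "ec2:DescribeRegions",
    "ec2:DetachVolume", "ec2:DeleteVolume", "ec2:DescribeVolumeAttribute",
    "ec2:DeleteSnapshot", "ec2:DescribeInstanceAttribute", "ec2:DescribeImages",
    "ec2:ModifyInstanceAttribute", "ec2:RunInstances", "ec2:StartInstances",
    "ec2:StopInstances", "ec2:TerminateInstances",
})

def _listify(value):
    # Policy fields may hold a single value or a list of values.
    return value if isinstance(value, list) else [] if value is None else [value]

def _matches(action, patterns):
    # IAM action names are case-insensitive; "*" and "?" act as wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def missing_actions(policy, required=REQUIRED_UPGRADE_ACTIONS):
    """Return required actions the policy does not grant on Resource "*"."""
    allow, deny = [], []
    for stmt in _listify(policy.get("Statement")):
        actions = _listify(stmt.get("Action"))  # NotAction is not evaluated
        unscoped = "*" in _listify(stmt.get("Resource")) and "Condition" not in stmt
        if stmt.get("Effect") == "Deny":
            deny += actions  # conservative: any explicit Deny counts as blocking
        elif stmt.get("Effect") == "Allow" and unscoped:
            allow += actions
    return [a for a in required if not _matches(a, allow) or _matches(a, deny)]

# Constructed sample policy (hypothetical; the account ID is a placeholder).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "ec2:Describe*", "ec2:*Volume", "ec2:*Snapshot", "ec2:RunInstances",
            "ec2:StartInstances", "ec2:StopInstances", "iam:GetRole",
            "sts:getcalleridentity"]},
        {"Effect": "Allow", "Action": "ec2:TerminateInstances",
         "Resource": "arn:aws:ec2:*:111122223333:instance/*"},
    ],
}

if __name__ == "__main__":
    print(missing_actions(SAMPLE_POLICY))
```

An empty result means every action in the list is allowed by an unscoped statement; it does not replace an evaluation of permission boundaries, service control policies or conditions.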
Virtualization Servers and Hosts Service Account Permissions
If you plan to copy backups to on-premises backup repositories, to perform restore to VMware vSphere and Microsoft Hyper-V environments, or to perform other tasks related to virtualization servers and hosts, you must check whether the service account specified for these servers and hosts has the required permissions described in the Veeam Backup & Replication User Guide for VMware vSphere and Veeam Backup & Replication User Guide for Microsoft Hyper-V, section Using Virtualization Servers and Hosts.
Microsoft Azure Account Permissions
An Azure AD application that you plan to use to restore EC2 instances to Microsoft Azure must have permissions described in the Veeam Backup & Replication User Guide, section Permissions.
Google Cloud Service Account Permissions
A service account that you plan to use to restore EC2 instances to Google Cloud must have permissions described in the Veeam Backup & Replication User Guide, section Google Compute Engine IAM User Permissions.