Amazon S3 Storage Permissions

Note

Make sure the account you are using has access to Amazon S3 buckets and folders.

Veeam Backup for Microsoft 365 supports Amazon S3 Standard and Amazon S3 Standard-Infrequent Access storage classes as a target for backup and backup copy jobs. Veeam Backup for Microsoft 365 supports all Amazon S3 Glacier storage classes only as a target for backup copy jobs. For more information about supported Amazon S3 storage classes, see Supported Amazon S3 Storage Classes.

The following are required permissions to use supported Amazon S3 object storage as a target for backup and backup copy jobs:

For EC2 instance

{
"ec2:CreateTags",
"ec2:DescribeInstances",

"ec2:StartInstances",

"ec2:RunInstances",

"ec2:StopInstances",

"ec2:TerminateInstances",

"ec2:CreateKeyPair",

"ec2:DeleteKeyPair",

"ec2:DescribeVpcs",

"ec2:CreateVpc",

"ec2:DeleteVpc",

"ec2:DescribeSubnets",

"ec2:CreateSubnet",

"ec2:DeleteSubnet",

"ec2:DescribeRouteTables",

"ec2:CreateRouteTable",

"ec2:DeleteRouteTable",

"ec2:CreateRoute",

"ec2:DeleteRoute",

"ec2:DescribeInternetGateways",

"ec2:CreateInternetGateway",

"ec2:AttachInternetGateway",

"ec2:DeleteInternetGateway",

"ec2:DescribeSecurityGroups",

"ec2:CreateSecurityGroup",

"ec2:DeleteSecurityGroup",

"ec2:DescribeConversionTasks",

"ec2:DescribeInstanceTypes",

"ec2:AuthorizeSecurityGroupIngress",

"ssm:GetParameter"
}

For Amazon S3 object storage

{
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"

}

For a bucket

{
"s3:ListBucket",

"s3:ListBucketMultipartUploads",

"s3:GetBucketObjectLockConfiguration",

"s3:GetBucketVersioning",

"s3:ListBucketVersions"
}

For an object

{
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:AbortMultipartUpload",

"s3:ListMultipartUploadParts",

"s3:RestoreObject",

"s3:GetObjectVersion",

"s3:GetObjectRetention",

"s3:PutObjectRetention",

"s3:DeleteObjectVersion"
}

For examples, see this Veeam KB article. For more information on permissions, see this Amazon article.