Amazon S3 Storage Permissions

The following permissions are required for the user account that you use to access Amazon S3 buckets and folders and to use Amazon S3 object storage as a target for backup and backup copy jobs.

Note: Make sure the account you are using has access to Amazon S3 buckets and folders.

  • For EC2 instance:

{
"ec2:CreateTags",
"ec2:DescribeInstances",
"ec2:StartInstances",
"ec2:RunInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:CreateKeyPair",
"ec2:DeleteKeyPair",
"ec2:DescribeVpcs",
"ec2:CreateVpc",
"ec2:DeleteVpc",
"ec2:DescribeSubnets",
"ec2:CreateSubnet",
"ec2:DeleteSubnet",
"ec2:DescribeRouteTables",
"ec2:CreateRouteTable",
"ec2:DeleteRouteTable",
"ec2:CreateRoute",
"ec2:DeleteRoute",
"ec2:DescribeInternetGateways",
"ec2:CreateInternetGateway",
"ec2:AttachInternetGateway",
"ec2:DeleteInternetGateway",
"ec2:DescribeSecurityGroups",
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:DescribeConversionTasks",
"ec2:DescribeInstanceTypes",
"ec2:AuthorizeSecurityGroupIngress",
"ssm:GetParameter"
}

  • For Amazon S3 object storage:

{
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
}

  • For a bucket:

{
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:GetBucketObjectLockConfiguration",
"s3:GetBucketVersioning",
"s3:ListBucketVersions"
}

  • For an object:

{
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"s3:RestoreObject",
"s3:GetObjectVersion",
"s3:GetObjectRetention",
"s3:PutObjectRetention",
"s3:DeleteObjectVersion"
}
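
One way to attach the three S3 permission groups above to a single backup bucket, as an added example that is not from the original page or the product's own documentation. The bucket name EXAMPLE-BACKUP-BUCKET and the Sid labels are placeholders; bucket-level actions are granted on the bucket ARN and object-level actions on the objects under it, and the EC2 list is left out.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AccountLevelDiscovery",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Resource": "*"
    },
    {
      "Sid": "BucketLevel",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:GetBucketObjectLockConfiguration",
        "s3:GetBucketVersioning",
        "s3:ListBucketVersions"
      ],
      "Resource": "arn:aws:s3:::EXAMPLE-BACKUP-BUCKET"
    },
    {
      "Sid": "ObjectLevel",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts",
        "s3:RestoreObject",
        "s3:GetObjectVersion",
        "s3:GetObjectRetention",
        "s3:PutObjectRetention",
        "s3:DeleteObjectVersion"
      ],
      "Resource": "arn:aws:s3:::EXAMPLE-BACKUP-BUCKET/*"
    }
  ]
}
```

Scoping the bucket and object statements to one bucket keeps the delete and retention permissions from applying to any other bucket in the account.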

For examples, see this Veeam KB article. For more information on permissions, see this Amazon article.

For information about supported Amazon S3 storage classes, see Supported Amazon S3 Storage Classes.