IAM Permissions
To perform data protection and disaster recovery operations, Veeam Data Cloud for AWS requires IAM roles whose permissions are used to access AWS services and resources.
When you add a tenant to Veeam Data Cloud for AWS, the product automatically generates a CloudFormation template that you can then use to create IAM roles in all accounts whose resources you plan to protect. The created IAM roles are assigned all the permissions required to perform operations in the same AWS accounts where the source resources reside. For more information, see Managing Tenants in Veeam Data Cloud for AWS.
Specifically, Veeam Data Cloud for AWS uses IAM role permissions to perform the following operations:
- To enumerate resources added to a backup policy.
- To create cloud-native snapshots of EC2 instances and RDS resources.
- To create image-level backups of EC2 instances and DB instances.
- To create cloud-native backups of DynamoDB tables, Redshift clusters, Redshift Serverless namespaces, EFS and FSx file systems.
- To create backup repositories in Amazon S3 buckets and to access these repositories when performing backup and restore operations.
- To restore EC2 instances and RDS resources from cloud-native snapshots.
- To restore EC2 instances and DB instances from image-level backups.
- To restore DynamoDB tables, Redshift clusters, Redshift Serverless namespaces, EFS and FSx file systems from cloud-native backups.
To perform these operations, the IAM roles are granted the permissions defined in the following IAM policy:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "backup:CopyFromBackupVault", "backup:CopyIntoBackupVault", "backup:CreateBackupVault", "backup:DeleteBackupVault", "backup:DeleteRecoveryPoint", "backup:DescribeBackupJob", "backup:DescribeBackupVault", "backup:DescribeCopyJob", "backup:DescribeRecoveryPoint", "backup:DescribeRegionSettings", "backup:DescribeRestoreJob", "backup:ListBackupVaults", "backup:ListRecoveryPointsByBackupVault", "backup:ListTags", "backup:StartBackupJob", "backup:StartCopyJob", "backup:StartRestoreJob", "backup:StopBackupJob", "backup:TagResource", "backup:UntagResource", "backup:UpdateRegionSettings", "backup-storage:MountCapsule", "ds:DescribeDirectories", "dynamodb:DeleteTable", "dynamodb:DescribeContinuousBackups", "dynamodb:DescribeTable", "dynamodb:DescribeTimeToLive", "dynamodb:ListTables", "dynamodb:ListTagsOfResource", "dynamodb:RestoreTableFromAwsBackup", "dynamodb:StartAwsBackupJob", "dynamodb:TagResource", "dynamodb:UpdateContinuousBackups", "dynamodb:UpdateTable", "dynamodb:UpdateTimeToLive", "ebs:GetSnapshotBlock", "ebs:ListChangedBlocks", "ebs:ListSnapshotBlocks", "ec2:AcceptVpcEndpointConnections", "ec2:AllocateAddress", "ec2:AssignPrivateIpAddresses", "ec2:AssociateAddress", "ec2:AssociateClientVpnTargetNetwork", "ec2:AssociateDhcpOptions", "ec2:AssociateIamInstanceProfile", "ec2:AssociateRouteTable", "ec2:AssociateSubnetCidrBlock", "ec2:AssociateTransitGatewayMulticastDomain", "ec2:AssociateTransitGatewayRouteTable", "ec2:AssociateVpcCidrBlock", "ec2:AttachInternetGateway", "ec2:AttachNetworkInterface", "ec2:AttachVolume", "ec2:AttachVpnGateway", "ec2:AuthorizeClientVpnIngress", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CopySnapshot", "ec2:CreateClientVpnEndpoint", "ec2:CreateClientVpnRoute", "ec2:CreateCustomerGateway", "ec2:CreateDefaultSubnet", "ec2:CreateDefaultVpc", "ec2:CreateDhcpOptions", "ec2:CreateEgressOnlyInternetGateway", 
"ec2:CreateInternetGateway", "ec2:CreateKeyPair", "ec2:CreateManagedPrefixList", "ec2:CreateNatGateway", "ec2:CreateNetworkAcl", "ec2:CreateNetworkAclEntry", "ec2:CreateNetworkInterface", "ec2:CreateRoute", "ec2:CreateRouteTable", "ec2:CreateSecurityGroup", "ec2:CreateSnapshot", "ec2:CreateSnapshots", "ec2:CreateSubnet", "ec2:CreateTags", "ec2:CreateTransitGateway", "ec2:CreateTransitGatewayMulticastDomain", "ec2:CreateTransitGatewayPeeringAttachment", "ec2:CreateTransitGatewayPrefixListReference", "ec2:CreateTransitGatewayRoute", "ec2:CreateTransitGatewayRouteTable", "ec2:CreateTransitGatewayVpcAttachment", "ec2:CreateVolume", "ec2:CreateVpc", "ec2:CreateVpcEndpoint", "ec2:CreateVpcEndpointServiceConfiguration", "ec2:CreateVpcPeeringConnection", "ec2:CreateVpnConnection", "ec2:CreateVpnGateway", "ec2:DeleteClientVpnEndpoint", "ec2:DeleteClientVpnRoute", "ec2:DeleteCustomerGateway", "ec2:DeleteDhcpOptions", "ec2:DeleteEgressOnlyInternetGateway", "ec2:DeleteInternetGateway", "ec2:DeleteKeyPair", "ec2:DeleteManagedPrefixList", "ec2:DeleteNatGateway", "ec2:DeleteNetworkAcl", "ec2:DeleteNetworkAclEntry", "ec2:DeleteNetworkInterface", "ec2:DeleteRoute", "ec2:DeleteRouteTable", "ec2:DeleteSecurityGroup", "ec2:DeleteSnapshot", "ec2:DeleteSubnet", "ec2:DeleteTags", "ec2:DeleteTransitGateway", "ec2:DeleteTransitGatewayMulticastDomain", "ec2:DeleteTransitGatewayPeeringAttachment", "ec2:DeleteTransitGatewayPrefixListReference", "ec2:DeleteTransitGatewayRoute", "ec2:DeleteTransitGatewayRouteTable", "ec2:DeleteTransitGatewayVpcAttachment", "ec2:DeleteVolume", "ec2:DeleteVpc", "ec2:DeleteVpcEndpoints", "ec2:DeleteVpcEndpointServiceConfigurations", "ec2:DeleteVpcPeeringConnection", "ec2:DeleteVpnConnection", "ec2:DeleteVpnGateway", "ec2:DescribeAccountAttributes", "ec2:DescribeAddresses", "ec2:DescribeAvailabilityZones", "ec2:DescribeClientVpnAuthorizationRules", "ec2:DescribeClientVpnEndpoints", "ec2:DescribeClientVpnRoutes", "ec2:DescribeClientVpnTargetNetworks", 
"ec2:DescribeConversionTasks", "ec2:DescribeCustomerGateways", "ec2:DescribeDhcpOptions", "ec2:DescribeEgressOnlyInternetGateways", "ec2:DescribeImages", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceTypes", "ec2:DescribeInternetGateways", "ec2:DescribeKeyPairs", "ec2:DescribeManagedPrefixLists", "ec2:DescribeNatGateways", "ec2:DescribeNetworkAcls", "ec2:DescribeNetworkInterfaceAttribute", "ec2:DescribeNetworkInterfaces", "ec2:DescribeRegions", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSnapshotAttribute", "ec2:DescribeSnapshots", "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeTransitGatewayAttachments", "ec2:DescribeTransitGatewayMulticastDomains", "ec2:DescribeTransitGatewayPeeringAttachments", "ec2:DescribeTransitGatewayRouteTables", "ec2:DescribeTransitGateways", "ec2:DescribeTransitGatewayVpcAttachments", "ec2:DescribeVolumeAttribute", "ec2:DescribeVolumes", "ec2:DescribeVpcAttribute", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcEndpointServiceConfigurations", "ec2:DescribeVpcPeeringConnections", "ec2:DescribeVpcs", "ec2:DescribeVpnConnections", "ec2:DescribeVpnGateways", "ec2:DetachInternetGateway", "ec2:DetachVolume", "ec2:DetachVpnGateway", "ec2:DisableTransitGatewayRouteTablePropagation", "ec2:DisableVgwRoutePropagation", "ec2:DisassociateAddress", "ec2:DisassociateClientVpnTargetNetwork", "ec2:DisassociateRouteTable", "ec2:DisassociateTransitGatewayMulticastDomain", "ec2:DisassociateTransitGatewayRouteTable", "ec2:EnableTransitGatewayRouteTablePropagation", "ec2:EnableVgwRoutePropagation", "ec2:GetEbsDefaultKmsKeyId", "ec2:GetManagedPrefixListEntries", "ec2:GetTransitGatewayMulticastDomainAssociations", "ec2:GetTransitGatewayPrefixListReferences", "ec2:GetTransitGatewayRouteTableAssociations", "ec2:GetTransitGatewayRouteTablePropagations" ], "Resource": "*" } ] } |