Challenge
Restore of an EC2 Instance in Veeam Backup for AWS requires certain privileges:- Create EBS Volume
- Attach EBS volume to EC2 Instance
- Start EC2 Instance
- and so on - see permissions below
To perform Instance Restore operation the proper security access should be provided to Veeam Backup for AWS server.
There are two options:
- specify an IAM Role which Veeam Backup for AWS server can switch to for restore operations
- provide access keys from an IAM User
Solution
There are two types of deployments where IAM role is required to perform the restore: backup inside production or isolated from production backup.The isolated from production deployment is delivering exceptional level of protection when the whole production environment is lost. Veeam is recommending this type of the deployment as the most secure one.
Depending on the deployment type IAM Roles should be created in different accounts.
Isolated from production backup deployment
In this type of deployment the Veeam Backup for AWS server is running in dedicated Backup Account.
So the IAM Restore Role should be created in Production Account
1. Please use the following JSON text to create IAM Policy by following instructions from How to create IAM Policy article. These permissions will allow Veeam Backup for AWS service perform operations required for restore:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:CreateVolume",
"ec2:DeleteVolume",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeKeyPairs",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVolumes",
"ec2:DescribeVpcs",
"ec2:DetachVolume",
"ec2:ModifySnapshotAttribute",
"ec2:RunInstances",
"ec2:StopInstances",
"iam:AddRoleToInstanceProfile",
"iam:AttachRolePolicy",
"iam:CreateInstanceProfile",
"iam:CreateRole",
"iam:GetRole",
"iam:ListAttachedRolePolicies",
"iam:ListInstanceProfilesForRole",
"iam:ListRolePolicies",
"iam:ListRoleTags",
"iam:UpdateAssumeRolePolicy",
"kms:CreateGrant",
"kms:DescribeKey",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:ListAliases",
"kms:ListKeys",
"servicequotas:ListServiceQuotas",
"sts:AssumeRole",
"sts:GetCallerIdentity",
"ec2:AttachVolume"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
2. Navigate to Roles3. Choose "Create role"
4. Select type of trusted entity "Another AWS Service"
5. In the "Account ID" enter the ID of your Backup Account (you can obtain this number if you login in AWS console of the Backup Account and select "My account" in top right menu)
6. Select the checkbox "Require external ID" and enter a pass phrase to raise level of security for the role
7. Press "Next: Permissions" button
8. Enter the name of the policy selected on step 1 in "filter policies" edit box
9. Select the policy with ticking on the checkbox in the first column
10. Press "Next: Tags" button
11. Enter tagging info if desired and press "Next: Review" button
12. Give a name to the IAM Role - you will be using this name in the Veeam Backup for AWS UI (e.g. vb4aws_restore_role)
13. Press "Create role" button
14. After successful creation of the role you will be able to see it in the list of all available roles
Backup inside Production deployment
NOTE: this type of deployment (since it is not very secure) is recommended for test, demo and small environments only!
1. Please use the following JSON text to create IAM Policy by following instructions from How to create IAM Policy article. These permissions will allow Veeam Backup for AWS service perform operations required for restore:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:CreateVolume",
"ec2:DeleteVolume",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeKeyPairs",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVolumes",
"ec2:DescribeVpcs",
"ec2:DetachVolume",
"ec2:ModifySnapshotAttribute",
"ec2:RunInstances",
"ec2:StopInstances",
"iam:AddRoleToInstanceProfile",
"iam:AttachRolePolicy",
"iam:CreateInstanceProfile",
"iam:CreateRole",
"iam:GetRole",
"iam:ListAttachedRolePolicies",
"iam:ListInstanceProfilesForRole",
"iam:ListRolePolicies",
"iam:ListRoleTags",
"iam:UpdateAssumeRolePolicy",
"kms:CreateGrant",
"kms:DescribeKey",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:ListAliases",
"kms:ListKeys",
"servicequotas:ListServiceQuotas",
"sts:AssumeRole",
"sts:GetCallerIdentity",
"ec2:AttachVolume"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
2. Navigate to Roles3. Choose "Create role"
4. Select type of trusted entity "AWS Service"
4. Choose "EC2" in "Choose the service that will use this role"
5. Press "Next: Permissions" button
6. Enter the name of the policy selected on step 1 in "filter policies" edit box
7. Select the policy with ticking on the checkbox in the first column
8. Press "Next: Tags" button
9. Enter tagging info if desired and press "Next: Review" button
10. Give a name to the IAM Role - you will be using this name in the Veeam Backup for AWS UI (e.g. vb4aws_restorerole)
11. Press "Create role" button
12. After successful creation of the role you will be able to see it in the list of all available roles
How to obtain access keys for IAM User to use for Instance Restore operation
If you already have an IAM User account which you would like to use to perform the restore operation please go to section "Acquiring access keys for an IAM User" directly
Creating an IAM User for performing restore
1. Please use the following JSON text to create IAM Policy by following instructions from How to create IAM Policy article. These permissions will allow Veeam Backup for AWS service perform operations required for restore:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:CreateVolume",
"ec2:DeleteVolume",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeKeyPairs",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVolumes",
"ec2:DescribeVpcs",
"ec2:DetachVolume",
"ec2:ModifySnapshotAttribute",
"ec2:RunInstances",
"ec2:StopInstances",
"iam:AddRoleToInstanceProfile",
"iam:AttachRolePolicy",
"iam:CreateInstanceProfile",
"iam:CreateRole",
"iam:GetRole",
"iam:ListAttachedRolePolicies",
"iam:ListInstanceProfilesForRole",
"iam:ListRolePolicies",
"iam:ListRoleTags",
"iam:UpdateAssumeRolePolicy",
"kms:CreateGrant",
"kms:DescribeKey",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:ListAliases",
"kms:ListKeys",
"servicequotas:ListServiceQuotas",
"sts:AssumeRole",
"sts:GetCallerIdentity",
"ec2:AttachVolume"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
2. Navigate to Users section of IAM Management3. Press "Add User" button
4. Enter the user name and select Access Type as "AWS Management Console access"
5. Select the password for this user and proceed to next step by clicking "Next: Permissions"
6. Select attach existing policies directly
7. Filter by entering the name of the policy selected on step 1 and select the found item and proceed to next page
8. Enter tagging info if desired and press "Next: Review" button
9. Click on "Create User"
Acquiring access keys for an IAM User
1. Navigate to Users section of IAM Management
2. Click on the User name of the IAM User you would like to use for restore operation
3. Switch to the "Security Credentials" tab
4. Click on "Create Access Key" button
5. In the popup window you will see a pair of access key and security key (hidden under "Show" link)
6. Please copy and paste access and security keys to the Veeam Backup for AWS server UI in the "Account" section of the restore wizard
It is highly recommended to deactivate access keys right after the restore operation is complete. To do that please click on "Make inactive" link for the security key created.