Granular AWS Account Permissions for Adding an S3 Repository
KB ID: 4141
Product: Veeam Backup for AWS 5.0; Veeam Backup & Replication 11
Published: 2021-04-14
Last Modified: 2022-07-13
Objective
This article documents the granular permissions required to add an S3 repository to Veeam Backup for AWS.
Alternatively, you can use cumulative permissions listed in the Integration with Veeam Backup for AWS Guide.
Version Requirement
This article is intended for use with 'AWS Plug-in for Veeam Backup & Replication' version 11.0.3.xxx or later.
Solution
Two identities participate in the creation of an S3 standard or archive repository:
- The AWS account that you specify at the Account step of the Add External Repository wizard.
- The IAM role created on the Veeam Backup for AWS appliance.
The IAM role must have the permissions described in the Repository IAM Role Permissions section of the Veeam Backup for AWS User Guide.
The AWS role must have the following permissions:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeRegions",
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation",
                "iam:GetRole",
                "iam:SimulatePrincipalPolicy",
                "s3:ListBucket",
                "s3:CreateBucket",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "*"
        }
    ]
}
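The following Python script is an added example, not part of the Veeam article or Veeam tooling. It checks offline whether a candidate IAM policy document grants every action listed above, honoring IAM's `*` and `?` wildcards and case-insensitive action names. `SAMPLE_POLICY` is a constructed input, the function names are hypothetical, and Resource, Condition and NotAction are not evaluated (a simplifying assumption).

```python
import json
import re

# Actions this KB lists for the AWS account specified in the wizard.
REQUIRED_ACTIONS = [
    "ec2:DescribeRegions", "s3:ListAllMyBuckets", "s3:GetBucketLocation",
    "iam:GetRole", "iam:SimulatePrincipalPolicy", "s3:ListBucket",
    "s3:CreateBucket", "s3:GetObject", "s3:PutObject",
]

# Constructed sample: a candidate policy written with wildcards.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:Describe*", "s3:Get*", "s3:List*", "s3:PutObject"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:GetRole", "Resource": "*"}
  ]
}
""")

def as_list(value):
    """IAM accepts a single string/object wherever a list is allowed."""
    return value if isinstance(value, list) else [value]

def action_matches(action, patterns):
    """Action names are case-insensitive; '*' and '?' are wildcards."""
    for pattern in patterns:
        rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(rx, action, re.IGNORECASE):
            return True
    return False

def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Required actions that are not allowed, or that hit an explicit Deny."""
    # Assumption: Resource, Condition and NotAction are not evaluated, so any
    # Deny naming a required action is reported for manual review.
    allowed, denied = [], []
    for stmt in as_list(policy.get("Statement", [])):
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        bucket.extend(as_list(stmt.get("Action", [])))
    return [a for a in required
            if not action_matches(a, allowed) or action_matches(a, denied)]

if __name__ == "__main__":
    print(missing_actions(SAMPLE_POLICY))
```

For the constructed sample, the script reports `iam:SimulatePrincipalPolicy` and `s3:CreateBucket` as missing, the two actions its wildcards do not cover.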