Granular AWS Account Permissions for Connection to and Upgrading of Veeam Backup for AWS Appliance
KB ID: 4140
Product: Veeam Backup for AWS 5.0, Veeam Backup & Replication 11
Published: 2021-04-14
Last Modified: 2022-07-13
Objective
This article documents the granular permissions needed for connecting to an existing Veeam Backup for AWS appliance.
Alternatively, cumulative permissions are listed in the Integration with Veeam Backup for AWS Guide.
Version Requirement
This article is intended for use with 'AWS Plug-in for Veeam Backup & Replication' version 11.0.3.xxx or later.
Solution
Connect
To connect to an existing Veeam Backup for AWS appliance, use an AWS account with the following profile:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeAddresses",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeInstances",
                "ec2:DescribeRegions",
                "iam:ListAttachedRolePolicies",
                "iam:ListInstanceProfilesForRole",
                "iam:ListRolePolicies",
                "iam:PutRolePolicy",
                "iam:UpdateAssumeRolePolicy",
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:PutObject",
                "sts:GetCallerIdentity"
            ],
            "Resource": "*"
        }
    ]
}
Connect and Upgrade
To connect to an existing Veeam Backup for AWS appliance and be able to upgrade the appliance, use an AWS account with the following profile:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeAddresses",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeInstances",
                "ec2:DescribeRegions",
                "ec2:DescribeVolumes",
                "ec2:CreateSnapshot",
                "ec2:DescribeSnapshots",
                "ec2:DeleteSnapshot",
                "ec2:StopInstances",
                "ec2:StartInstances",
                "ec2:DetachVolume",
                "ec2:DeleteVolume",
                "ec2:CreateVolume",
                "ec2:AttachVolume",
                "iam:ListAttachedRolePolicies",
                "iam:ListInstanceProfilesForRole",
                "iam:ListRolePolicies",
                "iam:PutRolePolicy",
                "iam:UpdateAssumeRolePolicy",
                "iam:GetAccountSummary",
                "iam:SimulatePrincipalPolicy",
                "iam:ListPolicyVersions",
                "iam:GetPolicyVersion",
                "iam:CreatePolicyVersion",
                "iam:GetRole",
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:PutObject",
                "sts:GetCallerIdentity"
            ],
            "Resource": "*"
        }
    ]
}
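The following is an added example, not part of the original KB or Veeam's own tooling: a small offline check that compares an existing IAM policy document against the action lists above and reports which required actions are missing, which are hit by an explicit Deny, and which allowed entries go beyond the list. The names audit, CONNECT, UPGRADE_EXTRA and SAMPLE are hypothetical, and the sample policy is constructed.

```python
import fnmatch
import json

# Action lists copied from the two policies in this article.
CONNECT = """ec2:DescribeAddresses ec2:DescribeAvailabilityZones ec2:DescribeInstances
ec2:DescribeRegions iam:ListAttachedRolePolicies iam:ListInstanceProfilesForRole
iam:ListRolePolicies iam:PutRolePolicy iam:UpdateAssumeRolePolicy s3:GetBucketLocation
s3:GetObject s3:ListAllMyBuckets s3:ListBucket s3:PutObject sts:GetCallerIdentity""".split()
# Actions the "Connect and Upgrade" policy adds on top of CONNECT.
UPGRADE_EXTRA = """ec2:DescribeVolumes ec2:CreateSnapshot ec2:DescribeSnapshots
ec2:DeleteSnapshot ec2:StopInstances ec2:StartInstances ec2:DetachVolume ec2:DeleteVolume
ec2:CreateVolume ec2:AttachVolume iam:GetAccountSummary iam:SimulatePrincipalPolicy
iam:ListPolicyVersions iam:GetPolicyVersion iam:CreatePolicyVersion iam:GetRole""".split()

# Constructed sample of a customer-managed policy (not from the article).
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:Describe*", "iam:List*", "iam:PutRolePolicy", "s3:*", "sts:GetCallerIdentity"]},
    {"Effect": "Deny", "Resource": "*", "Action": "s3:PutObject"}]})


def _matches(action, patterns):
    # IAM action names are case-insensitive; patterns may contain * and ?.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def audit(policy_json, required):
    """Return (missing, denied, surplus) for one identity-based policy document.
    Resource/Condition are not evaluated and NotAction statements are skipped.
    """
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    allow, deny = [], []
    for st in statements:
        if "Action" not in st:
            continue
        actions = [st["Action"]] if isinstance(st["Action"], str) else st["Action"]
        (allow if st["Effect"] == "Allow" else deny).extend(actions)
    wanted = {a.lower() for a in required}
    missing = sorted(a for a in required if not _matches(a, allow))
    denied = sorted(a for a in required if _matches(a, deny))
    # Anything allowed that is not literally one of the required actions.
    surplus = sorted(p for p in allow if p.lower() not in wanted)
    return missing, denied, surplus


if __name__ == "__main__":
    print(audit(SAMPLE, CONNECT))
```

Pass CONNECT + UPGRADE_EXTRA as the required list to check an account that must also upgrade the appliance. Because Resource and Condition are ignored, a reported Deny or a clean result should still be confirmed against the live account.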