Granular AWS Account Permissions for Deployment and Deletion of Veeam Backup for AWS Appliance
KB ID: 4139
Product: Veeam Backup for AWS 5.0; Veeam Backup & Replication 11
Published: 2021-04-14
Last Modified: 2022-07-13
Objective
This article documents the granular permissions needed for deploying a new Veeam Backup for AWS appliance.
Alternatively, cumulative permissions are listed in the Integration with Veeam Backup for AWS Guide.
Version Requirement
This article is intended for use with 'AWS Plug-in for Veeam Backup & Replication' version 11.0.3.xxx or later.
Solution
Deploy
To deploy a new Veeam Backup for AWS appliance, use an AWS account with the following IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricAlarm",
        "dlm:CreateLifecyclePolicy",
        "ec2:AllocateAddress",
        "ec2:AssociateAddress",
        "ec2:CreateKeyPair",
        "ec2:CreateTags",
        "ec2:CreateVpc",
        "ec2:ModifyVpcAttribute",
        "ec2:CreateInternetGateway",
        "ec2:AttachInternetGateway",
        "ec2:DescribeRouteTables",
        "ec2:CreateRoute",
        "ec2:CreateSecurityGroup",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateSubnet",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeAddresses",
        "ec2:DescribeImages",
        "ec2:DescribeInstances",
        "ec2:DescribeRegions",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:RunInstances",
        "iam:AddRoleToInstanceProfile",
        "iam:AttachRolePolicy",
        "iam:CreateInstanceProfile",
        "iam:CreatePolicy",
        "iam:CreateRole",
        "iam:GetInstanceProfile",
        "iam:GetPolicy",
        "iam:GetRole",
        "iam:PassRole",
        "iam:PutRolePolicy",
        "iam:GetAccountSummary",
        "iam:SimulatePrincipalPolicy",
        "iam:ListAttachedRolePolicies",
        "iam:ListPolicyVersions",
        "iam:GetPolicyVersion",
        "iam:CreatePolicyVersion",
        "ssm:GetCommandInvocation",
        "ssm:SendCommand",
        "sts:GetCallerIdentity",
        "servicequotas:ListServiceQuotas"
      ],
      "Resource": "*"
    }
  ]
}
Deploy and Delete
To deploy and delete a Veeam Backup for AWS appliance, use an AWS account with the following IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:DeleteAlarms",
        "dlm:CreateLifecyclePolicy",
        "dlm:DeleteLifecyclePolicy",
        "ec2:AllocateAddress",
        "ec2:AssociateAddress",
        "ec2:CreateKeyPair",
        "ec2:CreateTags",
        "ec2:CreateVpc",
        "ec2:ModifyVpcAttribute",
        "ec2:CreateInternetGateway",
        "ec2:AttachInternetGateway",
        "ec2:DescribeRouteTables",
        "ec2:CreateRoute",
        "ec2:CreateSecurityGroup",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateSubnet",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeAddresses",
        "ec2:DescribeImages",
        "ec2:DescribeInstances",
        "ec2:DescribeRegions",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DescribeVolumes",
        "ec2:RunInstances",
        "ec2:DisassociateAddress",
        "ec2:ReleaseAddress",
        "ec2:TerminateInstances",
        "ec2:DeleteVolume",
        "ec2:DeleteSubnet",
        "ec2:DeleteSecurityGroup",
        "ec2:DetachInternetGateway",
        "ec2:DeleteInternetGateway",
        "ec2:DeleteVpc",
        "iam:AddRoleToInstanceProfile",
        "iam:AttachRolePolicy",
        "iam:CreateInstanceProfile",
        "iam:CreatePolicy",
        "iam:CreateRole",
        "iam:GetInstanceProfile",
        "iam:GetPolicy",
        "iam:GetRole",
        "iam:PassRole",
        "iam:PutRolePolicy",
        "iam:GetAccountSummary",
        "iam:SimulatePrincipalPolicy",
        "iam:ListAttachedRolePolicies",
        "iam:ListPolicyVersions",
        "iam:GetPolicyVersion",
        "iam:CreatePolicyVersion",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:DeleteRolePolicy",
        "iam:DeleteRole",
        "iam:DeletePolicy",
        "iam:DeletePolicyVersion",
        "iam:DetachRolePolicy",
        "ssm:GetCommandInvocation",
        "ssm:SendCommand",
        "sts:GetCallerIdentity",
        "servicequotas:ListServiceQuotas"
      ],
      "Resource": "*"
    }
  ]
}
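As an added example (not part of the Veeam KB and not Veeam's code), the Python script below reviews policy documents of this shape: it lists the actions that only the deploy-and-delete policy grants, reports actions listed more than once, and reports permission-changing IAM actions granted on "Resource": "*". The two embedded policies are constructed excerpts of the lists above (one action is repeated on purpose to exercise the duplicate check), and the PERMISSION_CHANGING set and the function names are assumptions of this example.

```python
import json
from collections import Counter

# Constructed excerpts of the two policies above (a few actions each, not the full lists).
DEPLOY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["ec2:RunInstances", "iam:CreateRole", "iam:PassRole",
             "iam:ListAttachedRolePolicies", "sts:GetCallerIdentity"],
  "Resource": "*"}]}""")
DEPLOY_DELETE = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["ec2:RunInstances", "ec2:TerminateInstances", "ec2:DeleteVpc",
             "iam:CreateRole", "iam:PassRole", "iam:ListAttachedRolePolicies",
             "iam:DeleteRole", "iam:ListAttachedRolePolicies", "sts:GetCallerIdentity"],
  "Resource": "*"}]}""")

# Assumption of this example: the IAM actions a reviewer treats as permission-changing.
PERMISSION_CHANGING = {"iam:passrole", "iam:attachrolepolicy", "iam:putrolepolicy",
                       "iam:createpolicyversion"}

def _as_list(value):
    """IAM accepts a single string or object wherever a list is expected."""
    return value if isinstance(value, list) else [value]

def allowed(policy):
    """Yield (action, resources) for every action in an Allow statement."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") == "Allow":
            for action in _as_list(stmt.get("Action", [])):
                yield action, _as_list(stmt.get("Resource", []))

def review(policy):
    """Return duplicate actions and permission-changing actions granted on '*'."""
    # IAM matches action names case-insensitively, so results are reported in lower case.
    counts = Counter(action.lower() for action, _ in allowed(policy))
    unscoped = sorted({a.lower() for a, res in allowed(policy)
                       if a.lower() in PERMISSION_CHANGING and "*" in res})
    return {"duplicates": sorted(a for a, n in counts.items() if n > 1),
            "unscoped_permission_changing": unscoped}

def added_for_delete(deploy, deploy_delete):
    """Actions present only in the deploy-and-delete policy."""
    base = {a.lower() for a, _ in allowed(deploy)}
    return sorted({a.lower() for a, _ in allowed(deploy_delete)} - base)

if __name__ == "__main__":
    print(json.dumps(review(DEPLOY_DELETE), indent=2))
    print(added_for_delete(DEPLOY, DEPLOY_DELETE))
```

To review the full policies, save each JSON document to a file and pass the result of `json.load` to the same functions.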