Challenge
Backup Policy IAM role is used to run backup operations which include:
- enumerating of the resources
- taking EBS snapshots of selected EC2 instances volumes
- rehydrating of snapshots back to volumes
- attaching volumes to the worker instance
- and so on - see permissions below
Solution
There are two types of deployments where this role is required to perform the backup: backup inside production or isolated from production backup.
The isolated from production deployment is delivering exceptional level of protection when the whole production environment is lost. Veeam is recommending this type of the deployment as the most reliable one.
Isolated from production backup deployment
For this type of the deployment a second "Backup account" is required. Please create one using AWS web site. Veeam Backup for AWS Management appliance should be deployed in the Backup Account.
To allow Veeam Backup appliance to perform all required for backup operations inside of the Production Account, a Backup Policy Role should be created in the Production Account. This role should be made available for usage from the Backup Account. Please proceed through the following steps to create such role:
1. Please use the following JSON text to create IAM Policy by following instructions from How to create IAM Policy article
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:CopySnapshot",
"ec2:CreateSnapshot",
"ec2:CreateSnapshots",
"ec2:CreateTags",
"ec2:DeleteSnapshot",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeSnapshots",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:ModifySnapshotAttribute",
"events:DeleteRule",
"events:DescribeRule",
"events:ListTargetsByRule",
"events:PutRule",
"events:PutTargets",
"events:RemoveTargets",
"iam:GetRole",
"iam:ListAttachedRolePolicies",
"iam:ListInstanceProfilesForRole",
"iam:ListRolePolicies",
"iam:ListRoleTags",
"iam:UpdateAssumeRolePolicy",
"s3:GetBucketLocation",
"sns:CreateTopic",
"sns:DeleteTopic",
"sns:ListSubscriptionsByTopic",
"sns:ListTopics",
"sns:SetTopicAttributes",
"sns:Subscribe",
"sns:Unsubscribe",
"sqs:CreateQueue",
"sqs:DeleteQueue",
"sqs:SetQueueAttributes",
"sts:AssumeRole",
"sts:GetCallerIdentity"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
2. Navigate to Roles.
3. Choose "Create role".
4. Select type of trusted entity "Another AWS Service".
5. In the "Account ID" enter the ID of your second Backup Account (you can obtain this number if you login in AWS console of the Backup Account and select "My account" in top right menu).
6. Select the checkbox "Require external ID" and enter a pass phrase to raise level of security for the role.
7. Press "Next: Permissions" button.
8. Enter the name of the policy selected on step 1 in "filter policies" edit box.
9. Select the policy with ticking on the checkbox in the first column.
10. Press "Next: Tags" button.
11. Enter tagging info if desired and press "Next: Review" button.
12. Give a name to the IAM Role - you will be using this name in the Veeam Backup for AWS UI (e.g. vb4aws_pol2role).
13. Press "Create role" button.
14. After successful creation of the role you will be able to see it in the list of all available roles.
Backup inside production deployment
NOTE: this type of deployment (since it is not very secure) is recommended for test, demo and small environments only!
1. Please use the following JSON text to create IAM Policy by following instructions from How to create IAM Policy article
These permissions will allow backup service to perform required for backup operations:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:CopySnapshot",
"ec2:CreateSnapshot",
"ec2:CreateSnapshots",
"ec2:CreateTags",
"ec2:DeleteSnapshot",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeSnapshots",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:ModifySnapshotAttribute",
"events:DeleteRule",
"events:DescribeRule",
"events:ListTargetsByRule",
"events:PutRule",
"events:PutTargets",
"events:RemoveTargets",
"iam:GetRole",
"iam:ListAttachedRolePolicies",
"iam:ListInstanceProfilesForRole",
"iam:ListRolePolicies",
"iam:ListRoleTags",
"iam:UpdateAssumeRolePolicy",
"s3:GetBucketLocation",
"sns:CreateTopic",
"sns:DeleteTopic",
"sns:ListSubscriptionsByTopic",
"sns:ListTopics",
"sns:SetTopicAttributes",
"sns:Subscribe",
"sns:Unsubscribe",
"sqs:CreateQueue",
"sqs:DeleteQueue",
"sqs:SetQueueAttributes",
"sts:AssumeRole",
"sts:GetCallerIdentity"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
2. Navigate to Roles.3. Choose "Create role".
4. Select type of trusted entity "AWS Service".
5. Choose "EC2" in "Choose the service that will use this role".
6. Press "Next: Permissions" button.
7. Enter the name of the policy selected on step 1 in "filter policies" edit box.
8. Select the policy with ticking on the checkbox in the first column.
9. Press "Next: Tags" button.
10. Enter tagging info if desired and press "Next: Review" button.
11. Give a name to the IAM Role - you will be using this name in the Veeam Backup for AWS UI (e.g. vb4aws_pol2role).
12. Press "Create role" button.
13. After successful creation of the role you will be able to see it in the list of all available roles.