Backup Policy IAM Role

KB ID: 3032
Product: Veeam Backup for AWS
Version: 1.0
Published:
Last Modified: 2020-01-02

Challenge

The Backup Policy IAM role is used to run backup operations, which include:

  • enumerating resources
  • taking EBS snapshots of the volumes of selected EC2 instances
  • rehydrating snapshots back into volumes
  • attaching volumes to the worker instance
  • and so on (see the permissions below)

Solution

This role is required for two types of deployment: backup inside production, and backup isolated from production.
The isolated-from-production deployment delivers an exceptional level of protection in the case where the whole production environment is lost. Veeam recommends this type of deployment as the most reliable one.


Isolated from production backup deployment


For this type of deployment a second "Backup account" is required. Create one on the AWS web site. The Veeam Backup for AWS management appliance should be deployed in the Backup Account.
To allow the Veeam Backup appliance to perform all operations required for backup inside the Production Account, a Backup Policy Role should be created in the Production Account and made available for use from the Backup Account. Proceed through the following steps to create such a role:

1. Use the following JSON text to create an IAM policy, following the instructions in the How to create IAM Policy article.
    These permissions allow the backup service to perform the operations required for backup:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:CopySnapshot",
        "ec2:CreateSnapshot",
        "ec2:CreateSnapshots",
        "ec2:CreateTags",
        "ec2:DeleteSnapshot",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeImages",
        "ec2:DescribeInstances",
        "ec2:DescribeSnapshots",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeVolumes",
        "ec2:ModifySnapshotAttribute",
        "events:DeleteRule",
        "events:DescribeRule",
        "events:ListTargetsByRule",
        "events:PutRule",
        "events:PutTargets",
        "events:RemoveTargets",
        "iam:GetRole",
        "iam:ListAttachedRolePolicies",
        "iam:ListInstanceProfilesForRole",
        "iam:ListRolePolicies",
        "iam:ListRoleTags",
        "iam:UpdateAssumeRolePolicy",
        "s3:GetBucketLocation",
        "sns:CreateTopic",
        "sns:DeleteTopic",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTopics",
        "sns:SetTopicAttributes",
        "sns:Subscribe",
        "sns:Unsubscribe",
        "sqs:CreateQueue",
        "sqs:DeleteQueue",
        "sqs:SetQueueAttributes",
        "sts:AssumeRole",
        "sts:GetCallerIdentity"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

2. Navigate to Roles.
3. Choose "Create role".
4. Select the type of trusted entity "Another AWS Service".
5. In "Account ID", enter the ID of your second Backup Account (you can obtain this number by logging in to the AWS console of the Backup Account and selecting "My account" in the top right menu).
6. Select the "Require external ID" checkbox and enter a passphrase to raise the level of security for the role.
7. Press the "Next: Permissions" button.
8. Enter the name of the policy created in step 1 in the "filter policies" edit box.
9. Select the policy by ticking the checkbox in the first column.
10. Press the "Next: Tags" button.
11. Enter tagging information if desired and press the "Next: Review" button.
12. Give the IAM role a name; you will use this name in the Veeam Backup for AWS UI (e.g. vb4aws_pol2role).
13. Press the "Create role" button.
14. After successful creation, the role appears in the list of all available roles.


Backup inside production deployment


NOTE: this type of deployment is less secure and is recommended for test, demo and small environments only!

1. Use the following JSON text to create an IAM policy, following the instructions in the How to create IAM Policy article.
    These permissions allow the backup service to perform the operations required for backup:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:CopySnapshot",
        "ec2:CreateSnapshot",
        "ec2:CreateSnapshots",
        "ec2:CreateTags",
        "ec2:DeleteSnapshot",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeImages",
        "ec2:DescribeInstances",
        "ec2:DescribeSnapshots",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeVolumes",
        "ec2:ModifySnapshotAttribute",
        "events:DeleteRule",
        "events:DescribeRule",
        "events:ListTargetsByRule",
        "events:PutRule",
        "events:PutTargets",
        "events:RemoveTargets",
        "iam:GetRole",
        "iam:ListAttachedRolePolicies",
        "iam:ListInstanceProfilesForRole",
        "iam:ListRolePolicies",
        "iam:ListRoleTags",
        "iam:UpdateAssumeRolePolicy",
        "s3:GetBucketLocation",
        "sns:CreateTopic",
        "sns:DeleteTopic",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTopics",
        "sns:SetTopicAttributes",
        "sns:Subscribe",
        "sns:Unsubscribe",
        "sqs:CreateQueue",
        "sqs:DeleteQueue",
        "sqs:SetQueueAttributes",
        "sts:AssumeRole",
        "sts:GetCallerIdentity"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

2. Navigate to Roles.
3. Choose "Create role".
4. Select the type of trusted entity "AWS Service".
5. Choose "EC2" under "Choose the service that will use this role".
6. Press the "Next: Permissions" button.
7. Enter the name of the policy created in step 1 in the "filter policies" edit box.
8. Select the policy by ticking the checkbox in the first column.
9. Press the "Next: Tags" button.
10. Enter tagging information if desired and press the "Next: Review" button.
11. Give the IAM role a name; you will use this name in the Veeam Backup for AWS UI (e.g. vb4aws_pol2role).
12. Press the "Create role" button.
13. After successful creation, the role appears in the list of all available roles.
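The two procedures above differ only in the trust relationship the console writes for the role: the isolated deployment trusts the Backup Account and requires an external ID (steps 4-6), while the in-production deployment trusts the EC2 service. The following is an added example, not Veeam's code and not part of this article: it builds both trust documents, checks that a trust document really carries the external ID condition, and summarises the permissions policy above for a least-privilege review. The account ID, the external ID and the function names are constructed placeholders of this example.

```python
"""Trust policies for the two Backup Policy role deployments, plus a
least-privilege audit of the permissions document. Added example, not
Veeam's code; the account ID and external ID are constructed placeholders."""
import json
import re

# Constructed placeholders (not a real account, not a real secret).
BACKUP_ACCOUNT_ID = "111122223333"          # the second "Backup account"
EXTERNAL_ID = "replace-with-your-passphrase"

# The Action list of the article's permissions policy, in the same order.
BACKUP_POLICY_ACTIONS = (
    "ec2:CopySnapshot ec2:CreateSnapshot ec2:CreateSnapshots ec2:CreateTags "
    "ec2:DeleteSnapshot ec2:DescribeAvailabilityZones ec2:DescribeImages "
    "ec2:DescribeInstances ec2:DescribeSnapshots ec2:DescribeSubnets "
    "ec2:DescribeTags ec2:DescribeVolumes ec2:ModifySnapshotAttribute "
    "events:DeleteRule events:DescribeRule events:ListTargetsByRule "
    "events:PutRule events:PutTargets events:RemoveTargets iam:GetRole "
    "iam:ListAttachedRolePolicies iam:ListInstanceProfilesForRole "
    "iam:ListRolePolicies iam:ListRoleTags iam:UpdateAssumeRolePolicy "
    "s3:GetBucketLocation sns:CreateTopic sns:DeleteTopic "
    "sns:ListSubscriptionsByTopic sns:ListTopics sns:SetTopicAttributes "
    "sns:Subscribe sns:Unsubscribe sqs:CreateQueue sqs:DeleteQueue "
    "sqs:SetQueueAttributes sts:AssumeRole sts:GetCallerIdentity"
).split()
BACKUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Action": BACKUP_POLICY_ACTIONS, "Resource": "*", "Effect": "Allow"}],
}
# Actions that change who may assume or use a role; on Resource "*" they
# reach every role in the account, so scope them to specific role ARNs.
SENSITIVE_ACTIONS = {"iam:UpdateAssumeRolePolicy", "iam:PassRole"}
READ_ONLY = re.compile(r"^[^:]+:(Describe|List|Get)")


def cross_account_trust_policy(backup_account_id, external_id):
    """Trust document for steps 4-6 of the isolated deployment: the Backup
    Account may assume the role only when it also presents the external ID
    chosen under 'Require external ID'."""
    if not re.fullmatch(r"\d{12}", backup_account_id) or not external_id:
        raise ValueError("need a 12-digit account ID and a non-empty external ID")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{backup_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def ec2_service_trust_policy():
    """Trust document for the in-production deployment (trusted entity
    'AWS Service' -> EC2): the appliance instance itself assumes the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Principal": {"Service": "ec2.amazonaws.com"}}],
    }


def requires_external_id(trust_policy):
    """True only if AssumeRole is granted to at least one AWS account
    principal and every such grant carries an sts:ExternalId condition."""
    grants = [s for s in trust_policy.get("Statement", [])
              if "AWS" in s.get("Principal", {})]
    return bool(grants) and all(
        s.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        for s in grants)


def audit_permissions(policy):
    """Summarise the Allow statements of a permissions policy for review."""
    actions, resource_wildcard = [], False
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        acts, res = stmt["Action"], stmt.get("Resource", [])
        actions += [acts] if isinstance(acts, str) else list(acts)
        resource_wildcard |= "*" in ([res] if isinstance(res, str) else res)
    return {
        "actions": actions,
        "services": sorted({a.split(":")[0] for a in actions}),
        "wildcard_actions": [a for a in actions if a.endswith("*")],
        "mutating_actions": [a for a in actions if not READ_ONLY.match(a)],
        "sensitive_actions": sorted(set(actions) & SENSITIVE_ACTIONS),
        "resource_wildcard": resource_wildcard,
    }


if __name__ == "__main__":
    # Save either trust document and pass it to
    # `aws iam create-role --assume-role-policy-document file://trust.json`.
    print(json.dumps(cross_account_trust_policy(BACKUP_ACCOUNT_ID, EXTERNAL_ID), indent=2))
    print(json.dumps(audit_permissions(BACKUP_POLICY), indent=2))
```

The sts:ExternalId condition is the part worth verifying after the console wizard finishes: with it in place, knowing the Production Account ID and the role name is not enough to assume the role, the caller must also present the passphrase from step 6. The audit output shows that the policy contains no service wildcards, but that it grants iam:UpdateAssumeRolePolicy on every resource; an operator hardening the role can restrict the Resource of that statement to the ARNs of the roles the appliance actually manages.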
