{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:SendCommand", "ssm:GetCommandInvocation", "sqs:ListQueues", "sqs:CreateQueue", "sqs:SetQueueAttributes", "sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:DeleteQueue", "ec2:DescribeRegions", "ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeVpcs", "ec2:DescribeVpcEndpoints", "ec2:DescribeSubnets", "ec2:DescribeInstances", "ec2:DescribeInstanceAttribute", "ec2:RunInstances", "ec2:StopInstances", "ec2:TerminateInstances", "ec2:ModifyInstanceAttribute", "ec2:DescribeKeyPairs", "ec2:CreateKeyPair", "ec2:DeleteKeyPair", "ec2:DescribeVolumes", "ec2:CreateVolume", "ec2:AttachVolume", "ec2:DetachVolume", "ec2:DeleteVolume", "ec2:DescribeSnapshots", "ec2:CreateSnapshot", "ec2:CreateSnapshots", "ec2:DeleteSnapshot", "ec2:ModifySnapshotAttribute", "ec2:CreateTags", "ec2:DescribeImages", "iam:CreateRole", "iam:DeleteRole", "iam:CreateInstanceProfile", "iam:ListAttachedRolePolicies", "iam:ListInstanceProfilesForRole", "iam:AddRoleToInstanceProfile", "iam:RemoveRoleFromInstanceProfile", "iam:AttachRolePolicy", "iam:PutRolePolicy", "iam:PassRole", "iam:DetachRolePolicy", "iam:DeleteRolePolicy", "iam:ListRolePolicies", "iam:DeleteInstanceProfile", "iam:GetRole", "iam:GetInstanceProfile", "ebs:ListChangedBlocks", "ebs:ListSnapshotBlocks", "kms:ListKeys", "kms:ListAliases", "kms:GetKeyPolicy", "kms:ReEncryptTo", "kms:ReEncryptFrom", "kms:DescribeKey", "ec2:GetEbsDefaultKmsKeyId", "kms:CreateGrant", "servicequotas:ListServiceQuotas", "ec2:DescribeTags", "ec2:DescribeInstanceStatus", "ec2:StartInstances", "sqs:SendMessage", "sts:GetSessionToken", "ebs:ListChangedBlocks", "ebs:ListSnapshotBlocks", "ec2:DescribeVolumeAttribute", "iam:GetContextKeysForPrincipalPolicy", "iam:SimulatePrincipalPolicy" ], "Resource": "*" } ] }
The role configuration steps that follow vary depending on which account the created Worker IAM role is located in, in relation to your Veeam Backup for AWS service.
Alternatively, you can use the create role wizard with Service role checked in the configuration.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ebs:ListChangedBlocks",
"ebs:ListSnapshotBlocks",
"ec2:AttachVolume",
"ec2:CopySnapshot",
"ec2:CreateKeyPair",
"ec2:CreateSnapshot",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DeleteKeyPair",
"ec2:DeleteSnapshot",
"ec2:DeleteVolume",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeImages",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstances",
"ec2:DescribeKeyPairs",
"ec2:DescribeRegions",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshots",
"ec2:DescribeSubnets",
"ec2:DescribeVolumes",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeVpcs",
"ec2:DetachVolume",
"ec2:GetEbsDefaultkmsKeyId",
"ec2:ModifyInstanceAttribute",
"ec2:ModifySnapshotAttribute",
"ec2:RunInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"iam:AddRoleToInstanceProfile",
"iam:AttachRolePolicy",
"iam:CreateInstanceProfile",
"iam:CreateRole",
"iam:DeleteInstanceProfile",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:GetContextKeysForPrincipalPolicy",
"iam:GetInstanceProfile",
"iam:GetRole",
"iam:ListAttachedRolePolicies",
"iam:ListInstanceProfilesForRole",
"iam:ListRolePolicies",
"iam:PassRole",
"iam:PutRolePolicy",
"iam:RemoveRoleFromInstanceProfile",
"iam:SimulatePrincipalPolicy",
"kinesis:CreateStream",
"kinesis:DeleteStream",
"kinesis:DescribeStream",
"kms:CreateGrant",
"kms:DescribeKey",
"kms:GetKeyPolicy",
"kms:ListAliases",
"kms:ListKeys",
"kms:ReEncryptFrom",
"kms:ReEncryptTo",
"servicequotas:ListServiceQuotas",
"sqs:CreateQueue",
"sqs:DeleteMessage",
"sqs:DeleteQueue",
"sqs:ListQueues",
"sqs:ReceiveMessage",
"sqs:SendMessage",
"ssm:GetCommandInvocation",
"ssm:SendCommand",
],
"Resource": "*"
}
]
}
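Alternatively, you can use the create role wizard with Service role checked in the configuration.
Before pasting the policy above, remove the comma after "ssm:SendCommand": a trailing comma before the closing bracket is not valid JSON. Because the policy grants its IAM write actions (iam:CreateRole, iam:AttachRolePolicy, iam:PutRolePolicy, iam:PassRole) on "Resource": "*", restrict the role's trust policy so that only the intended Veeam Backup for AWS principal can assume it.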