Amazon Web Services User Permissions for Backups and Restores

You can grant an IAM user these permissions by creating a policy as described in Overview of IAM Policies. Alternatively, download the amazon_permission_backup_restore.json file and apply it from the AWS command line; it contains all of the permissions listed in this topic.

For more information about Amazon permissions, see Amazon Elastic Compute Cloud API Reference or Amazon Simple Storage Service API Reference.

For non-admin users, you must set the following permissions in the Amazon Web Services (AWS) user policy to enable support for backups and restores of Amazon instances or volumes.

  • To perform backup and restore operations using a Virtual Server Agent (VSA) proxy running on an Amazon instance:
    • ec2:AttachNetworkInterface - To attach a network interface to an instance.
    • ec2:AttachVolume - To attach a volume to an instance.
    • ec2:CreateImage - To create an AMI from an instance.
    • ec2:CreateSnapshot - To create snapshots of EBS volumes.
    • ec2:CreateTags - To define tags on instances.
    • ec2:CreateVolume - To create EBS volumes.
    • ec2:CopySnapshot - To copy snapshots.
    • ec2:DeleteSnapshot - To delete snapshots.
    • ec2:DeleteTags - To delete tags.
    • ec2:DeleteVolume - To delete volumes.
    • ec2:DeregisterImage - To deregister AMIs.
    • ec2:DescribeAccountAttributes - To get information about attributes of the AWS account.
    • ec2:DescribeAvailabilityZones - To get information about availability zones.
    • ec2:DescribeImages - To get information about available images, such as AMIs.
    • ec2:DescribeImportImageTasks - To get information about a virtual machine being imported.
    • ec2:DescribeImportSnapshotTasks - To get information about import snapshot tasks.
    • ec2:DescribeInstances - To get information about instances.
    • ec2:DescribeInstanceStatus - To get status information for instances.
    • ec2:DescribeKeyPairs - To get information about the key pairs for the AWS account.
    • ec2:DescribeNetworkInterfaces - To get information about network interfaces.
    • ec2:DescribeRegions - To get information about available regions.
    • ec2:DescribeSecurityGroups - To get information about security groups for the AWS account.
    • ec2:DescribeSnapshots - To get information about snapshots that are available for the account.
    • ec2:DescribeSubnets - To get information about subnets.
    • ec2:DescribeTags - To get information about tags defined on instances.
    • ec2:DescribeVpcs - To get information about VPCs.
    • ec2:DescribeVolumes - To get information about EBS volumes.
    • ec2:DescribeVolumeStatus - To get status information for volumes.
    • ec2:DetachVolume - To detach volumes from instances.
    • ec2:GetConsoleOutput - To get the console output of an instance. (This action only reads console output; starting and stopping instances is covered by ec2:StartInstances and ec2:StopInstances.)
    • ec2:ImportImage - To import disk images or EBS snapshots into an AMI.
    • ec2:ImportSnapshot - To import a disk into an EBS snapshot.
    • ec2:RegisterImage - To register AMIs.
    • ec2:RunInstances - To launch instances.
    • ec2:StartInstances - To start instances.
    • ec2:StopInstances - To stop instances.
    • ec2:TerminateInstances - To terminate and replace an existing instance when the user selects the overwrite option during a conversion.
  • Additional IAM Policy permissions:
    • iam:GetAccountAuthorizationDetails - To retrieve information about the users, groups, roles, and policies in your account, including their relationships to one another.
  • Additional S3 permissions:
    • s3:CreateBucket - To create an S3 bucket.
    • s3:DeleteObject - To delete an S3 object.
    • s3:GetBucketLocation - To get region information for buckets.
    • s3:GetObject - To get the current version of an object.
    • s3:ListAllMyBuckets - To populate the list of buckets for restores.
    • s3:ListBucket - To get information about items in buckets.
    • s3:PutObject - To add objects to buckets.
  • When a cloud library is used by the MediaAgent, with either an Amazon or a non-Amazon proxy, the following S3 permissions are needed in addition to those listed above:
    • s3:DeleteObject - To delete an S3 object.
    • s3:GetBucketLocation - To get region information for buckets.
    • s3:GetObject - To get the current version of an object.
    • s3:ListAllMyBuckets - To populate the list of buckets for restores.
    • s3:ListBucket - To get information about items in buckets.
    • s3:PutObject - To add objects to buckets.
  • To perform a full virtual machine restore when a non-AWS proxy is used, the following permissions are required:
    • ec2:CancelImportTask - To cancel an import task.
    • ec2:DescribeImportImageTasks - To get information about a virtual machine being imported.
    • ec2:DescribeImportSnapshotTasks - To get information about import snapshot tasks.
    • ec2:ImportImage - To import disk images or EBS snapshots into an AMI.
    • ec2:ImportSnapshot - To import a disk into an EBS snapshot.
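Worked example (added here; this is not the vendor's amazon_permission_backup_restore.json): a Python script that assembles the actions listed above into an IAM policy document with one statement per permission group, adds the non-AWS-proxy restore actions only where they are not already granted, and lints the result before it is applied. The Sid values, the check_policy() rules and the use of Resource "*" are this example's own assumptions; the page does not specify resource ARNs.

```python
"""Build an IAM policy document from the action lists in this topic and lint it.

Added example: the action lists below are transcribed from this page; the
Sid values and the check_policy() rules are this example's own assumptions,
not part of the vendor's amazon_permission_backup_restore.json.
"""
import json

# EC2 actions for a VSA proxy running on an Amazon instance (transcribed from the list above).
EC2_PROXY_ACTIONS = [
    "ec2:AttachNetworkInterface", "ec2:AttachVolume", "ec2:CreateImage",
    "ec2:CreateSnapshot", "ec2:CreateTags", "ec2:CreateVolume", "ec2:CopySnapshot",
    "ec2:DeleteSnapshot", "ec2:DeleteTags", "ec2:DeleteVolume", "ec2:DeregisterImage",
    "ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones", "ec2:DescribeImages",
    "ec2:DescribeImportImageTasks", "ec2:DescribeImportSnapshotTasks", "ec2:DescribeInstances",
    "ec2:DescribeInstanceStatus", "ec2:DescribeKeyPairs", "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeRegions", "ec2:DescribeSecurityGroups", "ec2:DescribeSnapshots",
    "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVpcs", "ec2:DescribeVolumes",
    "ec2:DescribeVolumeStatus", "ec2:DetachVolume", "ec2:GetConsoleOutput", "ec2:ImportImage",
    "ec2:ImportSnapshot", "ec2:RegisterImage", "ec2:RunInstances", "ec2:StartInstances",
    "ec2:StopInstances", "ec2:TerminateInstances",
]
IAM_ACTIONS = ["iam:GetAccountAuthorizationDetails"]
S3_ACTIONS = [
    "s3:CreateBucket", "s3:DeleteObject", "s3:GetBucketLocation", "s3:GetObject",
    "s3:ListAllMyBuckets", "s3:ListBucket", "s3:PutObject",
]
# EC2 actions for a full VM restore through a non-AWS proxy (most overlap the proxy list).
NON_AWS_PROXY_RESTORE_ACTIONS = [
    "ec2:CancelImportTask", "ec2:DescribeImportImageTasks", "ec2:DescribeImportSnapshotTasks",
    "ec2:ImportImage", "ec2:ImportSnapshot",
]


def build_policy(non_aws_proxy_restore: bool = False) -> dict:
    """Return the policy document as a dict, one statement per permission group.

    Resource is "*" throughout (assumption): most ec2:Describe* actions do not
    support resource-level permissions, and the page gives no ARNs for the rest.
    Narrow the S3 statement to the backup bucket ARNs once they are known.
    """
    statements = [
        {"Sid": "VsaProxyEc2", "Effect": "Allow", "Action": sorted(EC2_PROXY_ACTIONS), "Resource": "*"},
        {"Sid": "IamAuthorizationDetails", "Effect": "Allow", "Action": IAM_ACTIONS, "Resource": "*"},
        {"Sid": "S3BackupStorage", "Effect": "Allow", "Action": S3_ACTIONS, "Resource": "*"},
    ]
    if non_aws_proxy_restore:
        # Only add what the proxy statement does not already grant.
        extra = sorted(set(NON_AWS_PROXY_RESTORE_ACTIONS) - set(EC2_PROXY_ACTIONS))
        statements.append(
            {"Sid": "NonAwsProxyFullRestore", "Effect": "Allow", "Action": extra, "Resource": "*"}
        )
    return {"Version": "2012-10-17", "Statement": statements}


def check_policy(policy: dict, allowed_prefixes=("ec2:", "iam:", "s3:")) -> list:
    """Lint a policy document; returns a list of findings (empty means it passed).

    Catches the edits that turn a scoped backup policy into an over-broad one:
    wildcard actions, actions outside the expected services, NotAction/NotResource
    constructs (which grant everything they do not name), and a missing Version.
    """
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version must be 2012-10-17")
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            findings.append(f"{sid}: Effect is not Allow")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource grants more than it names")
        actions = stmt.get("Action", [])
        for action in ([actions] if isinstance(actions, str) else actions):
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action}")
            elif not action.startswith(allowed_prefixes):
                findings.append(f"{sid}: unexpected service in {action}")
    return findings


def policy_json(non_aws_proxy_restore: bool = False) -> str:
    """Serialize the policy for: aws iam create-policy --policy-document file://policy.json"""
    return json.dumps(build_policy(non_aws_proxy_restore), indent=2)


if __name__ == "__main__":
    doc = build_policy(non_aws_proxy_restore=True)
    print(policy_json(non_aws_proxy_restore=True))
    print("findings:", check_policy(doc) or "none")
```

Write the output of policy_json() to a file and attach it with `aws iam create-policy --policy-name <name> --policy-document file://policy.json`, then `aws iam attach-user-policy`. Run check_policy() again after any hand edit: a single "ec2:*" pasted in for convenience is exactly what the linter is there to flag.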