Using Veeam Kasten with AWS EBS

The following permissions are needed by Kasten to operate on EBS, the underlying block storage solution for AWS EC2.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CopySnapshot",
                "ec2:CreateSnapshot",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:DeleteTags",
                "ec2:DeleteVolume",
                "ec2:DescribeSnapshotAttribute",
                "ec2:ModifySnapshotAttribute",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeRegions",
                "ec2:DescribeSnapshots",
                "ec2:DescribeTags",
                "ec2:DescribeVolumeAttribute",
                "ec2:DescribeVolumesModifications",
                "ec2:DescribeVolumeStatus",
                "ec2:DescribeVolumes"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ec2:DeleteSnapshot",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/name": "kasten__snapshot*"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "ec2:DeleteSnapshot",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/Name": "Kasten: Snapshot*"
                }
            }
        }
    ]
}
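The two ec2:DeleteSnapshot statements above are the least-privilege part of this policy: deletion is only allowed when the snapshot carries one of the Kasten-owned tag values, while every other listed action is unconditional. The following is an added example, not code from the Kasten documentation: a small offline evaluator for that statement shape (Allow, Action as string or list, a StringLike condition on ec2:ResourceTag/<key>) run against a constructed copy of the relevant statements, so the effect of the tag condition can be checked without an AWS account.

```python
"""Offline check of the tag-conditioned DeleteSnapshot statements (added example,
not Kasten's own code). Supports only the statement shapes seen in the policy above."""
import json
import re

# Constructed subset of the EBS policy above: one unconditional statement plus the
# two tag-conditioned ec2:DeleteSnapshot statements (note the differing tag key case).
KASTEN_EBS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:CreateSnapshot", "ec2:DescribeSnapshots"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:DeleteSnapshot", "Resource": "*",
     "Condition": {"StringLike": {"ec2:ResourceTag/name": "kasten__snapshot*"}}},
    {"Effect": "Allow", "Action": "ec2:DeleteSnapshot", "Resource": "*",
     "Condition": {"StringLike": {"ec2:ResourceTag/Name": "Kasten: Snapshot*"}}}
  ]
}""")


def iam_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: case-sensitive, '*' matches any run, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def condition_holds(condition: dict, resource_tags: dict) -> bool:
    """All StringLike ec2:ResourceTag/<key> entries must match; a missing tag fails."""
    for operator, pairs in condition.items():
        if operator != "StringLike":
            return False  # operator not modelled by this toy evaluator: treat as unmet
        for key, patterns in pairs.items():
            if not key.startswith("ec2:ResourceTag/"):
                return False  # condition key not modelled: treat as unmet
            tag_value = resource_tags.get(key[len("ec2:ResourceTag/"):])
            if tag_value is None or not any(iam_like(p, tag_value) for p in _as_list(patterns)):
                return False
    return True


def is_allowed(policy: dict, action: str, resource_tags: dict) -> bool:
    """Implicit deny unless an Allow statement names the action and its condition holds."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(iam_like(a, action) for a in _as_list(stmt["Action"])):
            continue
        if condition_holds(stmt.get("Condition", {}), resource_tags):
            return True
    return False
```

With this, a snapshot tagged `Name=Kasten: Snapshot ...` or `name=kasten__snapshot...` is deletable, while an untagged or differently tagged snapshot is not, and the match is case-sensitive, which is why both tag-key spellings need their own statement.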

The following additional permissions are required to use the EBS Direct API to get changed block data in a Block Mode Export.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ebs:ListSnapshotBlocks",
                "ebs:ListChangedBlocks",
                "ebs:GetSnapshotBlock"
            ],
            "Resource": "arn:aws:ec2:*::snapshot/*"
        }
    ]
}

Using Veeam Kasten with AWS S3

While Veeam Kasten can use AWS S3 to migrate applications between different clusters or even clouds, the access permissions should not be specified as a part of the Veeam Kasten install, but instead later as a part of creating Location profiles. The credentials used for the profile should have the following permissions on the needed buckets.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:PutBucketPolicy",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:DeleteBucketPolicy",
                "s3:GetBucketLocation",
                "s3:GetBucketPolicy"
            ],
            "Resource": [
                "arn:aws:s3:::${BUCKET_NAME}",
                "arn:aws:s3:::${BUCKET_NAME}/*"
            ]
        }
    ]
}

Additional permissions are needed for the creation and maintenance of immutable backups in Veeam Kasten.

  • s3:ListBucketVersions

  • s3:GetObjectRetention

  • s3:PutObjectRetention

  • s3:GetBucketObjectLockConfiguration

  • s3:GetBucketVersioning

  • s3:GetObjectVersion

  • s3:DeleteObjectVersion

Using Veeam Kasten with Amazon RDS

The credentials specified as a part of creating Location profiles should have the following permissions for Veeam Kasten to perform Amazon RDS operations.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds:CreateDBInstance",
                "rds:DeleteDBInstance",
                "rds:DescribeDBInstances",
                "rds:CreateDBSnapshot",
                "rds:DeleteDBSnapshot",
                "rds:DescribeDBSnapshots",
                "rds:DescribeDBSnapshotAttributes",
                "rds:CreateDBCluster",
                "rds:DescribeDBClusters",
                "rds:DeleteDBCluster",
                "rds:CreateDBClusterSnapshot",
                "rds:DeleteDBClusterSnapshot",
                "rds:DescribeDBClusterSnapshots",
                "rds:DescribeDBClusterSnapshotAttributes",
                "rds:RestoreDBInstanceFromDBSnapshot",
                "rds:RestoreDBClusterFromSnapshot"
            ],
            "Resource": "*"
        }
    ]
}

Using Veeam Kasten with AWS EFS

Veeam Kasten assumes that the user has successfully provisioned an EFS volume and is using the EFS CSI driver to mount the volume within Kubernetes. While Veeam Kasten will transparently work with this setup, there are a few things to be aware of when using Veeam Kasten to back up EFS that differ from EBS.

  • Veeam Kasten creates its own vault to back up EFS.

  • EFS volumes are created externally and today require manual cleanup when all references to them from Kubernetes are gone. This also means that when a restore happens, a manual cleanup of the old volumes will be needed.

  • Unlike EBS, EFS backups can be slow because of the underlying AWS performance constraints with different data sets. Backup policy action frequencies should be set to accommodate this performance difference.

Finally, to operate on AWS EFS, Veeam Kasten will need the following permissions to perform backups and restores.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "backup:CreateBackupVault",
                "backup:DeleteRecoveryPoint",
                "backup:DescribeBackupJob",
                "backup:DescribeRecoveryPoint",
                "backup:DescribeRestoreJob",
                "backup:GetRecoveryPointRestoreMetadata",
                "backup:ListRecoveryPointsByBackupVault",
                "backup:ListRecoveryPointsByResource",
                "backup:ListTags",
                "backup:StartBackupJob",
                "backup:StartRestoreJob",
                "backup:TagResource",
                "elasticfilesystem:CreateFileSystem",
                "elasticfilesystem:CreateMountTarget",
                "elasticfilesystem:CreateTags",
                "elasticfilesystem:DeleteFileSystem",
                "elasticfilesystem:DeleteMountTarget",
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:DescribeMountTargets",
                "elasticfilesystem:DescribeMountTargetSecurityGroups",
                "elasticfilesystem:DescribeTags",
                "elasticfilesystem:TagResource",
                "sts:GetCallerIdentity"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::<accountID>:role/aws-service-role/elasticfilesystem.amazonaws.com/AWSServiceRoleForAmazonElasticFileSystem",
                "arn:aws:iam::<accountID>:role/service-role/AWSBackupDefaultServiceRole"
            ]
        }
    ]
}

Using Veeam Kasten with AWS Secrets Manager

When enabling Veeam Kasten DR using AWS Secrets Manager, an AWS Infrastructure Profile must be created beforehand with credentials that have the adequate permissions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AccountId:role/EC2RoleToAccessSecrets"
      },
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "*"
    }
  ]
}

More policy examples for secrets in AWS Secrets Manager are documented here.

Optional KMS Permissions

When operating on encrypted EBS volumes, Veeam Kasten will ensure that snapshots, and any new volumes created from those snapshots, are encrypted with the same key.

If Customer Managed Keys (CMKs) are used to encrypt the EBS volumes, the following permissions should be granted for all KMS keys.

{
  "Version": "2012-10-17",
  "Statement": [
      {
        "Effect": "Allow",
        "Action": [
            "kms:GenerateDataKeyWithoutPlaintext",
            "kms:DescribeKey",
            "kms:ReEncryptTo",
            "kms:ReEncryptFrom"
        ],
        "Resource": "arn:aws:kms:::key/${KMS_KEY_ID}"
      }
  ]
}