Are there any plans to move away from ONLY using access keys for adding an account to the AWS Backup appliance?
AWS best practice is to use cross-account roles rather than IAM keys for this purpose, and I was hoping v6 of the AWS appliance would add this capability.
A better option is to:
- Ensure the IAM Role associated with the Veeam Backup for AWS instance has sts:AssumeRole capability (it can be limited to a standard role name).
- Allow you to add another AWS Account with the specified role name for the backup to assume (Role ARN instead of IAM Keys).
- Provide a downloadable policy template with required permissions that can be deployed by the user into the other account.
IAM keys need to be rotated (adding overhead and security concerns) and should only really be used for non-AWS-hosted infrastructure to communicate with AWS services.
-- Lee Murphy (Service Provider)
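The cross-account pattern described in the post above, as an added example that is not Veeam's code: the instance role is allowed to call sts:AssumeRole only against one standard role name, each workload account publishes a role whose trust policy admits just the appliance account (with an external ID against the confused-deputy problem), and the appliance exchanges its instance role for short-lived credentials instead of storing a user's access key. The account IDs, role name and external ID are constructed placeholders, and the STS client is injected (a real boto3 `client("sts")` works, a stub is used here so it runs offline); the `StubSts` class and the `check_trust_policy` helper are hypothetical, not part of any AWS or Veeam API.

```python
"""Cross-account access via an assumed role instead of long-lived IAM user keys.

Added example, not Veeam code. Builds the two IAM policy documents the
pattern needs, sanity-checks the trust policy, and shows the STS
assume-role exchange. All IDs below are constructed placeholders.
"""
import json

APPLIANCE_ACCOUNT_ID = "111111111111"          # constructed: account hosting the appliance
WORKLOAD_ACCOUNT_ID = "222222222222"           # constructed: account being backed up
STANDARD_ROLE_NAME = "BackupApplianceAccessRole"  # constructed: same role name in every workload account
EXTERNAL_ID = "example-external-id"            # constructed: shared secret for the trust condition


def instance_role_policy(role_name=STANDARD_ROLE_NAME):
    """Permissions policy for the appliance's instance role.

    Restricts sts:AssumeRole to one fixed role name (in any account), so a
    compromised appliance cannot assume arbitrary roles it happens to know of.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": f"arn:aws:iam::*:role/{role_name}",
        }],
    }


def workload_trust_policy(appliance_account_id, external_id):
    """Trust policy for the role deployed into each workload account.

    Only the appliance account may assume it, and only when presenting the
    agreed external ID.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{appliance_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def check_trust_policy(policy):
    """Return a list of findings for a trust policy; an empty list means it is acceptable."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", "*") if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else aws
        if any(p == "*" or p.endswith("::*:root") for p in aws):
            findings.append("trust policy allows any AWS principal to assume the role")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in cond:
            findings.append("no sts:ExternalId condition; confused-deputy risk")
    return findings


def assume_workload_role(sts_client, account_id, role_name=STANDARD_ROLE_NAME,
                         external_id=EXTERNAL_ID, session_name="backup-appliance"):
    """Exchange the instance role for temporary credentials in the workload account.

    sts_client is a boto3 STS client or any object with the same assume_role()
    signature. The returned credentials expire on their own, so nothing
    long-lived has to be stored or rotated on the appliance.
    """
    role_arn = f"arn:aws:iam::{account_id}:role/{role_name}"
    resp = sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        ExternalId=external_id,
        DurationSeconds=3600,
    )
    creds = resp["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        "expiration": creds["Expiration"],
    }


class StubSts:
    """Hypothetical offline stand-in for the STS client; enforces the external ID like STS would."""

    def __init__(self, expected_external_id):
        self.expected_external_id = expected_external_id
        self.calls = []  # role ARNs requested, for inspection

    def assume_role(self, RoleArn, RoleSessionName, ExternalId=None, DurationSeconds=3600):
        self.calls.append(RoleArn)
        if ExternalId != self.expected_external_id:
            raise PermissionError("AccessDenied: external ID mismatch")
        return {"Credentials": {
            "AccessKeyId": "ASIAEXAMPLE",          # constructed
            "SecretAccessKey": "constructed-secret",
            "SessionToken": "constructed-token",
            "Expiration": "2023-03-07T07:02:00Z",
        }}


if __name__ == "__main__":
    print(json.dumps(instance_role_policy(), indent=2))
    trust = workload_trust_policy(APPLIANCE_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(trust, indent=2), check_trust_policy(trust))
    print(assume_workload_role(StubSts(EXTERNAL_ID), WORKLOAD_ACCOUNT_ID))
```

With a real client, `boto3.client("sts")` on the appliance instance picks up the instance role automatically and the returned session credentials are passed to further clients for the workload account; the only per-account input the operator supplies is the role ARN, which is exactly the Role-ARN-instead-of-keys flow the post asks for.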
Re: Veeam Backup for AWS - Cross account roles
Niels Engelen (Product Manager) wrote:
Hi,

The access and secret key are only needed for adding an account that we automatically make in the AWS infrastructure. After, it can be removed from the AWS management console.

> - Ensure the IAM Role associated with the Veeam Backup for AWS instance has sts:AssumeRole capability (it can be limited to a standard role name).

I'm not sure how you deployed it, but this should already be in place as described in our user guide.

> - Allow you to add another AWS Account with the specified role name for the backup to assume (Role ARN instead of IAM Keys)

This is tracked for an upcoming release to resolve it.

> - provide a downloadable policy template with required permissions that can be deployed by the user into the other account.

Export to CloudFormation is also planned for an upcoming release to overcome this.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen