A common request from customers with large AWS environments has been how best to set up IAM roles for Veeam Backup for AWS. Customers with dozens or hundreds of accounts had to configure templates or scripts to create roles in each of their accounts and then add them to Veeam. This can be a time-consuming endeavor at scale, and I created a solution that uses native AWS services to automate the process. Thankfully, that solution only applies to previous versions of Veeam Backup for AWS now.
Veeam Backup for AWS v9 now has built-in support for AWS Organizations, allowing you to easily protect all of your AWS resources regardless of the size or complexity of your organization. Let’s take a look at this new feature and how it works.
Laying the foundation
Before you can leverage this feature, you must have AWS Organizations enabled, and you need to be familiar with AWS CloudFormation and StackSets and how these services work together. AWS Organizations and CloudFormation are de facto standards for managing operations, security, and billing for your AWS environment, so it’s a good idea to familiarize yourself with them and the AWS whitepaper, Organizing Your AWS Environment Using Multiple Accounts.
Overview
The setup process is straightforward and consists of three steps:
- Export the CloudFormation templates from Veeam Backup for AWS
- Use the templates to deploy the CloudFormation stacks from your management account
- Set up the roles and organization in Veeam
The Veeam Backup for AWS user guide has a dedicated section for Managing AWS Organizations which covers the product functionality, so I’ll spend a little more time here on the general workflow and AWS.
Template time
First, you’ve got to create the templates. This is done from the Veeam Backup for AWS console, under Configuration / Infrastructure / Organizations tab. Click the Use a CloudFormation template link to get started.

Give your roles names that will help you identify them. These names will be important in a later step, so make them descriptive. In my examples, I’ve given each one a “veeam-org-” prefix and finished the name with the task it will be used for. In the Template format drop-down, choose CloudFormation.

The next step gives you an option to specify granular permissions in case you want to limit the scope of services you’ll use Veeam to protect. All of this is detailed in the user guide, so my example doesn’t select this option.
This can be useful if, for example, you only want to protect EC2 resources, so you don’t need any of the permissions required to protect other services. This helps you follow the principle of least privilege, an important tenet of the AWS Well-Architected Framework.

Proceed to the next step, then select Create to create the templates. They will automatically download to your system.

Go go gadget CloudFormation
Now it’s time to head over to another browser tab and log in to your AWS management account. Once there, go to the CloudFormation service and create a stack using your veeam-org-rescan-role template. Select your options, then submit the deployment to set up the IAM role that Veeam will use to scan your organization for member accounts. When complete, you’ll see the stack change status to “CREATE_COMPLETE” like the example screenshot.

Next, you’re going to create your StackSets using the templates that were created for backup and restore operations and for deploying worker instances into production accounts (necessary for certain tasks, such as protecting instances with volumes encrypted by an AWS managed KMS key). In short, StackSets allow you to easily deploy stacks to multiple member accounts. Because AWS Organizations integrates with CloudFormation, new accounts added to the org or target OU will automatically have these stacks deployed. This is an important capability for ensuring all of your AWS accounts are configured consistently in accordance with your policies.

In my example, I have one management account and two member accounts, and I deployed the stacks to the entire organization, so both member accounts will have backup and restore roles and production worker roles. You can also choose to deploy StackSets to specific OUs in your org. When the StackSet has finished deployment, you will see a screen similar to the screenshot below showing the member accounts where stack instances were deployed and their status. We want to see the green “SUCCEEDED”.
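Because Veeam looks the roles up by exact name in each member account, a StackSet instance that silently failed, or a role name that drifted from what you typed into the template wizard, only surfaces later when a policy runs. The following script is an added example (not Veeam’s or AWS’s code) that performs that pre-flight check from the management account: it flags any stack instance whose detailed status is not SUCCEEDED, confirms the expected role names exist, and confirms the roles’ trust policies allow only the principals you expect. The role names, the backup account ID 999999999999, and the API response samples are constructed for illustration; the live helper at the bottom assumes each StackSet was given the same name as the role it creates.

```python
"""Pre-flight check for the StackSet-created Veeam roles (added example).

Assumes the roles use the "veeam-org-" prefix from the walkthrough. The data
shapes mirror CloudFormation ListStackInstances "Summaries" entries and IAM
ListRoles "Roles" entries, trimmed to the fields used here.
"""
from __future__ import annotations

# Role names chosen in the template wizard (constructed for this example).
EXPECTED_ROLES = {"veeam-org-backup-restore", "veeam-org-production-worker"}

# Constructed sample: the account that hosts the Veeam backup appliance.
BACKUP_ACCOUNT_PRINCIPAL = "arn:aws:iam::999999999999:root"

# Constructed sample shaped like cloudformation.list_stack_instances()["Summaries"].
SAMPLE_SUMMARIES = {
    "veeam-org-backup-restore": [
        {"Account": "111111111111", "Region": "us-east-1",
         "StackInstanceStatus": {"DetailedStatus": "SUCCEEDED"}},
        {"Account": "222222222222", "Region": "us-east-1",
         "StackInstanceStatus": {"DetailedStatus": "SUCCEEDED"}},
    ],
    "veeam-org-production-worker": [
        {"Account": "111111111111", "Region": "us-east-1",
         "StackInstanceStatus": {"DetailedStatus": "SUCCEEDED"}},
        {"Account": "222222222222", "Region": "us-east-1",
         "StackInstanceStatus": {"DetailedStatus": "FAILED"}},
    ],
}

# Constructed sample shaped like iam.list_roles()["Roles"] in one member account
# (boto3 returns AssumeRolePolicyDocument already parsed into a dict).
SAMPLE_ROLES_IN_ACCOUNT = [
    {"RoleName": "veeam-org-backup-restore",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "sts:AssumeRole",
          "Principal": {"AWS": BACKUP_ACCOUNT_PRINCIPAL}}]}},
    {"RoleName": "OrganizationAccountAccessRole",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "sts:AssumeRole",
          "Principal": {"AWS": "arn:aws:iam::000000000000:root"}}]}},
]


def failed_stack_instances(summaries_by_stackset):
    """(stackset, account, region, status) for every instance not in SUCCEEDED."""
    failures = []
    for stackset, summaries in summaries_by_stackset.items():
        for s in summaries:
            status = s.get("StackInstanceStatus", {}).get("DetailedStatus")
            if status != "SUCCEEDED":
                failures.append((stackset, s["Account"], s["Region"], status))
    return failures


def missing_roles(roles, expected=EXPECTED_ROLES):
    """Expected role names absent from the account; Veeam matches by exact name."""
    present = {r["RoleName"] for r in roles}
    return sorted(expected - present)


def unexpected_trust_principals(role, allowed_principals):
    """Principals allowed to assume the role that are not in allowed_principals.

    A wildcard or a foreign account here means something other than the backup
    appliance could assume a role that has backup/restore rights in the account.
    """
    found = set()
    for stmt in role["AssumeRolePolicyDocument"].get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            found.add("*")
            continue
        aws = principal.get("AWS", [])
        found.update([aws] if isinstance(aws, str) else aws)
    return sorted(found - set(allowed_principals))


def live_stackset_failures(stackset_names=EXPECTED_ROLES):
    """Same check against real API output; needs boto3 and management-account credentials.

    Assumes each StackSet was named after the role it deploys.
    """
    import boto3  # imported lazily so the offline samples above run without it
    cfn = boto3.client("cloudformation")
    summaries = {}
    for name in stackset_names:
        pages = cfn.get_paginator("list_stack_instances").paginate(StackSetName=name)
        summaries[name] = [s for page in pages for s in page["Summaries"]]
    return failed_stack_instances(summaries)


if __name__ == "__main__":
    print("failed instances:", failed_stack_instances(SAMPLE_SUMMARIES))
    print("missing roles:", missing_roles(SAMPLE_ROLES_IN_ACCOUNT))
    print("bad trust:", unexpected_trust_principals(
        SAMPLE_ROLES_IN_ACCOUNT[0], {BACKUP_ACCOUNT_PRINCIPAL}))
```

Run the role checks from inside each member account (for example, by assuming the organization’s cross-account access role from the management account) so that `missing_roles` and `unexpected_trust_principals` see that account’s IAM, and fix any FAILED instance in the StackSet before adding the organization in Veeam.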

He’s a pinball (AWS) wizard
With the stacks now deployed, switch back to your Veeam Backup for AWS console and add the roles and set up your organization for protection. Navigate back to Configuration / Infrastructure / Organizations tab and select the second step, Add organization rescan role.

This will take you to the familiar Add IAM role wizard, and this time we’re going to specify granular permissions for the Organization rescan role.

Be sure to use the role names that you specified when you created the templates.

Now that you’ve added the rescan role, you can add the organization and begin scanning it for member accounts. Go back to the Configuration tab, then select Add organization.

When you add the organization, again, be sure to enter the role names you specified when you created the templates. Veeam will attempt to use these specific role names when it accesses the accounts.

The step for scope allows you to select specific OUs within the organization and use them as sources in your policies. This allows you to carve up your organization into business units so that you can protect one OU with different policies from another.

That completes the setup! Now when you create new backup policies, you can select an organization as a source for your policies. When the policy runs, it will use the IAM roles that were deployed into your member accounts as a StackSet to access the accounts.

I hope you enjoyed this short walkthrough. I was really excited to see this enhancement, and I think it will greatly enhance your ability to protect large AWS environments with Veeam.