How to configure EC2 Instaces to create Application-Aware backups usin Veeam Backup for AWS

In this article I will explain how to configure the AWS SSM on EC2 Instances to Veeam Backup for AWS be able to create VSS Snapshots for those instances.

Veeam Backup for AWS depends on AWS SSM to create the VSS Snapshots, so before enable the Application-Aware option in the policy we need to configure the instances correctly with all the necessary components.

Let’s start creating a IAM policy with all permissiona that we need:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:CreateTags",
                "ec2:CreateSnapshot",
                "ec2messages:AcknowledgeMessage",
                "ec2messages:DeleteMessage",
                "ec2messages:FailMessage",
                "ec2messages:GetEndpoint",
                "ec2messages:GetMessages",
                "ec2messages:SendReply",
                "ssm:DescribeAssociation",
                "ssm:GetDeployablePatchSnapshotForInstance",
                "ssm:GetDocument",
                "ssm:DescribeDocument",
                "ssm:GetManifest",
                "ssm:GetParameter",
                "ssm:GetParameters",
                "ssm:ListAssociations",
                "ssm:ListInstanceAssociations",
                "ssm:PutInventory",
                "ssm:PutComplianceItems",
                "ssm:PutConfigurePackageResult",
                "ssm:UpdateAssociationStatus",
                "ssm:UpdateInstanceAssociationStatus",
                "ssm:UpdateInstanceInformation",
                "ssmmessages:CreateControlChannel",
                "ssmmessages:CreateDataChannel",
                "ssmmessages:OpenControlChannel",
                "ssmmessages:OpenDataChannel"
            ],
            "Resource": "*"
        }
    ]
}

Create a IAM Role for EC2:

Attache the policy created to the IAM Role:

Now we can attach the IAM Role with the EC2 instance that we like to create Application-Aware backups.
Modify the IAM Role for the EC2 instance:

Choose the IAM Role from the list:

Check if the EC2 instance has the SSM Agent installed

1. It's preinstalled if you are using an AMI from AWS
2. It's possible to install manually if needed
   1. Windows: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-win.html
   2. Linux: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-manual-agent-install.html

Check if the instance is showing on SSM Inventory section:

• This step is mandatory. The instance MUST show in SSM Inventory to be able to install the AWS VSS Components.

Now we need to install the AWS VSS Components to the EC2 instance using AWS Cli.
Run the command below using AWS Cli:

aws ssm send-command \
			    --document-name "AWS-ConfigureAWSPackage" \
			    --instance-ids "i-12345678" \
                --parameters '{"action":["Install"],"name":["AwsVssComponents"]}'

Change the “instance-ids” parameter for the instance-id from the EC2 instance you are installing the VSS Component.

We can also perform this step using the “Run Command” on AWS System Manager:

Choose the “AWS-ConfiguraAWSPackage”:

Choose a name for the command:

Choose the instances. It’s possible to use tags, resource group or choose the instances manually:

If it works, the VSS Components should be found on “C:\Program Files\Amazon\AwsVssComponents”:

Now we can enable the Application-Aware option in the policy:

With everything configured the VSS snapshot should work as the image below:

You can check in the AWS Console too. If the Snapshot has the tag "AppConsistent = true" the VSS Snapshot worked:

Guides used to create this article:

VBAWS User Guide: Enabling Application-Aware Processing
AWS User Guide: Create application-consistent snapshots
AWS User Guide: Configure instance permissions for Systems Manager