Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions,
see Getting Started with Amazon Web Services in China
(PDF).
Requester tasks
Associate a Multi-party approval
team with a LAG vault
You can associate a Multi-party approval team with a logically air-gapped vault to
enable collaborative approval for access to the vault (step 5 in the Overview).
- Console
-
Associate a Multi-party approval team with a LAG vault
Open the Amazon Backup console at https://console.amazonaws.cn/backup.
-
Navigate to the Backup vaults section in the left
navigation pane.
-
Select the logically air-gapped backup vault you want to associate with an
MPA team.
-
On the vault details page, select Assign
approval team.
-
From the dropdown menu, select the approval team you want to associate
with the vault
-
Enter an optional requester comment, explaining the reason for the
association.
-
Select Send request to submit the association
request.
If this is the first approval team to be associated with the vault, the team
will be associated with the vault. If the vault already has an associated team,
see Update Multi-party approval
team for steps.
- CLI
-
Use the CLI command associate-backup-vault-mpa-approval-team,
modified with the following parameters:
aws backup associate-backup-vault-mpa-approval-team \
--backup-vault-name VAULT_NAME \
--mpa-approval-team-arn MPA_TEAM_ARN \
--requester-comment "OPTIONAL_COMMENT" \
--region REGION
If this is the first approval team to be associated with the vault, the team
will be associated with the vault. If the vault already has an associated team,
see Update Multi-party approval
team for steps.
Request access to a logically air-gapped
vault
You can request access to a logically air-gapped vault in another account (step 6 in
the Overview). After an approval team
has granted the request, Amazon Backup creates a restore access backup vault in your designated
recovery account so that account will have temporary access to recovery points in the
connected logically air-gapped vault.
- Console
-
Request access to a logically air-gapped vault
-
Open the Amazon Backup console at https://console.amazonaws.cn/backup.
-
Navigate to the Backup vaults section in the left
navigation pane
-
Select the Vaults accessible through MPA tab
-
Select Request vault access.
-
Enter the source backup vault ARN of the logically air-gapped vault you
want to access.
-
Enter an optional name for the restore access backup vault. If you do not
input a name, Amazon Backup will assign a name based on the name of the logically air
gapped vault.
-
Enter an optional requester comment explaining the reason for the access
request.
-
Select Send request to submit the access
request.
The approval team members associated with the source vault will receive an
email notification to approve the request.
Once the request is approved by the required number ("threshold") of team
members, the restore access backup vault will be created in the recovery
account.
- CLI
-
Use the CLI command create-restore-access-backup-vault:
aws backup create-restore-access-backup-vault \
--source-backup-vault-arn SOURCE_VAULT_ARN \
--backup-vault-name OPTIONAL_VAULT_NAME \
--requester-comment "OPTIONAL_COMMENT" \
--region REGION
The MPA approval team members associated with the source vault will receive a
notification to approve the request. Once the request is approved by the required
number ("threshold") of team members, the restore access backup vault will be
created in the recovery account.
You can check the status of the vault using:
aws backup describe-backup-vault \
--backup-vault-name VAULT_NAME \
--region REGION
Disassociate Multi-party approval
team from logically air gapped vault
You can disassociate a Multi-party approval team from a logically air-gapped vault
(step 7 in the Overview).
- Console
-
Disassociate approval team from LAG vault
Open the Amazon Backup console at https://console.amazonaws.cn/backup.
-
Navigate to the Backup vaults section in the left
navigation pane.
-
Select the logically air-gapped backup vault from which you want to
disassociate the approval team.
-
On the Vault details page, select
Disassociate approval team.
-
Enter an optional requester comment explaining the reason for the
disassociation.
-
Select Send request to submit the disassociation
request.
The current approval team members will receive a notification to approve the
request.
Once approved by the required number of team members, the team will be
disassociated from the vault.
- CLI
-
Use the CLI command
disassociate-backup-vault-mpa-approval-team:
aws backup disassociate-backup-vault-mpa-approval-team \
--backup-vault-name VAULT_NAME \
--requester-comment "OPTIONAL_COMMENT" \
--region REGION
The current MPA approval team members will receive a notification to approve
the request. Once approved by the required number of team members, the team will
be disassociated from the vault.
Revoke restore access backup vault
You can revoke access to a restore access backup vault from the source vault
account.
- Console
-
Revoke restore access backup vault
Open the Amazon Backup console at https://console.amazonaws.cn/backup.
-
Navigate to the Backup vaults section in the left
navigation pane.
-
Select the logically air-gapped backup vault for which you want to revoke
access.
-
On the Vault details page, scroll down to the
Access through Multi-party approval section.
-
Find the restore access backup vault you want to revoke, then select
Request to remove vault access.
-
Enter an optional requester comment explaining the reason for the
revocation.
-
Select Send request to submit the revocation
request.
The approval team members will receive a notification to approve the
request.
Once approved by the required number of team members, the restore access
backup vault will be deleted from the recovery account
- CLI
-
First, list the restore access backup vaults associated with your source
vault:
aws backup list-restore-access-backup-vaults \
--backup-vault-name SOURCE_VAULT_NAME \
--region REGION
Then, use the CLI command
revoke-restore-access-backup-vault:
aws backup revoke-restore-access-backup-vault \
--backup-vault-name SOURCE_VAULT_NAME \
--restore-access-backup-vault-arn RESTORE_ACCESS_VAULT_ARN \
--requester-comment "OPTIONAL_COMMENT" \
--region REGION
The approval team members will receive a notification to approve the request.
Once approved by the required number of team members, the restore access backup
vault will be deleted from the recovery account.
Update the Multi-party approval team
associated with a LAG vault
You can update the Multi-party approval team associated with a logically air-gapped
vault (step 8 in the Overview).
- Console
-
Update the approval team associated with a logically air-gapped
vault
Open the Amazon Backup console at https://console.amazonaws.cn/backup.
-
Navigate to the Backup vaults section in the left
navigation pane.
-
Select the logically air-gapped backup vault for which you want to update
the approval team.
-
On the vault details page, select Request approval team
change.
-
From the dropdown menu, select the new approval team you want to associate
with the vault.
-
Enter an optional requester comment explaining the reason for the
change.
-
Select Send request to submit the change
request.
The current approval team members will receive an email notification to
approve the request.
Once approved by the required number of team members (threshold) from the
current MPA team, the new team will be associated with the vault.
- CLI
-
Use the CLI command associate-backup-vault-mpa-approval-team with
the new team ARN:
aws backup associate-backup-vault-mpa-approval-team \
--backup-vault-name VAULT_NAME \
--mpa-approval-team-arn NEW_MPA_TEAM_ARN \
--requester-comment "OPTIONAL_COMMENT" \
--region REGION
The current approval team members will receive a notification to approve the
request. Once approved by the required number of team members (threshold) from the
current team, the new MPA team will be associated with the vault.