Identity and access management in Amazon Backup
Access to Amazon Backup requires credentials. Those credentials must have permissions to access Amazon resources, such as an Amazon DynamoDB database or an Amazon EFS file system. Moreover, recovery points created by Amazon Backup for some Amazon Backup-supported services cannot be deleted using the source service (such as Amazon EFS). You can delete those recovery points using Amazon Backup.
The following sections provide details on how you can use Amazon Identity and Access Management (IAM) and Amazon Backup to help secure access to your resources.
Warning
Amazon Backup uses the same IAM role that you chose when assigning resources to manage your recovery point lifecycle. If you delete or modify that role, Amazon Backup cannot manage your recovery point lifecycle. When this occurs, it will attempt to use a service-linked role to manage your lifecycle. In a small percentage of cases, this might also not work, leaving EXPIRED recovery points on your storage, which might create unwanted costs. To delete EXPIRED recovery points, manually delete them using the procedure in Deleting backups.
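The warning above describes a failure mode that is easy to miss: recovery points whose lifecycle role is gone, or that have already turned EXPIRED, sit in the vault and keep costing money. The following audit helper is an added example, not part of the Amazon Backup documentation. It assumes recovery point records shaped like entries from the Backup API's ListRecoveryPointsByBackupVault response (Status, IamRoleArn, CalculatedLifecycle.DeleteAt) and a set of IAM role ARNs that still exist; the ARNs and dates used here are constructed, and in practice both inputs would come from the Backup and IAM APIs.

```python
from datetime import datetime, timezone

# Constructed sample records. Field names follow the Backup API's
# ListRecoveryPointsByBackupVault response; the ARNs and dates are made up.
SAMPLE_POINTS = [
    {"RecoveryPointArn": "arn:aws:backup:us-east-1:111122223333:recovery-point:rp-1",
     "ResourceArn": "arn:aws:dynamodb:us-east-1:111122223333:table/Orders",
     "IamRoleArn": "arn:aws:iam::111122223333:role/BackupLifecycleRole",
     "Status": "COMPLETED",
     "CalculatedLifecycle": {"DeleteAt": datetime(2030, 1, 1, tzinfo=timezone.utc)}},
    {"RecoveryPointArn": "arn:aws:backup:us-east-1:111122223333:recovery-point:rp-2",
     "ResourceArn": "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-0a1b",
     "IamRoleArn": "arn:aws:iam::111122223333:role/DeletedRole",   # role no longer exists
     "Status": "EXPIRED",
     "CalculatedLifecycle": {"DeleteAt": datetime(2024, 1, 1, tzinfo=timezone.utc)}},
    {"RecoveryPointArn": "arn:aws:backup:us-east-1:111122223333:recovery-point:rp-3",
     "ResourceArn": "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-0a1b",
     "IamRoleArn": "arn:aws:iam::111122223333:role/DeletedRole",   # role no longer exists
     "Status": "COMPLETED",
     "CalculatedLifecycle": {"DeleteAt": datetime(2024, 6, 1, tzinfo=timezone.utc)}},
]
# Constructed: the roles that an IAM ListRoles call would show as still present.
EXISTING_ROLES = {"arn:aws:iam::111122223333:role/BackupLifecycleRole"}
AS_OF = datetime(2025, 1, 1, tzinfo=timezone.utc)


def audit_recovery_points(points, existing_role_arns, now):
    """Classify recovery points by lifecycle risk.

    expired       : Status is EXPIRED, so Backup could not delete it; remove it manually.
    orphaned_role : the IAM role recorded on the point no longer exists, so the next
                    lifecycle transition may fail (the warning's root cause).
    overdue       : DeleteAt has passed but the point is still neither deleting nor expired.
    """
    report = {"expired": [], "orphaned_role": [], "overdue": []}
    for p in points:
        arn = p["RecoveryPointArn"]
        if p.get("Status") == "EXPIRED":
            report["expired"].append(arn)
        if p.get("IamRoleArn") not in existing_role_arns:
            report["orphaned_role"].append(arn)
        delete_at = p.get("CalculatedLifecycle", {}).get("DeleteAt")
        if delete_at and delete_at <= now and p.get("Status") not in ("DELETING", "EXPIRED"):
            report["overdue"].append(arn)
    return report


def sample_audit():
    """Run the audit over the constructed sample data."""
    return audit_recovery_points(SAMPLE_POINTS, EXISTING_ROLES, AS_OF)


if __name__ == "__main__":
    for category, arns in sample_audit().items():
        print(f"{category}: {arns}")
```

Points listed under expired are the ones the warning says must be deleted manually; points under orphaned_role are the ones that will end up there next unless the role is restored or the resource is re-assigned with a valid role.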