
Identity and access management in Amazon Backup

Access to Amazon Backup requires credentials. Those credentials must have permissions to access Amazon resources, such as an Amazon DynamoDB database or an Amazon EFS file system. Moreover, recovery points created by Amazon Backup for some Amazon Backup-supported services cannot be deleted using the source service (such as Amazon EFS). You can delete those recovery points using Amazon Backup.

The following sections provide details on how you can use Amazon Identity and Access Management (IAM) and Amazon Backup to help secure access to your resources.


Amazon Backup uses the same IAM role that you chose when assigning resources to manage your recovery point lifecycle. If you delete or modify that role, Amazon Backup cannot manage your recovery point lifecycle. When this occurs, Amazon Backup attempts to use a service-linked role to manage your lifecycle. In a small percentage of cases, this might also not work, leaving EXPIRED recovery points in your storage, which might create unwanted costs. To delete EXPIRED recovery points, manually delete them using the procedure in Deleting backups.
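As an added example (not code from the Amazon Backup documentation), the following boto3 script lists a vault's recovery points, groups the EXPIRED ones by the IAM role recorded on them (so you can see which role lost the ability to manage their lifecycle), and optionally deletes them. The vault name, region and the placeholder ARNs in the embedded sample are assumptions; the sample data is constructed, and boto3 is only needed when the script actually talks to AWS.

```python
"""Find (and optionally delete) EXPIRED Amazon Backup recovery points in a vault.

Assumes credentials with backup:ListRecoveryPointsByBackupVault and
backup:DeleteRecoveryPoint on the vault. boto3 is imported lazily so the pure
helpers can run without AWS access.
"""
from collections import defaultdict

# Constructed sample in the shape of ListRecoveryPointsByBackupVault's
# "RecoveryPoints" list; the ARNs are placeholders, not real resources.
SAMPLE_RECOVERY_POINTS = [
    {"RecoveryPointArn": "arn:aws:backup:us-east-1:123456789012:recovery-point:rp-1",
     "Status": "COMPLETED", "IamRoleArn": "arn:aws:iam::123456789012:role/BackupRoleA"},
    {"RecoveryPointArn": "arn:aws:backup:us-east-1:123456789012:recovery-point:rp-2",
     "Status": "EXPIRED", "IamRoleArn": "arn:aws:iam::123456789012:role/DeletedRole"},
    {"RecoveryPointArn": "arn:aws:backup:us-east-1:123456789012:recovery-point:rp-3",
     "Status": "EXPIRED", "IamRoleArn": "arn:aws:iam::123456789012:role/DeletedRole"},
]

def expired_by_role(recovery_points):
    """Group EXPIRED recovery point ARNs by the IAM role that was meant to manage
    their lifecycle. A role listed here that no longer exists (or lost its
    permissions) is the likely reason the points were never cleaned up."""
    groups = defaultdict(list)
    for rp in recovery_points:
        if rp.get("Status") == "EXPIRED":
            groups[rp.get("IamRoleArn", "<no role>")].append(rp["RecoveryPointArn"])
    return dict(groups)

def list_recovery_points(client, vault_name):
    """Page through every recovery point in the vault using the NextToken loop."""
    points, kwargs = [], {"BackupVaultName": vault_name}
    while True:
        resp = client.list_recovery_points_by_backup_vault(**kwargs)
        points.extend(resp.get("RecoveryPoints", []))
        if not resp.get("NextToken"):
            return points
        kwargs["NextToken"] = resp["NextToken"]

def delete_expired(vault_name, region=None, dry_run=True):
    """Report EXPIRED recovery points per role; delete them when dry_run is False."""
    import boto3  # lazy import: only needed when talking to AWS
    client = boto3.client("backup", region_name=region)
    groups = expired_by_role(list_recovery_points(client, vault_name))
    for role, arns in groups.items():
        print(f"{len(arns)} EXPIRED recovery point(s); lifecycle role: {role}")
        for arn in arns:
            if dry_run:
                print("  would delete", arn)
            else:
                client.delete_recovery_point(BackupVaultName=vault_name, RecoveryPointArn=arn)
    return groups

if __name__ == "__main__":
    import sys  # usage: python expired_points.py <vault-name> [--delete]
    delete_expired(sys.argv[1], dry_run="--delete" not in sys.argv[2:])
```

Run it without `--delete` first; the dry run prints what would be removed so the role names can be checked in IAM before anything is deleted.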