

# Identity and access management in Amazon Backup
<a name="backup-iam"></a>

Access to Amazon Backup requires credentials. Those credentials must have permissions to access Amazon resources, such as an Amazon DynamoDB database or an Amazon EFS file system. Moreover, recovery points created by Amazon Backup for some Amazon Backup-supported services cannot be deleted using the source service (such as Amazon EFS). You can delete those recovery points using Amazon Backup.

The following sections provide details on how you can use [Amazon Identity and Access Management (IAM)](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction.html) and Amazon Backup to help secure access to your resources.

**Warning**  
Amazon Backup uses the same IAM role that you chose when assigning resources to manage your recovery point lifecycle. If you delete or modify that role, Amazon Backup cannot manage your recovery point lifecycle. When this occurs, Amazon Backup attempts to use a service-linked role to manage your recovery point lifecycle. In a small percentage of cases, this fallback might also fail, leaving `EXPIRED` recovery points on your storage, which might create unwanted costs. To remove `EXPIRED` recovery points, delete them manually using the procedure in [Deleting backups](https://docs.amazonaws.cn/aws-backup/latest/devguide/deleting-backups.html).
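The following check is an added example, not part of the Amazon Backup documentation: it flags the two conditions the warning describes, recovery points already in `EXPIRED` status and recovery points whose IAM role no longer exists. It runs on constructed records that use the field names of `ListRecoveryPointsByBackupVault` entries; the account ID, ARNs, role names, and the function `audit_recovery_points` are assumptions made for illustration.

```python
from datetime import datetime, timezone

ROLE = "arn:aws-cn:iam::111122223333:role/"   # constructed account ID and names
RP = "arn:aws-cn:backup:cn-north-1:111122223333:recovery-point:"
FAR_FUTURE = datetime.max.replace(tzinfo=timezone.utc)

# Constructed records with the field names of a ListRecoveryPointsByBackupVault entry.
SAMPLE_RECOVERY_POINTS = [
    {"RecoveryPointArn": RP + "example-1", "IamRoleArn": ROLE + "backup-role-a",
     "Status": "COMPLETED",
     "CalculatedLifecycle": {"DeleteAt": datetime(2030, 6, 1, tzinfo=timezone.utc)}},
    {"RecoveryPointArn": RP + "example-2", "IamRoleArn": ROLE + "backup-role-b",
     "Status": "COMPLETED",
     "CalculatedLifecycle": {"DeleteAt": datetime(2030, 3, 1, tzinfo=timezone.utc)}},
    {"RecoveryPointArn": RP + "example-3", "IamRoleArn": ROLE + "backup-role-b",
     "Status": "EXPIRED",
     "CalculatedLifecycle": {"DeleteAt": datetime(2024, 1, 1, tzinfo=timezone.utc)}},
    {"RecoveryPointArn": RP + "example-4", "IamRoleArn": ROLE + "backup-role-b",
     "Status": "COMPLETED", "CalculatedLifecycle": {}},
]
# Constructed: roles that still exist in the account (backup-role-b was deleted).
SAMPLE_EXISTING_ROLES = {ROLE + "backup-role-a"}


def audit_recovery_points(recovery_points, existing_role_arns):
    """Split recovery points into the two conditions the warning describes."""
    expired, role_missing = [], []
    for rp in recovery_points:
        if rp.get("Status") == "EXPIRED":
            # Past retention but not deleted by the lifecycle; delete manually.
            expired.append(rp["RecoveryPointArn"])
        elif rp.get("IamRoleArn") not in existing_role_arns:
            # Lifecycle now depends on the service-linked role fallback.
            delete_at = rp.get("CalculatedLifecycle", {}).get("DeleteAt")
            role_missing.append((rp["RecoveryPointArn"], rp["IamRoleArn"], delete_at))
    # Soonest scheduled deletion first; recovery points with no DeleteAt go last.
    role_missing.sort(key=lambda item: (item[2] is None, item[2] or FAR_FUTURE))
    return {"expired": expired, "role_missing": role_missing}


if __name__ == "__main__":
    report = audit_recovery_points(SAMPLE_RECOVERY_POINTS, SAMPLE_EXISTING_ROLES)
    for arn in report["expired"]:
        print("EXPIRED, delete manually:", arn)
    for arn, role, delete_at in report["role_missing"]:
        print("role missing:", arn, role, "DeleteAt =", delete_at)
```

Against a live account, the records would come from the `ListRecoveryPointsByBackupVault` API for each backup vault and the set of existing roles from IAM.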

**Topics**
+ [Authentication](authentication.md)
+ [Access control](access-control.md)
+ [IAM service roles](iam-service-roles.md)
+ [Managed policies for Amazon Backup](security-iam-awsmanpol.md)
+ [Using service-linked roles for Amazon Backup](using-service-linked-roles.md)
+ [Cross-service confused deputy prevention](cross-service-confused-deputy-prevention.md)