Vault access policies - Amazon Backup
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Vault access policies

With Amazon Backup, you can assign policies to backup vaults and the resources they contain. Assigning policies allows you to do things like grant access to users to create backup plans and on-demand backups, but limit their ability to delete recovery points after they're created.

For information about using policies to grant or restrict access to resources, see Identity-Based Policies and Resource-Based Policies in the IAM User Guide. You can also control access using tags.

You can use the following example policies as a guide to limit access to resources when you are working with Amazon Backup vaults. Unlike other IAM-based policies, Amazon Backup access policies don't support a wildcard in the Action key.

For a list of Amazon Resource Names (ARNs) that you can use to identify recovery points for different resource types, see Amazon Backup resource ARNs for resource-specific recovery point ARNs.

Vault access policies only control user access to Amazon Backup APIs. Some backup types, such as Amazon Elastic Block Store (Amazon EBS) and Amazon Relational Database Service (Amazon RDS) snapshots, can also be accessed using the APIs of those services. You can create separate access policies in IAM that control access to those APIs to fully control the access to those backup types.

Regardless of the Amazon Backup vault's access policy, cross-account access for any action other than backup:CopyIntoBackupVault will be rejected; that is, Amazon Backup will reject any other request from an account that is different from the account of the resource that is being referenced.

Deny access to a resource type in a backup vault

This policy denies access to the specified API operations for all Amazon EBS snapshots in a backup vault.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": { "AWS": "arn:aws:iam::Account ID:role/MyRole" }, "Action": [ "backup:UpdateRecoveryPointLifecycle", "backup:DescribeRecoveryPoint", "backup:DeleteRecoveryPoint", "backup:GetRecoveryPointRestoreMetadata", "backup:StartRestoreJob" ], "Resource": ["arn:aws:ec2:Region::snapshot/*"] } ] }

Deny access to a backup vault

This policy denies access to the specified API operations targeting a backup vault.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": { "Amazon": "arn:aws:iam::Account ID:role/MyRole" }, "Action": [ "backup:DescribeBackupVault", "backup:DeleteBackupVault", "backup:PutBackupVaultAccessPolicy", "backup:DeleteBackupVaultAccessPolicy", "backup:GetBackupVaultAccessPolicy", "backup:StartBackupJob", "backup:GetBackupVaultNotifications", "backup:PutBackupVaultNotifications", "backup:DeleteBackupVaultNotifications", "backup:ListRecoveryPointsByBackupVault" ], "Resource": "arn:aws:backup:Region:Account ID:backup-vault:backup vault name" } ] }

Deny access to delete recovery points in a backup vault

Access to vaults and the ability to delete recovery points stored in them is determined by the access that you grant your users.

Follow these steps to create a resource-based access policy on a backup vault that prevents the deletion of any backups in the backup vault.

To create a resource-based access policy on a backup vault
  1. Sign in to the Amazon Web Services Management Console, and open the Amazon Backup console at https://console.amazonaws.cn/backup.

  2. In the navigation pane on the left, choose Backup vaults.

  3. Choose a backup vault in the list.

  4. In the Access policy section, paste the following JSON example. This policy prevents anyone who is not the principal from deleting a recovery point in the target backup vault.

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": "*", "Action": "backup:DeleteRecoveryPoint", "Resource": "*", "Condition": { "StringNotEquals": { "aws:userId": [ "AAAAAAAAAAAAAAAAAAAAA:", "BBBBBBBBBBBBBBBBBBBBBB", "112233445566" ] } } } ] }

    To allow list IAM identities using their ARN, use the aws:PrincipalArn global condition key in the following example.

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": "*", "Action": "backup:DeleteRecoveryPoint", "Resource": "*", "Condition": { "ArnNotEquals": { "aws:PrincipalArn": [ "arn:aws:iam::112233445566:role/mys3role", "arn:aws:iam::112233445566:user/shaheer", "112233445566" ] } } } ] }

    For information about getting a unique ID for an IAM entity, see Getting the unique identifier in the IAM User Guide.

    If you want to limit this to specific resource types, instead of "Resource": "*", you can explicitly include the recovery point types to deny. For example, for Amazon EBS snapshots, change the resource type to the following.

    "Resource": ["arn:aws:ec2::Region::snapshot/*"]
  5. Choose Attach policy.