Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Set access policies on backup vaults

With Amazon Backup, you can assign policies to backup vaults and the resources they contain. Assigning policies allows you to do things like grant access to users to create backup plans and on-demand backups, but limit their ability to delete recovery points after they're created.

For information about using policies to grant or restrict access to resources, see Identity-Based Policies and Resource-Based Policies in the IAM User Guide. You can also control access using tags.

You can use the following example policies as a guide to limit access to resources when you are working with Amazon Backup vaults. Unlike other IAM-based policies, Amazon Backup access policies don't support a wildcard in the Action key.

For a list of Amazon Resource Names (ARNs) that you can use to identify recovery points for different resource types, see Amazon Backup resource ARNs for resource-specific recovery point ARNs.

Vault access policies only control user access to Amazon Backup APIs. Some backup types, such as Amazon Elastic Block Store (Amazon EBS) and Amazon Relational Database Service (Amazon RDS) snapshots, can also be accessed using the APIs of those services. You can create separate access policies in IAM that control access to those APIs to fully control the access to those backup types.

Regardless of the Amazon Backup vault's access policy, cross-account access for any action other than backup:CopyIntoBackupVault will be rejected; that is, Amazon Backup will reject any other request from an account that is different from the account of the resource that is being referenced.

Deny access to a resource type in a backup vault

This policy denies access to the specified API operations for all Amazon EBS snapshots in a backup vault.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": "arn:aws:iam::Account ID:role/MyRole"
            },
            "Action": [
                "backup:UpdateRecoveryPointLifecycle",
                "backup:DescribeRecoveryPoint",
                "backup:DeleteRecoveryPoint",
                "backup:GetRecoveryPointRestoreMetadata",
                "backup:StartRestoreJob"
            ],
            "Resource": ["arn:aws:ec2:Region::snapshot/*"]
        }
    ]
}

Deny access to a backup vault

This policy denies access to the specified API operations targeting a backup vault.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {
                "Amazon": "arn:aws:iam::Account ID:role/MyRole"
            },
            "Action": [
                "backup:DescribeBackupVault",
                "backup:DeleteBackupVault",
                "backup:PutBackupVaultAccessPolicy",
                "backup:DeleteBackupVaultAccessPolicy",
                "backup:GetBackupVaultAccessPolicy",
                "backup:StartBackupJob",
                "backup:GetBackupVaultNotifications",
                "backup:PutBackupVaultNotifications",
                "backup:DeleteBackupVaultNotifications",
                "backup:ListRecoveryPointsByBackupVault"
            ],
            "Resource": "arn:aws:backup:Region:Account ID:backup-vault:backup vault name"
        }
    ]
}

Deny access to delete recovery points in a backup vault

Access to vaults and the ability to delete recovery points stored in them is determined by the access that you grant your users.

Follow these steps to create a resource-based access policy on a backup vault that prevents the deletion of any backups in the backup vault.