IAM service roles - Amazon Backup
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

IAM service roles

An Amazon Identity and Access Management (IAM) role is similar to a user, in that it is an Amazon identity with permissions policies that determine what the identity can and cannot do in Amazon. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. A service role is a role that an Amazon service assumes to perform actions on your behalf. As a service that performs backup operations on your behalf, Amazon Backup requires that you pass it a role to assume when performing backup operations on your behalf. For more information about IAM roles, see IAM Roles in the IAM User Guide.

The role that you pass to Amazon Backup must have an IAM policy with the permissions that enable Amazon Backup to perform actions associated with backup operations, such as creating, restoring, or expiring backups. Different permissions are required for each of the Amazon services that Amazon Backup supports. The role must also have Amazon Backup listed as a trusted entity, which enables Amazon Backup to assume the role.

When you assign resources to a backup plan, or if you perform an on-demand backup, copy, or restore, you must pass a service role that has access to perform the underlying operations on the specified resources. Amazon Backup uses this role to create, tag, and delete resources in your account.

Using Amazon roles to control access to backups

You can use roles to control access to your backups by defining narrowly scoped roles and by specifying who can pass that role to Amazon Backup. For example, you could create a role that only grants permissions to back up Amazon Relational Database Service (Amazon RDS) databases and only grant Amazon RDS database owners permission to pass that role to Amazon Backup. Amazon Backup provides several predefined managed policies for each of the supported services. You can attach these managed policies to roles that you create. This makes it easier to create service-specific roles that have the correct permissions that Amazon Backup needs.

For more information about Amazon managed policies for Amazon Backup, see Managed policies for Amazon Backup.

Default service role for Amazon Backup

When using the Amazon Backup console for the first time, you can choose to have Amazon Backup create a default service role for you. This role has the permissions that Amazon Backup needs to perform backup operations for all the Amazon services that it supports. To choose the default service role, follow any of the options in Getting Started.

Note

The default role is automatically created when you use the Amazon Web Services Management Console. You can create the default role using the Amazon Command Line Interface (Amazon CLI), but it must be done manually.

If you prefer to use custom roles, such as separate roles for different resource types, you can also do that and pass your custom roles to Amazon Backup. To view examples of roles that enable backup and restore for individual resource types, see the Customer managed policies table.

The default service role created by Amazon Backup manages creating and restoring backups without working with custom roles. The default service role is called AWSBackupDefaultServiceRole.

AWSBackupDefaultServiceRole contains two managed policies, AWSBackupServiceRolePolicyForBackup and AWSBackupServiceRolePolicyForRestores.

AWSBackupServiceRolePolicyForBackup includes an IAM policy that grants Amazon Backup permissions to describe the resource being backed up, the ability to create, delete, describe, or add tags to a backup regardless of the Amazon KMS key with which it is encrypted. This IAM policy includes the necessary permissions for all the resource types that Amazon Backup supports.

AWSBackupServiceRolePolicyForRestores includes an IAM policy that grants Amazon Backup permissions to create, delete, or describe the new resource being created from a backup regardless of the Amazon KMS key with which it is encrypted. It also includes permissions to tag the newly created resource. This IAM policy includes the necessary permissions for all the resource types that Amazon Backup supports.

To restore an Amazon EC2 instance, you must launch a new instance.

Creating the default service role in the console

Specific actions you take in the Amazon Backup Console create the Amazon Backup default service role.

To create the Amazon Backup default service role AWSBackupDefaultServiceRole in your Amazon account:
  1. Open the Amazon Backup console at https://console.amazonaws.cn/backup.

  2. To create the role for your account, either assign resources to a backup plan or create an on-demand backup.

    1. Create a backup plan and assign resources to the backup. See Create a scheduled backup.

    2. Alternatively, create an on-demand backup. See Create an on-demand backup.

  3. Verify that you have created the AWSBackupDefaultServiceRole in your account by following these steps:

    1. Wait a few minutes. For more information, see Changes that I make are not always immediately visible in the Amazon Identity and Access Management User Guide.

    2. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

    3. In the left navigation menu, choose Roles.

    4. In the search bar, type AWSBackupDefaultServiceRole. If this selection exists, you have created the Amazon Backup default role and completed this procedure.

    5. If AWSBackupDefaultServiceRole still does not appear, add the following permissions to either the IAM user or IAM role you use to access the console.

      { "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "iam:CreateRole", "iam:AttachRolePolicy", "iam:PassRole" ], "Resource":"arn:aws:iam::*:role/service-role/AWSBackupDefaultServiceRole" }, { "Effect":"Allow", "Action":[ "iam:ListRoles" ], "Resource":"*" } ] }

      For China Regions, replace aws with aws-cn. For Amazon GovCloud (US) Regions, replace aws with aws-us-gov.

    6. If you cannot add permissions to your IAM user or IAM role, ask your administrator to manually create a role with a name other than AWSBackupDefaultServiceRole and attach that role to these managed policies:

      • AWSBackupServiceRolePolicyForBackup

      • AWSBackupServiceRolePolicyForRestores