Managed policies for Amazon Backup

Amazon Backup added permission backup:TagResource to this policy.

The permission is necessary to obtain tagging permissions during the creation of a recovery point.

Amazon Backup added permission backup:TagResource to this policy.

The permission is necessary to obtain tagging permissions during the creation of a recovery point.

Amazon Backup added permission backup:TagResource to this policy.

The permission is necessary to obtain tagging permissions during the creation of a recovery point.

Added the permission rds:DeleteDBInstanceAutomatedBackups.

This permission is necessary for Amazon Backup to support continuous backup and point-in-time-restore of Amazon RDS instances.

Amazon Backup updated the Amazon Resource Name (ARN) in permission storagegateway:ListVolumes from arn:aws:storagegateway:*:*:gateway/* to * in order to accommodate a change in the Storage Gateway API model.

Amazon Backup updated the Amazon Resource Name (ARN) in permission storagegateway:ListVolumes from arn:aws:storagegateway:*:*:gateway/* to * in order to accommodate a change in the Storage Gateway API model.

Added the following permissions to describe and list recovery points and protected resources in order to conduct restore testing plans: backup:DescribeRecoveryPoint, backup:DescribeProtectedResource, backup:ListProtectedResources, and backup:ListRecoveryPointsByResource.

Added the permission ec2:DescribeSnapshotTierStatus to support Amazon EBS archive tier storage.

Added the permission rds:DescribeDBClusterAutomatedBackups to support Amazon Aurora continuous backups.

Added the following permissions to support restore testing of Amazon Redshift backups: redshift:DescribeClusters and redshift:DeleteCluster.

Added the permission timestream:DeleteTable to support restore testing of Amazon Timestream backups.

Added the permissions ec2:DescribeSnapshotTierStatus and ec2:RestoreSnapshotTier.

These permissions are necessary for users to have the option to restore Amazon EBS resources stored with Amazon Backup from archive storage.

For EC2 instance restores, you must also include permissions as shown in the following policy statement to launch the EC2 instance:

Added the permissions ec2:DescribeSnapshotTierStatus and ec2:ModifySnapshotTier to support an additional storage option for backed up Amazon EBS resources to be transitioned to the archive storage tier.

These permissions are necessary for users to have the option to transition Amazon EBS resources stored with Amazon Backup to archive storage.

Added the permissions ec2:DescribeSnapshotTierStatus and ec2:ModifySnapshotTier to support an additional storage option for backed up Amazon EBS resources to be transitioned to the archive storage tier.

These permissions are necessary for users to have the option to transition Amazon EBS resources stored with Amazon Backup to archive storage.

Added the permissions rds:DescribeDBClusterSnapshots and rds:RestoreDBClusterToPointInTime, which is necessary for PITR (point-in-time restores) of Aurora clusters.

Provides the permissions necessary to conduct restore testing. The permissions include the actions list, read, and write for the following services to be included in restore tests: Aurora, DocumentDB, DynamoDB, Amazon EBS, Amazon EC2, Amazon EFS, FSx for Lustre, FSx for Windows File Server, FSx for ONTAP, FSx for OpenZFS, Amazon Neptune, Amazon RDS, and Amazon S3.

November 27, 2023

Added restore-testing.backup.amazonaws.com to IamPassRolePermissions and IamCreateServiceLinkedRolePermissions. This addition is necessary for Amazon Backup to conduct restore tests on behalf of customers.

Added the permissions rds:DescribeDBClusterSnapshots and rds:RestoreDBClusterToPointInTime, which is necessary for PITR (point-in-time restores) of Aurora clusters.

Added the permission rds:DescribeDBClusterAutomatedBackups, which is necessary for continuous backup and point-in-time restore of Aurora clusters.

Added the permission rds:DescribeDBClusterAutomatedBackups, which is necessary for continuous backup and point-in-time restore of Aurora clusters.

Added the permission rds:DescribeDBClusterAutomatedBackups. This permission is necessary for Amazon Backup support of continuous backup and point-in-time restore of Aurora clusters.

Added the permission rds:DeleteDBClusterAutomatedBackups to allow Amazon Backup lifecycle to delete and disassociate Amazon Aurora continuous recovery points when a retention period finishes. This permission is necessary for the Aurora recovery point to avoid a transition into an EXIPIRED state.

Added the permission rds:ModifyDBCluster which allows Amazon Backup to interact with Aurora clusters. This addition allows users the ability to enable or disable continuous backups based on desired configurations.

Added the action ram:GetResourceShareAssociations to grant the user permission to get resource share associations for new vault type.

Added the action ram:GetResourceShareAssociations to grant the user permission to get resource share associations for new vault type.

Added the permission s3:PutInventoryConfiguration to enhance backup performance speeds by using a bucket inventory.

Added the following actions to grant the user permissions to add tags to restore resources: storagegateway:AddTagsToResource, elasticfilesystem:TagResource, ec2:CreateTags for only ec2:CreateAction that includes either RunInstances or CreateVolume, fsx:TagResource, and cloudformation:TagResource.

Replaced the resource selection within the API config:DescribeComplianceByConfigRule with a wildcard resource to make it easier for a user to select resources.

Added the following permission to restore Amazon EFS using a customer managed key: kms:GenerateDataKeyWithoutPlaintext. This helps to ensure users have required permissions to restore Amazon EFS resources.

Updated the config:DescribeConfigRules and config:DescribeConfigRuleEvaluationStatus actions to allow Amazon Backup Audit Manager to access Amazon Backup Audit Manager-managed Amazon Config rules.

Added the following permissions: kms:Decrypt, s3:PutBucketOwnershipControls, and s3:GetBucketOwnershipControls to the policy AWSBackupServiceRolePolicyForS3Restore. These permissions are necessary to support restores of objects when KMS encryption is used in the original backup and for restoring objects when object ownership is configured on the original bucket instead of ACL.

Added the following permissions to schedule backups using VMware tags of virtual machines and to support schedule-based bandwidth throttling: backup-gateway:GetHypervisorPropertyMappings, backup-gateway:GetVirtualMachine, backup-gateway:PutHypervisorPropertyMappings, backup-gateway:GetHypervisor, backup-gateway:StartVirtualMachinesMetadataSync, backup-gateway:GetBandwidthRateLimitSchedule, and backup-gateway:PutBandwidthRateLimitSchedule.

Added the following permissions to schedule backups using VMware tags of virtual machines and to support schedule-based bandwidth throttling: backup-gateway:GetHypervisorPropertyMappings, backup-gateway:GetVirtualMachine, backup-gateway:GetHypervisor, and backup-gateway:GetBandwidthRateLimitSchedule.

Provides permissions for Amazon Backup Gateway to sync the metadata of virtual machines in on-premise networks with Backup Gateway.

Added the following permissions to support Amazon Redshift resources: redshift:DescribeClusters, redshift:DescribeClusterSubnetGroups, redshift:DescribeNodeConfigurationOptions, redshift:DescribeOrderableClusterOptions, redshift:DescribeClusterParameterGroups, redshift:DescribeClusterTracks, redshift:DescribeSnapshotSchedules, and ec2:DescribeAddresses.

Added the following permissions to support Amazon Redshift resources: redshift:DescribeClusters, redshift:DescribeClusterSubnetGroups, redshift:DescribeNodeConfigurationOptions, redshift:DescribeOrderableClusterOptions, redshift:DescribeClusterParameterGroups,, redshift:DescribeClusterTracks. redshift:DescribeSnapshotSchedules, and ec2:DescribeAddresses.

Added the following permissions to support Amazon Redshift restore jobs: redshift:RestoreFromCluster Snapshot, redshift:RestoreTableFromClusterSnapshot, redshift:DescribeClusters, and redshift:DescribeTableRestoreStatus.

Added the following permissions to support Amazon Redshift backup jobs: redshift:CreateClusterSnapshot, redshift:DescribeClusterSnapshots, redshift:DescribeTags, redshift:DeleteClusterSnapshot, redshift:DescribeClusters, and redshift:CreateTags.

Added the following permission to support CloudFormation resources: cloudformation:ListStacks.

Added the following permission to support CloudFormation resources: cloudformation:ListStacks.

Added the following permissions to support CloudFormation resources: redshift:DescribeClusterSnapshots, redshift:DescribeTags, redshift:DeleteClusterSnapshot, and redshift:DescribeClusters.

Added the following permissions to support Amazon CloudFormation application stack backup jobs: cloudformation:GetTemplate, cloudformation:DescribeStacks, and cloudformation:ListStackResources.

Added the following permissions to support Amazon CloudFormation application stack backup jobs: cloudformation:CreateChangeSet and cloudformation:DescribeChangeSet

Added the following permissions to this policy to allow organization administrators to usethe Delegated Administrator feature: organizations:ListDelegatedAdministrator, organizations:RegisterDelegatedAdministrator, and organizations:DeregisterDelegatedAdministrator

Added the permission s3:GetBucketAcl to support backup operations of Amazon Backup for Amazon S3.

Added the following actions to grant access to create a database instance to support multi-Availability Zone (Multi-AZ) functionality: rds:CreateDBInstance.

Added the s3:GetBucketTagging permission to grant the user permission to select buckets to backup with a resource wildcard. Without this permission, users who select which buckets to backup with a resource wildcard are unsuccessful.

Added volume resources in the scope of existing fsx:CreateBackup and fsx:ListTagsForResource actions, and added new action fsx:DescribeVolumes to support FSx for ONTAP volume level backups.

Added the following actions to grant the users permissions to restore FSx for ONTAP volumes fsx:DescribeVolumes, fsx:CreateVolumeFromBackup, fsx:DeleteVolume, and fsx:UntagResource.

Added the following actions to grant the user permissions to receive notifications of changes to their Amazon S3 buckets during backup operations: s3:GetBucketNotification and s3:PutBucketNotification.

Added the following actions to grant the user permissions to back up their Amazon S3 buckets: s3:GetInventoryConfiguration, s3:PutInventoryConfiguration, s3:ListBucketVersions, s3:ListBucket, s3:GetBucketTagging, s3:GetBucketVersioning, s3:GetBucketNotification,s3:GetBucketLocation, and s3:ListAllMyBuckets

Added the following actions to grant the user permissions to back up their Amazon S3 objects: s3:GetObject,s3GetObjectAcl, s3:GetObjectVersionTagging, s3:GetObjectVersionAcl, s3:GetObjectTagging, and s3:GetObjectVersion.

Added the following actions to grant the user permissions to back up their encrypted Amazon S3 data: kms:Decrypt and kms:DescribeKey.

Added the following actions to grant the user permissions to take incremental backups of their Amazon S3 data using Amazon EventBridge rules: events:DescribeRule, events:EnableRule, events:PutRule, events:DeleteRule, events:PutTargets, events:RemoveTargets, events:ListTargetsByRule, events:DisableRule, cloudwatch:GetMetricData, and events:ListRules.

Added the following actions to grant the user permissions to restore their Amazon S3 buckets: s3:CreateBucket, s3:ListBucketVersions, s3:ListBucket, s3:GetBucketVersioning, s3:GetBucketLocation, and s3:PutBucketVersioning.

Added the following actions to grant the user permissions to restore their Amazon S3 buckets: s3:GetObject, s3:GetObjectVersion, s3:DeleteObject, s3:PutObjectVersionAcl, s3:GetObjectVersionAcl, s3:GetObjectTagging, s3:PutObjectTagging, s3:GetObjectAcl, s3:PutObjectAcl, s3:PutObject, and s3:ListMultipartUploadParts.

Added the following actions to grant the user permissions to encrypt their restored Amazon S3 data: kms:Decrypt, kms:DescribeKey, and kms:GenerateDataKey.

Added s3:ListAllMyBuckets to grant the user permissions to view a list of their buckets and choose which ones to assign to a backup plan.

Added backup-gateway:ListVirtualMachines to grant the user permissions to view a list of their virtual machines and choose which ones to assign to a backup plan.

Added backup-gateway:ListTagsForResource to grant the user permissions to list the tags for their virtual machines.

Added backup-gateway:Backup to grant the user permissions restore their virtual machine backups. Amazon Backup also added backup-gateway:ListTagsForResource to grant the user permissions to list the tags assigned to their virtual machine backups.

Added backup-gateway:Restore to grant the user permissions restore their virtual machine backups.

Added the following actions to grant the users permissions to use Amazon Backup Gateway to back up, restore, and manage their virtual machines: backup-gateway:AssociateGatewayToServer, backup-gateway:CreateGateway, backup-gateway:DeleteGateway, backup-gateway:DeleteHypervisor, backup-gateway:DisassociateGatewayFromServer, backup-gateway:ImportHypervisorConfiguration, backup-gateway:ListGateways, backup-gateway:ListHypervisors, backup-gateway:ListTagsForResource, backup-gateway:ListVirtualMachines, backup-gateway:PutMaintenanceStartTime, backup-gateway:TagResource, backup-gateway:TestHypervisorConfiguration, backup-gateway:UntagResource, backup-gateway:UpdateGatewayInformation, and backup-gateway:UpdateHypervisor.

Added the following actions to grant the user permissions to back up their virtual machines: backup-gateway:ListGateways, backup-gateway:ListHypervisors, backup-gateway:ListTagsForResource, and backup-gateway:ListVirtualMachines.

Added dynamodb:ListTagsOfResource to grant the user permissions to list tags of their DynamoDB tables to back up using Amazon Backup's advanced DynamoDB backup features.

Added dynamodb:StartAwsBackupJob to grant the user permissions to back up their DynamoDB tables using advanced backup features.

Added dynamodb:ListTagsOfResource to grant the user to permissions to copy tags from their source DynamoDB tables to their backups.

Added dynamodb:RestoreTableFromAwsBackup to grant the user permissions restore their DynamoDB tables backed up using Amazon Backup's advanced DynamoDB advanced backup features.

Added dynamodb:RestoreTableFromAwsBackup to grant the user permissions restore their DynamoDB tables backed up using Amazon Backup's advanced DynamoDB advanced backup features.

Removed the actions backup:GetRecoveryPointRestoreMetadata and rds:DescribeDBSnapshots because they were redundant.

Amazon Backup did not need both backup:GetRecoveryPointRestoreMetadata and backup:Get* as part of AWSBackupOperatorAccess. Also, Amazon Backup did not need both rds:DescribeDBSnapshots and rds:describeDBSnapshots as part of AWSBackupOperatorAccess.

Added the new actions elasticfilesystem:DescribeFileSystems, dynamodb:ListTables, storagegateway:ListVolumes, ec2:DescribeVolumes, ec2:DescribeInstances, rds:DescribeDBInstances, rds:DescribeDBClusters, and fsx:DescribeFileSystems to allow customers to view and choose from a list of their Amazon Backup-supported resources when selecting which resources to assign to a backup plan.

Added AWSBackupAuditAccess to grant the user permissions to use Amazon Backup Audit Manager. Permissions include the ability to configure compliance frameworks and generate reports.

Added AWSServiceRolePolicyForBackupReports to grant permissions for a service-linked role to automate the monitoring of backup settings, jobs, and resources for compliance with frameworks configured by the user.

Added iam:CreateServiceLinkedRole to create a service-linked role (on a best-effort basis) to automate the deletion of expired recovery points for you. Without this service-linked role, Amazon Backup cannot delete expired recovery points after customers delete the original IAM role they used to create their recovery points.

Added the new action dynamodb:DeleteBackup to grant DeleteRecoveryPoint permission to automate the deletion of expired DynamoDB recovery points based on your backup plan lifecycle settings.

Removed the actions backup:GetRecoveryPointRestoreMetadata and rds:DescribeDBSnapshots because they were redundant.

Amazon Backup did not need both backup:GetRecoveryPointRestoreMetadata and backup:Get* as part of AWSBackupOperatorAccess Also, Amazon Backup did not need both rds:DescribeDBSnapshots and rds:describeDBSnapshots as part of AWSBackupOperatorAccess

Removed the actions backup:GetRecoveryPointRestoreMetadata and rds:DescribeDBSnapshots because they were redundant.

Amazon Backup did not need both backup:GetRecoveryPointRestoreMetadata and backup:Get* as part of AWSBackupOperatorAccess. Also, Amazon Backup did not need both rds:DescribeDBSnapshots and rds:describeDBSnapshots as part of AWSBackupOperatorAccess.

Added the new action fsx:TagResource to grant StartRestoreJob permission to allow you to apply tags to Amazon FSx file systems during the restore process.

Added the new actions ec2:DescribeImages and ec2:DescribeInstances to grant StartRestoreJob permission to allow you to restore Amazon EC2 instances from recovery points.

Added the new action fsx:CopyBackup to grant StartCopyJob permission to allow you to copy Amazon FSx recovery points across Regions and accounts.

Added the new action fsx:CopyBackup to grant StartCopyJob permission to allow you to copy Amazon FSx recovery points across Regions and accounts.

Updated to comply with the following requirement:

For Amazon Backup to create a backup of an encrypted DynamoDB table, you must add the permissions kms:Decrypt and kms:GenerateDataKey to the IAM role used for backup.

Updated to comply with the following requirements:

To use Amazon Backup to configure continuous backups for your Amazon RDS database, verify the API permission rds:ModifyDBInstance exists in the IAM role defined by your Backup plan configuration.

To restore Amazon RDS continuous backups, you must add the permission rds:RestoreDBInstanceToPointInTime to the IAM role you submitted for restore job.

In the Amazon Backup console, to describe the range of times available for point-in-time recovery, you must include the rds:DescribeDBInstanceAutomatedBackups API permission in your IAM-managed policy.

Amazon Backup started tracking changes

Amazon Backup started tracking changes for its Amazon-managed policies.