Managed policies for Amazon Backup - Amazon Backup
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Managed policies for Amazon Backup

Managed policies are standalone identity-based policies that you can attach to multiple users, groups, and roles in your Amazon Web Services account. When you attach a policy to a principal entity, you give the entity the permissions that are defined in the policy.

Amazon managed policies are created and administered by Amazon.

Customer managed policies give you fine-grained controls to set access to backups in Amazon Backup. For example, you can use them to give your database backup administrator access to Amazon RDS backups but not Amazon EFS ones.

Customer managed policies

One way to create a customer managed policy is to start by copying an existing Amazon managed policy. That way you know that the policy is correct at the beginning, and all you need to do is customize it to your environment.

The following policies specify backup and restore permissions for individual Amazon Backup-supported Amazon services and third-party applications. They can be customized and attached to roles that you create to further limit access to Amazon resources.

The following policies specify backup permissions for individual Amazon Backup-supported Amazon services and third-party applications. They can be customized and attached to roles that you create to further limit access to Amazon resources.

Amazon S3
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3BucketBackupPermissions",
      "Action": [
        "s3:GetInventoryConfiguration",
        "s3:PutInventoryConfiguration",
        "s3:ListBucketVersions",
        "s3:ListBucket",
        "s3:GetBucketVersioning",
        "s3:GetBucketNotification",
        "s3:PutBucketNotification",
        "s3:GetBucketLocation",
        "s3:GetBucketTagging",
        "s3:GetBucketAcl"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*"
      ]
    },
    {
      "Sid": "S3ObjectBackupPermissions",
      "Action": [
        "s3:GetObjectAcl",
        "s3:GetObject",
        "s3:GetObjectVersionTagging",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectTagging",
        "s3:GetObjectVersion"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*/*"
      ]
    },
    {
      "Sid": "S3GlobalPermissions",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "KMSBackupPermissions",
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "s3.*.amazonaws.com"
        }
      }
    },
    {
      "Sid": "EventsPermissions",
      "Action": [
        "events:DescribeRule",
        "events:EnableRule",
        "events:PutRule",
        "events:DeleteRule",
        "events:PutTargets",
        "events:RemoveTargets",
        "events:ListTargetsByRule",
        "events:DisableRule"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:events:*:*:rule/AwsBackupManagedRule*"
    },
    {
      "Sid": "EventsMetricsGlobalPermissions",
      "Action": [
        "cloudwatch:GetMetricData",
        "events:ListRules"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
VM
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BackupGatewayBackupPermissions",
      "Effect": "Allow",
      "Action": [
        "backup-gateway:Backup",
        "backup-gateway:ListTagsForResource"
      ],
      "Resource": "arn:aws:backup-gateway:*:*:vm/*"
    }
  ]
}
Amazon EBS
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:*::snapshot/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateSnapshot",
        "ec2:DeleteSnapshot"
      ],
      "Resource": [
        "arn:aws:ec2:*::snapshot/*",
        "arn:aws:ec2:*:*:volume/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVolumes",
        "ec2:DescribeSnapshots",
        "ec2:CopySnapshot",
        "ec2:DescribeTags"
      ],
      "Resource": "*"
    },
    {
      "Action": [
        "tag:GetResources"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": [
        "backup:DescribeBackupVault",
        "backup:CopyIntoBackupVault"
      ],
      "Resource": "arn:aws:backup:*:*:backup-vault:*"
    }
  ]
}
Amazon EFS
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "elasticfilesystem:Backup",
        "elasticfilesystem:DescribeTags"
      ],
      "Resource": "arn:aws:elasticfilesystem:*:*:file-system/*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "tag:GetResources"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": [
        "backup:DescribeBackupVault",
        "backup:CopyIntoBackupVault"
      ],
      "Resource": "arn:aws:backup:*:*:backup-vault:*"
    }
  ]
}
Amazon RDS
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:AddTagsToResource",
        "rds:ListTagsForResource",
        "rds:DescribeDBSnapshots",
        "rds:CreateDBSnapshot",
        "rds:CopyDBSnapshot",
        "rds:DescribeDBInstances",
        "rds:CreateDBClusterSnapshot",
        "rds:DescribeDBClusters",
        "rds:DescribeDBClusterSnapshots",
        "rds:CopyDBClusterSnapshot"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "rds:DeleteDBSnapshot",
        "rds:ModifyDBSnapshotAttribute"
      ],
      "Resource": [
        "arn:aws:rds:*:*:snapshot:awsbackup:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "rds:DeleteDBClusterSnapshot",
        "rds:ModifyDBClusterSnapshotAttribute"
      ],
      "Resource": [
        "arn:aws:rds:*:*:cluster-snapshot:awsbackup:*"
      ]
    },
    {
      "Action": [
        "tag:GetResources"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": [
        "backup:DescribeBackupVault",
        "backup:CopyIntoBackupVault"
      ],
      "Resource": "arn:aws:backup:*:*:backup-vault:*"
    },
    {
      "Action": "kms:DescribeKey",
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
Amazon Aurora
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:CreateDBClusterSnapshot",
        "rds:DescribeDBClusters",
        "rds:DescribeDBClusterSnapshots",
        "rds:AddTagsToResource",
        "rds:ListTagsForResource",
        "rds:CopyDBClusterSnapshot"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "rds:DeleteDBClusterSnapshot"
      ],
      "Resource": [
        "arn:aws:rds:*:*:cluster-snapshot:awsbackup:*"
      ]
    },
    {
      "Action": [
        "tag:GetResources"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": [
        "backup:DescribeBackupVault",
        "backup:CopyIntoBackupVault"
      ],
      "Resource": "arn:aws:backup:*:*:backup-vault:*"
    },
    {
      "Action": "kms:DescribeKey",
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
Storage Gateway
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "storagegateway:CreateSnapshot",
        "storagegateway:ListTagsForResource"
      ],
      "Resource": "arn:aws:storagegateway:*:*:gateway/*/volume/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteSnapshot"
      ],
      "Resource": "arn:aws:ec2:*::snapshot/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSnapshots"
      ],
      "Resource": "*"
    },
    {
      "Action": [
        "tag:GetResources"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": [
        "backup:DescribeBackupVault",
        "backup:CopyIntoBackupVault"
      ],
      "Resource": "arn:aws:backup:*:*:backup-vault:*"
    }
  ]
}
Amazon FSx
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "fsx:DescribeBackups",
      "Effect": "Allow",
      "Resource": "arn:aws:fsx:*:*:backup/*"
    },
    {
      "Action": "fsx:CreateBackup",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:fsx:*:*:file-system/*",
        "arn:aws:fsx:*:*:backup/*"
      ]
    },
    {
      "Action": "fsx:DescribeFileSystems",
      "Effect": "Allow",
      "Resource": "arn:aws:fsx:*:*:file-system/*"
    },
    {
      "Action": "fsx:ListTagsForResource",
      "Effect": "Allow",
      "Resource": "arn:aws:fsx:*:*:file-system/*"
    },
    {
      "Action": "fsx:DeleteBackup",
      "Effect": "Allow",
      "Resource": "arn:aws:fsx:*:*:backup/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "fsx:ListTagsForResource",
        "fsx:ManageBackupPrincipalAssociations",
        "fsx:CopyBackup",
        "fsx:TagResource"
      ],
      "Resource": "arn:aws:fsx:*:*:backup/*"
    }
  ]
}
Amazon EC2
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteSnapshot"
      ],
      "Resource": "arn:aws:ec2:*::snapshot/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateImage",
        "ec2:DeregisterImage"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CopyImage",
        "ec2:CopySnapshot"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": "arn:aws:ec2:*:*:image/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSnapshots",
        "ec2:DescribeTags",
        "ec2:DescribeImages",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceCreditSpecifications",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeElasticGpus",
        "ec2:DescribeSpotInstanceRequests"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateSnapshot",
        "ec2:DeleteSnapshot",
        "ec2:DescribeVolumes",
        "ec2:DescribeSnapshots"
      ],
      "Resource": [
        "arn:aws:ec2:*::snapshot/*",
        "arn:aws:ec2:*:*:volume/*"
      ]
    },
    {
      "Action": [
        "tag:GetResources"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": [
        "backup:DescribeBackupVault",
        "backup:CopyIntoBackupVault"
      ],
      "Resource": "arn:aws:backup:*:*:backup-vault:*"
    }
  ]
}
DynamoDB
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "dynamodb:DescribeTable",
        "dynamodb:CreateBackup"
      ],
      "Resource": "arn:aws:dynamodb:*:*:table/*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dynamodb:DescribeBackup",
        "dynamodb:DeleteBackup"
      ],
      "Resource": "arn:aws:dynamodb:*:*:table/*/backup/*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "dynamodb.*.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "DynamodbBackupPermissions",
      "Effect": "Allow",
      "Action": [
        "dynamodb:StartAwsBackupJob",
        "dynamodb:ListTagsOfResource"
      ],
      "Resource": "arn:aws:dynamodb:*:*:table/*"
    }
  ]
}
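The advice above is to copy an existing policy and then narrow it to your environment. The following Python, added here as an example and not code from the Amazon Backup documentation, starts from a copy of the Amazon RDS backup policy shown above, pins its backup-vault resource to one named vault, and then checks two things a reviewer of a customer managed policy wants to know: that the customized policy grants no action the original did not, and that it grants nothing outside the service it is meant for (the scenario from the introduction, where the database backup administrator gets Amazon RDS backups but not Amazon EFS ones). The account id 111122223333, the region, the vault name dba-vault and all function names are assumptions.

```python
"""Customize a copied Amazon Backup policy and verify it stays within the
original's grant.  Added example, not part of the Amazon Backup documentation.
The sample policy below is a copy of the page's Amazon RDS backup policy; the
account id 111122223333, the region and the vault name "dba-vault" are
constructed values."""
import copy
import fnmatch
import json

# Constructed sample: the page's per-service Amazon RDS backup policy.
RDS_BACKUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["rds:AddTagsToResource", "rds:ListTagsForResource",
                    "rds:DescribeDBSnapshots", "rds:CreateDBSnapshot",
                    "rds:CopyDBSnapshot", "rds:DescribeDBInstances",
                    "rds:CreateDBClusterSnapshot", "rds:DescribeDBClusters",
                    "rds:DescribeDBClusterSnapshots", "rds:CopyDBClusterSnapshot"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["rds:DeleteDBSnapshot", "rds:ModifyDBSnapshotAttribute"],
         "Resource": ["arn:aws:rds:*:*:snapshot:awsbackup:*"]},
        {"Effect": "Allow",
         "Action": ["rds:DeleteDBClusterSnapshot", "rds:ModifyDBClusterSnapshotAttribute"],
         "Resource": ["arn:aws:rds:*:*:cluster-snapshot:awsbackup:*"]},
        {"Action": ["tag:GetResources"], "Resource": "*", "Effect": "Allow"},
        {"Effect": "Allow",
         "Action": ["backup:DescribeBackupVault", "backup:CopyIntoBackupVault"],
         "Resource": "arn:aws:backup:*:*:backup-vault:*"},
        {"Action": "kms:DescribeKey", "Effect": "Allow", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM lets Action and Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Every action string granted by an Allow statement (wildcards kept as-is)."""
    return {a for s in policy["Statement"] if s.get("Effect") == "Allow"
            for a in _as_list(s.get("Action", []))}


def actions_outside(custom, reference):
    """Actions in `custom` that no Allow statement of `reference` covers.
    IAM action names are case-insensitive, and `*`/`?` in the reference are
    honoured, so a reference 'rds:Describe*' covers 'rds:DescribeDBInstances'."""
    ref_patterns = {a.lower() for a in allowed_actions(reference)}
    return {a for a in allowed_actions(custom)
            if not any(fnmatch.fnmatchcase(a.lower(), p) for p in ref_patterns)}


def actions_for_service(policy, service):
    """Allowed actions whose service prefix is `service` (e.g. 'elasticfilesystem')."""
    prefix = service.lower() + ":"
    return {a for a in allowed_actions(policy) if a.lower().startswith(prefix)}


def pin_resources(policy, replacements):
    """Return a copy of `policy` with resource patterns swapped for concrete ARNs,
    for example narrowing 'any backup vault' to one named vault.  The original
    is left untouched so it can serve as the reference for actions_outside()."""
    pinned = copy.deepcopy(policy)
    for stmt in pinned["Statement"]:
        resources = [replacements.get(r, r) for r in _as_list(stmt["Resource"])]
        stmt["Resource"] = resources if isinstance(stmt["Resource"], list) else resources[0]
    return pinned


if __name__ == "__main__":
    # Customization step: the DBA role may only copy into the "dba-vault" vault.
    dba_policy = pin_resources(RDS_BACKUP_POLICY, {
        "arn:aws:backup:*:*:backup-vault:*":
            "arn:aws:backup:us-east-1:111122223333:backup-vault:dba-vault",
    })
    print(json.dumps(dba_policy, indent=2))
    # Review step: nothing beyond the copied policy, and nothing for EFS.
    print("actions outside reference:", actions_outside(dba_policy, RDS_BACKUP_POLICY))
    print("EFS actions:", actions_for_service(dba_policy, "elasticfilesystem"))
```

The subset check deliberately compares actions only: resource narrowing can only make a policy tighter, so the interesting regression to catch is an action that crept in during hand-editing. Run the same check whenever the managed policy the copy was taken from is updated (see the policy update history later on this page) to decide whether the customer managed copy should pick up the new permissions.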

The following policies specify restore permissions for individual Amazon Backup-supported Amazon services and third-party applications. They can be customized and attached to roles that you create to further limit access to Amazon resources.

Amazon S3
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3BucketRestorePermissions",
      "Action": [
        "s3:CreateBucket",
        "s3:ListBucketVersions",
        "s3:ListBucket",
        "s3:GetBucketVersioning",
        "s3:GetBucketLocation",
        "s3:PutBucketVersioning"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*"
      ]
    },
    {
      "Sid": "S3ObjectRestorePermissions",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:DeleteObject",
        "s3:PutObjectVersionAcl",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectTagging",
        "s3:PutObjectTagging",
        "s3:GetObjectAcl",
        "s3:PutObjectAcl",
        "s3:PutObject",
        "s3:ListMultipartUploadParts"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*/*"
      ]
    },
    {
      "Sid": "S3KMSPermissions",
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey",
        "kms:GenerateDataKey"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "s3.*.amazonaws.com"
        }
      }
    }
  ]
}
VM
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GatewayRestorePermissions",
      "Effect": "Allow",
      "Action": [
        "backup-gateway:Restore"
      ],
      "Resource": "arn:aws:backup-gateway:*:*:hypervisor/*"
    }
  ]
}
Amazon EBS
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVolume",
        "ec2:DeleteVolume"
      ],
      "Resource": [
        "arn:aws:ec2:*::snapshot/*",
        "arn:aws:ec2:*:*:volume/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSnapshots",
        "ec2:DescribeVolumes"
      ],
      "Resource": "*"
    }
  ]
}
Amazon EFS
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticfilesystem:Restore",
        "elasticfilesystem:CreateFilesystem",
        "elasticfilesystem:DescribeFilesystems",
        "elasticfilesystem:DeleteFilesystem"
      ],
      "Resource": "arn:aws:elasticfilesystem:*:*:file-system/*"
    }
  ]
}
Amazon RDS
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBInstances",
        "rds:DescribeDBSnapshots",
        "rds:ListTagsForResource",
        "rds:RestoreDBInstanceFromDBSnapshot",
        "rds:DeleteDBInstance",
        "rds:AddTagsToResource"
      ],
      "Resource": "*"
    }
  ]
}
Amazon Aurora
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:DeleteDBCluster",
        "rds:DescribeDBClusters",
        "rds:RestoreDBClusterFromSnapshot",
        "rds:ListTagsForResource",
        "rds:AddTagsToResource"
      ],
      "Resource": "*"
    }
  ]
}
Storage Gateway
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "storagegateway:DeleteVolume",
        "storagegateway:DescribeCachediSCSIVolumes",
        "storagegateway:DescribeStorediSCSIVolumes"
      ],
      "Resource": "arn:aws:storagegateway:*:*:gateway/*/volume/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "storagegateway:DescribeGatewayInformation",
        "storagegateway:CreateStorediSCSIVolume",
        "storagegateway:CreateCachediSCSIVolume"
      ],
      "Resource": "arn:aws:storagegateway:*:*:gateway/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "storagegateway:ListVolumes"
      ],
      "Resource": "arn:aws:storagegateway:*:*:*"
    }
  ]
}
Amazon FSx
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "fsx:CreateFileSystemFromBackup"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:fsx:*:*:file-system/*",
        "arn:aws:fsx:*:*:backup/*"
      ]
    },
    {
      "Action": "fsx:DescribeFileSystems",
      "Effect": "Allow",
      "Resource": "arn:aws:fsx:*:*:file-system/*"
    },
    {
      "Action": "fsx:DescribeBackups",
      "Effect": "Allow",
      "Resource": "arn:aws:fsx:*:*:backup/*"
    },
    {
      "Action": [
        "fsx:DeleteFileSystem",
        "fsx:UntagResource"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:fsx:*:*:file-system/*",
      "Condition": {
        "Null": {
          "aws:ResourceTag/aws:backup:source-resource": "false"
        }
      }
    },
    {
      "Action": "ds:DescribeDirectories",
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
Amazon EC2
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVolume",
        "ec2:DeleteVolume"
      ],
      "Resource": [
        "arn:aws:ec2:*::snapshot/*",
        "arn:aws:ec2:*:*:volume/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSnapshots",
        "ec2:DescribeVolumes"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeImages",
        "ec2:DescribeInstances"
      ],
      "Resource": "*"
    },
    {
      "Action": [
        "ec2:RunInstances"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "ec2:TerminateInstances"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:ec2:*:*:instance/*"
    },
    {
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::<account-id>:role/<role-name>",
      "Effect": "Allow"
    }
  ]
}
DynamoDB
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:Scan",
        "dynamodb:Query",
        "dynamodb:UpdateItem",
        "dynamodb:PutItem",
        "dynamodb:GetItem",
        "dynamodb:DeleteItem",
        "dynamodb:BatchWriteItem",
        "dynamodb:DescribeTable"
      ],
      "Resource": "arn:aws:dynamodb:*:*:table/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:RestoreTableFromBackup"
      ],
      "Resource": "arn:aws:dynamodb:*:*:table/*/backup/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey",
        "kms:ReEncryptTo",
        "kms:ReEncryptFrom"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "dynamodb.*.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "DynamoDBRestorePermissions",
      "Effect": "Allow",
      "Action": [
        "dynamodb:RestoreTableFromAwsBackup"
      ],
      "Resource": "arn:aws:dynamodb:*:*:table/*"
    }
  ]
}
To restore an encrypted backup, do one of the following:
  • Add your role to the allowlist in the Amazon Key Management Service (Amazon KMS) key policy.

  • Attach this policy to your IAM role for restores:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "kms:DescribeKey",
            "kms:Decrypt",
            "kms:Encrypt",
            "kms:GenerateDataKey",
            "kms:ReEncrypt*"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }
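The two options above are not interchangeable, and the difference is easy to miss when a restore of an encrypted backup fails. The Python below is a simplified evaluator, added here as an example and not part of the Amazon Backup documentation, that models the rule KMS applies to a customer managed key: a principal can use the key when the key policy names it directly (option 1), or when the key policy delegates to IAM through the account root principal and an IAM policy attached to the role grants the actions (option 2). It handles Allow statements only and ignores Deny statements, conditions and KMS grants. The account id 111122223333, the key id, the role name BackupRestoreRole and all function names are constructed.

```python
"""Simplified evaluation of the two ways a restore role can use a KMS key.
Added example; not from the Amazon Backup documentation.  Only Allow
statements are modelled: Deny statements, conditions and KMS grants are
ignored.  Account id, key id and role name below are constructed."""
import fnmatch

ACCOUNT = "111122223333"                                   # constructed
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/BackupRestoreRole"  # constructed

# The actions from the IAM statement shown on this page.
RESTORE_ACTIONS = ["kms:DescribeKey", "kms:Decrypt", "kms:Encrypt",
                   "kms:GenerateDataKey", "kms:ReEncrypt*"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, name):
    """IAM-style wildcard match; action names are case-insensitive."""
    return fnmatch.fnmatchcase(name.lower(), pattern.lower())


def _statement_allows(stmt, action, resource):
    """Allow statement whose Action and Resource patterns both cover the request."""
    return (stmt.get("Effect") == "Allow"
            and any(_matches(p, action) for p in _as_list(stmt.get("Action", [])))
            and any(_matches(p, resource) for p in _as_list(stmt.get("Resource", []))))


def _principals(stmt):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []


def key_policy_allows(key_policy, principal_arn, action, key_arn):
    """Option 1: the key policy allowlists the role (or everyone) for the action."""
    return any(_statement_allows(s, action, key_arn)
               and any(p in ("*", principal_arn) for p in _principals(s))
               for s in key_policy["Statement"])


def key_policy_delegates_to_iam(key_policy, account):
    """A statement with the account root as principal lets IAM policies decide."""
    root = f"arn:aws:iam::{account}:root"
    return any(s.get("Effect") == "Allow" and root in _principals(s)
               for s in key_policy["Statement"])


def iam_allows(iam_policies, action, key_arn):
    """Option 2: a policy attached to the role grants the action on the key."""
    return any(_statement_allows(s, action, key_arn)
               for policy in iam_policies for s in policy["Statement"])


def can_restore_encrypted(key_policy, iam_policies, role_arn, key_arn, account):
    """True when each action a restore needs is reachable through option 1 or 2."""
    needed = ["kms:DescribeKey", "kms:Decrypt", "kms:Encrypt",
              "kms:GenerateDataKey", "kms:ReEncryptFrom", "kms:ReEncryptTo"]
    delegated = key_policy_delegates_to_iam(key_policy, account)
    return all(key_policy_allows(key_policy, role_arn, a, key_arn)
               or (delegated and iam_allows(iam_policies, a, key_arn))
               for a in needed)


# Constructed key policy: only the root-delegation statement, no allowlist yet.
KEY_POLICY_DEFAULT = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
     "Action": "kms:*", "Resource": "*"}]}

# Option 1 applied: the restore role is added to the key policy.
KEY_POLICY_ALLOWLISTED = {"Version": "2012-10-17", "Statement":
    KEY_POLICY_DEFAULT["Statement"] + [
        {"Sid": "AllowBackupRestoreRole", "Effect": "Allow",
         "Principal": {"AWS": ROLE_ARN},
         "Action": RESTORE_ACTIONS, "Resource": "*"}]}

# Option 2 applied: the page's IAM statement attached to the restore role.
IAM_RESTORE_KMS = {"Version": "2012-10-17", "Statement": [
    {"Action": RESTORE_ACTIONS, "Effect": "Allow", "Resource": "*"}]}


if __name__ == "__main__":
    cases = [("no allowlist, no IAM policy", KEY_POLICY_DEFAULT, []),
             ("option 1: key policy allowlist", KEY_POLICY_ALLOWLISTED, []),
             ("option 2: IAM policy on the role", KEY_POLICY_DEFAULT, [IAM_RESTORE_KMS])]
    for label, key_policy, iam in cases:
        print(f"{label}: {can_restore_encrypted(key_policy, iam, ROLE_ARN, KEY_ARN, ACCOUNT)}")
```

The case worth keeping in mind is a key policy without the root-delegation statement: option 2 then has no effect, because the IAM statement above is never consulted for that key, and the evaluator returns False even with the policy attached. In that situation only option 1 (editing the key policy) makes the restore possible.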

Policy updates for Amazon Backup

Amazon services maintain and update Amazon managed policies. You can't change the permissions in Amazon managed policies. Services occasionally add additional permissions to an Amazon managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an Amazon managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an Amazon managed policy, so policy updates won't break your existing permissions.

Additionally, Amazon supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess Amazon managed policy provides read-only access to all Amazon services and resources. When a service launches a new feature, Amazon adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see Amazon managed policies for job functions in the IAM User Guide.

View details about updates to Amazon managed policies for Amazon Backup since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon Backup Document history page.

Change Description Date
AWSServiceRolePolicyForBackupRestoreTesting — Added permissions to support additional resource types with the restore testing feature

Amazon Backup added the following permissions to describe and list recovery points and protected resources in order to conduct restore testing plans: backup:DescribeRecoveryPoint, backup:DescribeProtectedResource, backup:ListProtectedResources, and backup:ListRecoveryPointsByResource.

Amazon Backup added the permission ec2:DescribeSnapshotTierStatus to support Amazon EBS archive tier storage.

Amazon Backup added the permission rds:DescribeDBClusterAutomatedBackups to support Amazon Aurora continuous backups.

Amazon Backup added the following permissions to support restore testing of Amazon Redshift backups: redshift:DescribeClusters and redshift:DeleteCluster.

Amazon Backup added the permission timestream:DeleteTable to support restore testing of Amazon Timestream backups.

February 14, 2024

AWSBackupServiceRolePolicyForRestores — Added permissions to support Amazon Backup transition to Amazon Elastic Block Store archive storage tier

Amazon Backup added the permissions ec2:DescribeSnapshotTierStatus and ec2:RestoreSnapshotTier.

These permissions are necessary for users to have the option to restore Amazon EBS resources stored with Amazon Backup from archive storage.

For EC2 instance restores, you must also include permissions as shown in the following policy statement to launch the EC2 instance:

November 27, 2023

AWSBackupServiceRolePolicyForBackups — Added permissions to support Amazon Backup transition to Amazon Elastic Block Store archive storage tier

Amazon Backup added the permissions ec2:DescribeSnapshotTierStatus and ec2:ModifySnapshotTier to support an additional storage option for backed up Amazon EBS resources to be transitioned to the archive storage tier.

These permissions are necessary for users to have the option to transition Amazon EBS resources stored with Amazon Backup to archive storage.

November 27, 2023

AWSBackupServiceLinkedRolePolicyForBackup — Added permissions to support Amazon Backup transition to Amazon Elastic Block Store archive storage tier

— Also added permissions to support continuous backups and PITR (point-in-time restore) for Amazon Aurora.

Amazon Backup added the permissions ec2:DescribeSnapshotTierStatus and ec2:ModifySnapshotTier to support an additional storage option for backed up Amazon EBS resources to be transitioned to the archive storage tier.

These permissions are necessary for users to have the option to transition Amazon EBS resources stored with Amazon Backup to archive storage.

Amazon Backup added the permissions rds:DescribeDBClusterSnapshots and rds:RestoreDBClusterToPointInTime, which are necessary for PITR (point-in-time restores) of Aurora clusters.

AWSServiceRoleForBackupRestoreTesting — Added new service-linked role.

Amazon Backup has added the new service-linked role named AWSServiceRoleForBackupRestoreTesting, which provides backup permissions to conduct restore testing.

This new service-linked role provides Amazon Backup with permissions necessary to conduct restore testing. The permissions include the actions list, read, and write for the following services to be included in restore tests: Aurora, DocumentDB, DynamoDB, Amazon EBS, Amazon EC2, Amazon EFS, FSx for Lustre, FSx for Windows File Server, FSx for ONTAP, FSx for OpenZFS, Amazon Neptune, Amazon RDS, and Amazon S3.

Change tracking has begun for this policy.

November 27, 2023

AWSBackupFullAccess — Added pass role permission to support restore testing.

Amazon Backup added restore-testing.backup.amazonaws.com to IamPassRolePermissions and IamCreateServiceLinkedRolePermissions. This addition is necessary for Amazon Backup to conduct restore tests on behalf of customers.

November 27, 2023

AWSBackupServiceRolePolicyForRestores — Added permissions to support continuous backups and PITR (point-in-time restore) for Amazon Aurora.

Amazon Backup added the permissions rds:DescribeDBClusterSnapshots and rds:RestoreDBClusterToPointInTime, which are necessary for PITR (point-in-time restores) of Aurora clusters.

September 6, 2023

AWSBackupFullAccess — Added new permission to support continuous backups and PITR (point-in-time restore) for Amazon Aurora.

Amazon Backup added the permission rds:DescribeDBClusterAutomatedBackups, which is necessary for continuous backup and point-in-time restore of Aurora clusters.

September 6, 2023

AWSBackupOperatorAccess — Added new permission to support continuous backups and PITR (point-in-time restore) for Amazon Aurora.

Amazon Backup added the permission rds:DescribeDBClusterAutomatedBackups, which is necessary for continuous backup and point-in-time restore of Aurora clusters.

September 6, 2023

AWSBackupServiceRolePolicyForBackup — Added permissions to support continuous backups and PITR (point-in-time restore) for Amazon Aurora.

Amazon Backup added the permission rds:DescribeDBClusterAutomatedBackups. This permission is necessary for Amazon Backup support of continuous backup and point-in-time restore of Aurora clusters.

Amazon Backup added the permission rds:DeleteDBClusterAutomatedBackups to allow the Amazon Backup lifecycle to delete and disassociate Amazon Aurora continuous recovery points when a retention period finishes. This permission is necessary to keep the Aurora recovery point from transitioning into an EXPIRED state.

Amazon Backup added the permission rds:ModifyDBCluster which allows Amazon Backup to interact with Aurora clusters. This addition allows users the ability to enable or disable continuous backups based on desired configurations.

September 6, 2023

AWSBackupFullAccess — Added permission to get Resource Share Associations for new vault type.

Amazon Backup added the action ram:GetResourceShareAssociations to grant the user permission to get resource share associations for new vault type.

Amazon Backup requires this additional permission to interact with Amazon RAM.

August 8, 2023

AWSBackupOperatorAccess — Added permission to get Resource Share Associations for new vault type.

Amazon Backup added the action ram:GetResourceShareAssociations to grant the user permission to get resource share associations for new vault type.

Amazon Backup requires this additional permission to interact with Amazon RAM.

August 8, 2023

AWSBackupServiceRolePolicyForS3Backup — Added new permission to support Amazon S3 backup

Amazon Backup added the permission s3:PutInventoryConfiguration.

Amazon Backup needs this permission to enhance backup performance speeds by using a bucket inventory.

August 1, 2023

AWSBackupServiceRolePolicyForRestores — Added permissions to add tags to resources during a restore job.

Amazon Backup added the following actions to grant the user permissions to add tags to restored resources: storagegateway:AddTagsToResource, elasticfilesystem:TagResource, ec2:CreateTags (only when the ec2:CreateAction condition key is RunInstances or CreateVolume), fsx:TagResource, and cloudformation:TagResource.

These added permissions are necessary for Amazon Backup to add tags to resources during the restore process.

May 22, 2023

AWSBackupAuditAccess — Replaced resource selection

Amazon Backup replaced the resource selection within the API config:DescribeComplianceByConfigRule with a wildcard resource.

This expanded resource selection makes it easier for a user to select a resource with fewer errors.

April 11, 2023

AWSBackupServiceRolePolicyForRestores — Added permissions to support encrypted Amazon Elastic File System restores.

Amazon Backup added the following permission to restore Amazon EFS using a customer managed key: kms:GenerateDataKeyWithoutPlaintext.

This update is necessary to help ensure users have required permissions to restore Amazon EFS resources.

March 27, 2023

AWSServiceRolePolicyForBackupReports — Updated action

Amazon Backup updated the config:DescribeConfigRules and config:DescribeConfigRuleEvaluationStatus actions to allow Amazon Backup Audit Manager to access Amazon Backup Audit Manager-managed Amazon Config rules.

Amazon Backup requires this update to interact with Amazon Config.

March 9, 2023

AWSBackupServiceRolePolicyForS3Restore — Adding new permission for restores involving Amazon KMS encryptions

Amazon Backup added the following permissions: kms:Decrypt, s3:PutBucketOwnershipControls, and s3:GetBucketOwnershipControls to the policy AWSBackupServiceRolePolicyForS3Restore.

These permissions are necessary to support restores of objects when KMS encryption is used in the original backup and for restoring objects when object ownership is configured on the original bucket instead of ACL.

February 13, 2023

AWSBackupFullAccess — Added new permissions to support VMware backup operations

Amazon Backup added the following permissions: backup-gateway:GetHypervisorPropertyMappings, backup-gateway:GetVirtualMachine, backup-gateway:PutHypervisorPropertyMappings, backup-gateway:GetHypervisor, backup-gateway:StartVirtualMachinesMetadataSync, backup-gateway:GetBandwidthRateLimitSchedule, and backup-gateway:PutBandwidthRateLimitSchedule.

These permissions are necessary for Amazon Backup to schedule backups using VMware tags of virtual machines and to support schedule-based bandwidth throttling.

December 15, 2022

AWSBackupOperatorAccess — Added new permissions to support backup operations

Amazon Backup added the following permissions: backup-gateway:GetHypervisorPropertyMappings, backup-gateway:GetVirtualMachine, backup-gateway:GetHypervisor, and backup-gateway:GetBandwidthRateLimitSchedule.

These permissions are necessary for Amazon Backup to schedule backups using VMware tags of virtual machines and to support schedule-based bandwidth throttling.

December 15, 2022

Amazon BackupGatewayServiceRolePolicyForVirtualMachineMetadataSync — Added new policy with permissions to support Amazon Backup Gateway sync with virtual machines.

Amazon Backup introduced this policy, and within it, the following permissions: backup-gateway:ListTagsForResource, backup-gateway:TagResource, and backup-gateway:UntagResource.

These permissions are necessary for Amazon Backup Gateway to sync the metadata of virtual machines in on-premises networks with Backup Gateway.

December 15, 2022

AWSBackupFullAccess — Added permissions to allow Amazon Backup to support Amazon Redshift resources.

Amazon Backup added the following permissions: redshift:DescribeClusters, redshift:DescribeClusterSubnetGroups, redshift:DescribeNodeConfigurationOptions, redshift:DescribeOrderableClusterOptions, redshift:DescribeClusterParameterGroups, redshift:DescribeClusterTracks, redshift:DescribeSnapshotSchedules, and ec2:DescribeAddresses.

These permissions are necessary for Amazon Backup to utilize Amazon Redshift resources.

November 27, 2022

AWSBackupOperatorAccess — Added permissions for Amazon Backup to support Amazon Redshift resources.

Amazon Backup added the following permissions: redshift:DescribeClusters, redshift:DescribeClusterSubnetGroups, redshift:DescribeNodeConfigurationOptions, redshift:DescribeOrderableClusterOptions, redshift:DescribeClusterParameterGroups, redshift:DescribeClusterTracks, redshift:DescribeSnapshotSchedules, and ec2:DescribeAddresses.

These permissions are necessary for Amazon Backup to utilize Amazon Redshift resources.

November 27, 2022

AWSBackupServiceRolePolicyForRestores — Added permissions to allow Amazon Backup to access Amazon Redshift resources.

Amazon Backup added the following permissions: redshift:RestoreFromClusterSnapshot, redshift:RestoreTableFromClusterSnapshot, redshift:DescribeClusters, and redshift:DescribeTableRestoreStatus.

Amazon Backup needs these permissions for its support of Amazon Redshift restore jobs.

November 27, 2022

AWSBackupServiceRolePolicyForBackup — Added permissions to allow Amazon Backup to access Amazon Redshift resources.

Amazon Backup added the following permissions: redshift:CreateClusterSnapshot, redshift:DescribeClusterSnapshots, redshift:DescribeTags, redshift:DeleteClusterSnapshot, redshift:DescribeClusters, and redshift:CreateTags.

Amazon Backup needs these permissions for its support of Amazon Redshift backup jobs.

November 27, 2022

AWSBackupFullAccess — Added permission to allow Amazon Backup to support Amazon CloudFormation resources.

Amazon Backup added the following permission: cloudformation:ListStacks. This permission is necessary for Backup to support CloudFormation resources.

November 27, 2022

AWSBackupOperatorAccess — Added permission to allow Amazon Backup to support Amazon CloudFormation resources.

Amazon Backup added the following permission: cloudformation:ListStacks. This permission is necessary for Backup to support CloudFormation resources.

November 27, 2022

AWSBackupServiceLinkedRolePolicyForBackup — Added permissions to allow Amazon Backup to support Amazon CloudFormation resources.

Amazon Backup added the following permissions: redshift:DescribeClusterSnapshots, redshift:DescribeTags, redshift:DeleteClusterSnapshot, and redshift:DescribeClusters.

These permissions are necessary for Backup to support CloudFormation resources.

November 27, 2022

AWSBackupServiceRolePolicyForBackup — Added permissions to allow Amazon Backup to access Amazon CloudFormation resources.

Amazon Backup added the following permissions: cloudformation:GetTemplate, cloudformation:DescribeStacks, and cloudformation:ListStackResources.

These permissions are necessary for Amazon Backup to support Amazon CloudFormation application stack backup jobs.

November 16, 2022

AWSBackupServiceRolePolicyForRestores — Added permissions to allow Amazon Backup to access Amazon CloudFormation resources.

Amazon Backup added the following permissions: cloudformation:CreateChangeSet and cloudformation:DescribeChangeSet.

These permissions are necessary for Amazon Backup to support Amazon CloudFormation application stack restore jobs.

November 16, 2022

AWSBackupOrganizationAdminAccess — Amazon Backup added permissions to this policy for Delegated Administrator functions.

Amazon Backup added the following permissions to this policy: organizations:ListDelegatedAdministrator, organizations:RegisterDelegatedAdministrator, and organizations:DeregisterDelegatedAdministrator.

These permissions are necessary to allow organization administrators to use the Delegated Administrator feature.

November 27, 2022

AWSBackupServiceRolePolicyForS3Backup — Added new permission to support Amazon S3 backup

Amazon Backup added the permission s3:GetBucketAcl.

Amazon Backup needs this permission for backup operations of Amazon Backup for S3.

August 24, 2022

AWSBackupServiceRolePolicyForRestores — Added access for Amazon RDS restore jobs.

Amazon Backup added the following action to grant access to create a database instance: rds:CreateDBInstance.

Amazon Backup needed this permission for its support of Amazon RDS multi-Availability Zone (Multi-AZ) functionality.

July 20, 2022

AWSBackupServiceLinkedRolePolicyForBackup — Added permission to support Amazon S3 backup

Amazon Backup added the s3:GetBucketTagging permission to grant the user permission to select buckets to back up with a resource wildcard. Without this permission, users who select which buckets to back up with a resource wildcard will be unsuccessful.

Amazon Backup needed that permission for its support of Amazon S3 data.

May 6, 2022

AWSBackupServiceRolePolicyForBackup — Added new permissions to support FSx for ONTAP volume level backup.

Amazon Backup added volume resources to the scope of the existing fsx:CreateBackup and fsx:ListTagsForResource actions, and added the new action fsx:DescribeVolumes to support FSx for ONTAP volume-level backups.

Amazon Backup needed this permission for its support of FSx for ONTAP.

April 27, 2022

AWSBackupServiceRolePolicyForRestores — Added permissions to support restoring FSx for ONTAP volumes.

Amazon Backup added the following actions to grant users permissions to restore FSx for ONTAP volumes: fsx:DescribeVolumes, fsx:CreateVolumeFromBackup, fsx:DeleteVolume, and fsx:UntagResource.

Amazon Backup needed this permission for its support of FSx for ONTAP.

April 27, 2022

AWSBackupServiceRolePolicyForS3Backup — Added new permissions to support Amazon S3 backup

Amazon Backup added the following actions to grant the user permissions to receive notifications of changes to their Amazon S3 buckets during backup operations: s3:GetBucketNotification and s3:PutBucketNotification.

Amazon Backup needed those permissions for its support of Amazon S3 data.

February 25, 2022

AWSBackupServiceRolePolicyForS3Backup — Added new Amazon Managed Policy to support Amazon S3 backup

In the new AWSBackupServiceRolePolicyForS3Backup Amazon Managed Policy, Amazon Backup added the following actions to grant the user permissions to back up their Amazon S3 buckets: s3:GetInventoryConfiguration, s3:PutInventoryConfiguration, s3:ListBucketVersions, s3:ListBucket, s3:GetBucketTagging, s3:GetBucketVersioning, s3:GetBucketNotification, s3:GetBucketLocation, and s3:ListAllMyBuckets.

Amazon Backup added the following actions to grant the user permissions to back up their Amazon S3 objects: s3:GetObject, s3:GetObjectAcl, s3:GetObjectVersionTagging, s3:GetObjectVersionAcl, s3:GetObjectTagging, and s3:GetObjectVersion.

Amazon Backup added the following actions to grant the user permissions to back up their encrypted Amazon S3 data: kms:Decrypt and kms:DescribeKey.

Amazon Backup added the following actions to grant the user permissions to take incremental backups of their Amazon S3 data using Amazon EventBridge rules: events:DescribeRule, events:EnableRule, events:PutRule, events:DeleteRule, events:PutTargets, events:RemoveTargets, events:ListTargetsByRule, events:DisableRule, cloudwatch:GetMetricData, and events:ListRules.

Amazon Backup needed those permissions for its support of Amazon S3 data.

February 17, 2022

AWSBackupServiceRolePolicyForS3Restore — Added new Amazon Managed Policy to support Amazon S3 restore

In the new AWSBackupServiceRolePolicyForS3Restore Amazon Managed Policy, Amazon Backup added the following actions to grant the user permissions to restore their Amazon S3 buckets: s3:CreateBucket, s3:ListBucketVersions, s3:ListBucket, s3:GetBucketVersioning, s3:GetBucketLocation, and s3:PutBucketVersioning.

Amazon Backup added the following actions to grant the user permissions to restore their Amazon S3 buckets: s3:GetObject, s3:GetObjectVersion, s3:DeleteObject, s3:PutObjectVersionAcl, s3:GetObjectVersionAcl, s3:GetObjectTagging, s3:PutObjectTagging, s3:GetObjectAcl, s3:PutObjectAcl, s3:PutObject, and s3:ListMultipartUploadParts.

Amazon Backup added the following actions to grant the user permissions to encrypt their restored Amazon S3 data: kms:Decrypt, kms:DescribeKey, and kms:GenerateDataKey.

Amazon Backup needed those permissions for its support of Amazon S3 data.

February 17, 2022

AWSBackupServiceLinkedRolePolicyForBackup — Added permission to support Amazon S3 backup

Amazon Backup added s3:ListAllMyBuckets to grant the user permissions to view a list of their buckets and choose which ones to assign to a backup plan.

Amazon Backup needed that permission for its support of Amazon S3 data.

February 14, 2022

AWSBackupServiceLinkedRolePolicyForBackup — Added permission to list Amazon Backup Gateway resources

Amazon Backup added backup-gateway:ListVirtualMachines to grant the user permissions to view a list of their virtual machines and choose which ones to assign to a backup plan.

Amazon Backup also added backup-gateway:ListTagsForResource to grant the user permissions to list the tags for their virtual machines.

Amazon Backup needed these permissions for its support of virtual machines, which launched November 30, 2021.

November 30, 2021

AWSBackupServiceRolePolicyForBackup — Added permissions to back up virtual machines

Amazon Backup added backup-gateway:Backup to grant the user permissions to restore their virtual machine backups. Amazon Backup also added backup-gateway:ListTagsForResource to grant the user permissions to list the tags assigned to their virtual machine backups.

Amazon Backup needed this permission for its support of virtual machines, which launched November 30, 2021.

November 30, 2021

AWSBackupServiceRolePolicyForRestores — Added permission to restore virtual machines

Amazon Backup added backup-gateway:Restore to grant the user permissions to restore their virtual machine backups.

Amazon Backup needed this permission for its support of virtual machines, which launched November 30, 2021.

November 30, 2021

AWSBackupFullAccess — Added permission to work with virtual machines

Amazon Backup added the following actions to grant the users permissions to use Amazon Backup Gateway to back up, restore, and manage their virtual machines: backup-gateway:AssociateGatewayToServer, backup-gateway:CreateGateway, backup-gateway:DeleteGateway, backup-gateway:DeleteHypervisor, backup-gateway:DisassociateGatewayFromServer, backup-gateway:ImportHypervisorConfiguration, backup-gateway:ListGateways, backup-gateway:ListHypervisors, backup-gateway:ListTagsForResource, backup-gateway:ListVirtualMachines, backup-gateway:PutMaintenanceStartTime, backup-gateway:TagResource, backup-gateway:TestHypervisorConfiguration, backup-gateway:UntagResource, backup-gateway:UpdateGatewayInformation, and backup-gateway:UpdateHypervisor.

Amazon Backup needed this permission for its support of Amazon Backup Gateway, which launched November 30, 2021.

November 30, 2021

AWSBackupOperatorAccess — Added permission to list Amazon Backup Gateway resources

Amazon Backup added the following actions to grant the user permissions to back up their virtual machines: backup-gateway:ListGateways, backup-gateway:ListHypervisors, backup-gateway:ListTagsForResource, and backup-gateway:ListVirtualMachines.

Amazon Backup needed this permission for its support of virtual machines, which launched November 30, 2021.

November 30, 2021

AWSBackupServiceLinkedRolePolicyForBackup — Added permission to back up Amazon DynamoDB tables

Amazon Backup added dynamodb:ListTagsOfResource to grant the user permissions to list tags of their DynamoDB tables to back up using Amazon Backup's advanced DynamoDB backup features.

Amazon Backup needed this permission for its advanced DynamoDB backup features, which launched November 23, 2021.

November 23, 2021

AWSBackupServiceRolePolicyForBackup — Added permissions to back up Amazon DynamoDB tables

Amazon Backup added dynamodb:StartAwsBackupJob to grant the user permissions to back up their DynamoDB tables using advanced backup features.

Amazon Backup also added dynamodb:ListTagsOfResource to grant the user permissions to copy tags from their source DynamoDB tables to their backups.

Amazon Backup needed these permissions for its advanced DynamoDB backup features, which launched November 23, 2021.

November 23, 2021

AWSBackupServiceLinkedRolePolicyForRestores — Added permissions to restore Amazon DynamoDB tables

Amazon Backup added dynamodb:RestoreTableFromAwsBackup to grant the user permissions to restore their DynamoDB tables backed up using Amazon Backup's advanced DynamoDB backup features.

Amazon Backup needed this permission to restore backups created using Amazon Backup's advanced DynamoDB features, which launched November 23, 2021.

November 23, 2021

AWSBackupServiceRolePolicyForRestores — Added permissions to restore Amazon DynamoDB tables

Amazon Backup added dynamodb:RestoreTableFromAwsBackup to grant the user permissions to restore their DynamoDB tables backed up using Amazon Backup's advanced DynamoDB backup features.

Amazon Backup needed this permission to restore backups created using Amazon Backup's advanced DynamoDB features, which launched November 23, 2021.

November 23, 2021

AWSBackupOperatorAccess — Removed redundant actions

Amazon Backup removed the existing actions backup:GetRecoveryPointRestoreMetadata and rds:DescribeDBSnapshots because they were redundant.

Amazon Backup did not need both backup:GetRecoveryPointRestoreMetadata and backup:Get* as part of the AWSBackupOperatorAccess Amazon Managed Policy. Also, Amazon Backup did not need both rds:DescribeDBSnapshots and rds:describeDBSnapshots as part of the AWSBackupOperatorAccess Amazon Managed Policy.

November 23, 2021

AWSBackupServiceLinkedRolePolicyForBackup — Added permissions to support fine-grained resource assignments to backup plans

Amazon Backup added the new actions elasticfilesystem:DescribeFileSystems, dynamodb:ListTables, storagegateway:ListVolumes, ec2:DescribeVolumes, ec2:DescribeInstances, rds:DescribeDBInstances, rds:DescribeDBClusters, and fsx:DescribeFileSystems to allow customers to view and choose from a list of their Amazon Backup-supported resources when selecting which resources to assign to a backup plan.

Amazon Backup needed these permissions to give customers additional, flexible ways to assign their resources to their backup plans.

November 10, 2021

AWSBackupAuditAccess — Added new policy

Amazon Backup added AWSBackupAuditAccess to grant the user permissions to use Amazon Backup Audit Manager. Permissions include the ability to configure compliance frameworks and generate reports.

Amazon Backup needed this permission for Amazon Backup Audit Manager, which launched August 24, 2021.

August 24, 2021

AWSServiceRolePolicyForBackupReports — Added new policy

Amazon Backup added AWSServiceRolePolicyForBackupReports to grant permissions for a service-linked role to automate the monitoring of backup settings, jobs, and resources for compliance with frameworks configured by the user.

Amazon Backup needed this permission for Amazon Backup Audit Manager, which launched August 24, 2021.

August 24, 2021

AWSBackupFullAccess — Added permission to create service-linked role

Amazon Backup added iam:CreateServiceLinkedRole to create a service-linked role (on a best-effort basis) to automate the deletion of expired recovery points for you. Without this service-linked role, Amazon Backup cannot delete expired recovery points after customers delete the original IAM role they used to create their recovery points.

Amazon Backup needed this permission as part of the DeleteRecoveryPoint API operation.

July 5, 2021

AWSBackupServiceLinkedRolePolicyForBackup — Added permission to support deletion of DynamoDB recovery points

Amazon Backup added the new action dynamodb:DeleteBackup to grant DeleteRecoveryPoint permission to automate the deletion of expired DynamoDB recovery points based on your backup plan lifecycle settings.

Amazon Backup needed this permission to delete DynamoDB tables as part of the DeleteRecoveryPoint API operation.

July 5, 2021

AWSBackupOperatorAccess — Removed redundant actions

Amazon Backup removed the existing actions backup:GetRecoveryPointRestoreMetadata and rds:DescribeDBSnapshots because they were redundant.

Amazon Backup did not need both backup:GetRecoveryPointRestoreMetadata and backup:Get* as part of the AWSBackupOperatorAccess Amazon Managed Policy. Also, Amazon Backup did not need both rds:DescribeDBSnapshots and rds:describeDBSnapshots as part of the AWSBackupOperatorAccess Amazon Managed Policy.

May 25, 2021

AWSBackupOperatorPolicy — Removed redundant actions

Amazon Backup removed the existing actions backup:GetRecoveryPointRestoreMetadata and rds:DescribeDBSnapshots because they were redundant.

Amazon Backup did not need both backup:GetRecoveryPointRestoreMetadata and backup:Get* as part of the AWSBackupOperatorPolicy Amazon Managed Policy. Also, Amazon Backup did not need both rds:DescribeDBSnapshots and rds:describeDBSnapshots as part of the AWSBackupOperatorPolicy Amazon Managed Policy.

May 25, 2021

AWSBackupServiceRolePolicyForRestores — Added permission to apply tags to Amazon FSx restores

Amazon Backup added the new action fsx:TagResource to grant StartRestoreJob permission to allow you to apply tags to Amazon FSx file systems during the restore process.

Amazon Backup needed this permission to apply tags to Amazon FSx file systems as part of the StartRestoreJob API operation.

May 24, 2021

AWSBackupServiceRolePolicyForRestores — Added permission to perform Amazon EC2 restores

Amazon Backup added the new actions ec2:DescribeImages and ec2:DescribeInstances to grant StartRestoreJob permission to allow you to restore Amazon EC2 instances from recovery points.

Amazon Backup needed this permission to restore Amazon EC2 instances from recovery points as part of the StartRestoreJob API operation.

May 24, 2021

AWSBackupServiceRolePolicyForBackup — Added permission to perform Amazon FSx cross-Region and cross-account copies

Amazon Backup added the new action fsx:CopyBackup to grant StartCopyJob permission to allow you to copy Amazon FSx recovery points across Regions and accounts.

Amazon Backup needed this permission to copy Amazon FSx recovery points across Regions and accounts as part of the StartCopyJob API operation.

April 12, 2021

AWSBackupServiceLinkedRolePolicyForBackup — Added permission to perform Amazon FSx cross-Region and cross-account copies

Amazon Backup added the new action fsx:CopyBackup to grant StartCopyJob permission to allow you to copy Amazon FSx recovery points across Regions and accounts.

Amazon Backup needed this permission to copy Amazon FSx recovery points across Regions and accounts as part of the StartCopyJob API operation.

April 12, 2021

AWSBackupServiceRolePolicyForBackup — Added permissions to support encrypted DynamoDB table backup

Amazon Backup updated its Amazon managed policies to comply with the following requirement:

For Amazon Backup to create a backup of an encrypted DynamoDB table, you must add the permissions kms:Decrypt and kms:GenerateDataKey to the IAM role used for backup.

March 10, 2021

AWSBackupFullAccess — Added permissions to support Amazon RDS continuous backups and point-in-time restore

Amazon Backup updated its Amazon managed policy to comply with the following requirements:

To use Amazon Backup to configure continuous backups for your Amazon RDS database, verify that the API permission rds:ModifyDBInstance exists in the IAM role defined by your backup plan configuration.

To restore Amazon RDS continuous backups, you must add the permission rds:RestoreDBInstanceToPointInTime to the IAM role you submitted for the restore job.

In the Amazon Backup console, to describe the range of times available for point-in-time recovery, you must include the rds:DescribeDBInstanceAutomatedBackups API permission in your IAM-managed policy.

March 10, 2021
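Several entries above state requirements of the same shape: a feature works only if a named action is allowed in the role attached to the backup plan or restore job (the kms:Decrypt and kms:GenerateDataKey requirement for encrypted DynamoDB tables, the rds:ModifyDBInstance, rds:RestoreDBInstanceToPointInTime and rds:DescribeDBInstanceAutomatedBackups requirements for continuous RDS backups), and the AWSBackupOperatorAccess entries explain that an action is redundant when a wildcard such as backup:Get* already covers it or when a second spelling differs only in case. The following checker, added here as an example and not code from the Amazon Backup documentation or any Amazon library, lints a customer managed policy document for both problems before it is attached to a role. It models only the action-name part of IAM evaluation (case-insensitive comparison, * and ? wildcards, explicit Deny overriding Allow) and deliberately ignores Resource, Condition and NotAction, on the assumption that, like the managed policies on this page, the role uses "Resource": "*". The sample policy and the REQUIRED_ACTIONS table are constructed from the entries above; the feature names are labels of this example, not Amazon identifiers.

```python
"""Lint an IAM policy document for missing and redundant actions.

Added example, not code from the Amazon Backup documentation or from any
Amazon library. Only the action-name part of IAM evaluation is modelled:
action names compare case-insensitively, '*' and '?' in a policy entry are
wildcards, an explicit Deny wins over Allow. Resource, Condition and
NotAction are ignored (assumption: the checked role uses "Resource": "*").
"""
import json
import re

# Actions that the change-log entries on this page say each feature requires.
# The feature names are labels used by this example only.
REQUIRED_ACTIONS = {
    "rds-continuous-backup": ["rds:ModifyDBInstance"],
    "rds-point-in-time-restore": [
        "rds:RestoreDBInstanceToPointInTime",
        "rds:DescribeDBInstanceAutomatedBackups",
    ],
    "dynamodb-encrypted-backup": ["kms:Decrypt", "kms:GenerateDataKey"],
}

# Constructed sample policy for a backup-plan role (not a real Amazon policy).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "backup:Get*",
        "backup:GetRecoveryPointRestoreMetadata",
        "rds:DescribeDBSnapshots",
        "rds:describeDBSnapshots",
        "rds:ModifyDBInstance",
        "kms:Decrypt"
      ],
      "Resource": "*"
    },
    { "Effect": "Deny", "Action": "kms:GenerateDataKey", "Resource": "*" }
  ]
}
""")


def _pattern_to_regex(pattern):
    """Turn an IAM action pattern into a regex: '*' any run, '?' one char, no case."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$", re.IGNORECASE)


def action_matches(pattern, action):
    """True if the policy entry `pattern` covers the concrete `action`."""
    return _pattern_to_regex(pattern).match(action) is not None


def _action_patterns(policy, effect):
    """All Action entries of statements with the given Effect, in document order."""
    patterns = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != effect or "Action" not in stmt:
            continue
        acts = stmt["Action"]
        patterns.extend([acts] if isinstance(acts, str) else acts)
    return patterns


def action_allowed(policy, action):
    """True if an Allow entry matches and no Deny entry matches the action."""
    if any(action_matches(p, action) for p in _action_patterns(policy, "Deny")):
        return False
    return any(action_matches(p, action) for p in _action_patterns(policy, "Allow"))


def missing_actions(policy, feature):
    """Required actions for `feature` that the policy does not effectively allow."""
    return [a for a in REQUIRED_ACTIONS[feature] if not action_allowed(policy, a)]


def redundant_actions(policy):
    """(entry, covered_by) pairs: case-only duplicates and entries a wildcard already implies."""
    patterns = _action_patterns(policy, "Allow")
    seen = {}  # lower-cased entry -> first spelling seen
    result = []
    for i, entry in enumerate(patterns):
        key = entry.lower()
        if key in seen:
            result.append((entry, seen[key]))
            continue
        seen[key] = entry
        for j, other in enumerate(patterns):
            if i != j and "*" in other and other.lower() != key and action_matches(other, entry):
                result.append((entry, other))
                break
    return result


if __name__ == "__main__":
    for feature in REQUIRED_ACTIONS:
        print(feature, "missing:", missing_actions(SAMPLE_POLICY, feature))
    print("redundant:", redundant_actions(SAMPLE_POLICY))
```

Run against the constructed policy, the checker reports that the point-in-time restore actions are absent, that kms:GenerateDataKey is missing because the Deny statement overrides the role's other grants, and that backup:GetRecoveryPointRestoreMetadata and rds:describeDBSnapshots are redundant for exactly the reasons the AWSBackupOperatorAccess entries give. Because Resource, Condition, permissions boundaries and service control policies are not evaluated, treat the result as a pre-deployment lint rather than a substitute for testing the role with the IAM policy simulator.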

Amazon Backup started tracking changes

Amazon Backup started tracking changes for its Amazon-managed policies.

March 10, 2021