Managed policies for Amazon Backup
Managed policies are standalone identity-based policies that you can attach to multiple users, groups, and roles in your Amazon Web Services account. When you attach a policy to a principal entity, you give the entity the permissions that are defined in the policy.
Amazon managed policies are created and administered by Amazon. You can't change the permissions defined in Amazon managed policies. If Amazon updates the permissions defined in an Amazon managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to.
Customer managed policies give you fine-grained controls to set access to backups in Amazon Backup. For example, you can use them to give your database backup administrator access to Amazon RDS backups but not Amazon EFS ones.
For more information, see Managed policies in the IAM User Guide.
Customer managed policies
The following sections describe the recommended backup and restore permissions for the Amazon Web Services services and third-party applications supported by Amazon Backup. You can use the existing Amazon managed policies as a model as you create your own policy documents, and then customize them to further restrict access to your Amazon resources.
Backup
Start with the following statements from AWSBackupServiceRolePolicyForBackup:
DynamoDBBackupPermissions
RDSClusterModifyPermissions
GetResourcesPermissions
BackupVaultPermissions
KMSPermissions
Restore
Start with the RDSPermissions statement from AWSBackupServiceRolePolicyForRestores.
Backup
Start with the following statements from AWSBackupServiceRolePolicyForBackup:
DynamoDBPermissions
DynamoDBBackupResourcePermissions
DynamodbBackupPermissions
KMSDynamoDBPermissions
Restore
Start with the following statements from AWSBackupServiceRolePolicyForRestores:
DynamoDBPermissions
DynamoDBBackupResourcePermissions
DynamoDBRestorePermissions
KMSPermissions
Backup
Start with the following statements from AWSBackupServiceRolePolicyForBackup:
EBSResourcePermissions
EBSTagAndDeletePermissions
EBSCopyPermissions
EBSSnapshotTierPermissions
GetResourcesPermissions
BackupVaultPermissions
Restore
Start with the EBSPermissions statement from AWSBackupServiceRolePolicyForRestores.
Add the following statement.
```json
{
  "Effect": "Allow",
  "Action": [
    "ec2:DescribeSnapshots",
    "ec2:DescribeVolumes"
  ],
  "Resource": "*"
}
```
Backup
Start with the following statements from AWSBackupServiceRolePolicyForBackup:
EBSCopyPermissions
EC2CopyPermissions
EC2Permissions
EC2TagPermissions
EC2ModifyPermissions
EBSResourcePermissions
GetResourcesPermissions
BackupVaultPermissions
Restore
Start with the following statements from AWSBackupServiceRolePolicyForRestores:
EBSPermissions
EC2DescribePermissions
EC2RunInstancesPermissions
EC2TerminateInstancesPermissions
EC2CreateTagsPermissions
Add the following statement, replacing account-id and role-name with your own values.
```json
{
  "Effect": "Allow",
  "Action": "iam:PassRole",
  "Resource": "arn:aws:iam::account-id:role/role-name"
}
```
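As an added example (not code from the AWS documentation or from the Amazon Backup service), the following Python assembles a customer managed policy the way this page describes: copy named statements out of a managed policy document, then append the iam:PassRole statement scoped to one role ARN. MANAGED_POLICY is a constructed stand-in carrying only a few actions under the Sids this page names, and the account id and role name are placeholders.

```python
import json

# Constructed stand-in for a managed policy document (the real
# AWSBackupServiceRolePolicyForRestores is far larger); only the Sids matter here.
MANAGED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EBSPermissions", "Effect": "Allow",
         "Action": ["ec2:CreateVolume", "ec2:DeleteVolume"], "Resource": "*"},
        {"Sid": "EC2DescribePermissions", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeSnapshots"], "Resource": "*"},
        {"Sid": "RDSPermissions", "Effect": "Allow",
         "Action": "rds:RestoreDBInstanceFromDBSnapshot", "Resource": "*"},
    ],
}


def pick_statements(policy, sids):
    """Copy the statements with the given Sids. A missing Sid raises rather than
    silently yielding a thinner policy: managed policies are revised over time
    (see the update table) and a Sid you relied on may have been renamed."""
    by_sid = {s.get("Sid"): s for s in policy["Statement"]}
    missing = [sid for sid in sids if sid not in by_sid]
    if missing:
        raise KeyError(f"statements not found in managed policy: {missing}")
    return [dict(by_sid[sid]) for sid in sids]


def pass_role_statement(account_id, role_name):
    """The iam:PassRole statement this page adds for EC2 restores, scoped to the
    one role the launched instance will use instead of Resource '*'."""
    return {"Effect": "Allow", "Action": "iam:PassRole",
            "Resource": f"arn:aws:iam::{account_id}:role/{role_name}"}


def build_policy(policy, sids, extra=()):
    """Assemble the customer managed policy document."""
    return {"Version": "2012-10-17",
            "Statement": pick_statements(policy, sids) + list(extra)}


def allowed_actions(policy):
    """Flatten every Allow action so the assembled grant can be reviewed at a glance."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow":
            act = stmt["Action"]
            actions.update([act] if isinstance(act, str) else act)
    return actions


if __name__ == "__main__":
    # Account id and role name below are placeholders, not real identifiers.
    doc = build_policy(MANAGED_POLICY, ["EBSPermissions", "EC2DescribePermissions"],
                       [pass_role_statement("123456789012", "ec2-restore-role")])
    print(json.dumps(doc, indent=2))
```

Feed it the real document from `aws iam get-policy-version` and the same Sid list this page gives for your resource type; the KeyError is the signal that the managed policy has changed under you.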
Backup
Start with the following statements from AWSBackupServiceRolePolicyForBackup:
EFSPermissions
GetResourcesPermissions
BackupVaultPermissions
Restore
Start with the EFSPermissions statement from AWSBackupServiceRolePolicyForRestores.
Backup
Start with the following statements from AWSBackupServiceRolePolicyForBackup:
FsxBackupPermissions
FsxCreateBackupPermissions
FsxPermissions
FsxVolumePermissions
FsxListTagsPermissions
FsxDeletePermissions
FsxResourcePermissions
KMSPermissions
Restore
Start with the following statements from AWSBackupServiceRolePolicyForRestores:
FsxPermissions
FsxTagPermissions
FsxBackupPermissions
FsxDeletePermissions
FsxDescribePermissions
FsxVolumeTagPermissions
FsxBackupTagPermissions
FsxVolumePermissions
DSPermissions
KMSDescribePermissions
Backup
Start with the following statements from AWSBackupServiceRolePolicyForBackup:
DynamoDBBackupPermissions
RDSClusterModifyPermissions
GetResourcesPermissions
BackupVaultPermissions
KMSPermissions
Restore
Start with the RDSPermissions statement from AWSBackupServiceRolePolicyForRestores.
Backup
Start with the following statements from AWSBackupServiceRolePolicyForBackup:
DynamoDBBackupPermissions
RDSBackupPermissions
RDSClusterModifyPermissions
GetResourcesPermissions
BackupVaultPermissions
KMSPermissions
Restore
Start with the RDSPermissions statement from AWSBackupServiceRolePolicyForRestores.
Backup
Start with AWSBackupServiceRolePolicyForS3Backup.
Add the BackupVaultPermissions and BackupVaultCopyPermissions statements if you need to copy backups to a different account.
Restore
Start with AWSBackupServiceRolePolicyForS3Restore.
Backup
Start with the following statements from AWSBackupServiceRolePolicyForBackup:
StorageGatewayPermissions
EBSTagAndDeletePermissions
GetResourcesPermissions
BackupVaultPermissions
Add the following statement.
```json
{
  "Effect": "Allow",
  "Action": [
    "ec2:DescribeSnapshots"
  ],
  "Resource": "*"
}
```
Restore
Start with the following statements from AWSBackupServiceRolePolicyForRestores:
StorageGatewayVolumePermissions
StorageGatewayGatewayPermissions
StorageGatewayListPermissions
Backup
Start with the BackupGatewayBackupPermissions statement from AWSBackupServiceRolePolicyForBackup.
Restore
Start with the GatewayRestorePermissions statement from AWSBackupServiceRolePolicyForRestores.
Encrypted backup
To restore an encrypted backup, do one of the following:
- Add your role to the allowlist for the Amazon KMS key policy
- Add the following statements from AWSBackupServiceRolePolicyForRestores to your IAM role for restores:
  KMSDescribePermissions
  KMSPermissions
  KMSCreateGrantPermissions
Policy updates for Amazon Backup
View details about updates to Amazon managed policies for Amazon Backup since this service began tracking these changes.
Change | Description | Date |
---|---|---|
AWSBackupServiceRolePolicyForBackup – Update to an existing policy | Amazon Backup added permission The permission is necessary to obtain tagging permissions during the creation of a recovery point. | May 17, 2024 |
AWSBackupServiceRolePolicyForS3Backup – Update to an existing policy | Amazon Backup added permission The permission is necessary to obtain tagging permissions during the creation of a recovery point. | May 17, 2024 |
AWSBackupServiceLinkedRolePolicyForBackup – Update to an existing policy | Amazon Backup added permission The permission is necessary to obtain tagging permissions during the creation of a recovery point. | May 17, 2024 |
AWSBackupServiceRolePolicyForBackup – Update to an existing policy | Added the permission This permission is necessary for Amazon Backup to support continuous backup and point-in-time restore of Amazon RDS instances. | May 1, 2024 |
AWSBackupFullAccess – Update to an existing policy | Amazon Backup updated the Amazon Resource Name (ARN) in permission | May 1, 2024 |
AWSBackupOperatorAccess – Update to an existing policy | Amazon Backup updated the Amazon Resource Name (ARN) in permission | May 1, 2024 |
AWSServiceRolePolicyForBackupRestoreTesting – Update to an existing policy | Added the following permissions to describe and list recovery points and protected resources in order to conduct restore testing plans: Added the permission Added the permission Added the following permissions to support restore testing of Amazon Redshift backups: Added the permission | February 14, 2024 |
AWSBackupServiceRolePolicyForRestores – Update to an existing policy | Added the permissions These permissions are necessary for users to have the option to restore Amazon EBS resources stored with Amazon Backup from archive storage. For EC2 instance restores, you must also include permissions as shown in the following policy statement to launch the EC2 instance: | November 27, 2023 |
AWSBackupServiceRolePolicyForBackup – Update to an existing policy | Added the permissions These permissions are necessary for users to have the option to transition Amazon EBS resources stored with Amazon Backup to archive storage. | November 27, 2023 |
AWSBackupServiceLinkedRolePolicyForBackup – Update to an existing policy | Added the permissions These permissions are necessary for users to have the option to transition Amazon EBS resources stored with Amazon Backup to archive storage. Added the permissions | |
AWSServiceRolePolicyForBackupRestoreTesting – New policy | Provides the permissions necessary to conduct restore testing. The permissions include the actions | November 27, 2023 |
AWSBackupFullAccess – Update to an existing policy | Added | November 27, 2023 |
AWSBackupServiceRolePolicyForRestores – Update to an existing policy | Added the permissions | September 6, 2023 |
AWSBackupFullAccess – Update to an existing policy | Added the permission | September 6, 2023 |
AWSBackupOperatorAccess – Update to an existing policy | Added the permission | September 6, 2023 |
AWSBackupServiceRolePolicyForBackup – Update to an existing policy | Added the permission Added the permission Added the permission | September 6, 2023 |
AWSBackupFullAccess – Update to an existing policy | Added the action | August 8, 2023 |
AWSBackupOperatorAccess – Update to an existing policy | Added the action | August 8, 2023 |
AWSBackupServiceRolePolicyForS3Backup – Update to an existing policy | Added the permission | August 1, 2023 |
AWSBackupServiceRolePolicyForRestores – Update to an existing policy | Added the following actions to grant the user permissions to add tags to restore resources: | May 22, 2023 |
AWSBackupAuditAccess – Update to an existing policy | Replaced the resource selection within the API | April 11, 2023 |
AWSBackupServiceRolePolicyForRestores – Update to an existing policy | Added the following permission to restore Amazon EFS using a customer managed key: | March 27, 2023 |
AWSServiceRolePolicyForBackupReports – Update to an existing policy | Updated the | March 9, 2023 |
AWSBackupServiceRolePolicyForS3Restore – Update to an existing policy | Added the following permissions: | February 13, 2023 |
AWSBackupFullAccess – Update to an existing policy | Added the following permissions to schedule backups using VMware tags of virtual machines and to support schedule-based bandwidth throttling: | December 15, 2022 |
AWSBackupOperatorAccess – Update to an existing policy | Added the following permissions to schedule backups using VMware tags of virtual machines and to support schedule-based bandwidth throttling: | December 15, 2022 |
AWSBackupGatewayServiceRolePolicyForVirtualMachineMetadataSync – New policy | Provides permissions for Amazon Backup Gateway to sync the metadata of virtual machines in on-premises networks with Backup Gateway. | December 15, 2022 |
AWSBackupFullAccess – Update to an existing policy | Added the following permissions to support Amazon Redshift resources: | November 27, 2022 |
AWSBackupOperatorAccess – Update to an existing policy | Added the following permissions to support Amazon Redshift resources: | November 27, 2022 |
AWSBackupServiceRolePolicyForRestores – Update to an existing policy | Added the following permissions to support Amazon Redshift restore jobs: | November 27, 2022 |
AWSBackupServiceRolePolicyForBackup – Update to an existing policy | Added the following permissions to support Amazon Redshift backup jobs: | November 27, 2022 |
AWSBackupFullAccess – Update to an existing policy | Added the following permission to support CloudFormation resources: | November 27, 2022 |
AWSBackupOperatorAccess – Update to an existing policy | Added the following permission to support CloudFormation resources: | November 27, 2022 |
AWSBackupServiceLinkedRolePolicyForBackup – Update to an existing policy | Added the following permissions to support CloudFormation resources: | November 27, 2022 |
AWSBackupServiceRolePolicyForBackup – Update to an existing policy | Added the following permissions to support Amazon CloudFormation application stack backup jobs: | November 16, 2022 |
AWSBackupServiceRolePolicyForRestores – Update to an existing policy | Added the following permissions to support Amazon CloudFormation application stack backup jobs: | November 16, 2022 |
AWSBackupOrganizationAdminAccess – Update to an existing policy | Added the following permissions to this policy to allow organization administrators to use the Delegated Administrator feature: | November 27, 2022 |
AWSBackupServiceRolePolicyForS3Backup – Update to an existing policy | Added the permission | August 24, 2022 |
AWSBackupServiceRolePolicyForRestores – Update to an existing policy | Added the following actions to grant access to create a database instance to support multi-Availability Zone (Multi-AZ) functionality: | July 20, 2022 |
AWSBackupServiceLinkedRolePolicyForBackup – Update to an existing policy | Added the | May 6, 2022 |
AWSBackupServiceRolePolicyForBackup – Update to an existing policy | Added volume resources in the scope of existing | April 27, 2022 |
AWSBackupServiceRolePolicyForRestores – Update to an existing policy | Added the following actions to grant the users permissions to restore FSx for ONTAP volumes | April 27, 2022 |
AWSBackupServiceRolePolicyForS3Backup – Update to an existing policy | Added the following actions to grant the user permissions to receive notifications of changes to their Amazon S3 buckets during backup operations: | February 25, 2022 |
AWSBackupServiceRolePolicyForS3Backup – New policy | Added the following actions to grant the user permissions to back up their Amazon S3 buckets: Added the following actions to grant the user permissions to back up their Amazon S3 objects: Added the following actions to grant the user permissions to back up their encrypted Amazon S3 data: Added the following actions to grant the user permissions to take incremental backups of their Amazon S3 data using Amazon EventBridge rules: | February 17, 2022 |
AWSBackupServiceRolePolicyForS3Restore – New policy | Added the following actions to grant the user permissions to restore their Amazon S3 buckets: Added the following actions to grant the user permissions to restore their Amazon S3 buckets: Added the following actions to grant the user permissions to encrypt their restored Amazon S3 data: | February 17, 2022 |
AWSBackupServiceLinkedRolePolicyForBackup – Update to an existing policy | Added | February 14, 2022 |
AWSBackupServiceLinkedRolePolicyForBackup – Update to an existing policy | Added Added | November 30, 2021 |
AWSBackupServiceRolePolicyForBackup – Update to an existing policy | Added | November 30, 2021 |
AWSBackupServiceRolePolicyForRestores – Update to an existing policy | Added | November 30, 2021 |
AWSBackupFullAccess – Update to an existing policy | Added the following actions to grant the users permissions to use Amazon Backup Gateway to back up, restore, and manage their virtual machines: | November 30, 2021 |
AWSBackupOperatorAccess – Update to an existing policy | Added the following actions to grant the user permissions to back up their virtual machines: | November 30, 2021 |
AWSBackupServiceLinkedRolePolicyForBackup – Update to an existing policy | Added | November 23, 2021 |
AWSBackupServiceRolePolicyForBackup – Update to an existing policy | Added Added | November 23, 2021 |
AWSBackupServiceRolePolicyForRestores – Update to an existing policy | Added | November 23, 2021 |
AWSBackupServiceRolePolicyForRestores – Update to an existing policy | Added | November 23, 2021 |
AWSBackupOperatorAccess – Update to an existing policy | Removed the actions Amazon Backup did not need both | November 23, 2021 |
AWSBackupServiceLinkedRolePolicyForBackup – Update to an existing policy | Added the new actions | November 10, 2021 |
AWSBackupAuditAccess – New policy | Added | August 24, 2021 |
AWSServiceRolePolicyForBackupReports – New policy | Added | August 24, 2021 |
AWSBackupFullAccess – Update to an existing policy | Added | July 5, 2021 |
AWSBackupServiceLinkedRolePolicyForBackup – Update to an existing policy | Added the new action | July 5, 2021 |
AWSBackupOperatorAccess – Update to an existing policy | Removed the actions Amazon Backup did not need both | May 25, 2021 |
AWSBackupOperatorAccess – Update to an existing policy | Removed the actions Amazon Backup did not need both | May 25, 2021 |
AWSBackupServiceRolePolicyForRestores – Update to an existing policy | Added the new action | May 24, 2021 |
AWSBackupServiceRolePolicyForRestores – Update to an existing policy | Added the new actions | May 24, 2021 |
AWSBackupServiceRolePolicyForBackup – Update to an existing policy | Added the new action | April 12, 2021 |
AWSBackupServiceLinkedRolePolicyForBackup – Update to an existing policy | Added the new action | April 12, 2021 |
AWSBackupServiceRolePolicyForBackup – Update to an existing policy | Updated to comply with the following requirement: For Amazon Backup to create a backup of an encrypted DynamoDB table, you must add the permissions | March 10, 2021 |
AWSBackupFullAccess – Update to an existing policy | Updated to comply with the following requirements: To use Amazon Backup to configure continuous backups for your Amazon RDS database, verify the API permission To restore Amazon RDS continuous backups, you must add the permission In the Amazon Backup console, to describe the range of times available for point-in-time recovery, you must include the | March 10, 2021 |
Amazon Backup started tracking changes | Amazon Backup started tracking changes for its Amazon-managed policies. | March 10, 2021 |