

# Managed policies for Amazon Backup
<a name="security-iam-awsmanpol"></a>

Managed policies are standalone identity-based policies that you can attach to multiple users, groups, and roles in your Amazon Web Services account. When you attach a policy to a principal entity, you give the entity the permissions that are defined in the policy.

*Amazon managed policies* are created and administered by Amazon. You can't change the permissions defined in Amazon managed policies. If Amazon updates the permissions defined in an Amazon managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to.

*Customer managed policies* give you fine-grained controls to set access to backups in Amazon Backup. For example, you can use them to give your database backup administrator access to Amazon RDS backups but not Amazon EFS ones.

For more information, see [Managed policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_managed-vs-inline.html) in the *IAM User Guide*.

## Customer managed policies
<a name="customer-managed-policies"></a>

The following sections describe the recommended backup and restore permissions for the Amazon services and third-party applications supported by Amazon Backup. You can use the existing Amazon managed policies as a model as you create your own policy documents, and then customize them to further restrict access to your Amazon resources.

### How to build a customer managed policy from managed policy statements
<a name="customer-managed-policies-howto"></a>

Each service section below lists the specific statement names (Sids) you need from the Amazon Backup managed policies. To build a least-privilege customer managed policy for a specific service, follow these steps:

1. Open the managed policy reference for [AWSBackupServiceRolePolicyForBackup](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForBackup.html) (for backup permissions) or [AWSBackupServiceRolePolicyForRestores](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForRestores.html) (for restore permissions).

1. Locate each statement by its `Sid` value as listed in the service section below.

1. Copy the full JSON block for each required statement into your custom policy document.

1. Wrap the statements in a valid IAM policy structure. Include the `Version` element to avoid [IAM Access Analyzer warnings](https://docs.amazonaws.cn/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-general-warning-missing-version):

   ```
   {
     "Version": "2012-10-17",
     "Statement": [
       {{// Paste your extracted statements here}}
     ]
   }
   ```

1. (Optional) Narrow the `Resource` field in each statement to restrict access to specific resources rather than using `"*"`.

Alternatively, you can retrieve the full policy JSON using the Amazon CLI:

```
aws iam get-policy-version \
    --policy-arn arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup \
    --version-id $(aws iam get-policy --policy-arn arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup --query "Policy.DefaultVersionId" --output text) \
    --query "PolicyVersion.Document" \
    --output json
```

This returns the complete policy document, from which you can extract the statements you need by matching the `Sid` values listed in the service sections below.
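The extraction procedure above, as an added example that is not code from the Amazon Backup documentation: a Python script that takes a managed policy document in the form `aws iam get-policy-version --query PolicyVersion.Document` returns, pulls out statements by `Sid`, wraps them with the `Version` element, appends any extra statement a service section calls for, and narrows a `Resource`. The managed policy document embedded here is a constructed stand-in that uses this page's Sid names with illustrative actions; the account ID, Region and vault name are placeholders.

```python
"""Build a least-privilege customer managed policy from an Amazon Backup managed
policy by selecting statements by Sid (added example, not AWS documentation code)."""
import copy
import json

# Constructed stand-in for the document that `aws iam get-policy-version
# --query PolicyVersion.Document` returns. Sid names follow this page; the
# actions and resources are illustrative, not the contents of the real policy.
SAMPLE_MANAGED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EBSResourcePermissions", "Effect": "Allow",
         "Action": ["ec2:CreateSnapshot", "ec2:DeleteSnapshot"],
         "Resource": "arn:aws-cn:ec2:*::snapshot/*"},
        {"Sid": "EBSTagAndDeletePermissions", "Effect": "Allow",
         "Action": ["ec2:CreateTags", "ec2:DeleteSnapshot"],
         "Resource": "arn:aws-cn:ec2:*::snapshot/*"},
        {"Sid": "StorageGatewayPermissions", "Effect": "Allow",
         "Action": ["storagegateway:CreateSnapshot", "storagegateway:ListVolumes"],
         "Resource": "*"},
        {"Sid": "GetResourcesPermissions", "Effect": "Allow",
         "Action": ["tag:GetResources"], "Resource": "*"},
        {"Sid": "BackupVaultPermissions", "Effect": "Allow",
         "Action": ["backup:DescribeBackupVault", "backup:CopyIntoBackupVault"],
         "Resource": "arn:aws-cn:backup:*:*:backup-vault:*"},
        {"Sid": "KMSPermissions", "Effect": "Allow",
         "Action": ["kms:DescribeKey"], "Resource": "*"},
    ],
}


def extract_statements(policy_doc, wanted_sids):
    """Return copies of the statements whose Sid is in wanted_sids, in that order.
    Every requested Sid must exist: a statement that was renamed or removed in a
    new policy version raises KeyError instead of silently vanishing."""
    by_sid = {s["Sid"]: s for s in policy_doc["Statement"] if "Sid" in s}
    missing = [sid for sid in wanted_sids if sid not in by_sid]
    if missing:
        raise KeyError(f"Sids not found in managed policy: {missing}")
    return [copy.deepcopy(by_sid[sid]) for sid in wanted_sids]


def build_custom_policy(policy_doc, wanted_sids, extra_statements=(),
                        resource_overrides=None):
    """Wrap the selected statements in a policy document with the Version
    element, append extra statements a service section calls for, and narrow
    the Resource of named statements (the optional last step on this page)."""
    statements = extract_statements(policy_doc, wanted_sids)
    for stmt in statements:
        sid = stmt.get("Sid")
        if resource_overrides and sid in resource_overrides:
            stmt["Resource"] = resource_overrides[sid]
    statements.extend(copy.deepcopy(s) for s in extra_statements)
    return {"Version": "2012-10-17", "Statement": statements}


def wildcard_resource_sids(policy_doc):
    """Sids (or '(no Sid)') of Allow statements still scoped to Resource "*":
    the candidates for narrowing before the policy is attached."""
    return [s.get("Sid", "(no Sid)") for s in policy_doc["Statement"]
            if s.get("Effect") == "Allow" and s.get("Resource") in ("*", ["*"])]


def storage_gateway_backup_policy():
    """Worked case: the Storage Gateway backup policy from this page (four Sids
    plus the extra ec2:DescribeSnapshots statement), with the vault statement
    narrowed to one vault. Account ID, Region and vault name are placeholders."""
    extra = [{"Effect": "Allow", "Action": ["ec2:DescribeSnapshots"],
              "Resource": "*"}]
    vault_arn = "arn:aws-cn:backup:cn-north-1:111122223333:backup-vault:example-vault"
    return build_custom_policy(
        SAMPLE_MANAGED_POLICY,
        ["StorageGatewayPermissions", "EBSTagAndDeletePermissions",
         "GetResourcesPermissions", "BackupVaultPermissions"],
        extra_statements=extra,
        resource_overrides={"BackupVaultPermissions": vault_arn},
    )


if __name__ == "__main__":
    policy = storage_gateway_backup_policy()
    print(json.dumps(policy, indent=2))
    # Statements left on "*" deserve a second look before the policy is attached.
    print("Still on Resource \"*\":", wildcard_resource_sids(policy))
```

To use it against the real policy, load the JSON printed by the CLI command above in place of `SAMPLE_MANAGED_POLICY`; the `KeyError` check is what catches a Sid that a later policy version renamed.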

**Important**  
When using custom IAM roles for Amazon Backup, you must include resource-specific permissions in addition to Amazon Backup permissions. For example, when calling `backup:ListTags` on an Amazon RDS resource, your custom IAM role must also include `rds:ListTagsForResource` permission. While these permissions are included in the default Amazon Backup service role, they must be explicitly added to customer-managed policies. The underlying resource permissions required depend on the specific Amazon service and operation being performed.

### Amazon Aurora
<a name="aurora-customer-managed-policies"></a>

**Backup**

Start with the following statements from [AWSBackupServiceRolePolicyForBackup](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForBackup.html):
+ `DynamoDBBackupPermissions`
+ `RDSClusterModifyPermissions`
+ `GetResourcesPermissions`
+ `BackupVaultPermissions`
+ `KMSPermissions`

**Restore**  
Start with the `RDSPermissions` statement from [AWSBackupServiceRolePolicyForRestores](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForRestores.html).

### Amazon Aurora DSQL
<a name="aurora-dsql-customer-managed-policies"></a>

**Backup**

Start with the following statements from [AWSBackupServiceRolePolicyForBackup](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForBackup.html):
+ `DSQLBackupPermissions`
+ `GetResourcesPermissions`
+ `BackupVaultPermissions`
+ `KMSPermissions`

**Restore**  
Start with the `DSQLRestorePermissions` statement from [AWSBackupServiceRolePolicyForRestores](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForRestores.html).

### Amazon DynamoDB
<a name="ddb-customer-managed-policies"></a>

**Backup**

Start with the following statements from [AWSBackupServiceRolePolicyForBackup](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForBackup.html):
+ `DynamoDBPermissions`
+ `DynamoDBBackupResourcePermissions`
+ `DynamodbBackupPermissions`
+ `KMSDynamoDBPermissions`

**Restore**

Start with the following statements from [AWSBackupServiceRolePolicyForRestores](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForRestores.html):
+ `DynamoDBPermissions`
+ `DynamoDBBackupResourcePermissions`
+ `DynamoDBRestorePermissions`
+ `KMSPermissions`

### Amazon EBS
<a name="ebs-customer-managed-policies"></a>

**Backup**

Start with the following statements from [AWSBackupServiceRolePolicyForBackup](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForBackup.html):
+ `EBSResourcePermissions`
+ `EBSTagAndDeletePermissions`
+ `EBSCopyPermissions`
+ `EBSSnapshotTierPermissions`
+ `GetResourcesPermissions`
+ `BackupVaultPermissions`

**Restore**  
Start with the `EBSPermissions` statement from [AWSBackupServiceRolePolicyForRestores](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForRestores.html).

Add the following statement.

```
{
  "Effect": "Allow",
  "Action": [
    "ec2:DescribeSnapshots",
    "ec2:DescribeVolumes"
  ],
  "Resource": "*"
},
```

### Amazon EC2
<a name="ec2-customer-managed-policies"></a>

**Backup**

Start with the following statements from [AWSBackupServiceRolePolicyForBackup](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForBackup.html):
+ `EBSCopyPermissions`
+ `EC2CopyPermissions`
+ `EC2Permissions`
+ `EC2TagPermissions`
+ `EC2ModifyPermissions`
+ `EBSResourcePermissions`
+ `GetResourcesPermissions`
+ `BackupVaultPermissions`

**Restore**

Start with the following statements from [AWSBackupServiceRolePolicyForRestores](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForRestores.html):
+ `EBSPermissions`
+ `EC2DescribePermissions`
+ `EC2RunInstancesPermissions`
+ `EC2TerminateInstancesPermissions`
+ `EC2CreateTagsPermissions`

Add the following statement.

```
{
  "Effect": "Allow",
  "Action": "iam:PassRole",
  "Resource": "arn:aws-cn:iam::{{account-id}}:role/{{role-name}}"
},
```

Replace `{{account-id}}` with your Amazon Web Services account ID and `{{role-name}}` with the name of the EC2 instance profile role that will be attached to the restored EC2 instance. This is not the Amazon Backup service role, but rather the IAM role that provides permissions to applications running on the EC2 instance.

### Amazon EFS
<a name="efs-customer-managed-policies"></a>

**Backup**

Start with the following statements from [AWSBackupServiceRolePolicyForBackup](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForBackup.html):
+ `EFSPermissions`
+ `GetResourcesPermissions`
+ `BackupVaultPermissions`

**Restore**  
Start with the `EFSPermissions` statement from [AWSBackupServiceRolePolicyForRestores](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForRestores.html).

### Amazon FSx
<a name="fsx-customer-managed-policies"></a>

**Backup**

Start with the following statements from [AWSBackupServiceRolePolicyForBackup](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForBackup.html):
+ `FsxBackupPermissions`
+ `FsxCreateBackupPermissions`
+ `FsxPermissions`
+ `FsxVolumePermissions`
+ `FsxListTagsPermissions`
+ `FsxDeletePermissions`
+ `FsxResourcePermissions`
+ `KMSPermissions`

**Restore**

Start with the following statements from [AWSBackupServiceRolePolicyForRestores](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForRestores.html):
+ `FsxPermissions`
+ `FsxTagPermissions`
+ `FsxBackupPermissions`
+ `FsxDeletePermissions`
+ `FsxDescribePermissions`
+ `FsxVolumeTagPermissions`
+ `FsxBackupTagPermissions`
+ `FsxVolumePermissions`
+ `DSPermissions`
+ `KMSDescribePermissions`

### Amazon Neptune
<a name="neptune-customer-managed-policies"></a>

**Backup**

Start with the following statements from [AWSBackupServiceRolePolicyForBackup](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForBackup.html):
+ `DynamoDBBackupPermissions`
+ `RDSClusterModifyPermissions`
+ `GetResourcesPermissions`
+ `BackupVaultPermissions`
+ `KMSPermissions`

**Restore**  
Start with the `RDSPermissions` statement from [AWSBackupServiceRolePolicyForRestores](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForRestores.html).

### Amazon RDS
<a name="rds-customer-managed-policies"></a>

**Backup**

Start with the following statements from [AWSBackupServiceRolePolicyForBackup](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForBackup.html):
+ `DynamoDBBackupPermissions`
+ `RDSBackupPermissions`
+ `RDSClusterModifyPermissions`
+ `GetResourcesPermissions`
+ `BackupVaultPermissions`
+ `KMSPermissions`

**Restore**  
Start with the `RDSPermissions` statement from [AWSBackupServiceRolePolicyForRestores](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForRestores.html).

### Amazon S3
<a name="s3-customer-managed-policies"></a>

**Backup**  
Start with [AWSBackupServiceRolePolicyForS3Backup](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForS3Backup.html).

Add the `BackupVaultPermissions` and `BackupVaultCopyPermissions` statements if you need to copy backups to a different account.

**Restore**  
Start with [AWSBackupServiceRolePolicyForS3Restore](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForS3Restore.html).

### Amazon Storage Gateway
<a name="storage-gateway-customer-managed-policies"></a>

**Backup**

Start with the following statements from [AWSBackupServiceRolePolicyForBackup](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForBackup.html):
+ `StorageGatewayPermissions`
+ `EBSTagAndDeletePermissions`
+ `GetResourcesPermissions`
+ `BackupVaultPermissions`

Add the following statement.

```
{
  "Effect": "Allow",
  "Action": [
    "ec2:DescribeSnapshots"
  ],
  "Resource": "*"
},
```

**Restore**

Start with the following statements from [AWSBackupServiceRolePolicyForRestores](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForRestores.html):
+ `StorageGatewayVolumePermissions`
+ `StorageGatewayGatewayPermissions`
+ `StorageGatewayListPermissions`

### Virtual machine
<a name="vm-customer-managed-policies"></a>

**Backup**  
Start with the `BackupGatewayBackupPermissions` statement from [AWSBackupServiceRolePolicyForBackup](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForBackup.html).

**Restore**  
Start with the `GatewayRestorePermissions` statement from [AWSBackupServiceRolePolicyForRestores](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForRestores.html).

### Encrypted backup
<a name="customer-managed-policies-encrypted-backup"></a>

**To restore an encrypted backup, do one of the following**
+ Add your role to the allowlist for the Amazon KMS key policy
+ Add the following statements from [AWSBackupServiceRolePolicyForRestores](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForRestores.html) to your IAM role for restores:
  + `KMSDescribePermissions`
  + `KMSPermissions`
  + `KMSCreateGrantPermissions`

## Policy updates for Amazon Backup
<a name="policy-updates"></a>

View details about updates to Amazon managed policies for Amazon Backup since this service began tracking these changes.


| Change | Description | Date | 
| --- | --- | --- | 
|  – Update to an existing policy | Amazon Backup added the following permission to this policy:[See the AWS documentation website for more details](http://docs.amazonaws.cn/en_us/aws-backup/latest/devguide/security-iam-awsmanpol.html)<br />These permissions allow Amazon Backup Restore Testing to delete RDS Tenant Databases after restore test completion. | March 18, 2026 | 
|  – Update to an existing policy | Amazon Backup added the following permissions to this policy:[See the AWS documentation website for more details](http://docs.amazonaws.cn/en_us/aws-backup/latest/devguide/security-iam-awsmanpol.html)<br />These permissions allow Amazon Backup to initiate malware scans on your recovery points. | February 23, 2026 | 
|  – New policy | Amazon Backup added a new Amazon managed policy that provides Amazon GuardDuty permission to read and scan customer backups. Amazon Backup passes a role with this policy to GuardDuty when initiating the operations `StartMalwareScan`.<br />This is necessary to provide all necessary permissions needed for malware scans on recovery points of Amazon EC2,Amazon EBS, and Amazon S3 resources.<br />For more information, see the managed policy . | November 19, 2025 | 
|  – New policy | Amazon Backup added a new Amazon managed policy that provides Amazon Backup permission to initiate malware scans on your recovery points.<br />This is necessary to provide all necessary permissions needed for malware scans on recovery points of Amazon EC2,Amazon EBS, and Amazon S3 resources.<br />For more information, see the managed policy . | November 19, 2025 | 
|  – Update to an existing policy | Added `malware-protection.guardduty.amazonaws.com` to `IamPassRolePermissions`, which is necessary to initiate malware scan jobs.  | November 19, 2025 | 
|  – Update to an existing policy | Amazon Backup added the following permissions to this policy:[See the AWS documentation website for more details](http://docs.amazonaws.cn/en_us/aws-backup/latest/devguide/security-iam-awsmanpol.html)<br />These permissions are necessary to initiate malware scan jobs. | November 19, 2025 | 
|  – Update to an existing policy | Amazon Backup added the following permissions to this policy:[See the AWS documentation website for more details](http://docs.amazonaws.cn/en_us/aws-backup/latest/devguide/security-iam-awsmanpol.html)<br />These permissions allow Amazon Backup to backup and restore Amazon EKS clusters. | November 10, 2025 | 
|  – Update to an existing policy | Amazon Backup added the following permissions to this policy:[See the AWS documentation website for more details](http://docs.amazonaws.cn/en_us/aws-backup/latest/devguide/security-iam-awsmanpol.html)<br />These permissions allow Amazon Backup to backup and restore Amazon EKS clusters. | November 10, 2025 | 
|  – Update to an existing policy | Amazon Backup added the following permissions to this policy:[See the AWS documentation website for more details](http://docs.amazonaws.cn/en_us/aws-backup/latest/devguide/security-iam-awsmanpol.html)<br />These permissions allow Amazon Backup to create backups of Amazon EKS clusters and their associated resources on behalf of customers. | November 10, 2025 | 
|  – Update to an existing policy | Amazon Backup added the following permissions to this policy:[See the AWS documentation website for more details](http://docs.amazonaws.cn/en_us/aws-backup/latest/devguide/security-iam-awsmanpol.html)<br />These permissions allow Amazon Backup to create backups of Amazon EKS clusters and their associated resources on behalf of customers. | November 10, 2025 | 
|  – Update to an existing policy | Amazon Backup added the following permissions to this policy:[See the AWS documentation website for more details](http://docs.amazonaws.cn/en_us/aws-backup/latest/devguide/security-iam-awsmanpol.html)<br />These permissions allow Amazon Backup to perform restore operations for Amazon EKS clusters and their associated resources on behalf of customers. | November 10, 2025 | 
|  – Update to an existing policy | Amazon Backup added the following permission to this policy:[See the AWS documentation website for more details](http://docs.amazonaws.cn/en_us/aws-backup/latest/devguide/security-iam-awsmanpol.html)<br />This permission allows Amazon Backup to synchronize delegated administrator information with Organizations for cross-account management features. | September 9, 2025 | 
|  – New policy | Amazon Backup added a new Amazon managed policy that provides Amazon GuardDuty permission to read and scan customer backups. Amazon Backup passes a role with this policy to GuardDuty when initiating the operations `StartMalwareScan`.<br />This is necessary to provide all necessary permissions needed for malware scans on recovery points of Amazon EC2,Amazon EBS, and Amazon S3 resources.<br />For more information, see the managed policy . | November 24, 2025 | 
|  – New policy | Amazon Backup added a new Amazon managed policy that provides Amazon Backup permission to initiate malware scans on your recovery points.<br />This is necessary to provide all necessary permissions needed for malware scans on recovery points of Amazon EC2,Amazon EBS, and Amazon S3 resources.<br />For more information, see the managed policy . | November 24, 2025 | 
|  – Update to an existing policy | Amazon Backup added the following permissions to this policy:[See the AWS documentation website for more details](http://docs.amazonaws.cn/en_us/aws-backup/latest/devguide/security-iam-awsmanpol.html)<br />These permissions are necessary for Amazon Backup to perform orchestrated multi-Region restore operations for DSQL resources on behalf of customers. | July 17, 2025 | 
|  – Update to an existing policy | Amazon Backup added the following permissions to this policy:[See the AWS documentation website for more details](http://docs.amazonaws.cn/en_us/aws-backup/latest/devguide/security-iam-awsmanpol.html)<br />These permissions are necessary for Amazon Backup integration with Amazon Account Management and Amazon Organizations so customers have the option of Multi-party approval (MPA) as part of their logically air-gapped vaults. | June 17, 2025 | 
|  – Update to an existing policy: | Amazon Backup added the following permissions to this policy:[See the AWS documentation website for more details](http://docs.amazonaws.cn/en_us/aws-backup/latest/devguide/security-iam-awsmanpol.html)<br />These permissions are necessary to allow customers to restore Amazon FSx for OpenZFS Multi-availability zone (Multi-AZ) snapshots through Amazon Backup. | May 27, 2025 | 
|  – Update to an existing policy | Amazon Backup added the following permissions to this policy:[See the AWS documentation website for more details](http://docs.amazonaws.cn/en_us/aws-backup/latest/devguide/security-iam-awsmanpol.html)<br />These permissions allow Amazon Backup to backup and restore Amazon Aurora DSQL resources. | May 21, 2025 | 
|  – Update to an existing policy | Amazon Backup added the following permissions to this policy:[See the AWS documentation website for more details](http://docs.amazonaws.cn/en_us/aws-backup/latest/devguide/security-iam-awsmanpol.html)<br />These permissions allow Amazon Backup to backup and restore Amazon Aurora DSQL resources. | May 21, 2025 | 
|  – Update to an existing policy | Amazon Backup added the following permissions to this policy:[See the AWS documentation website for more details](http://docs.amazonaws.cn/en_us/aws-backup/latest/devguide/security-iam-awsmanpol.html)<br />These permissions allow Amazon Backup to create, delete, retrieve, and manage Amazon Aurora DSQL snapshots on behalf of customers. | May 21, 2025 | 
|  – Update to an existing policy | Amazon Backup added the following permissions to this policy:[See the AWS documentation website for more details](http://docs.amazonaws.cn/en_us/aws-backup/latest/devguide/security-iam-awsmanpol.html)<br />These permissions allow Amazon Backup to create, delete, retrieve, encrypt, decrypt, and manage Amazon Aurora DSQL snapshots on behalf of customers. | May 21, 2025 | 
|  – Update to an existing policy | Amazon Backup added the following permissions to this policy:[See the AWS documentation website for more details](http://docs.amazonaws.cn/en_us/aws-backup/latest/devguide/security-iam-awsmanpol.html)<br />These permissions allow Amazon Backup to manage Aurora DSQL backups at customer-specified intervals. | May 21, 2025 | 
|  – Update to an existing policy | Amazon Backup added the following permissions to this policy:[See the AWS documentation website for more details](http://docs.amazonaws.cn/en_us/aws-backup/latest/devguide/security-iam-awsmanpol.html)<br />These permissions are necessary for designated customers to have full access to Amazon Redshift Serverless backups, including required read permissions as well as the ability to delete Amazon Redshift Serverless recovery points (snapshot backups).  | March 31, 2025 | 
|  – Update to an existing policy | Amazon Backup added the following permissions to this policy:[See the AWS documentation website for more details](http://docs.amazonaws.cn/en_us/aws-backup/latest/devguide/security-iam-awsmanpol.html)<br />These permissions are necessary for designated customers to have all necessary backup permissions to Amazon Redshift Serverless, including required read permissions. | March 31, 2025 | 
|  – Update to an existing policy | Amazon Backup added the following permissions to this policy:[See the AWS documentation website for more details](http://docs.amazonaws.cn/en_us/aws-backup/latest/devguide/security-iam-awsmanpol.html)<br />These permissions are necessary for Amazon Backup to manage Amazon Redshift Serverless snapshots at customer specified intervals. | March 31, 2025 | 
|  – Update to an existing policy | Amazon Backup added the following permissions to this policy:[See the AWS documentation website for more details](http://docs.amazonaws.cn/en_us/aws-backup/latest/devguide/security-iam-awsmanpol.html)<br />These permissions are necessary to allow Amazon Backup to create, delete, retrieve, and manage Amazon Redshift Serverless snapshots on behalf of customers. | March 31, 2025 | 
|  – Update to an existing policy | Amazon Backup added the following permissions to this policy:[See the AWS documentation website for more details](http://docs.amazonaws.cn/en_us/aws-backup/latest/devguide/security-iam-awsmanpol.html)<br />These permissions are necessary to allow Amazon Backup to restore Amazon Redshift and Amazon Redshift Serverless snapshots on behalf of the customer. | March 31, 2025 | 
|  – Added a new Amazon managed policy | Amazon Backup added the AWSBackupSearchOperatorAccess Amazon managed policy. | February 27, 2025 | 
|   – Update to an existing policy  | Amazon Backup added the permission `rds:AddTagsToResource` to support Amazon RDS multi-tenant snapshot cross-account copy of backups.<br />This permission is necessary to complete operations when a customer chooses to create a cross-account copy of a multi-tenant RDS snapshot. | January 8, 2025 | 
|  – Update to an existing policy | Amazon Backup added the permissions `rds:CreateTenantDatabase` and `rds:DeleteTenantDatabase` to this policy to support the restore process of Amazon RDS resources.<br />These permissions are necessary to complete customer operations for restoring multi-tenant snapshots. | January 8, 2025 | 
|  – Added a new Amazon managed policy | Amazon Backup added the AWSBackupServiceRolePolicyForItemRestores Amazon managed policy. | November 26, 2024 | 
|  – Added a new Amazon managed policy | Amazon Backup added the AWSBackupServiceRolePolicyForIndexing Amazon managed policy. | November 26, 2024 | 
|  – Update to an existing policy | Amazon Backup added permission `backup:TagResource` to this policy.<br />The permission is necessary to obtain tagging permissions during the creation of a recovery point. | May 17, 2024 | 
|   – Update to an existing policy  | Amazon Backup added permission `backup:TagResource` to this policy.<br />The permission is necessary to obtain tagging permissions during the creation of a recovery point. | May 17, 2024 | 
|   – Update to an existing policy  | Amazon Backup added permission `backup:TagResource` to this policy.<br />The permission is necessary to obtain tagging permissions during the creation of a recovery point. | May 17, 2024 | 
|  – Update to an existing policy | Added the permission `rds:DeleteDBInstanceAutomatedBackups`. <br />This permission is necessary for Amazon Backup to support continuous backup and point-in-time-restore of Amazon RDS instances. | May 1, 2024 | 
|  – Update to an existing policy | Amazon Backup updated the Amazon Resource Name (ARN) in permission `storagegateway:ListVolumes` from `arn:aws-cn:storagegateway:*:*:gateway/*` to `*` in order to accommodate a change in the Storage Gateway API model. | May 1, 2024 | 
|  – Update to an existing policy | Amazon Backup updated the Amazon Resource Name (ARN) in permission `storagegateway:ListVolumes` from `arn:aws-cn:storagegateway:*:*:gateway/*` to `*` in order to accommodate a change in the Storage Gateway API model. | May 1, 2024 | 
|  – Update to an existing policy | Added the following permissions to describe and list recovery points and protected resources in order to conduct restore testing plans: `backup:DescribeRecoveryPoint`, `backup:DescribeProtectedResource`, `backup:ListProtectedResources`, and `backup:ListRecoveryPointsByResource`.<br />Added the permission `ec2:DescribeSnapshotTierStatus` to support Amazon EBS archive tier storage.<br />Added the permission `rds:DescribeDBClusterAutomatedBackups` to support Amazon Aurora continuous backups.<br />Added the following permissions to support restore testing of Amazon Redshift backups: `redshift:DescribeClusters` and `redshift:DeleteCluster`.<br />Added the permission `timestream:DeleteTable` to support restore testing of Amazon Timestream backups. | February 14, 2024 | 
|   – Update to an existing policy  | Added the permissions `ec2:DescribeSnapshotTierStatus` and `ec2:RestoreSnapshotTier`.<br />These permissions are necessary for users to have the option to restore Amazon EBS resources stored with Amazon Backup from archive storage.<br />For EC2 instance restores, you must also include permissions as shown in the following policy statement to launch the EC2 instance: | November 27, 2023 | 
|   – Update to an existing policy  | Added the permissions `ec2:DescribeSnapshotTierStatus` and `ec2:ModifySnapshotTier` to support an additional storage option for backed up Amazon EBS resources to be transitioned to the archive storage tier.<br />These permissions are necessary for users to have the option to transition Amazon EBS resources stored with Amazon Backup to archive storage. | November 27, 2023 | 
|   – Update to an existing policy  | Added the permissions `ec2:DescribeSnapshotTierStatus` and `ec2:ModifySnapshotTier` to support an additional storage option for backed up Amazon EBS resources to be transitioned to the archive storage tier.<br />These permissions are necessary for users to have the option to transition Amazon EBS resources stored with Amazon Backup to archive storage.<br />Added the permissions `rds:DescribeDBClusterSnapshots` and `rds:RestoreDBClusterToPointInTime`, which is necessary for PITR (point-in-time restores) of Aurora clusters. | 
|  – New policy | Provides the permissions necessary to conduct restore testing. The permissions include the actions `list, read, and write` for the following services to be included in restore tests: Aurora, DocumentDB, DynamoDB, Amazon EBS, Amazon EC2, Amazon EFS, FSx for Lustre, FSx for Windows File Server, FSx for ONTAP, FSx for OpenZFS, Amazon Neptune, Amazon RDS, and Amazon S3. | November 27, 2023 | 
|   – Update to an existing policy  | Added `restore-testing.backup.amazonaws.com` to `IamPassRolePermissions` and `IamCreateServiceLinkedRolePermissions`. This addition is necessary for Amazon Backup to conduct restore tests on behalf of customers.  | November 27, 2023 | 
|  – Update to an existing policy | Added the permissions `rds:DescribeDBClusterSnapshots` and `rds:RestoreDBClusterToPointInTime`, which is necessary for PITR (point-in-time restores) of Aurora clusters. | September 6, 2023 | 
|  – Update to an existing policy | Added the permission `rds:DescribeDBClusterAutomatedBackups`, which is necessary for continuous backup and point-in-time restore of Aurora clusters. | September 6, 2023 | 
|  – Update to an existing policy | Added the permission `rds:DescribeDBClusterAutomatedBackups`, which is necessary for continuous backup and point-in-time restore of Aurora clusters. | September 6, 2023 | 
|  – Update to an existing policy | Added the permission `rds:DescribeDBClusterAutomatedBackups`. This permission is necessary for Amazon Backup support of continuous backup and point-in-time restore of Aurora clusters.<br />Added the permission `rds:DeleteDBClusterAutomatedBackups` to allow Amazon Backup lifecycle to delete and disassociate Amazon Aurora continuous recovery points when a retention period finishes. This permission is necessary for the Aurora recovery point to avoid a transition into an `EXIPIRED` state.<br />Added the permission `rds:ModifyDBCluster` which allows Amazon Backup to interact with Aurora clusters. This addition allows users the ability to enable or disable continuous backups based on desired configurations. | September 6, 2023 | 
|  – Update to an existing policy | Added the action `ram:GetResourceShareAssociations` to grant the user permission to get resource share associations for new vault type. | August 8, 2023 | 
|  – Update to an existing policy | Added the action `ram:GetResourceShareAssociations` to grant the user permission to get resource share associations for new vault type. | August 8, 2023 | 
|   – Update to an existing policy  | Added the permission `s3:PutInventoryConfiguration` to enhance backup performance speeds by using a bucket inventory. | August 1, 2023 | 
|   – Update to an existing policy  | Added the following actions to grant the user permissions to add tags to restore resources: `storagegateway:AddTagsToResource`, `elasticfilesystem:TagResource`, `ec2:CreateTags` for only `ec2:CreateAction` that includes either `RunInstances` or `CreateVolume`, `fsx:TagResource`, and `cloudformation:TagResource`. | May 22, 2023 | 
|   – Update to an existing policy  | Replaced the resource selection within the API `config:DescribeComplianceByConfigRule` with a wildcard resource to make it easier for a user to select resources. | April 11, 2023 | 
|   – Update to an existing policy  | Added the following permission to restore Amazon EFS using a customer managed key: `kms:GenerateDataKeyWithoutPlaintext`. This helps to ensure users have required permissions to restore Amazon EFS resources. | March 27, 2023 | 
|   – Update to an existing policy  | Updated the `config:DescribeConfigRules` and `config:DescribeConfigRuleEvaluationStatus` actions to allow Amazon Backup Audit Manager to access Amazon Backup Audit Manager-managed Amazon Config rules. | March 9, 2023 | 
|   – Update to an existing policy  | Added the following permissions: `kms:Decrypt`, `s3:PutBucketOwnershipControls`, and `s3:GetBucketOwnershipControls` to the policy `AWSBackupServiceRolePolicyForS3Restore`. These permissions are necessary to support restores of objects when KMS encryption is used in the original backup and for restoring objects when object ownership is configured on the original bucket instead of ACL. | February 13, 2023 | 
|  – Update to an existing policy | Added the following permissions to schedule backups using VMware tags of virtual machines and to support schedule-based bandwidth throttling: `backup-gateway:GetHypervisorPropertyMappings`, `backup-gateway:GetVirtualMachine`, `backup-gateway:PutHypervisorPropertyMappings`, `backup-gateway:GetHypervisor`, `backup-gateway:StartVirtualMachinesMetadataSync`, `backup-gateway:GetBandwidthRateLimitSchedule`, and `backup-gateway:PutBandwidthRateLimitSchedule`. | December 15, 2022 | 
|  – Update to an existing policy | Added the following permissions to schedule backups using VMware tags of virtual machines and to support schedule-based bandwidth throttling: `backup-gateway:GetHypervisorPropertyMappings`, `backup-gateway:GetVirtualMachine`, `backup-gateway:GetHypervisor`, and `backup-gateway:GetBandwidthRateLimitSchedule`. | December 15, 2022 | 
|  – New policy | Provides permissions for Amazon Backup Gateway to sync the metadata of virtual machines in on-premises networks with Backup Gateway. | December 15, 2022 | 
|  – Update to an existing policy | Added the following permissions to support Amazon Redshift resources: `redshift:DescribeClusters`, `redshift:DescribeClusterSubnetGroups`, `redshift:DescribeNodeConfigurationOptions`, `redshift:DescribeOrderableClusterOptions`, `redshift:DescribeClusterParameterGroups`, `redshift:DescribeClusterTracks`, `redshift:DescribeSnapshotSchedules`, and `ec2:DescribeAddresses`. | November 27, 2022 | 
|  – Update to an existing policy | Added the following permissions to support Amazon Redshift resources: `redshift:DescribeClusters`, `redshift:DescribeClusterSubnetGroups`, `redshift:DescribeNodeConfigurationOptions`, `redshift:DescribeOrderableClusterOptions`, `redshift:DescribeClusterParameterGroups`, `redshift:DescribeClusterTracks`, `redshift:DescribeSnapshotSchedules`, and `ec2:DescribeAddresses`. | November 27, 2022 | 
|  – Update to an existing policy | Added the following permissions to support Amazon Redshift restore jobs: `redshift:RestoreFromClusterSnapshot`, `redshift:RestoreTableFromClusterSnapshot`, `redshift:DescribeClusters`, and `redshift:DescribeTableRestoreStatus`. | November 27, 2022 | 
|  – Update to an existing policy | Added the following permissions to support Amazon Redshift backup jobs: `redshift:CreateClusterSnapshot`, `redshift:DescribeClusterSnapshots`, `redshift:DescribeTags`, `redshift:DeleteClusterSnapshot`, `redshift:DescribeClusters`, and `redshift:CreateTags`. | November 27, 2022 | 
|  – Update to an existing policy | Added the following permission to support CloudFormation resources: `cloudformation:ListStacks`. | November 27, 2022 | 
|  – Update to an existing policy | Added the following permission to support CloudFormation resources: `cloudformation:ListStacks`. | November 27, 2022 | 
|  – Update to an existing policy | Added the following permissions to support CloudFormation resources: `redshift:DescribeClusterSnapshots`, `redshift:DescribeTags`, `redshift:DeleteClusterSnapshot`, and `redshift:DescribeClusters`. | November 27, 2022 | 
|  – Update to an existing policy | Added the following permissions to support Amazon CloudFormation application stack backup jobs: `cloudformation:GetTemplate`, `cloudformation:DescribeStacks`, and `cloudformation:ListStackResources`. | November 16, 2022 | 
|  – Update to an existing policy | Added the following permissions to support Amazon CloudFormation application stack backup jobs: `cloudformation:CreateChangeSet` and `cloudformation:DescribeChangeSet`. | November 16, 2022 | 
|  – Update to an existing policy | Added the following permissions to this policy to allow organization administrators to use the Delegated Administrator feature: `organizations:ListDelegatedAdministrator`, `organizations:RegisterDelegatedAdministrator`, and `organizations:DeregisterDelegatedAdministrator`. | November 27, 2022 | 
|  – Update to an existing policy  | Added the permission `s3:GetBucketAcl` to support backup operations of Amazon Backup for Amazon S3. | August 24, 2022 | 
|  – Update to an existing policy  | Added the following action to grant access to create a database instance, which supports multi-Availability Zone (Multi-AZ) functionality: `rds:CreateDBInstance`. | July 20, 2022 | 
|  – Update to an existing policy  | Added the `s3:GetBucketTagging` permission to grant the user permission to select buckets to back up with a resource wildcard. Without this permission, users who select which buckets to back up with a resource wildcard are unsuccessful. | May 6, 2022 | 
|  – Update to an existing policy  | Added volume resources in the scope of existing `fsx:CreateBackup` and `fsx:ListTagsForResource` actions, and added new action `fsx:DescribeVolumes` to support FSx for ONTAP volume level backups. | April 27, 2022 | 
|  – Update to an existing policy  | Added the following actions to grant the users permissions to restore FSx for ONTAP volumes: `fsx:DescribeVolumes`, `fsx:CreateVolumeFromBackup`, `fsx:DeleteVolume`, and `fsx:UntagResource`. | April 27, 2022 | 
|  – Update to an existing policy  | Added the following actions to grant the user permissions to receive notifications of changes to their Amazon S3 buckets during backup operations: `s3:GetBucketNotification` and `s3:PutBucketNotification`. | February 25, 2022 | 
|  – New policy  | Added the following actions to grant the user permissions to back up their Amazon S3 buckets: `s3:GetInventoryConfiguration`, `s3:PutInventoryConfiguration`, `s3:ListBucketVersions`, `s3:ListBucket`, `s3:GetBucketTagging`, `s3:GetBucketVersioning`, `s3:GetBucketNotification`, `s3:GetBucketLocation`, and `s3:ListAllMyBuckets`.<br />Added the following actions to grant the user permissions to back up their Amazon S3 objects: `s3:GetObject`, `s3:GetObjectAcl`, `s3:GetObjectVersionTagging`, `s3:GetObjectVersionAcl`, `s3:GetObjectTagging`, and `s3:GetObjectVersion`.<br />Added the following actions to grant the user permissions to back up their encrypted Amazon S3 data: `kms:Decrypt` and `kms:DescribeKey`.<br />Added the following actions to grant the user permissions to take incremental backups of their Amazon S3 data using Amazon EventBridge rules: `events:DescribeRule`, `events:EnableRule`, `events:PutRule`, `events:DeleteRule`, `events:PutTargets`, `events:RemoveTargets`, `events:ListTargetsByRule`, `events:DisableRule`, `cloudwatch:GetMetricData`, and `events:ListRules`. | February 17, 2022 | 
|  – New policy  | Added the following actions to grant the user permissions to restore their Amazon S3 buckets: `s3:CreateBucket`, `s3:ListBucketVersions`, `s3:ListBucket`, `s3:GetBucketVersioning`, `s3:GetBucketLocation`, and `s3:PutBucketVersioning`.<br />Added the following actions to grant the user permissions to restore their Amazon S3 buckets: `s3:GetObject`, `s3:GetObjectVersion`, `s3:DeleteObject`, `s3:PutObjectVersionAcl`, `s3:GetObjectVersionAcl`, `s3:GetObjectTagging`, `s3:PutObjectTagging`, `s3:GetObjectAcl`, `s3:PutObjectAcl`, `s3:PutObject`, and `s3:ListMultipartUploadParts`.<br />Added the following actions to grant the user permissions to encrypt their restored Amazon S3 data: `kms:Decrypt`, `kms:DescribeKey`, and `kms:GenerateDataKey`. | February 17, 2022 | 
|  – Update to an existing policy  | Added `s3:ListAllMyBuckets` to grant the user permissions to view a list of their buckets and choose which ones to assign to a backup plan. | February 14, 2022 | 
|  – Update to an existing policy  | Added `backup-gateway:ListVirtualMachines` to grant the user permissions to view a list of their virtual machines and choose which ones to assign to a backup plan.<br />Added `backup-gateway:ListTagsForResource` to grant the user permissions to list the tags for their virtual machines. | November 30, 2021 | 
|  – Update to an existing policy  | Added `backup-gateway:Backup` to grant the user permissions to restore their virtual machine backups. Amazon Backup also added `backup-gateway:ListTagsForResource` to grant the user permissions to list the tags assigned to their virtual machine backups. | November 30, 2021 | 
|  – Update to an existing policy  | Added `backup-gateway:Restore` to grant the user permissions to restore their virtual machine backups. | November 30, 2021 | 
|  – Update to an existing policy  | Added the following actions to grant the users permissions to use Amazon Backup Gateway to back up, restore, and manage their virtual machines: `backup-gateway:AssociateGatewayToServer`, `backup-gateway:CreateGateway`, `backup-gateway:DeleteGateway`, `backup-gateway:DeleteHypervisor`, `backup-gateway:DisassociateGatewayFromServer`, `backup-gateway:ImportHypervisorConfiguration`, `backup-gateway:ListGateways`, `backup-gateway:ListHypervisors`, `backup-gateway:ListTagsForResource`, `backup-gateway:ListVirtualMachines`, `backup-gateway:PutMaintenanceStartTime`, `backup-gateway:TagResource`, `backup-gateway:TestHypervisorConfiguration`, `backup-gateway:UntagResource`, `backup-gateway:UpdateGatewayInformation`, and `backup-gateway:UpdateHypervisor`. | November 30, 2021 | 
|  – Update to an existing policy  | Added the following actions to grant the user permissions to back up their virtual machines: `backup-gateway:ListGateways`, `backup-gateway:ListHypervisors`, `backup-gateway:ListTagsForResource`, and `backup-gateway:ListVirtualMachines`. | November 30, 2021 | 
|  – Update to an existing policy  | Added `dynamodb:ListTagsOfResource` to grant the user permissions to list tags of their DynamoDB tables to back up using Amazon Backup's advanced DynamoDB backup features. | November 23, 2021 | 
|  – Update to an existing policy  | Added `dynamodb:StartAwsBackupJob` to grant the user permissions to back up their DynamoDB tables using advanced backup features.<br />Added `dynamodb:ListTagsOfResource` to grant the user permissions to copy tags from their source DynamoDB tables to their backups. | November 23, 2021 | 
|  – Update to an existing policy  | Added `dynamodb:RestoreTableFromAwsBackup` to grant the user permissions to restore their DynamoDB tables backed up using Amazon Backup's advanced DynamoDB backup features. | November 23, 2021 | 
|  – Update to an existing policy  | Added `dynamodb:RestoreTableFromAwsBackup` to grant the user permissions to restore their DynamoDB tables backed up using Amazon Backup's advanced DynamoDB backup features. | November 23, 2021 | 
|  – Update to an existing policy  | Removed the actions `backup:GetRecoveryPointRestoreMetadata` and `rds:DescribeDBSnapshots` because they were redundant.<br />Amazon Backup did not need both `backup:GetRecoveryPointRestoreMetadata` and `backup:Get*` as part of `AWSBackupOperatorAccess`. Also, Amazon Backup did not need both `rds:DescribeDBSnapshots` and `rds:describeDBSnapshots` as part of `AWSBackupOperatorAccess`. | November 23, 2021 | 
|  – Update to an existing policy  | Added the new actions `elasticfilesystem:DescribeFileSystems`, `dynamodb:ListTables`, `storagegateway:ListVolumes`, `ec2:DescribeVolumes`, `ec2:DescribeInstances`, `rds:DescribeDBInstances`, `rds:DescribeDBClusters`, and `fsx:DescribeFileSystems` to allow customers to view and choose from a list of their Amazon Backup-supported resources when selecting which resources to assign to a backup plan. | November 10, 2021 | 
|  – New policy  | Added `AWSBackupAuditAccess` to grant the user permissions to use Amazon Backup Audit Manager. Permissions include the ability to configure compliance frameworks and generate reports. | August 24, 2021 | 
|  – New policy  | Added `AWSServiceRolePolicyForBackupReports` to grant permissions for a service-linked role to automate the monitoring of backup settings, jobs, and resources for compliance with frameworks configured by the user. | August 24, 2021 | 
|  – Update to an existing policy  | Added `iam:CreateServiceLinkedRole` to create a service-linked role (on a best-effort basis) to automate the deletion of expired recovery points for you. Without this service-linked role, Amazon Backup cannot delete expired recovery points after customers delete the original IAM role they used to create their recovery points. | July 5, 2021 | 
|  – Update to an existing policy  | Added the new action `dynamodb:DeleteBackup` to grant `DeleteRecoveryPoint` permission to automate the deletion of expired DynamoDB recovery points based on your backup plan lifecycle settings. | July 5, 2021 | 
|  – Update to an existing policy  | Removed the actions `backup:GetRecoveryPointRestoreMetadata` and `rds:DescribeDBSnapshots` because they were redundant.<br />Amazon Backup did not need both `backup:GetRecoveryPointRestoreMetadata` and `backup:Get*` as part of `AWSBackupOperatorAccess`. Also, Amazon Backup did not need both `rds:DescribeDBSnapshots` and `rds:describeDBSnapshots` as part of `AWSBackupOperatorAccess`. | May 25, 2021 | 
|  – Update to an existing policy  | Removed the actions `backup:GetRecoveryPointRestoreMetadata` and `rds:DescribeDBSnapshots` because they were redundant.<br />Amazon Backup did not need both `backup:GetRecoveryPointRestoreMetadata` and `backup:Get*` as part of `AWSBackupOperatorAccess`. Also, Amazon Backup did not need both `rds:DescribeDBSnapshots` and `rds:describeDBSnapshots` as part of `AWSBackupOperatorAccess`. | May 25, 2021 | 
| AWSBackupServiceRolePolicyForRestores – Update to an existing policy  | Added the new action `fsx:TagResource` to grant `StartRestoreJob` permission to allow you to apply tags to Amazon FSx file systems during the restore process. | May 24, 2021 | 
|  – Update to an existing policy  | Added the new actions `ec2:DescribeImages` and `ec2:DescribeInstances` to grant `StartRestoreJob` permission to allow you to restore Amazon EC2 instances from recovery points. | May 24, 2021 | 
|  – Update to an existing policy  | Added the new action `fsx:CopyBackup` to grant `StartCopyJob` permission to allow you to copy Amazon FSx recovery points across Regions and accounts. | April 12, 2021 | 
|  – Update to an existing policy  | Added the new action `fsx:CopyBackup` to grant `StartCopyJob` permission to allow you to copy Amazon FSx recovery points across Regions and accounts. | April 12, 2021 | 
|  – Update to an existing policy  | Updated to comply with the following requirement:<br />For Amazon Backup to create a backup of an encrypted DynamoDB table, you must add the permissions `kms:Decrypt` and `kms:GenerateDataKey` to the IAM role used for backup. | March 10, 2021 | 
|  – Update to an existing policy  | Updated to comply with the following requirements:<br />To use Amazon Backup to configure continuous backups for your Amazon RDS database, verify the API permission `rds:ModifyDBInstance` exists in the IAM role defined by your Backup plan configuration.<br />To restore Amazon RDS continuous backups, you must add the permission `rds:RestoreDBInstanceToPointInTime` to the IAM role you submitted for restore job.<br />In the Amazon Backup console, to describe the range of times available for point-in-time recovery, you must include the `rds:DescribeDBInstanceAutomatedBackups` API permission in your IAM-managed policy. | March 10, 2021 | 
| Amazon Backup started tracking changes | Amazon Backup started tracking changes for its Amazon-managed policies. | March 10, 2021 | 
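Several rows above hinge on how IAM evaluates action names: the May 2021 and November 2021 entries removed `backup:GetRecoveryPointRestoreMetadata` because `backup:Get*` already covers it, and removed `rds:DescribeDBSnapshots` because `rds:describeDBSnapshots` is the same action (IAM matches action names case-insensitively). When you build a least-privilege customer managed policy from these tables, the same two questions come up: does my policy grant every action a row says is required, and does it carry redundant entries that only widen the review surface. The following offline checker is an added example, not code from the Amazon Backup documentation or an AWS library; it assumes a policy document in standard IAM JSON form and uses a constructed sample policy modelled on the redundancy the history describes.

```python
import fnmatch
import json

# Constructed sample policy, modelled on the redundancy the change history describes
# (backup:Get* beside backup:GetRecoveryPointRestoreMetadata, and two case variants of
# rds:DescribeDBSnapshots). It is not a real Amazon managed policy.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "backup:Get*",
                "backup:GetRecoveryPointRestoreMetadata",
                "rds:DescribeDBSnapshots",
                "rds:describeDBSnapshots",
                "fsx:CopyBackup",
            ],
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    """IAM allows a single string or a list for Action and Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Collect every action pattern from Allow statements (Deny and NotAction are out of scope here)."""
    patterns = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        patterns.extend(_as_list(stmt["Action"]))
    return patterns


def action_matches(pattern, action):
    """IAM compares action names case-insensitively and honours * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def grants(policy, action):
    """True if any Allow statement's action pattern covers the requested action."""
    return any(action_matches(p, action) for p in allowed_actions(policy))


def missing_actions(policy, required):
    """Actions from a required list (for example, a row of the table above) the policy does not grant."""
    return [a for a in required if not grants(policy, a)]


def redundant_actions(policy):
    """Action entries already covered by another entry in the same policy.

    A pattern that itself contains wildcards is tested as a literal string, which is exact
    for the usual prefix-style patterns (service:Get*) and is only a heuristic for mixed
    ? and * patterns. Of two case-insensitively identical entries, the later one is reported.
    """
    patterns = allowed_actions(policy)
    redundant = []
    for i, p in enumerate(patterns):
        for j, q in enumerate(patterns):
            if i == j or not action_matches(q, p):
                continue
            same = p.lower() == q.lower()
            if not same or j < i:
                redundant.append(p)
                break
    return redundant


if __name__ == "__main__":
    # Required actions taken from the September 2023 Aurora row above; the sample policy
    # deliberately lacks them so the gap is visible.
    aurora_required = [
        "rds:DescribeDBClusterAutomatedBackups",
        "rds:DeleteDBClusterAutomatedBackups",
        "rds:ModifyDBCluster",
    ]
    report = {
        "grants_fsx_CopyBackup": grants(SAMPLE_POLICY, "fsx:CopyBackup"),
        "missing_for_aurora_pitr": missing_actions(SAMPLE_POLICY, aurora_required),
        "redundant_entries": redundant_actions(SAMPLE_POLICY),
    }
    print(json.dumps(report, indent=2))
```

Run it against your own customer managed policy by loading the JSON into `SAMPLE_POLICY`'s place; the report lists the actions a given table row requires that the policy lacks, and the entries you can drop without changing what the policy grants. Deny statements and `NotAction` are intentionally not modelled, so treat the result as a review aid rather than a full IAM evaluation.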