Actions, resources, and condition keys for AWS Backup - AWS Identity and Access Management

Tip

This page is moving to a new location on November 16, 2020. Please update your bookmark to use the new page at https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbackup.html.

AWS Backup (service prefix: backup) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by AWS Backup

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table.

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| CopyIntoBackupVault [permission only] | Copies into a backup vault. | Write | | | |
| CreateBackupPlan | Creates a new backup plan. | Write | backupPlan* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateBackupSelection | Creates a new resource assignment in a backup plan. | Write | backupPlan* | | iam:PassRole |
| CreateBackupVault | Creates a new backup vault. | Write | backupVault* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| DeleteBackupPlan | Deletes a backup plan. | Write | backupPlan* | | |
| DeleteBackupSelection | Deletes a resource assignment from a backup plan. | Write | backupPlan* | | |
| DeleteBackupVault | Deletes a backup vault. | Write | backupVault* | | |
| DeleteBackupVaultAccessPolicy | Deletes a backup vault access policy. | Write | backupVault* | | |
| DeleteBackupVaultNotifications | Removes notifications from a backup vault. | Write | backupVault* | | |
| DeleteRecoveryPoint | Deletes a recovery point from a backup vault. | Write | recoveryPoint* | | |
| DescribeBackupJob | Describes a backup job. | Read | | | |
| DescribeBackupVault | Describes a backup vault. | Read | backupVault* | | |
| DescribeCopyJob | Describes a copy job. | Read | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| DescribeProtectedResource | Describes a protected resource. | Read | | | |
| DescribeRecoveryPoint | Describes a recovery point. | Read | recoveryPoint* | | |
| DescribeRegionSettings | Describes region settings. | Read | | | |
| DescribeRestoreJob | Describes a restore job. | Read | | | |
| ExportBackupPlanTemplate | Exports a backup plan as JSON. | Read | | | |
| GetBackupPlan | Gets a backup plan. | Read | backupPlan* | | |
| GetBackupPlanFromJSON | Transforms JSON into a backup plan. | Read | | | |
| GetBackupPlanFromTemplate | Transforms a template into a backup plan. | Read | | | |
| GetBackupSelection | Gets a backup plan resource assignment. | Read | backupPlan* | | |
| GetBackupVaultAccessPolicy | Gets a backup vault access policy. | Read | backupVault* | | |
| GetBackupVaultNotifications | Gets backup vault notifications. | Read | backupVault* | | |
| GetRecoveryPointRestoreMetadata | Gets recovery point restore metadata. | Read | recoveryPoint* | | |
| GetSupportedResourceTypes | Gets supported resource types. | Read | | | |
| ListBackupJobs | Lists backup jobs. | List | | | |
| ListBackupPlanTemplates | Lists backup plan templates provided by AWS Backup. | List | | | |
| ListBackupPlanVersions | Lists backup plan versions. | List | backupPlan* | | |
| ListBackupPlans | Lists backup plans. | List | | | |
| ListBackupSelections | Lists resource assignments for a specific backup plan. | List | backupPlan* | | |
| ListBackupVaults | Lists backup vaults. | List | | | |
| ListCopyJobs | Lists copy jobs. | List | | | |
| ListProtectedResources | Lists resources protected by AWS Backup. | List | | | |
| ListRecoveryPointsByBackupVault | Lists recovery points inside a backup vault. | List | backupVault* | | |
| ListRecoveryPointsByResource | Lists recovery points for a resource. | List | | | |
| ListRestoreJobs | Lists restore jobs. | List | | | |
| ListTags | Lists tags for a resource. | List | backupPlan, backupVault, recoveryPoint | | |
| PutBackupVaultAccessPolicy | Adds an access policy to the backup vault. | Write | backupVault* | | |
| PutBackupVaultNotifications | Adds an SNS topic to the backup vault. | Write | backupVault* | | |
| StartBackupJob | Starts a new backup job. | Write | backupVault* | | iam:PassRole |
| StartCopyJob | Copies a backup from a source region to a destination region. | Write | recoveryPoint* | aws:RequestTag/${TagKey}, aws:TagKeys | iam:PassRole |
| StartRestoreJob | Starts a new restore job. | Write | recoveryPoint* | | iam:PassRole |
| StopBackupJob | Stops a backup job. | Write | | | |
| TagResource | Tags a resource. | Tagging | backupPlan, backupVault, recoveryPoint | aws:RequestTag/${TagKey}, aws:TagKeys | |
| UntagResource | Untags a resource. | Tagging | backupPlan, backupVault, recoveryPoint | aws:TagKeys | |
| UpdateBackupPlan | Updates a backup plan. | Write | backupPlan* | | |
| UpdateRecoveryPointLifecycle | Updates the lifecycle of the recovery point. | Write | recoveryPoint* | | |
| UpdateRegionSettings | Updates region settings. | Write | | | |

Resource types defined by AWS Backup

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table.

| Resource types | ARN | Condition keys |
|---|---|---|
| backupVault | arn:${Partition}:backup:${Region}:${Account}:backup-vault:${BackupVaultName} | aws:ResourceTag/${TagKey} |
| backupPlan | arn:${Partition}:backup:${Region}:${Account}:backup-plan:${BackupPlanId} | aws:ResourceTag/${TagKey} |
| recoveryPoint | arn:${Partition}:${Vendor}:${Region}:*:${ResourceType}:${RecoveryPointId} | aws:ResourceTag/${TagKey} |

Condition keys for AWS Backup

AWS Backup defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters actions based on the allowed set of values for each of the tags | String |
| aws:ResourceTag/${TagKey} | Filters actions based on the tags associated with the resource | String |
| aws:TagKeys | Filters actions based on the presence of mandatory tags in the request | String |
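The three tables above (actions with their required resource types and dependent actions, the ARN formats of the resource types) are the rules a policy reviewer checks by hand. The following added example, which is not part of this AWS reference and not an AWS tool, encodes a subset of those rules and audits a constructed IAM policy against them: Resource must be "*" for actions with no resource type, a resource-level ARN must fit the action's required resource type, and a dependent iam:PassRole must be granted. The ARN matching is a simplified approximation of IAM's own wildcard handling, and the sample policy, account id and vault name are constructed.

```python
# Subset of the actions table: action -> (required resource type, dependent action).
ACTIONS = {
    "backup:StartBackupJob":      ("backupVault", "iam:PassRole"),
    "backup:StartRestoreJob":     ("recoveryPoint", "iam:PassRole"),
    "backup:DeleteRecoveryPoint": ("recoveryPoint", None),
    "backup:ListBackupJobs":      (None, None),  # no resource type: Resource must be "*"
    "backup:DescribeBackupJob":   (None, None),
}
# ARN formats from the resource types table.
ARN_TEMPLATES = {
    "backupVault":   "arn:${Partition}:backup:${Region}:${Account}:backup-vault:${BackupVaultName}",
    "backupPlan":    "arn:${Partition}:backup:${Region}:${Account}:backup-plan:${BackupPlanId}",
    "recoveryPoint": "arn:${Partition}:${Vendor}:${Region}:*:${ResourceType}:${RecoveryPointId}",
}

def aslist(v):
    return v if isinstance(v, list) else [v]

def arn_matches(arn, template):
    """Simplified matcher (assumption, not IAM's engine): ${...} fields accept any value,
    literal fields must match exactly, and a '*' field in the policy ARN matches anything."""
    a, t = arn.split(":"), template.split(":")
    if len(a) != len(t):
        return False
    return all(tf.startswith("${") or af == "*" or af == tf for af, tf in zip(a, t))

def audit(policy):
    """Return a list of findings (strings) for statements granting the actions above."""
    findings, stmts = [], policy["Statement"]
    granted = {a for s in stmts if s["Effect"] == "Allow" for a in aslist(s["Action"])}
    for s in stmts:
        for action in aslist(s["Action"]):
            if action not in ACTIONS:
                continue  # actions outside the subset are not checked
            rtype, dep = ACTIONS[action]
            for r in aslist(s["Resource"]):
                if rtype is None and r != "*":
                    findings.append(f"{action}: no resource type, Resource must be '*' (got {r})")
                elif rtype and r != "*" and not arn_matches(r, ARN_TEMPLATES[rtype]):
                    findings.append(f"{action}: Resource {r} is not a {rtype} ARN")
            if dep and dep not in granted:
                findings.append(f"{action}: dependent action {dep} is not allowed in this policy")
    return findings

# Constructed sample: an operator policy meant to start backups into a single vault.
VAULT_ARN = "arn:aws:backup:us-east-1:123456789012:backup-vault:prod-vault"
OPERATOR_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["backup:StartBackupJob"], "Resource": VAULT_ARN},
    {"Effect": "Allow", "Action": "backup:ListBackupJobs", "Resource": "*"},
    {"Effect": "Allow", "Action": "backup:DeleteRecoveryPoint", "Resource": VAULT_ARN},  # wrong ARN type
]}
```

Running `audit(OPERATOR_POLICY)` reports that StartBackupJob lacks its dependent iam:PassRole grant and that DeleteRecoveryPoint is scoped to a vault ARN where a recoveryPoint ARN is required; adding an iam:PassRole statement for the backup role clears the first finding.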