Access Control

You can have valid credentials to authenticate your requests, but unless you have the appropriate permissions, you can't access AWS Backup resources such as backup vaults. You also can't back up AWS resources such as Amazon Elastic Block Store (Amazon EBS) volumes.

Every AWS resource is owned by an AWS account, and permissions to create or access a resource are governed by permissions policies. An account administrator can attach permissions policies to AWS Identity and Access Management (IAM) identities (that is, users, groups, and roles). And some services also support attaching permissions policies to resources.

Note

An account administrator (or administrator user) is a user with administrator permissions. For more information, see IAM Best Practices in the IAM User Guide.

When granting permissions, you decide who is getting the permissions, the resources they get permissions for, and the specific actions that you want to allow on those resources.

The following sections cover how access policies work and how you use them to protect your backups.

Resources and Operations

A resource is an object that exists within a service. AWS Backup resources include backup plans, backup vaults, and backups. Backup is a general term that refers to the various types of backup resources that exist in AWS. For example, Amazon EBS snapshots, Amazon Relational Database Service (Amazon RDS) snapshots, and Amazon DynamoDB backups are all types of backup resources.

In AWS Backup, backups are also referred to as recovery points. When using AWS Backup, you also work with the resources from other AWS services that you are trying to protect, such as Amazon EBS volumes or DynamoDB tables. These resources have unique Amazon Resource Names (ARNs) associated with them. ARNs uniquely identify AWS resources. You must have an ARN when you need to specify a resource unambiguously across all of AWS, such as in IAM policies or API calls.

The following table lists resources, subresources, and ARN format.

AWS Backup Resource ARNs
Resource Type	ARN Format
Backup plan	arn:aws:backup:region:account-id:backup-plan:*
Backup vault	arn:aws:backup:region:account-id:backup-vault:*
Recovery point for Amazon EBS	arn:aws:ec2:region::snapshot/*
Recovery point for Amazon EFS	arn:aws:backup:region:account-id:recovery-point:*
Recovery point for Amazon RDS	arn:aws:rds:region:account-id:snapshot:awsbackup:*
Recovery point for Amazon Aurora	arn:aws:rds:region:account-id:cluster-snapshot:awsbackup:*
Recovery point for AWS Storage Gateway	arn:aws:ec2:region::snapshot/*
Recovery point for DynamoDB	arn:aws:dynamodb:region:account-id::table/*/backup/*

AWS Backup provides a set of operations to work with AWS Backup resources. For a list of available operations, see AWS Backup Actions.

Resource Ownership

The AWS account owns the resources that are created in the account, regardless of who created the resources. Specifically, the resource owner is the AWS account of the principal entity (that is, the AWS account root user, an IAM user, or an IAM role) that authenticates the resource creation request. The following examples illustrate how this works:

• If you use the AWS account root user credentials of your AWS account to create a backup vault, your AWS account is the owner of the vault.

• If you create an IAM user in your AWS account and grant permissions to create a backup vault to that user, the user can create a backup vault. However, your AWS account, to which the user belongs, owns the backup vault resource.

• If you create an IAM role in your AWS account with permissions to create a backup vault, anyone who can assume the role can create a vault. Your AWS account, to which the role belongs, owns the backup vault resource.

Specifying Policy Elements: Actions, Effects, and Principals

For each AWS Backup resource (see Resources and Operations), the service defines a set of API operations (see Actions). To grant permissions for these API operations, AWS Backup defines a set of actions that you can specify in a policy. Performing an API operation can require permissions for more than one action.

The following are the most basic policy elements:

• Resource – In a policy, you use an Amazon Resource Name (ARN) to identify the resource to which the policy applies. For more information, see Resources and Operations.

• Action – You use action keywords to identify resource operations that you want to allow or deny.

• Effect – You specify the effect when the user requests the specific action—this can be either allow or deny. If you don't explicitly grant access to (allow) a resource, access is implicitly denied. You can also explicitly deny access to a resource, which you might do to make sure that a user cannot access it, even if a different policy grants access.

• Principal – In identity-based policies (IAM policies), the user that the policy is attached to is the implicit principal. For resource-based policies, you specify the user, account, service, or other entity that you want to receive permissions (applies to resource-based policies only).

To learn more about IAM policy syntax and descriptions, see IAM JSON Policy Reference in the IAM User Guide.

For a table showing all of the AWS Backup API actions, see API Permissions: Actions, Resources, and Conditions Reference.

Specifying Conditions in a Policy

When you grant permissions, you can use the IAM policy language to specify the conditions when a policy should take effect. For example, you might want a policy to be applied only after a specific date. For more information about specifying conditions in a policy language, see Condition in the IAM User Guide.

To express conditions, you use predefined condition keys. There are no condition keys specific to AWS Backup. However, there are AWS-wide condition keys that you can use as appropriate. For a complete list of AWS-wide keys, see AWS Global Condition Context Keys in the IAM User Guide.

Note

AWS Backup does not support tag or context key conditions in access policies for any of its actions.

API Permissions: Actions, Resources, and Conditions Reference

When you are setting up Access Control and writing a permissions policy that you can attach to an IAM identity (identity-based policies), you can use the following table as a reference. The table lists each AWS Backup API operation, the corresponding actions for which you can grant permissions to perform the action, and the AWS resource for which you can grant the permissions. You specify the actions in the policy's Action field, and you specify the resource value in the policy's Resource field.

You can use AWS-wide condition keys in your AWS Backup policies to express conditions. For a complete list of AWS-wide keys, see Available Keys in the IAM User Guide.

Use the scroll bars to see the rest of the table.

AWS Backup API and Required Permissions for Actions
AWS Backup API Operations	Required Permissions (API Actions)	Resources
CreateBackupPlan	backup:CreateBackupPlan	arn:aws:backup:region:account-id:backup-plan:*
CreateBackupSelection	backup:CreateBackupSelection	arn:aws:backup:region:account-id:backup-plan:*
CreateBackupVault	backup:CreateBackupVault backup-storage:Mount backup-storage:MountCapsule kms:CreateGrant kms:GenerateDataKey kms:Decrypt kms:RetireGrant kms:DescribeKey	arn:aws:backup:region:account-id:backup-vault:* For backup-storage: * For kms: arn:aws:backup:region:account-id:key:*
DeleteBackupPlan	backup:DeleteBackupPlan	arn:aws:backup:region:account-id:backup-plan:*
DeleteBackupSelection	backup:DeleteBackupSelection	arn:aws:backup:region:account-id:backup-plan:*
DeleteBackupVault	backup:DeleteBackupVault Uses existing vault access policy.	arn:aws:backup:region:account-id:backup-vault:*
DeleteBackupVaultAccessPolicy	backup:DeleteBackupVaultAccessPolicy	arn:aws:backup:region:account-id:backup-vault:*
DeleteBackupVaultNotifications	backup:DeleteBackupVaultNotification Uses existing vault access policy.	arn:aws:backup:region:account-id:backup-vault:*
DeleteRecoveryPoint	backup:DeleteRecoveryPoint Uses existing vault access policy.	See AWS Backup Resource ARNs for resource-specific recovery point ARNs.
DescribeBackupJob	backup:DescribeBackupJob
DescribeBackupVault	backup:DescribeBackupVault Uses existing vault access policy.	arn:aws:backup:region:account-id:backup-vault:*
DescribeProtectedResource	backup:DescribeProtectedResource
DescribeRecoveryPoint	backup:DescribeRecoveryPoint Uses existing vault access policy.	arn:aws:backup:region:account-id:backup-vault:* See AWS Backup Resource ARNs for resource-specific recovery point ARNs.
DescribeRestoreJob	backup:DescribeRestoreJob	arn:aws:backup:region:account-id:recovery-point:*
DescribeRegionSettings	backup:DescribeRegionSettings
ExportBackupPlanTemplate	backup:ExportBackupPlanTemplate
GetBackupPlan	backup:GetBackupPlan	arn:aws:backup:region:account-id:backup-plan:*
GetBackupPlanFromJSON	backup:GetBackupPlanFromJSON
GetBackupPlanFromTemplate	backup:GetBackupPlanFromTemplate	arn:aws:backup:region:account-id:backup-plan:*
GetBackupSelection	backup:GetBackupSelection	arn:aws:backup:region:account-id:backup-plan:*
GetBackupVaultAccessPolicy	backup:GetBackupVaultAccessPolicy Uses existing vault access policy.	arn:aws:backup:region:account-id:backup-vault:*
GetBackupVaultNotifications	backup:GetBackupVaultNotification Uses existing vault access policy.	arn:aws:backup:region:account-id:backup-vault:*
GetRecoveryPointRestoreMetadata	backup:GetRecoveryPointRestoreMetadata Uses existing vault access policy.	arn:aws:backup:region:account-id:backup-vault:*
GetSupportedResourceTypes	backup:GetSupportedResourceTypes
ListBackupJobs	backup:ListBackupJobs
ListBackupPlans	backup:ListBackupPlans
ListBackupPlanTemplates	backup:ListBackupPlanTemplates
ListBackupPlanVersions	backup:ListBackupPlanVersions	arn:aws:backup:region:account-id:backup-plan:*
ListBackupSelections	backup:ListBackupSelections	arn:aws:backup:region:account-id:backup-plan:*
ListBackupVaults	backup:ListBackupVaults	arn:aws:backup:region:account-id:backup-vault:*
ListProtectedResources	backup:ListProtectedResources
ListRecoveryPointsByBackupVault	backup:ListRecoveryPointsByBackupVault Uses existing vault access policy.	arn:aws:backup:region:account-id:backup-vault:*
ListRecoveryPointsByResource	backup:ListRecoveryPointsByResource
ListRestoreJobs	backup:ListRestoreJobs
ListTags	backup:ListTags
PutBackupVaultAccessPolicy	backup:PutBackupVaultAccessPolicy Uses existing vault access policy.	arn:aws:backup:region:account-id:backup-vault:*
PutBackupVaultNotifications	backup:PutBackupVaultNotifications Uses existing vault access policy.	arn:aws:backup:region:account-id:backup-vault:*
StartBackupJob	backup:StartBackupJob	arn:aws:backup:region:account-id:backup-vault:*
StartRestoreJob	backup:StartRestoreJob	arn:aws:backup:region:account-id:backup-vault:* arn:aws:backup:region:account-id:recovery-point:* Note StartRestoreJob also needs to have the key-value pair in the metadata for the resource. To get the metadata of the resource, call the GetRecoveryPointRestoreMetadata API.
StopBackupJob	backup:StopBackupJob
TagResource	backup:TagResource
UntagResource	backup:UntagResource
UpdateBackupPlan	backup:UpdateBackupPlan	arn:aws:backup:region:account-id:backup-plan:*
UpdateRecoveryPointLifecycle	backup:UpdateRecoveryPointLifecycle Uses existing vault access policy.	arn:aws:backup:region:account-id:backup-vault:* See AWS Backup Resource ARNs for resource-specific recovery point ARNs.
UpdateRegionSettings	backup:UpdateRegionSettings backup:DescribeRegionSettings

Copy Tags Permissions

When AWS Backup performs a backup or copy job, it attempts to copy the tags from your source resource (or recovery point in the case of copy) to your recovery point. AWS Backup aggregates the tags you specify in your backup plan (or on-demand backup) with the tags from your source resource. If AWS Backup cannot copy all the tags to the recovery point, it will fail the job. This can happen for the following reasons:

• Your resource has more than 50 tags after aggregating your backup job tags with your source resource tags. AWS supports up to 50 tags per resource. For more information, see Tag limits in the AWS General Reference Guide.

• The IAM role you provide to AWS Backup lacks permissions to read the source tags or set the destination tags. For more information and sample IAM role policies, see Managed Policies.

You can use your backup plan to create tags that contradict your source resource tags. When the two conflict, the tags from your backup plan take precedence. Use this technique if you prefer not to copy a tag value from your source resource. Specify the same tag key, but different or empty value, using your backup plan.

Permissions Required to Assign Tags to Backups
Resource Type	Required Permission
Amazon EFS file system	elasticfilesystem:DescribeTags
Amazon FSx file system	fsx:ListTagsForResource
Amazon RDS database and Amazon Aurora cluster	rds:AddTagsToResource rds:ListTagsForResource
AWS Storage Gateway volume	storagegateway:ListTagsForResource
Amazon EC2 instance and Amazon EBS volume	EC2:CreateTags EC2:DescribeTags

DynamoDB does not support assigning tags to backups. AWS Backup does not copy tags from tables.

When an Amazon EC2 backup creates an Image Recovery Point and a set of snapshots, AWS Backup copies tags to the resulting AMI. AWS Backup also copies the tags from the volumes associated with the Amazon EC2 instance to the resulting snapshots.

Access Policies

A permissions policy describes who has access to what. Policies attached to an IAM identity are referred to as identity-based policies (IAM policies). Policies attached to a resource are referred to as resource-based policies. AWS Backup supports both identity-based policies and resource-based policies.

Note

This section discusses using IAM in the context of AWS Backup. It doesn't provide detailed information about the IAM service. For complete IAM documentation, see What Is IAM? in the IAM User Guide. For information about IAM policy syntax and descriptions, see IAM JSON Policy Reference in the IAM User Guide.

Identity-Based Policies (IAM Policies)

Identity-based policies are policies that you can attach to IAM identities, such as users or roles. For example, you can define a policy that allows a user to view and back up AWS resources, but prevents them from restoring backups.

For more information about users, groups, roles, and permissions, see Identities (Users, Groups, and Roles) in the IAM User Guide.

For information about how to use IAM policies to control access to backups, see Managed Policies.

Resource-Based Policies

AWS Backup supports resource-based access policies for backup vaults. This enables you to define an access policy that can control which users have what kind of access to any of the backups organized in a backup vault. Resource-based access policies for backup vaults provide an easy way to control access to your backups.

Backup vault access policies control user access when you use AWS Backup APIs. Some backup types, such as Amazon Elastic Block Store (Amazon EBS) and Amazon Relational Database Service (Amazon RDS) snapshots, can also be accessed using those services' APIs. You can create separate access policies in IAM that control access to those APIs in order to fully control access to backups.

To learn how to create an access policy for backup vaults, see Setting Access Policies on Backup Vaults and Recovery Points.

Managed Policies

Managed policies are standalone identity-based policies that you can attach to multiple users, groups, and roles in your AWS account. You can use AWS managed policies or customer managed policies to control access to backups in AWS Backup.

AWS Managed Policies

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases. AWS managed policies make it easier for you to assign appropriate permissions to users, groups, and roles than if you had to write the policies yourself.

However, you can't change the permissions defined in AWS managed policies. AWS occasionally updates the permissions defined in an AWS managed policy. When this occurs, the update affects all principal entities (users, groups, and roles) that the policy is attached to.

AWS Backup provides several AWS managed policies for common use cases. These policies make it easier to define the right permissions and control access to your backups. There are two types of managed policies. One type is designed to be assigned to users to control their access to AWS Backup. The other type of managed policy is designed to be attached to roles that you pass to AWS Backup. The following table lists all the managed policies that AWS Backup provides and describes how they are defined. You can find these managed policies in the Policies section of the IAM console.

Policy Name	IAM Managed Policy Name	Description
Backup Administrator IAM Policy	AWSBackupFullAccess (AWSBackupAdminPolicy is deprecated)	The backup administrator has full access to AWS Backup operations, including creating or editing backup plans, assigning AWS resources to backup plans, and restoring backups. Backup administrators are responsible for determining and enforcing backup compliance by defining backup plans that meet their organization's business and regulatory requirements. Backup administrators also ensure that their organization's AWS resources are assigned to the appropriate plan.
Backup Operator IAM Policy	AWSBackupOperatorAccess (AWSBackupOperatorPolicy is deprecated)	Backup operators are users that are responsible for ensuring the resources that they are responsible for are properly backed up. Backup operators have permissions to assign AWS resources to the backup plans that the backup administrator creates. They also have permissions to create on-demand backups of their AWS resources and to configure the retention period of on-demand backups. Backup operators do not have permissions to create or edit backup plans or to delete scheduled backups after they are created. Backup operators can restore backups. You can limit the resource types that a backup operator can assign to a backup plan or restore from a backup. You do this by allowing only certain service roles to be passed to AWS Backup that have permissions for a certain resource type.
Backup Administrator AWS Organizations Policy	AWSBackupOrganizationAdminAccess	The organization administrator has full access to AWS Organizations operations, including creating, editing, or deleting backup policies, assigning backup policies to accounts and organizational units, and monitoring backup activities within the organization. Organization administrators are responsible for protecting accounts in their organization by defining and assigning backup policies that meet their organization's business and regulatory requirements.
Default Service Role Policy for Backups	AWSBackupServiceRolePolicyForBackup	Provides AWS Backup permissions to create backups of all supported resource types on your behalf.
Default Service Role Policy for Restores	AWSBackupServiceRolePolicyForRestores	Provides AWS Backup permissions to restore backups of all supported resource types on your behalf. For EC2 instance restores, you must also include the following permissions to launch the EC2 instance: "Action":"iam:PassRole", "Resource":"arn:aws:iam::account-id:role/role-name", "Effect":"Allow"

Customer Managed Policies

You can create standalone policies that you administer in your own AWS account. These policies are referred to as customer managed policies. You can then attach the policies to multiple principal entities in your AWS account. When you attach a policy to a principal entity, you give the entity the permissions that are defined in the policy.

One way to create a customer managed policy is to start by copying an existing AWS managed policy. That way you know that the policy is correct at the beginning, and all you need to do is customize it to your environment.

The following policies specify backup and restore permissions for individual AWS services. They can be customized and attached to roles that you create to further limit access to AWS resources.

Backup and Restore Policies for Individual AWS Services
Service Backup Policy	Service Restore Policy
DynamoDB Backup Policy { "Version":"2012-10-17", "Statement":[ { "Action":[ "dynamodb:DescribeTable", "dynamodb:CreateBackup" ], "Resource":"arn:aws:dynamodb:*:*:table/*", "Effect":"Allow" }, { "Action":[ "dynamodb:DescribeBackup", "dynamodb:DeleteBackup" ], "Resource":"arn:aws:dynamodb:*:*:table/*/backup/*", "Effect":"Allow" }, { "Effect":"Allow", "Action":[ "backup:DescribeBackupVault", "backup:CopyIntoBackupVault" ], "Resource":"arn:aws:backup:*:*:backup-vault:*" } ] }	DynamoDB Restore Policy { "Version":"2012-10-17", "Statement":[ { "Action":[ "dynamodb:DescribeBackup", "dynamodb:DescribeTable", "dynamodb:RestoreTableFromBackup", "dynamodb:Scan", "dynamodb:Query", "dynamodb:UpdateItem", "dynamodb:PutItem", "dynamodb:GetItem", "dynamodb:DeleteItem", "dynamodb:BatchWriteItem" ], "Resource":"arn:aws:dynamodb:*:*:table/*", "Effect":"Allow" }, { "Action":[ "dynamodb:RestoreTableFromBackup", "dynamodb:DeleteBackup" ], "Resource":"arn:aws:dynamodb:*:*:table/*/backup/*", "Effect":"Allow" } ] }
Amazon EBS Backup Policy { "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":"ec2:CreateTags", "Resource":"arn:aws:ec2:*::snapshot/*" }, { "Effect":"Allow", "Action":[ "ec2:CreateSnapshot", "ec2:DeleteSnapshot" ], "Resource":[ "arn:aws:ec2:*::snapshot/*", "arn:aws:ec2:*:*:volume/*" ] }, { "Effect":"Allow", "Action":[ "ec2:DescribeVolumes", "ec2:DescribeSnapshots", "ec2:DescribeTags" ], "Resource":"*" }, { "Action":[ "tag:GetResources" ], "Resource":"*", "Effect":"Allow" }, { "Effect":"Allow", "Action":[ "backup:DescribeBackupVault", "backup:CopyIntoBackupVault" ], "Resource":"arn:aws:backup:*:*:backup-vault:*" } ] }	Amazon EBS Restore Policy { "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "ec2:CreateVolume", "ec2:DeleteVolume" ], "Resource":[ "arn:aws:ec2:*::snapshot/*", "arn:aws:ec2:*:*:volume/*" ] }, { "Effect":"Allow", "Action":[ "ec2:DescribeSnapshots", "ec2:DescribeVolumes" ], "Resource":"*" } ] }
Amazon EFS Backup Policy { "Version":"2012-10-17", "Statement":[ { "Action":[ "elasticfilesystem:Backup", "elasticfilesystem:DescribeTags" ], "Resource":"arn:aws:elasticfilesystem:*:*:file-system/*", "Effect":"Allow" }, { "Action":[ "tag:GetResources" ], "Resource":"*", "Effect":"Allow" }, { "Effect":"Allow", "Action":[ "backup:DescribeBackupVault", "backup:CopyIntoBackupVault" ], "Resource":"arn:aws:backup:*:*:backup-vault:*" } ] }	Amazon EFS Restore Policy { "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "elasticfilesystem:Restore", "elasticfilesystem:CreateFilesystem", "elasticfilesystem:DescribeFilesystems", "elasticfilesystem:DeleteFilesystem" ], "Resource":"arn:aws:elasticfilesystem:*:*:file-system/*" } ] }
Amazon RDS Backup Policy { "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "rds:AddTagsToResource", "rds:ListTagsForResource", "rds:DescribeDBSnapshots", "rds:CreateDBSnapshot", "rds:CopyDBSnapshot", "rds:DescribeDBInstances", "rds:CreateDBClusterSnapshot", "rds:DescribeDBClusters", "rds:DescribeDBClusterSnapshots", "rds:CopyDBClusterSnapshot" ], "Resource":"*" }, { "Effect":"Allow", "Action":[ "rds:DeleteDBSnapshot", "rds:ModifyDBSnapshotAttribute" ], "Resource":[ "arn:aws:rds:*:*:snapshot:awsbackup:*" ] }, { "Effect": "Allow", "Action": [ "rds:DeleteDBClusterSnapshot", "rds:ModifyDBClusterSnapshotAttribute" ], "Resource": [ "arn:aws:rds:*:*:cluster-snapshot:awsbackup:*" ] }, { "Action":[ "tag:GetResources" ], "Resource":"*", "Effect":"Allow" }, { "Effect":"Allow", "Action":[ "backup:DescribeBackupVault", "backup:CopyIntoBackupVault" ], "Resource":"arn:aws:backup:*:*:backup-vault:*" }, { "Action":"kms:DescribeKey", "Effect":"Allow", "Resource":"*" } ] }	Amazon RDS Restore Policy { "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "rds:DescribeDBInstances", "rds:DescribeDBSnapshots", "rds:ListTagsForResource", "rds:RestoreDBInstanceFromDBSnapshot", "rds:DeleteDBInstance", "rds:AddTagsToResource" ], "Resource":"*" } ] }
Amazon Aurora Backup Policy { "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "rds:CreateDBClusterSnapshot", "rds:DescribeDBClusters", "rds:DescribeDBClusterSnapshots", "rds:AddTagsToResource", "rds:ListTagsForResource", "rds:CopyDBClusterSnapshot" ], "Resource":"*" }, { "Effect":"Allow", "Action":[ "rds:DeleteDBClusterSnapshot" ], "Resource":[ "arn:aws:rds:*:*:cluster-snapshot:awsbackup:*" ] }, { "Action":[ "tag:GetResources" ], "Resource":"*", "Effect":"Allow" }, { "Effect":"Allow", "Action":[ "backup:DescribeBackupVault", "backup:CopyIntoBackupVault" ], "Resource":"arn:aws:backup:*:*:backup-vault:*" }, { "Action":"kms:DescribeKey", "Effect":"Allow", "Resource":"*" } ] }	Amazon Aurora Restore Policy { "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "rds:DeleteDBCluster", "rds:DescribeDBClusters", "rds:RestoreDBClusterFromSnapshot", "rds:ListTagsForResource", "rds:AddTagsToResource" ], "Resource":"*" } ] }
AWS Storage Gateway Backup Policy { "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "storagegateway:CreateSnapshot", "storagegateway:ListTagsForResource" ], "Resource":"arn:aws:storagegateway:*:*:gateway/*/volume/*" }, { "Effect":"Allow", "Action":[ "ec2:CreateTags", "ec2:DeleteSnapshot" ], "Resource":"arn:aws:ec2:*::snapshot/*" }, { "Effect":"Allow", "Action":[ "ec2:DescribeSnapshots" ], "Resource":"*" }, { "Action":[ "tag:GetResources" ], "Resource":"*", "Effect":"Allow" }, { "Effect":"Allow", "Action":[ "backup:DescribeBackupVault", "backup:CopyIntoBackupVault" ], "Resource":"arn:aws:backup:*:*:backup-vault:*" } ] }	AWS Storage Gateway Restore Policy { "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "storagegateway:DeleteVolume", "storagegateway:DescribeCachediSCSIVolumes", "storagegateway:DescribeStorediSCSIVolumes" ], "Resource":"arn:aws:storagegateway:*:*:gateway/*/volume/*" }, { "Effect":"Allow", "Action":[ "storagegateway:DescribeGatewayInformation", "storagegateway:CreateStorediSCSIVolume", "storagegateway:CreateCachediSCSIVolume" ], "Resource":"arn:aws:storagegateway:*:*:gateway/*" }, { "Effect":"Allow", "Action":[ "storagegateway:ListVolumes" ], "Resource":"arn:aws:storagegateway:*:*:*" } ] }
Amazon FSx Backup Policy { "Version":"2012-10-17", "Statement":[ { "Action": "fsx:DescribeBackups", "Effect": "Allow", "Resource": "arn:aws:fsx:*:*:backup/*" }, { "Action": "fsx:CreateBackup", "Effect": "Allow", "Resource": [ "arn:aws:fsx:*:*:file-system/*", "arn:aws:fsx:*:*:backup/*" ] }, { "Action": "fsx:DescribeFileSystems", "Effect": "Allow", "Resource": "arn:aws:fsx:*:*:file-system/*" }, { "Action": "fsx:ListTagsForResource", "Effect": "Allow", "Resource": "arn:aws:fsx:*:*:file-system/*" }, { "Action": "fsx:DeleteBackup", "Effect": "Allow", "Resource": "arn:aws:fsx:*:*:backup/*" } ] }	Amazon FSx Restore Policy { "Version": "2012-10-17", "Statement": [ { "Action": [ "fsx:CreateFileSystemFromBackup" ], "Effect": "Allow", "Resource": [ "arn:aws:fsx:*:*:file-system/*", "arn:aws:fsx:*:*:backup/*" ] }, { "Action": "fsx:DescribeFileSystems", "Effect": "Allow", "Resource": "arn:aws:fsx:*:*:file-system/*" }, { "Action": "fsx:DescribeBackups", "Effect": "Allow", "Resource": "arn:aws:fsx:*:*:backup/*" }, { "Action": [ "fsx:DeleteFileSystem", "fsx:UntagResource" ], "Effect": "Allow", "Resource": "arn:aws:fsx:*:*:file-system/*", "Condition": { "Null": { "aws:ResourceTag/aws:backup:source-resource": "false" } } }, { "Action": "ds:DescribeDirectories", "Effect": "Allow", "Resource": "*" } ] }
Amazon EC2 Backup Policy { "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "ec2:CreateTags", "ec2:DeleteSnapshot" ], "Resource":"arn:aws:ec2:*::snapshot/*" }, { "Effect":"Allow", "Action":[ "ec2:CreateImage", "ec2:DeregisterImage" ], "Resource":"*" }, { "Effect":"Allow", "Action":[ "ec2:CopyImage", "ec2:CopySnapshot" ], "Resource":"*" }, { "Effect":"Allow", "Action":[ "ec2:CreateTags" ], "Resource":"arn:aws:ec2:*:*:image/*" }, { "Effect":"Allow", "Action":[ "ec2:DescribeSnapshots", "ec2:DescribeTags", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceCreditSpecifications", "ec2:DescribeNetworkInterfaces", "ec2:DescribeElasticGpus", "ec2:DescribeSpotInstanceRequests" ], "Resource":"*" }, { "Effect":"Allow", "Action":[ "ec2:CreateSnapshot", "ec2:DeleteSnapshot", "ec2:DescribeVolumes", "ec2:DescribeSnapshots" ], "Resource":[ "arn:aws:ec2:*::snapshot/*", "arn:aws:ec2:*:*:volume/*" ] }, { "Action":[ "tag:GetResources" ], "Resource":"*", "Effect":"Allow" }, { "Effect":"Allow", "Action":[ "backup:DescribeBackupVault", "backup:CopyIntoBackupVault" ], "Resource":"arn:aws:backup:*:*:backup-vault:*" } ] }	Amazon EC2 Restore Policy { "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "ec2:CreateVolume", "ec2:DeleteVolume" ], "Resource":[ "arn:aws:ec2:*::snapshot/*", "arn:aws:ec2:*:*:volume/*" ] }, { "Effect":"Allow", "Action":[ "ec2:DescribeSnapshots", "ec2:DescribeVolumes" ], "Resource":"*" }, { "Effect":"Allow", "Action":[ "ec2:DescribeImages", "ec2:DescribeInstances" ], "Resource":"*" }, { "Action":[ "ec2:RunInstances" ], "Effect":"Allow", "Resource":"*" }, { "Action":[ "ec2:TerminateInstances" ], "Effect":"Allow", "Resource":"arn:aws:ec2:*:*:instance/*" }, { "Action":"iam:PassRole", "Resource":"arn:aws:iam::<account-id>:role/<role-name>", "Effect":"Allow" } ] }
Windows VSS (Volume Shadow Copy Service) Backup Policy { "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "ec2:CreateTags", "ec2:DeleteSnapshot" ], "Resource":"arn:aws:ec2:*::snapshot/*" }, { "Effect":"Allow", "Action":[ "ec2:CreateImage", "ec2:DeregisterImage" ], "Resource":"*" }, { "Effect":"Allow", "Action":[ "ec2:CopyImage", "ec2:CopySnapshot" ], "Resource":"*" }, { "Effect":"Allow", "Action":[ "ec2:CreateTags" ], "Resource":"arn:aws:ec2:*:*:image/*" }, { "Effect":"Allow", "Action":[ "ec2:DescribeSnapshots", "ec2:DescribeTags", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceCreditSpecifications", "ec2:DescribeNetworkInterfaces", "ec2:DescribeElasticGpus", "ec2:DescribeSpotInstanceRequests" ], "Resource":"*" }, { "Effect":"Allow", "Action":[ "ec2:CreateSnapshot", "ec2:DeleteSnapshot", "ec2:DescribeVolumes", "ec2:DescribeSnapshots" ], "Resource":[ "arn:aws:ec2:*::snapshot/*", "arn:aws:ec2:*:*:volume/*" ] }, { "Action":[ "tag:GetResources" ], "Resource":"*", "Effect":"Allow" }, { "Effect":"Allow", "Action":[ "backup:DescribeBackupVault", "backup:CopyIntoBackupVault" ], "Resource":"arn:aws:backup:*:*:backup-vault:*" }, { "Effect":"Allow", "Action":[ "ssm:CancelCommand", "ssm:GetCommandInvocation" ], "Resource":"*" }, { "Effect":"Allow", "Action":"ssm:SendCommand", "Resource":[ "arn:aws:ssm:*:*:document/AWSEC2-CreateVssSnapshot", "arn:aws:ec2:*:*:instance/*" ] } ] }