AWS Backup
Developer Guide


Setting Access Policies on Backup Vaults and Recovery Points

With AWS Backup, you can assign a policy to a role, user, or group that restricts access to backup vaults and the resources they contain. Assigning policies allows you to do things like grant access to users to create backup plans and on-demand backups, but limit their ability to delete recovery points after they're created.

For information about using policies to grant or restrict access to resources, see Identity-Based Policies and Resource-Based Policies in the IAM User Guide. You can use the following example policies as a guide to limit access to resources when you are working with AWS Backup vaults.

For a list of Amazon Resource Names (ARNs) that you can use to identify recovery points for different resource types, see AWS Backup Resource ARNs for resource-specific recovery point ARNs.

Deny Access to a Resource Type in a Backup Vault

This policy denies access to the specified API operations for all Amazon EBS snapshots in a backup vault.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "statement ID",
      "Effect": "Deny",
      "Principal": {
        "AWS": "arn:aws:iam::Account ID:role/MyRole"
      },
      "Action": [
        "backup:UpdateRecoveryPointLifecycle",
        "backup:DescribeRecoveryPoint",
        "backup:DeleteRecoveryPoint",
        "backup:GetRecoveryPointRestoreMetadata",
        "backup:StartRestoreJob"
      ],
      "Resource": ["arn:aws:ec2:Region::snapshot/*"]
    }
  ]
}

Note

This access policy only controls user access to AWS Backup APIs. Some backup types, such as Amazon Elastic Block Store (Amazon EBS) and Amazon Relational Database Service (Amazon RDS) snapshots, can also be accessed through the APIs of those services. To fully control access to those backups, create separate IAM access policies that also restrict access to those service APIs.

Deny Access to a Backup Vault

This policy denies access to the specified API operations targeting a backup vault.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "statement ID",
      "Effect": "Deny",
      "Principal": {
        "AWS": "arn:aws:iam::Account ID:role/MyRole"
      },
      "Action": [
        "backup:DescribeBackupVault",
        "backup:DeleteBackupVault",
        "backup:PutBackupVaultAccessPolicy",
        "backup:DeleteBackupVaultAccessPolicy",
        "backup:GetBackupVaultAccessPolicy",
        "backup:StartBackupJob",
        "backup:GetBackupVaultNotifications",
        "backup:PutBackupVaultNotifications",
        "backup:DeleteBackupVaultNotifications",
        "backup:ListRecoveryPointsByBackupVault"
      ],
      "Resource": "arn:aws:backup:Region:Account ID:backup-vault:backup vault name"
    }
  ]
}

Deny Access to Delete Recovery Points in a Backup Vault

Access to vaults and the ability to delete the recovery points stored in them are determined by the access that you grant your users.

Follow these steps to create a resource-based access policy on a backup vault that prevents the deletion of any backups in the backup vault.

To create a resource-based access policy on a backup vault

  1. Sign in to the AWS Management Console, and open the AWS Backup console at https://console.aws.amazon.com/backup.

  2. In the navigation pane on the left, choose Backup vaults.

  3. Choose a backup vault in the list.

  4. In the Access policy section, paste the following JSON example. This policy prevents anyone who is not the principal from deleting a recovery point in the target backup vault. Replace statement ID, Account ID, and principal type (role/MyRole) with values for your environment.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "statement ID",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "backup:DeleteRecoveryPoint",
          "Resource": "*",
          "Condition": {
            "StringNotLike": {
              "aws:userId": [
                "arn:aws:iam::Account ID:role/MyRole"
              ]
            }
          }
        }
      ]
    }

    The aws:userId condition key carries the unique ID of the IAM entity that makes the request (for a role session, the role's unique ID, a colon, and the session name), not its ARN, so replace the placeholder value with that unique ID. For information on getting the unique ID of an IAM entity, see Getting the Unique ID.

    If you want to limit this policy to specific resource types, instead of "Resource": "*" you can explicitly list the recovery point types to deny. For example, for Amazon EBS snapshots, change the resource to:

    "Resource": ["arn:aws:ec2:Region::snapshot/*"]

  5. Choose Attach policy.
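As an added example that is not part of the AWS Backup guide, the following Python simulates how the Deny statement from step 4 is evaluated for a few request contexts, so the policy can be checked before it is attached. It models only what that statement uses (Effect Deny, Action and Resource patterns, and a StringNotLike condition on aws:userId with IAM-style wildcards), not the full AWS policy engine; the unique ID AROAEXAMPLEID, the user ID, and the snapshot ARN are constructed placeholders. It also shows what happens when an ARN rather than a unique ID is put in aws:userId: the intended role is locked out along with everyone else.

```python
import fnmatch
import json

# Constructed policy shaped like the one pasted into the vault in step 4;
# "AROAEXAMPLEID" is a placeholder for the unique ID of the role allowed to delete.
VAULT_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyDeleteExceptBackupAdmin",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "backup:DeleteRecoveryPoint",
    "Resource": "*",
    "Condition": {"StringNotLike": {"aws:userId": ["AROAEXAMPLEID:*"]}}
  }]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _iam_like(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' one character.
    return fnmatch.fnmatchcase(value, pattern)


def is_denied(policy, action, resource, context):
    """True if a Deny statement matches the request (an explicit Deny always wins)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(_iam_like(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_iam_like(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        # StringNotLike holds when the value matches none of its patterns: Deny hits everyone else.
        not_like = stmt.get("Condition", {}).get("StringNotLike", {})
        if all(not any(_iam_like(p, context.get(k, "")) for p in _as_list(pats))
               for k, pats in not_like.items()):
            return True
    return False


def with_user_id_patterns(policy, patterns):
    """Copy of the policy with the aws:userId patterns swapped, for comparison."""
    clone = json.loads(json.dumps(policy))
    clone["Statement"][0]["Condition"]["StringNotLike"]["aws:userId"] = patterns
    return clone
```

Run is_denied with the request context of the role session that should keep delete rights and with any other identity; only the first should come back False.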