AWS Backup
Developer Guide

Creating a Resource-Based Access Policy for a Backup Vault

With AWS Backup, you can create a resource-based access policy for a backup vault. Doing this enables you to define an access policy to control which users have what kind of access to the backups that are organized in the vault. For more information about resource-based access policies, see Identity-Based Policies and Resource-Based Policies in the IAM User Guide.


This access policy only controls user access to AWS Backup APIs. Some backup types, such as Amazon Elastic Block Store (Amazon EBS) and Amazon Relational Database Service (Amazon RDS) snapshots, can also be accessed using the APIs of those services. You can create separate access policies in IAM that control access to those APIs in order to fully control the access to backups.

Access to vaults and the ability to delete recovery points stored in them will be determined by the access you grant your users. You can further restrict deleting recovery points with a resource-based access policy.

Follow these steps to create a resource-based access policy on a backup vault that prevents the deletion of any backups in the backup vault.

To create a resource-based access policy on a backup vault

  1. Sign in to the AWS Management Console, and open the AWS Backup console at

  2. In the navigation pane on the left, choose Backup vaults.

  3. Choose a backup vault in the list.

  4. In the Access policy section, paste the following JSON example. This policy prevents anyone from deleting a backup in this vault. Replace <your account ID> with your AWS account ID, and replace backup vault name with your vault name.

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": "*", "Action": "backup:DeleteRecoveryPoint", "Resource": "arn:aws:backup:us-east-1:<your account ID>:backup-vault:<backup vault name>" } ] }
  5. Choose Attach policy.