IAM Service Roles - AWS Backup

IAM Service Roles

An AWS Identity and Access Management (IAM) role is similar to a user, in that it is an AWS identity with permissions policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. A service role is a role that an AWS service assumes to perform actions on your behalf. As a service that performs backup operations on your behalf, AWS Backup requires that you pass it a role to assume when performing backup operations on your behalf. For more information about IAM roles, see IAM Roles in the IAM User Guide.

The role that you pass to AWS Backup must have an IAM policy with the permissions that enable AWS Backup to perform actions associated with backup operations, such as creating, restoring, or expiring backups. Different permissions are required for each of the AWS services that AWS Backup supports. The role must also have AWS Backup listed as a trusted entity, which enables AWS Backup to assume the role.

You pass a role to AWS Backup when restoring or creating a backup. You also specify a role when assigning your AWS resources to a backup plan. This is the role that AWS Backup assumes when creating and expiring backups on your behalf according to the backup plan that you assigned the resource to.

Using AWS Roles to Control Access to Backups

You can use roles to control access to your backups by defining narrowly scoped roles and by specifying who can pass that role to AWS Backup. For example, you could create a role that only grants permissions to back up Amazon Relational Database Service (Amazon RDS) databases and only grant Amazon RDS database owners permission to pass that role to AWS Backup. AWS Backup provides several predefined managed policies for each of the supported services. You can attach these managed policies to roles that you create. This makes it easier to create service-specific roles that have the correct permissions that AWS Backup needs.

For more information about AWS managed policies for AWS Backup, see Managed Policies.

Default Service Roles for AWS Backup

When using AWS Backup for the first time, you can choose to have AWS Backup create a default service role for you. This role has the permissions that AWS Backup requires to perform backup operations for all the AWS services that it supports. You should use the default role if you are okay with using the same role for all of the resource types that you want to back up. If you prefer to use separate roles for different resource types for security reasons, you can also create your own roles to pass to AWS Backup rather than using the default roles.


If you are a first-time user of AWS Backup, you must create the role, list the role, and pass the role permissions. After the role is created, only list role and pass role permissions are required.

There are two separate default roles that AWS Backup can create for you. One is for creating backups, and the other is for restoring backups.

AWS Backup Default Service Role for Backups

This role includes an IAM policy that grants AWS Backup permissions to describe the resource being backed up, the ability to create, delete, or describe a backup, and the ability to add tags to the backup. This IAM policy includes the necessary permissions for all the resource types that AWS Backup supports.

AWS Backup Default Service Role for Restores

This role includes an IAM policy that grants AWS Backup permissions to create, delete, or describe the new resource being created from a backup. It also includes permissions to tag the newly created resource. This IAM policy includes the necessary permissions for all the resource types that AWS Backup supports.