Policy updates for AWS Backup

To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies.

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.

View details about updates to AWS managed policies for AWS Backup since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the AWS Backup Document history page.

Change Description Date

AWSBackupFullAccess — Added permission to create service-linked role

AWS Backup added iam:CreateServiceLinkedRole to create a service-linked role (on a best effort basis) to automate the deletion of expired recovery points for you. Without this service-linked role, AWS Backup cannot delete expired recovery points after customers delete the original IAM role they used to create their recovery points.

AWS Backup needed this permission as part of the DeleteRecoveryPoint API operation.

July 5, 2021

AWSBackupServiceLinkedRolePolicyForBackup — Added permission to support deletion of DynamoDB recovery points

AWS Backup added the new action dynamodb:DeleteBackup to grant DeleteRecoveryPoint permission to automate the deletion of expired DynamoDB recovery points based on your backup plan lifecycle settings.

AWS Backup needed this permission to delete DynamoDB tables as part of the DeleteRecoveryPoint API operation.

July 5, 2021

AWSBackupOperatorAccess — Removed redundant actions

AWS Backup removed the existing actions backup:GetRecoveryPointRestoreMetadata and rds:DescribeDBSnapshots because they were redundant.

AWS Backup did not need both backup:GetRecoveryPointRestoreMetadata and backup:Get* as part of the AWSBackupOperatorAccess AWS Managed Policy. Also, AWS Backup did not need both rds:DescribeDBSnapshots and rds:describeDBSnapshots as part of the AWSBackupOperatorAccess AWS Managed Policy.

May 25, 2021

AWSBackupOperatorPolicy — Removed redundant actions

AWS Backup removed the existing actions backup:GetRecoveryPointRestoreMetadata and rds:DescribeDBSnapshots because they were redundant.

AWS Backup did not need both backup:GetRecoveryPointRestoreMetadata and backup:Get* as part of the AWSBackupOperatorPolicy AWS Managed Policy. Also, AWS Backup did not need both rds:DescribeDBSnapshots and rds:describeDBSnapshots as part of the AWSBackupOperatorPolicy AWS Managed Policy.

May 25, 2021

AWSBackupServiceRolePolicyForRestores — Added permission to apply tags to Amazon FSx restores

AWS Backup added the new action fsx:TagResource to grant StartRestoreJob permission to allow you to apply tags to Amazon FSx file systems during the restore process.

AWS Backup needed this permission to apply tags to Amazon FSx file systems as part of the StartRestoreJob API operation.

May 24, 2021

AWSBackupServiceRolePolicyForRestores — Added permission to perform Amazon EC2 restores

AWS Backup added the new actions ec2:DescribeImages and ec2:DescribeInstances to grant StartRestoreJob permission to allow you to restore Amazon EC2 instances from recovery points.

AWS Backup needed this permission to restore Amazon EC2 instances from recovery points as part of the StartRestoreJob API operation.

May 24, 2021

AWSBackupServiceRolePolicyForBackup — Added permission to perform Amazon FSx cross-Region and cross-account copies

AWS Backup added the new action fsx:CopyBackup to grant StartCopyJob permission to allow you to copy Amazon FSx recovery points across Regions and accounts.

AWS Backup needed this permission to copy Amazon FSx recovery points across Regions and accounts as part of the StartCopyJob API operation.

April 12, 2021

AWSBackupServiceLinkedRolePolicyForBackup — Added permission to perform Amazon FSx cross-Region and cross-account copies

AWS Backup added the new action fsx:CopyBackup to grant StartCopyJob permission to allow you to copy Amazon FSx recovery points across Regions and accounts.

AWS Backup needed this permission to copy Amazon FSx recovery points across Regions and accounts as part of the StartCopyJob API operation.

April 12, 2021

AWSBackupServiceRolePolicyForBackup — Added permissions to support encrypted DynamoDB table backup

AWS Backup updated its AWS managed policies to comply with the following requirement:

For AWS Backup to create a backup of an encrypted DynamoDB table, you must add the permissions kms:Decrypt and kms:GenerateDataKey to the IAM role used for backup.

March 10, 2021

AWSBackupFullAccess — Added permissions to support Amazon RDS continuous backups and point-in-time restore

AWS Backup updated its AWS managed policy to comply with the following requirements:

To use AWS Backup to configure continuous backups for your Amazon RDS database, verify the API permission rds:ModifyDBInstance exists in the IAM role defined by your Backup plan configuration.

To restore Amazon RDS continuous backups, you must add the permission rds:RestoreDBInstanceToPointInTime to the IAM role you submitted for the restore job.

In the AWS Backup console, to describe the range of times available for point-in-time recovery, you must include the rds:DescribeDBInstanceAutomatedBackups API permission in your IAM managed policy.

March 10, 2021

AWS Backup started tracking changes

AWS Backup started tracking changes for its AWS managed policies.

March 10, 2021
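Two entries above are worth checking against your own customer managed policies: the May 25, 2021 removals rest on the fact that IAM action names match case-insensitively and that a wildcard such as backup:Get* already covers backup:GetRecoveryPointRestoreMetadata, and the March 10, 2021 entries list actions a role must hold before encrypted DynamoDB backups or Amazon RDS continuous backups will work. The Python below is an added example, not AWS code and not part of this page. It evaluates a policy document at the action level only, ignoring Resource and Condition elements, so it is a lint rather than a replacement for the IAM policy simulator. The sample policy JSON is constructed here and is not a real AWS managed policy; the feature labels in REQUIRED are mine, while the action names in it come from the page.

```python
"""Action-level checks over IAM policy documents (added example).

IAM action names match case-insensitively and support '*' and '?'
wildcards. That is why a statement listing both backup:Get* and
backup:GetRecoveryPointRestoreMetadata, or both rds:DescribeDBSnapshots
and rds:describeDBSnapshots, carries redundant entries.
"""
import fnmatch
import json

# Constructed sample shaped like a trimmed operator policy; it is NOT the
# real AWSBackupOperatorAccess document.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "backup:Get*",
        "backup:List*",
        "backup:GetRecoveryPointRestoreMetadata",
        "rds:DescribeDBSnapshots",
        "rds:describeDBSnapshots",
        "rds:ModifyDBInstance"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "backup:GetBackupVaultAccessPolicy",
      "Resource": "*"
    }
  ]
}
""")

# Actions the page lists as required for specific AWS Backup features.
# The action names are from the page; the feature labels are mine.
REQUIRED = {
    "encrypted DynamoDB backup": ["kms:Decrypt", "kms:GenerateDataKey"],
    "RDS continuous backup + PITR": [
        "rds:ModifyDBInstance",
        "rds:RestoreDBInstanceToPointInTime",
        "rds:DescribeDBInstanceAutomatedBackups",
    ],
}


def _as_list(value):
    """IAM accepts either a single string or a list for Statement/Action."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _is_wildcard(pattern):
    return "*" in pattern or "?" in pattern


def action_matches(pattern, action):
    """True if an IAM action pattern (e.g. 'backup:Get*') covers action.

    Comparison is case-insensitive; '*' and '?' are wildcards.
    """
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def action_allowed(policy, action):
    """Coarse evaluation: some Allow statement matches and no Deny does.

    Resource and Condition are ignored on purpose, so a True here means
    'the action is named', not 'the call will succeed on every resource'.
    """
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement")):
        hit = any(action_matches(p, action) for p in _as_list(stmt.get("Action")))
        if stmt.get("Effect") == "Allow":
            allowed = allowed or hit
        elif stmt.get("Effect") == "Deny":
            denied = denied or hit
    return allowed and not denied


def redundant_actions(policy):
    """Return (action, covered_by) pairs within a single Allow statement.

    An action is redundant if an earlier entry is the same name in a
    different case, or if another entry is a wildcard that covers it.
    """
    found = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        for i, act in enumerate(actions):
            for j, other in enumerate(actions):
                if i == j:
                    continue
                same_name = act.lower() == other.lower()
                if same_name and j < i:  # case-only duplicate of an earlier entry
                    found.append((act, other))
                    break
                if not same_name and not _is_wildcard(act) and action_matches(other, act):
                    found.append((act, other))  # a broader pattern already covers it
                    break
    return found


def missing_actions(policy, required=REQUIRED):
    """Map each feature to the required actions the policy does not grant."""
    return {
        feature: [a for a in actions if not action_allowed(policy, a)]
        for feature, actions in required.items()
    }


if __name__ == "__main__":
    for act, covered_by in redundant_actions(SAMPLE_POLICY):
        print(f"redundant: {act} (already covered by {covered_by})")
    for feature, missing in missing_actions(SAMPLE_POLICY).items():
        print(f"{feature}: missing {missing or 'nothing'}")
```

To run this against a live policy, pass the `Document` field returned by `aws iam get-policy-version` (for the version reported as the default by `aws iam get-policy`) to `json.loads` in place of the constructed sample; the redundancy check only ever reports entries that a policy author could drop without changing effective permissions, and the missing-action check tells you which of the page's requirements a role still fails.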