
Managed policies for AWS Backup

Managed policies

Managed policies are standalone identity-based policies that you can attach to multiple users, groups, and roles in your AWS account.

AWS managed policies deliver an out-of-the-box experience for AWS Backup.

Customer managed policies give you fine-grained controls to set access to backups in AWS Backup. For example, you can use them to give your database backup administrator access to Amazon RDS backups but not Amazon EFS ones.

For updates to managed policies, see Policy updates.

Customer managed policies

You can create standalone policies that you administer in your own AWS account. These policies are referred to as customer managed policies. You can then attach the policies to multiple principal entities in your AWS account. When you attach a policy to a principal entity, you give the entity the permissions that are defined in the policy.

One way to create a customer managed policy is to start by copying an existing AWS managed policy. That way you know that the policy is correct at the beginning, and all you need to do is customize it to your environment.

The following policies specify backup and restore permissions for individual AWS Backup-supported AWS services and third-party applications. They can be customized and attached to roles that you create to further limit access to AWS resources.

Backup and restore policies for individual AWS Backup-supported resources

Each resource below is listed with its backup policy followed by its restore policy.
Amazon S3 backup policy
{ "Version":"2012-10-17", "Statement":[ { "Sid":"S3BucketBackupPermissions", "Action":[ "s3:GetInventoryConfiguration", "s3:PutInventoryConfiguration", "s3:ListBucketVersions", "s3:ListBucket", "s3:GetBucketVersioning", "s3:GetBucketNotification", "s3:PutBucketNotification", "s3:GetBucketLocation", "s3:GetBucketTagging" ], "Effect":"Allow", "Resource":[ "arn:aws:s3:::*" ] }, { "Sid":"S3ObjectBackupPermissions", "Action":[ "s3:GetObjectAcl", "s3:GetObject", "s3:GetObjectVersionTagging", "s3:GetObjectVersionAcl", "s3:GetObjectTagging", "s3:GetObjectVersion" ], "Effect":"Allow", "Resource":[ "arn:aws:s3:::*/*" ] }, { "Sid":"S3GlobalPermissions", "Action":[ "s3:ListAllMyBuckets" ], "Effect":"Allow", "Resource":[ "*" ] }, { "Sid":"KMSBackupPermissions", "Action":[ "kms:Decrypt", "kms:DescribeKey" ], "Effect":"Allow", "Resource":"*", "Condition":{ "StringLike":{ "kms:ViaService":"s3.*.amazonaws.com" } } }, { "Sid":"EventsPermissions", "Action":[ "events:DescribeRule", "events:EnableRule", "events:PutRule", "events:DeleteRule", "events:PutTargets", "events:RemoveTargets", "events:ListTargetsByRule", "events:DisableRule" ], "Effect":"Allow", "Resource":"arn:aws:events:*:*:rule/AwsBackupManagedRule*" }, { "Sid":"EventsMetricsGlobalPermissions", "Action":[ "cloudwatch:GetMetricData", "events:ListRules" ], "Effect":"Allow", "Resource":"*" } ] }
Amazon S3 restore policy
{ "Version":"2012-10-17", "Statement":[ { "Sid":"S3BucketRestorePermissions", "Action":[ "s3:CreateBucket", "s3:ListBucketVersions", "s3:ListBucket", "s3:GetBucketVersioning", "s3:GetBucketLocation", "s3:PutBucketVersioning" ], "Effect":"Allow", "Resource":[ "arn:aws:s3:::*" ] }, { "Sid":"S3ObjectRestorePermissions", "Action":[ "s3:GetObject", "s3:GetObjectVersion", "s3:DeleteObject", "s3:PutObjectVersionAcl", "s3:GetObjectVersionAcl", "s3:GetObjectTagging", "s3:PutObjectTagging", "s3:GetObjectAcl", "s3:PutObjectAcl", "s3:PutObject", "s3:ListMultipartUploadParts" ], "Effect":"Allow", "Resource":[ "arn:aws:s3:::*/*" ] }, { "Sid":"S3KMSPermissions", "Action":[ "kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey" ], "Effect":"Allow", "Resource":"*", "Condition":{ "StringLike":{ "kms:ViaService":"s3.*.amazonaws.com" } } } ] }
Virtual Machine backup policy
{ "Version":"2012-10-17", "Statement":[ { "Sid":"BackupGatewayBackupPermissions", "Effect":"Allow", "Action":[ "backup-gateway:Backup", "backup-gateway:ListTagsForResource" ], "Resource":"arn:aws:backup-gateway:*:*:vm/*" } ] }
Virtual Machine restore policy
{ "Version":"2012-10-17", "Statement":[ { "Sid":"GatewayRestorePermissions", "Effect":"Allow", "Action":[ "backup-gateway:Restore" ], "Resource":"arn:aws:backup-gateway:*:*:hypervisor/*" } ] }
Amazon EBS backup policy
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":"ec2:CreateTags", "Resource":"arn:aws:ec2:*::snapshot/*" }, { "Effect":"Allow", "Action":[ "ec2:CreateSnapshot", "ec2:DeleteSnapshot" ], "Resource":[ "arn:aws:ec2:*::snapshot/*", "arn:aws:ec2:*:*:volume/*" ] }, { "Effect":"Allow", "Action":[ "ec2:DescribeVolumes", "ec2:DescribeSnapshots", "ec2:CopySnapshot", "ec2:DescribeTags" ], "Resource":"*" }, { "Action":[ "tag:GetResources" ], "Resource":"*", "Effect":"Allow" }, { "Effect":"Allow", "Action":[ "backup:DescribeBackupVault", "backup:CopyIntoBackupVault" ], "Resource":"arn:aws:backup:*:*:backup-vault:*" } ] }
Amazon EBS restore policy
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "ec2:CreateVolume", "ec2:DeleteVolume" ], "Resource":[ "arn:aws:ec2:*::snapshot/*", "arn:aws:ec2:*:*:volume/*" ] }, { "Effect":"Allow", "Action":[ "ec2:DescribeSnapshots", "ec2:DescribeVolumes" ], "Resource":"*" } ] }
Amazon EFS backup policy
{ "Version":"2012-10-17", "Statement":[ { "Action":[ "elasticfilesystem:Backup", "elasticfilesystem:DescribeTags" ], "Resource":"arn:aws:elasticfilesystem:*:*:file-system/*", "Effect":"Allow" }, { "Action":[ "tag:GetResources" ], "Resource":"*", "Effect":"Allow" }, { "Effect":"Allow", "Action":[ "backup:DescribeBackupVault", "backup:CopyIntoBackupVault" ], "Resource":"arn:aws:backup:*:*:backup-vault:*" } ] }
Amazon EFS restore policy
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "elasticfilesystem:Restore", "elasticfilesystem:CreateFilesystem", "elasticfilesystem:DescribeFilesystems", "elasticfilesystem:DeleteFilesystem" ], "Resource":"arn:aws:elasticfilesystem:*:*:file-system/*" } ] }
Amazon RDS backup policy
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "rds:AddTagsToResource", "rds:ListTagsForResource", "rds:DescribeDBSnapshots", "rds:CreateDBSnapshot", "rds:CopyDBSnapshot", "rds:DescribeDBInstances", "rds:CreateDBClusterSnapshot", "rds:DescribeDBClusters", "rds:DescribeDBClusterSnapshots", "rds:CopyDBClusterSnapshot" ], "Resource":"*" }, { "Effect":"Allow", "Action":[ "rds:DeleteDBSnapshot", "rds:ModifyDBSnapshotAttribute" ], "Resource":[ "arn:aws:rds:*:*:snapshot:awsbackup:*" ] }, { "Effect": "Allow", "Action": [ "rds:DeleteDBClusterSnapshot", "rds:ModifyDBClusterSnapshotAttribute" ], "Resource": [ "arn:aws:rds:*:*:cluster-snapshot:awsbackup:*" ] }, { "Action":[ "tag:GetResources" ], "Resource":"*", "Effect":"Allow" }, { "Effect":"Allow", "Action":[ "backup:DescribeBackupVault", "backup:CopyIntoBackupVault" ], "Resource":"arn:aws:backup:*:*:backup-vault:*" }, { "Action":"kms:DescribeKey", "Effect":"Allow", "Resource":"*" } ] }
Amazon RDS restore policy
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "rds:DescribeDBInstances", "rds:DescribeDBSnapshots", "rds:ListTagsForResource", "rds:RestoreDBInstanceFromDBSnapshot", "rds:DeleteDBInstance", "rds:AddTagsToResource" ], "Resource":"*" } ] }
Amazon Aurora backup policy
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "rds:CreateDBClusterSnapshot", "rds:DescribeDBClusters", "rds:DescribeDBClusterSnapshots", "rds:AddTagsToResource", "rds:ListTagsForResource", "rds:CopyDBClusterSnapshot" ], "Resource":"*" }, { "Effect":"Allow", "Action":[ "rds:DeleteDBClusterSnapshot" ], "Resource":[ "arn:aws:rds:*:*:cluster-snapshot:awsbackup:*" ] }, { "Action":[ "tag:GetResources" ], "Resource":"*", "Effect":"Allow" }, { "Effect":"Allow", "Action":[ "backup:DescribeBackupVault", "backup:CopyIntoBackupVault" ], "Resource":"arn:aws:backup:*:*:backup-vault:*" }, { "Action":"kms:DescribeKey", "Effect":"Allow", "Resource":"*" } ] }
Amazon Aurora restore policy
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "rds:DeleteDBCluster", "rds:DescribeDBClusters", "rds:RestoreDBClusterFromSnapshot", "rds:ListTagsForResource", "rds:AddTagsToResource" ], "Resource":"*" } ] }
Storage Gateway backup policy
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "storagegateway:CreateSnapshot", "storagegateway:ListTagsForResource" ], "Resource":"arn:aws:storagegateway:*:*:gateway/*/volume/*" }, { "Effect":"Allow", "Action":[ "ec2:CreateTags", "ec2:DeleteSnapshot" ], "Resource":"arn:aws:ec2:*::snapshot/*" }, { "Effect":"Allow", "Action":[ "ec2:DescribeSnapshots" ], "Resource":"*" }, { "Action":[ "tag:GetResources" ], "Resource":"*", "Effect":"Allow" }, { "Effect":"Allow", "Action":[ "backup:DescribeBackupVault", "backup:CopyIntoBackupVault" ], "Resource":"arn:aws:backup:*:*:backup-vault:*" } ] }
Storage Gateway restore policy
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "storagegateway:DeleteVolume", "storagegateway:DescribeCachediSCSIVolumes", "storagegateway:DescribeStorediSCSIVolumes" ], "Resource":"arn:aws:storagegateway:*:*:gateway/*/volume/*" }, { "Effect":"Allow", "Action":[ "storagegateway:DescribeGatewayInformation", "storagegateway:CreateStorediSCSIVolume", "storagegateway:CreateCachediSCSIVolume" ], "Resource":"arn:aws:storagegateway:*:*:gateway/*" }, { "Effect":"Allow", "Action":[ "storagegateway:ListVolumes" ], "Resource":"arn:aws:storagegateway:*:*:*" } ] }
Amazon FSx backup policy
{ "Version":"2012-10-17", "Statement":[ { "Action": "fsx:DescribeBackups", "Effect": "Allow", "Resource": "arn:aws:fsx:*:*:backup/*" }, { "Action": "fsx:CreateBackup", "Effect": "Allow", "Resource": [ "arn:aws:fsx:*:*:file-system/*", "arn:aws:fsx:*:*:backup/*" ] }, { "Action": "fsx:DescribeFileSystems", "Effect": "Allow", "Resource": "arn:aws:fsx:*:*:file-system/*" }, { "Action": "fsx:ListTagsForResource", "Effect": "Allow", "Resource": "arn:aws:fsx:*:*:file-system/*" }, { "Action": "fsx:DeleteBackup", "Effect": "Allow", "Resource": "arn:aws:fsx:*:*:backup/*" }, { "Effect": "Allow", "Action": [ "fsx:ListTagsForResource", "fsx:ManageBackupPrincipalAssociations", "fsx:CopyBackup", "fsx:TagResource" ], "Resource": "arn:aws:fsx:*:*:backup/*" } ] }
Amazon FSx restore policy
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "fsx:CreateFileSystemFromBackup" ], "Effect": "Allow", "Resource": [ "arn:aws:fsx:*:*:file-system/*", "arn:aws:fsx:*:*:backup/*" ] }, { "Action": "fsx:DescribeFileSystems", "Effect": "Allow", "Resource": "arn:aws:fsx:*:*:file-system/*" }, { "Action": "fsx:DescribeBackups", "Effect": "Allow", "Resource": "arn:aws:fsx:*:*:backup/*" }, { "Action": [ "fsx:DeleteFileSystem", "fsx:UntagResource" ], "Effect": "Allow", "Resource": "arn:aws:fsx:*:*:file-system/*", "Condition": { "Null": { "aws:ResourceTag/aws:backup:source-resource": "false" } } }, { "Action": "ds:DescribeDirectories", "Effect": "Allow", "Resource": "*" } ] }
Amazon EC2 backup policy
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "ec2:CreateTags", "ec2:DeleteSnapshot" ], "Resource":"arn:aws:ec2:*::snapshot/*" }, { "Effect":"Allow", "Action":[ "ec2:CreateImage", "ec2:DeregisterImage" ], "Resource":"*" }, { "Effect":"Allow", "Action":[ "ec2:CopyImage", "ec2:CopySnapshot" ], "Resource":"*" }, { "Effect":"Allow", "Action":[ "ec2:CreateTags" ], "Resource":"arn:aws:ec2:*:*:image/*" }, { "Effect":"Allow", "Action":[ "ec2:DescribeSnapshots", "ec2:DescribeTags", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceCreditSpecifications", "ec2:DescribeNetworkInterfaces", "ec2:DescribeElasticGpus", "ec2:DescribeSpotInstanceRequests" ], "Resource":"*" }, { "Effect":"Allow", "Action":[ "ec2:CreateSnapshot", "ec2:DeleteSnapshot", "ec2:DescribeVolumes", "ec2:DescribeSnapshots" ], "Resource":[ "arn:aws:ec2:*::snapshot/*", "arn:aws:ec2:*:*:volume/*" ] }, { "Action":[ "tag:GetResources" ], "Resource":"*", "Effect":"Allow" }, { "Effect":"Allow", "Action":[ "backup:DescribeBackupVault", "backup:CopyIntoBackupVault" ], "Resource":"arn:aws:backup:*:*:backup-vault:*" } ] }
Amazon EC2 restore policy
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "ec2:CreateVolume", "ec2:DeleteVolume" ], "Resource":[ "arn:aws:ec2:*::snapshot/*", "arn:aws:ec2:*:*:volume/*" ] }, { "Effect":"Allow", "Action":[ "ec2:DescribeSnapshots", "ec2:DescribeVolumes" ], "Resource":"*" }, { "Effect":"Allow", "Action":[ "ec2:DescribeImages", "ec2:DescribeInstances" ], "Resource":"*" }, { "Action":[ "ec2:RunInstances" ], "Effect":"Allow", "Resource":"*" }, { "Action":[ "ec2:TerminateInstances" ], "Effect":"Allow", "Resource":"arn:aws:ec2:*:*:instance/*" }, { "Action":"iam:PassRole", "Resource":"arn:aws:iam::<account-id>:role/<role-name>", "Effect":"Allow" } ] }
Windows VSS (Volume Shadow Copy Service) backup policy
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "ec2:CreateTags", "ec2:DeleteSnapshot" ], "Resource":"arn:aws:ec2:*::snapshot/*" }, { "Effect":"Allow", "Action":[ "ec2:CreateImage", "ec2:DeregisterImage" ], "Resource":"*" }, { "Effect":"Allow", "Action":[ "ec2:CopyImage", "ec2:CopySnapshot" ], "Resource":"*" }, { "Effect":"Allow", "Action":[ "ec2:CreateTags" ], "Resource":"arn:aws:ec2:*:*:image/*" }, { "Effect":"Allow", "Action":[ "ec2:DescribeSnapshots", "ec2:DescribeTags", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceCreditSpecifications", "ec2:DescribeNetworkInterfaces", "ec2:DescribeElasticGpus", "ec2:DescribeSpotInstanceRequests" ], "Resource":"*" }, { "Effect":"Allow", "Action":[ "ec2:CreateSnapshot", "ec2:DeleteSnapshot", "ec2:DescribeVolumes", "ec2:DescribeSnapshots" ], "Resource":[ "arn:aws:ec2:*::snapshot/*", "arn:aws:ec2:*:*:volume/*" ] }, { "Action":[ "tag:GetResources" ], "Resource":"*", "Effect":"Allow" }, { "Effect":"Allow", "Action":[ "backup:DescribeBackupVault", "backup:CopyIntoBackupVault" ], "Resource":"arn:aws:backup:*:*:backup-vault:*" }, { "Effect":"Allow", "Action":[ "ssm:CancelCommand", "ssm:GetCommandInvocation" ], "Resource":"*" }, { "Effect":"Allow", "Action":"ssm:SendCommand", "Resource":[ "arn:aws:ssm:*:*:document/AWSEC2-CreateVssSnapshot", "arn:aws:ec2:*:*:instance/*" ] } ] }

To restore an encrypted backup, do one of the following:

  • Add your role to the allowlist for the AWS Key Management Service (AWS KMS) key policy, or

  • Attach this policy to your IAM role for restores:

    { "Action": [ "kms:DescribeKey", "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:ReEncrypt*" ], "Effect": "Allow", "Resource": "*" }

AWS managed policies

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases. AWS managed policies make it easier for you to assign appropriate permissions to users, groups, and roles than if you had to write the policies yourself.

However, you can't change the permissions defined in AWS managed policies. AWS occasionally updates the permissions defined in an AWS managed policy. When this occurs, the update affects all principal entities (users, groups, and roles) that the policy is attached to.

AWS Backup provides several AWS managed policies for common use cases. These policies make it easier to define the right permissions and control access to your backups. There are two types of managed policies. One type is designed to be assigned to users to control their access to AWS Backup. The other type of managed policy is designed to be attached to roles that you pass to AWS Backup. The following table lists all the managed policies that AWS Backup provides and describes how they are defined. You can find these managed policies in the Policies section of the IAM console.

Policy name: AWS Backup For Amazon S3 Backup Policy
IAM-managed policy name: AWSBackupServiceRolePolicyForS3Backup
Description: This policy contains the permissions necessary for AWS Backup to back up any S3 bucket. This includes access to all objects in a bucket and any associated AWS KMS key.

Policy name: AWS Backup For Amazon S3 Restore Policy
IAM-managed policy name: AWSBackupServiceRolePolicyForS3Restore
Description: This policy contains the permissions necessary for AWS Backup to restore an S3 backup to a bucket. This includes read and write permissions to the buckets and the use of any AWS KMS key with regard to S3 operations.

Policy name: Backup Audit IAM Policy
IAM-managed policy name: AWSBackupAuditAccess
Description: This policy grants permissions for users to create controls and frameworks that define their expectations for AWS Backup resources and activities, and to audit AWS Backup resources and activities against their defined controls and frameworks. This policy grants permissions to AWS Config and similar services to describe user expectations and perform the audits. This policy also grants permissions to deliver audit reports to Amazon S3 and similar services, and enables users to find and open their audit reports.

Policy name: AWS Service Role Policy for Backup Reports
IAM-managed policy name: AWSServiceRolePolicyForBackupReports
Description: AWS Backup uses this policy for the AWSServiceRoleForBackupReports service-linked role. This service-linked role gives AWS Backup permissions to monitor and report on the compliance of your backup settings, jobs, and resources with your frameworks.

Policy name: Backup Administrator IAM Policy
IAM-managed policy name: AWSBackupFullAccess (AWSBackupAdminPolicy is deprecated)
Description: The backup administrator has full access to AWS Backup operations, including creating or editing backup plans, assigning AWS resources to backup plans, and restoring backups. Backup administrators are responsible for determining and enforcing backup compliance by defining backup plans that meet their organization's business and regulatory requirements. Backup administrators also ensure that their organization's AWS resources are assigned to the appropriate plan.

Policy name: Backup Operator IAM Policy
IAM-managed policy name: AWSBackupOperatorAccess (AWSBackupOperatorPolicy is deprecated)
Description: Backup operators are users who are responsible for ensuring that the resources they own are properly backed up. Backup operators have permissions to assign AWS resources to the backup plans that the backup administrator creates. They also have permissions to create on-demand backups of their AWS resources and to configure the retention period of on-demand backups. Backup operators do not have permissions to create or edit backup plans or to delete scheduled backups after they are created. Backup operators can restore backups. You can limit the resource types that a backup operator can assign to a backup plan or restore from a backup. You do this by allowing only certain service roles, each holding permissions for a particular resource type, to be passed to AWS Backup.

Policy name: Backup Administrator AWS Organizations Policy
IAM-managed policy name: AWSBackupOrganizationAdminAccess
Description: The organization administrator has full access to AWS Organizations operations, including creating, editing, or deleting backup policies, assigning backup policies to accounts and organizational units, and monitoring backup activities within the organization. Organization administrators are responsible for protecting accounts in their organization by defining and assigning backup policies that meet their organization's business and regulatory requirements.

Policy name: Default Service Role Policy for Backups
IAM-managed policy name: AWSBackupServiceRolePolicyForBackup
Description: Provides AWS Backup permissions to create backups of all supported resource types on your behalf.

Policy name: Default Service Role Policy for Restores
IAM-managed policy name: AWSBackupServiceRolePolicyForRestores
Description: Provides AWS Backup permissions to restore backups of all supported resource types on your behalf. For EC2 instance restores, you must also include the following permissions to launch the EC2 instance:
"Action":"iam:PassRole", "Resource":"arn:aws:iam::account-id:role/role-name", "Effect":"Allow"
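The customer-managed-policy advice above (copy a managed policy, then narrow it to your environment) and the operator-scoping note (allow only specific service roles to be passed to AWS Backup) can both be worked through in code. The following is an added example, not part of the AWS documentation or of any AWS tooling: it starts from the Amazon EFS backup policy shown on this page, replaces its wildcard resource ARNs with specific ones, flags any mutating action that is still granted on a wildcard resource, and builds a PassRole statement restricted to named roles. The account ID, file system ID, vault name and role ARNs are constructed placeholders.

```python
"""Scope a copied AWS Backup policy and build a restricted PassRole statement.

Added example; not AWS's own code. All ARNs below are constructed placeholders.
"""
import copy
import json

# Amazon EFS backup policy exactly as shown on this page (wildcard resources).
EFS_BACKUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["elasticfilesystem:Backup", "elasticfilesystem:DescribeTags"],
         "Resource": "arn:aws:elasticfilesystem:*:*:file-system/*",
         "Effect": "Allow"},
        {"Action": ["tag:GetResources"], "Resource": "*", "Effect": "Allow"},
        {"Effect": "Allow",
         "Action": ["backup:DescribeBackupVault", "backup:CopyIntoBackupVault"],
         "Resource": "arn:aws:backup:*:*:backup-vault:*"},
    ],
}

# Constructed placeholders: map each wildcard ARN in the copied policy to the
# specific ARNs this role is allowed to touch in your environment.
SCOPE = {
    "arn:aws:elasticfilesystem:*:*:file-system/*": [
        "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-0123456789abcdef0"],
    "arn:aws:backup:*:*:backup-vault:*": [
        "arn:aws:backup:us-east-1:111122223333:backup-vault:efs-vault"],
}

READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def _as_list(value):
    """IAM allows Action/Resource as a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def scope_policy(policy, scope):
    """Return a deep copy of `policy` with every resource ARN found in `scope`
    replaced by the specific ARNs mapped to it. Resources not in `scope`
    (e.g. the bare "*" for tag:GetResources) are left unchanged."""
    scoped = copy.deepcopy(policy)
    for stmt in scoped["Statement"]:
        resources = []
        for arn in _as_list(stmt["Resource"]):
            resources.extend(scope.get(arn, [arn]))
        stmt["Resource"] = resources if len(resources) > 1 else resources[0]
    return scoped


def unscoped_mutations(policy):
    """Review check: list (Sid-or-index, action) pairs where a non-read-only
    action is still allowed on a resource containing a wildcard."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not any("*" in r for r in _as_list(stmt["Resource"])):
            continue
        for action in _as_list(stmt["Action"]):
            name = action.split(":", 1)[1] if ":" in action else action
            if not name.startswith(READ_ONLY_PREFIXES):
                findings.append((stmt.get("Sid", f"Statement[{i}]"), action))
    return findings


def pass_role_statement(role_arns):
    """Operator-policy statement: iam:PassRole only for the listed service
    roles, and only when the role is being passed to AWS Backup
    (iam:PassedToService is a standard IAM condition key)."""
    return {
        "Sid": "PassOnlyApprovedBackupRoles",
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": list(role_arns),
        "Condition": {"StringEquals": {"iam:PassedToService": "backup.amazonaws.com"}},
    }


if __name__ == "__main__":
    print("before scoping:", unscoped_mutations(EFS_BACKUP_POLICY))
    scoped = scope_policy(EFS_BACKUP_POLICY, SCOPE)
    print("after scoping:", unscoped_mutations(scoped))
    print(json.dumps(scoped, indent=2))
    print(json.dumps(pass_role_statement(
        ["arn:aws:iam::111122223333:role/BackupEfsOnlyRole"]), indent=2))
```

Run it as a script to print the narrowed policy; the flagged statements before scoping are exactly the two that grant a write action (Backup, CopyIntoBackupVault) on a wildcard ARN.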

Policy updates for AWS Backup

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.

View details about updates to AWS managed policies for AWS Backup since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the AWS Backup Document history page.

Change Description Date

AWSBackupServiceRolePolicyForRestores — Added access for Amazon RDS restore jobs.

AWS Backup added the following actions to grant access to create a database instance: rds:CreateDBInstance.

AWS Backup needed this permission for its support of Amazon RDS multi-Availability Zone (Multi-AZ) functionality.

July 20, 2022

AWSBackupServiceLinkedRolePolicyForBackup — Added permission to support Amazon S3 backup

AWS Backup added the s3:GetBucketTagging permission to grant the user permission to select buckets to back up with a resource wildcard. Without this permission, users who select which buckets to back up with a resource wildcard will be unsuccessful.

AWS Backup needed that permission for its support of Amazon S3 data.

May 6, 2022

AWSBackupServiceRolePolicyForBackup — Added new permissions to support FSx for ONTAP volume level backup.

AWS Backup added volume resources in the scope of existing fsx:CreateBackup and fsx:ListTagsForResource actions, and added new action fsx:DescribeVolumes to support FSx for ONTAP volume level backups.

AWS Backup needed this permission for its support of FSx for ONTAP.

April 27, 2022

AWSBackupServiceRolePolicyForRestores — Added permissions to support restoring FSx for ONTAP volumes.

AWS Backup added the following actions to grant the user permissions to restore FSx for ONTAP volumes: fsx:DescribeVolumes, fsx:CreateVolumeFromBackup, fsx:DeleteVolume, and fsx:UntagResource.

AWS Backup needed this permission for its support of FSx for ONTAP.

April 27, 2022

AWSBackupServiceRolePolicyForS3Backup — Added new permissions to support Amazon S3 backup

AWS Backup added the following actions to grant the user permissions to receive notifications of changes to their Amazon S3 buckets during backup operations: s3:GetBucketNotification and s3:PutBucketNotification.

AWS Backup needed those permissions for its support of Amazon S3 data.

February 25, 2022

AWSBackupServiceRolePolicyForS3Backup — Added new AWS Managed Policy to support Amazon S3 backup

In the new AWSBackupServiceRolePolicyForS3Backup AWS Managed Policy, AWS Backup added the following actions to grant the user permissions to back up their Amazon S3 buckets: s3:GetInventoryConfiguration, s3:PutInventoryConfiguration, s3:ListBucketVersions, s3:ListBucket, s3:GetBucketTagging, s3:GetBucketVersioning, s3:GetBucketNotification, s3:GetBucketLocation, and s3:ListAllMyBuckets.

AWS Backup added the following actions to grant the user permissions to back up their Amazon S3 objects: s3:GetObject, s3:GetObjectAcl, s3:GetObjectVersionTagging, s3:GetObjectVersionAcl, s3:GetObjectTagging, and s3:GetObjectVersion.

AWS Backup added the following actions to grant the user permissions to back up their encrypted Amazon S3 data: kms:Decrypt and kms:DescribeKey.

AWS Backup added the following actions to grant the user permissions to take incremental backups of their Amazon S3 data using Amazon EventBridge rules: events:DescribeRule, events:EnableRule, events:PutRule, events:DeleteRule, events:PutTargets, events:RemoveTargets, events:ListTargetsByRule, events:DisableRule, cloudwatch:GetMetricData, and events:ListRules.

AWS Backup needed those permissions for its support of Amazon S3 data.

February 17, 2022

AWSBackupServiceRolePolicyForS3Restore — Added new AWS Managed Policy to support Amazon S3 restore

In the new AWSBackupServiceRolePolicyForS3Restore AWS Managed Policy, AWS Backup added the following actions to grant the user permissions to restore their Amazon S3 buckets: s3:CreateBucket, s3:ListBucketVersions, s3:ListBucket, s3:GetBucketVersioning, s3:GetBucketLocation, and s3:PutBucketVersioning.

AWS Backup added the following actions to grant the user permissions to restore their Amazon S3 objects: s3:GetObject, s3:GetObjectVersion, s3:DeleteObject, s3:PutObjectVersionAcl, s3:GetObjectVersionAcl, s3:GetObjectTagging, s3:PutObjectTagging, s3:GetObjectAcl, s3:PutObjectAcl, s3:PutObject, and s3:ListMultipartUploadParts.

AWS Backup added the following actions to grant the user permissions to encrypt their restored Amazon S3 data: kms:Decrypt, kms:DescribeKey, and kms:GenerateDataKey.

AWS Backup needed those permissions for its support of Amazon S3 data.

February 17, 2022

AWSBackupServiceLinkedRolePolicyForBackup — Added permission to support Amazon S3 backup

AWS Backup added s3:ListAllMyBuckets to grant the user permissions to view a list of their buckets and choose which ones to assign to a backup plan.

AWS Backup needed that permission for its support of Amazon S3 data.

February 14, 2022

AWSBackupServiceLinkedRolePolicyForBackup — Added permission to list AWS Backup Gateway resources

AWS Backup added backup-gateway:ListVirtualMachines to grant the user permissions to view a list of their virtual machines and choose which ones to assign to a backup plan.

AWS Backup also added backup-gateway:ListTagsForResource to grant the user permissions to list the tags for their virtual machines.

AWS Backup needed these permissions for its support of virtual machines, which launched November 30, 2021.

November 30, 2021

AWSBackupServiceRolePolicyForBackup — Added permissions to back up virtual machines

AWS Backup added backup-gateway:Backup to grant the user permissions to back up their virtual machines. AWS Backup also added backup-gateway:ListTagsForResource to grant the user permissions to list the tags assigned to their virtual machine backups.

AWS Backup needed this permission for its support of virtual machines, which launched November 30, 2021.

November 30, 2021

AWSBackupServiceRolePolicyForRestores — Added permission to restore virtual machines

AWS Backup added backup-gateway:Restore to grant the user permissions to restore their virtual machine backups.

AWS Backup needed this permission for its support of virtual machines, which launched November 30, 2021.

November 30, 2021

AWSBackupFullAccess — Added permission to work with virtual machines

AWS Backup added the following actions to grant the users permissions to use AWS Backup Gateway to back up, restore, and manage their virtual machines: backup-gateway:AssociateGatewayToServer, backup-gateway:CreateGateway, backup-gateway:DeleteGateway, backup-gateway:DeleteHypervisor, backup-gateway:DisassociateGatewayFromServer, backup-gateway:ImportHypervisorConfiguration, backup-gateway:ListGateways, backup-gateway:ListHypervisors, backup-gateway:ListTagsForResource, backup-gateway:ListVirtualMachines, backup-gateway:PutMaintenanceStartTime, backup-gateway:TagResource, backup-gateway:TestHypervisorConfiguration, backup-gateway:UntagResource, backup-gateway:UpdateGatewayInformation, and backup-gateway:UpdateHypervisor.

AWS Backup needed this permission for its support of AWS Backup Gateway, which launched November 30, 2021.

November 30, 2021

AWSBackupOperatorAccess — Added permission to list AWS Backup Gateway resources

AWS Backup added the following actions to grant the user permissions to back up their virtual machines: backup-gateway:ListGateways, backup-gateway:ListHypervisors, backup-gateway:ListTagsForResource, and backup-gateway:ListVirtualMachines.

AWS Backup needed this permission for its support of virtual machines, which launched November 30, 2021.

November 30, 2021

AWSBackupServiceLinkedRolePolicyForBackup — Added permission to back up Amazon DynamoDB tables

AWS Backup added dynamodb:ListTagsOfResource to grant the user permissions to list tags of their DynamoDB tables to back up using AWS Backup's advanced DynamoDB backup features.

AWS Backup needed this permission for its advanced DynamoDB backup features, which launched November 23, 2021.

November 23, 2021

AWSBackupServiceRolePolicyForBackup — Added permissions to back up Amazon DynamoDB tables

AWS Backup added dynamodb:StartAwsBackupJob to grant the user permissions to back up their DynamoDB tables using advanced backup features.

AWS Backup also added dynamodb:ListTagsOfResource to grant the user permissions to copy tags from their source DynamoDB tables to their backups.

AWS Backup needed these permissions for its advanced DynamoDB backup features, which launched November 23, 2021.

November 23, 2021

AWSBackupServiceLinkedRolePolicyForRestores — Added permissions to restore Amazon DynamoDB tables

AWS Backup added dynamodb:RestoreTableFromAwsBackup to grant the user permissions to restore their DynamoDB tables backed up using AWS Backup's advanced DynamoDB backup features.

AWS Backup needed this permission to restore backups created using AWS Backup's advanced DynamoDB features, which launched November 23, 2021.

November 23, 2021

AWSBackupServiceRolePolicyForRestores — Added permissions to restore Amazon DynamoDB tables

AWS Backup added dynamodb:RestoreTableFromAwsBackup to grant the user permissions to restore their DynamoDB tables backed up using AWS Backup's advanced DynamoDB backup features.

AWS Backup needed this permission to restore backups created using AWS Backup's advanced DynamoDB features, which launched November 23, 2021.

November 23, 2021

AWSBackupOperatorAccess — Removed redundant actions

AWS Backup removed the existing actions backup:GetRecoveryPointRestoreMetadata and rds:DescribeDBSnapshots because they were redundant.

AWS Backup did not need both backup:GetRecoveryPointRestoreMetadata and backup:Get* as part of the AWSBackupOperatorAccess AWS Managed Policy. Also, AWS Backup did not need both rds:DescribeDBSnapshots and rds:describeDBSnapshots as part of the AWSBackupOperatorAccess AWS Managed Policy.

November 23, 2021

AWSBackupServiceLinkedRolePolicyForBackup — Added permissions to support fine-grained resource assignments to backup plans

AWS Backup added the new actions elasticfilesystem:DescribeFileSystems, dynamodb:ListTables, storagegateway:ListVolumes, ec2:DescribeVolumes, ec2:DescribeInstances, rds:DescribeDBInstances, rds:DescribeDBClusters, and fsx:DescribeFileSystems to allow customers to view and choose from a list of their AWS Backup-supported resources when selecting which resources to assign to a backup plan.

AWS Backup needed these permissions to give customers additional, flexible ways to assign their resources to their backup plans.

November 10, 2021

AWSBackupAuditAccess — Added new policy

AWS Backup added AWSBackupAuditAccess to grant the user permissions to use AWS Backup Audit Manager. Permissions include the ability to configure compliance frameworks and generate reports.

AWS Backup needed this permission for AWS Backup Audit Manager, which launched August 24, 2021.

August 24, 2021

AWSServiceRolePolicyForBackupReports — Added new policy

AWS Backup added AWSServiceRolePolicyForBackupReports to grant permissions for a service-linked role to automate the monitoring of backup settings, jobs, and resources for compliance with frameworks configured by the user.

AWS Backup needed this permission for AWS Backup Audit Manager, which launched August 24, 2021.

August 24, 2021

AWSBackupFullAccess — Added permission to create service-linked role

AWS Backup added iam:CreateServiceLinkedRole to create a service-linked role (on a best-effort basis) to automate the deletion of expired recovery points for you. Without this service-linked role, AWS Backup cannot delete expired recovery points after customers delete the original IAM role they used to create their recovery points.

AWS Backup needed this permission as part of the DeleteRecoveryPoint API operation.

July 5, 2021

AWSBackupServiceLinkedRolePolicyForBackup — Added permission to support deletion of DynamoDB recovery points

AWS Backup added the new action dynamodb:DeleteBackup to grant DeleteRecoveryPoint permission to automate the deletion of expired DynamoDB recovery points based on your backup plan lifecycle settings.

AWS Backup needed this permission to delete DynamoDB tables as part of the DeleteRecoveryPoint API operation.

July 5, 2021

AWSBackupOperatorAccess — Removed redundant actions

AWS Backup removed the existing actions backup:GetRecoveryPointRestoreMetadata and rds:DescribeDBSnapshots because they were redundant.

AWS Backup did not need both backup:GetRecoveryPointRestoreMetadata and backup:Get* as part of the AWSBackupOperatorAccess AWS Managed Policy. Also, AWS Backup did not need both rds:DescribeDBSnapshots and rds:describeDBSnapshots as part of the AWSBackupOperatorAccess AWS Managed Policy.

May 25, 2021

AWSBackupOperatorPolicy — Removed redundant actions

AWS Backup removed the existing actions backup:GetRecoveryPointRestoreMetadata and rds:DescribeDBSnapshots because they were redundant.

AWS Backup did not need both backup:GetRecoveryPointRestoreMetadata and backup:Get* as part of the AWSBackupOperatorPolicy AWS Managed Policy. Also, AWS Backup did not need both rds:DescribeDBSnapshots and rds:describeDBSnapshots as part of the AWSBackupOperatorPolicy AWS Managed Policy.

May 25, 2021
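The three "Removed redundant actions" entries above rest on two IAM facts: an action already matched by a wildcard in the same list (backup:GetRecoveryPointRestoreMetadata next to backup:Get*) grants nothing extra, and IAM matches action names case-insensitively, so rds:describeDBSnapshots next to rds:DescribeDBSnapshots is a plain duplicate. The following script, an added example that is not part of the AWS Backup documentation, applies both checks to a constructed policy document shaped like the pre-cleanup operator policy; the policy content and the Sid are assumptions for illustration.

```python
"""Report Action entries in an IAM policy that grant no additional permission.

Added example; the SAMPLE_POLICY below is constructed for illustration and is
not the real AWSBackupOperatorAccess document.
"""
import fnmatch
import json


def action_covered_by(action: str, pattern: str) -> bool:
    """True if `action` is matched by the (possibly wildcarded) `pattern`.

    IAM action names are case-insensitive, so both sides are lower-cased
    before the glob-style comparison.
    """
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_redundant_actions(policy: dict) -> list[tuple[str, str, str]]:
    """Return (Sid, action, reason) for every redundant Allow action.

    An action is redundant when, within the same statement, an earlier entry
    is the same action in different letter case, or any other entry is a
    wildcard that already matches it.
    """
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        sid = stmt.get("Sid", "<no Sid>")
        for idx, action in enumerate(actions):
            reason = None
            for jdx, other in enumerate(actions):
                if idx == jdx:
                    continue
                if other.lower() == action.lower():
                    # Only the later copy is reported, so one copy survives.
                    if jdx < idx:
                        reason = f"duplicate of {other} (action names are case-insensitive)"
                        break
                    continue
                if "*" in other and action_covered_by(action, other):
                    reason = f"already covered by wildcard {other}"
                    break
            if reason:
                findings.append((sid, action, reason))
    return findings


# Constructed sample resembling the operator policy before the cleanup.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OperatorReadOnly",
      "Effect": "Allow",
      "Action": [
        "backup:Get*",
        "backup:List*",
        "backup:Describe*",
        "backup:GetRecoveryPointRestoreMetadata",
        "rds:DescribeDBSnapshots",
        "rds:describeDBSnapshots",
        "rds:DescribeDBInstances"
      ],
      "Resource": "*"
    }
  ]
}
""")


if __name__ == "__main__":
    for sid, action, reason in find_redundant_actions(SAMPLE_POLICY):
        print(f"{sid}: {action} -> {reason}")
```

Run it against a policy document exported with `aws iam get-policy-version` to get the same two findings the entries above describe: the specific Get action is subsumed by backup:Get*, and the lowercase rds action is a duplicate. Trimming such entries changes no effective permission but keeps the policy reviewable.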

AWSBackupServiceRolePolicyForRestores — Added permission to apply tags to Amazon FSx restores

AWS Backup added the new action fsx:TagResource to grant StartRestoreJob permission to allow you to apply tags to Amazon FSx file systems during the restore process.

AWS Backup needed this permission to apply tags to Amazon FSx file systems as part of the StartRestoreJob API operation.

May 24, 2021

AWSBackupServiceRolePolicyForRestores — Added permission to perform Amazon EC2 restores

AWS Backup added the new actions ec2:DescribeImages and ec2:DescribeInstances to grant StartRestoreJob permission to allow you to restore Amazon EC2 instances from recovery points.

AWS Backup needed this permission to restore Amazon EC2 instances from recovery points as part of the StartRestoreJob API operation.

May 24, 2021

AWSBackupServiceRolePolicyForBackup — Added permission to perform Amazon FSx cross-Region and cross-account copies

AWS Backup added the new action fsx:CopyBackup to grant StartCopyJob permission to allow you to copy Amazon FSx recovery points across Regions and accounts.

AWS Backup needed this permission to copy Amazon FSx recovery points across Regions and accounts as part of the StartCopyJob API operation.

April 12, 2021

AWSBackupServiceLinkedRolePolicyForBackup — Added permission to perform Amazon FSx cross-Region and cross-account copies

AWS Backup added the new action fsx:CopyBackup to grant StartCopyJob permission to allow you to copy Amazon FSx recovery points across Regions and accounts.

AWS Backup needed this permission to copy Amazon FSx recovery points across Regions and accounts as part of the StartCopyJob API operation.

April 12, 2021

AWSBackupServiceRolePolicyForBackup — Added permissions to support encrypted DynamoDB table backup

AWS Backup updated its AWS managed policies to comply with the following requirement:

For AWS Backup to create a backup of an encrypted DynamoDB table, you must add the permissions kms:Decrypt and kms:GenerateDataKey to the IAM role used for backup.

March 10, 2021

AWSBackupFullAccess — Added permissions to support Amazon RDS continuous backups and point-in-time restore

AWS Backup updated its AWS managed policy to comply with the following requirements:

To use AWS Backup to configure continuous backups for your Amazon RDS database, verify that the API permission rds:ModifyDBInstance exists in the IAM role defined by your backup plan configuration.

To restore Amazon RDS continuous backups, you must add the permission rds:RestoreDBInstanceToPointInTime to the IAM role you submitted for the restore job.

In the AWS Backup console, to describe the range of times available for point-in-time recovery, you must include the rds:DescribeDBInstanceAutomatedBackups API permission in your IAM-managed policy.

March 10, 2021
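The encrypted-DynamoDB entry and the three Amazon RDS continuous-backup requirements above each name actions a role must be allowed before a job succeeds. The checker below, an added example that is not AWS's own tooling, evaluates those required actions against a set of policy documents the way IAM resolves the Action element: any matching explicit Deny wins, otherwise a matching Allow grants it, otherwise the permission is missing. The policy documents and Sids are constructed samples, and Resource and Condition constraints are deliberately not evaluated (an assumption noted in the code).

```python
"""Check whether a role's policy documents grant the actions the AWS Backup
policy updates call out for encrypted DynamoDB backups and RDS continuous
backups.

Added example. ROLE_POLICIES is a constructed sample set attached to one
role for illustration; in practice the backup and restore roles are
separate and each is checked against its own workflow.
"""
import fnmatch

# Required actions as stated in the policy updates above.
REQUIRED = {
    "encrypted-dynamodb-backup": ["kms:Decrypt", "kms:GenerateDataKey"],
    "rds-continuous-backup": ["rds:ModifyDBInstance"],
    "rds-point-in-time-restore": ["rds:RestoreDBInstanceToPointInTime"],
    "rds-pitr-console": ["rds:DescribeDBInstanceAutomatedBackups"],
}


def _as_list(value) -> list[str]:
    return [value] if isinstance(value, str) else list(value or [])


def _matches(action: str, pattern: str) -> bool:
    # IAM action matching is case-insensitive and supports * wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate_action(policies: list[dict], action: str) -> str:
    """Return 'deny', 'allow' or 'missing' for one action.

    Only Action/NotAction and Effect are evaluated; Resource and Condition
    constraints are ignored here (assumption made to keep the example
    self-contained), so an 'allow' is necessary but not sufficient.
    """
    allowed = False
    for policy in policies:
        statements = policy.get("Statement", [])
        if isinstance(statements, dict):
            statements = [statements]
        for stmt in statements:
            patterns = _as_list(stmt.get("Action"))
            not_patterns = _as_list(stmt.get("NotAction"))
            if patterns:
                hit = any(_matches(action, p) for p in patterns)
            elif not_patterns:
                hit = not any(_matches(action, p) for p in not_patterns)
            else:
                hit = False
            if not hit:
                continue
            if stmt.get("Effect") == "Deny":
                return "deny"  # an explicit Deny always wins
            if stmt.get("Effect") == "Allow":
                allowed = True
    return "allow" if allowed else "missing"


def missing_permissions(policies: list[dict], workflow: str) -> dict[str, str]:
    """Map each required action for `workflow` that is not allowed to its decision."""
    return {
        action: decision
        for action in REQUIRED[workflow]
        if (decision := evaluate_action(policies, action)) != "allow"
    }


# Constructed sample: a backup role that was never given kms:GenerateDataKey,
# plus a second document denying all RDS restore actions.
ROLE_POLICIES = [
    {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DynamoDBBackup", "Effect": "Allow",
             "Action": ["dynamodb:CreateBackup", "dynamodb:DescribeTable", "kms:Decrypt"],
             "Resource": "*"},
            {"Sid": "RDSBackup", "Effect": "Allow",
             "Action": ["rds:Describe*", "rds:CreateDBSnapshot", "rds:ModifyDBInstance"],
             "Resource": "*"},
        ],
    },
    {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "NoRestores", "Effect": "Deny",
             "Action": "rds:Restore*", "Resource": "*"},
        ],
    },
]


if __name__ == "__main__":
    for workflow in REQUIRED:
        gaps = missing_permissions(ROLE_POLICIES, workflow)
        print(f"{workflow}: {'ok' if not gaps else gaps}")
```

For the constructed role the encrypted-DynamoDB check reports kms:GenerateDataKey as missing, which is exactly the failure the March 10, 2021 entry addresses, and the point-in-time restore check reports an explicit deny even though nothing in the Allow statements mentions it. Because Resource and Condition are not evaluated, treat an "allow" result as a first pass; the IAM policy simulator is the authoritative check.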

AWS Backup started tracking changes

AWS Backup started tracking changes for its AWS managed policies.

March 10, 2021