Managed policies for AWS Backup - AWS Backup

Managed policies for AWS Backup

Managed policies

Managed policies are standalone identity-based policies that you can attach to multiple users, groups, and roles in your AWS account.

AWS managed policies deliver an out-of-the-box experience for AWS Backup

Customer managed policies give you fine-grained controls to set access to backups in AWS Backup. For example, you can use them to give your database backup administrator access to Amazon RDS backups but not Amazon EFS ones.

For updates to managed policies, see Policy updates.

AWS managed policies

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases. AWS managed policies make it easier for you to assign appropriate permissions to users, groups, and roles than if you had to write the policies yourself.

However, you can't change the permissions defined in AWS managed policies. AWS occasionally updates the permissions defined in an AWS managed policy. When this occurs, the update affects all principal entities (users, groups, and roles) that the policy is attached to.

AWS Backup provides several AWS managed policies for common use cases. These policies make it easier to define the right permissions and control access to your backups. There are two types of managed policies. One type is designed to be assigned to users to control their access to AWS Backup. The other type of managed policy is designed to be attached to roles that you pass to AWS Backup. The following table lists all the managed policies that AWS Backup provides and describes how they are defined. You can find these managed policies in the Policies section of the IAM console.

Policy name IAM-managed policy name Description
Backup Audit IAM Policy AWSBackupAuditAccess

This policy grants permissions for users to create controls and frameworks that define their expectations for AWS Backup resources and activities, and to audit AWS Backup resources and activities against their defined controls and frameworks. This policy grants permissions to AWS Config and similar services to describe user expectations perform the audits.

This policy also grants permissions to deliver audit reports to Amazon S3 and similar services, and enables users to find and open their audit reports.

AWS Service Role Policy for Backup Reports AWSServiceRolePolicyForBackupReports AWS Backup uses this policy for the AWSServiceRoleForBackupReports service-linked role. This service-linked role gives AWS Backup permissions to monitor and report on the compliance of your backup settings, jobs, and resources with your frameworks.
Backup Administrator IAM Policy AWSBackupFullAccess

(AWSBackupAdminPolicy is deprecated)

The backup administrator has full access to AWS Backup operations, including creating or editing backup plans, assigning AWS resources to backup plans, and restoring backups. Backup administrators are responsible for determining and enforcing backup compliance by defining backup plans that meet their organization's business and regulatory requirements. Backup administrators also ensure that their organization's AWS resources are assigned to the appropriate plan.
Backup Operator IAM Policy AWSBackupOperatorAccess

(AWSBackupOperatorPolicy is deprecated)

Backup operators are users that are responsible for ensuring the resources that they are responsible for are properly backed up. Backup operators have permissions to assign AWS resources to the backup plans that the backup administrator creates. They also have permissions to create on-demand backups of their AWS resources and to configure the retention period of on-demand backups. Backup operators do not have permissions to create or edit backup plans or to delete scheduled backups after they are created. Backup operators can restore backups. You can limit the resource types that a backup operator can assign to a backup plan or restore from a backup. You do this by allowing only certain service roles to be passed to AWS Backup that have permissions for a certain resource type.
Backup Administrator AWS Organizations Policy AWSBackupOrganizationAdminAccess The organization administrator has full access to AWS Organizations operations, including creating, editing, or deleting backup policies, assigning backup policies to accounts and organizational units, and monitoring backup activities within the organization. Organization administrators are responsible for protecting accounts in their organization by defining and assigning backup policies that meet their organization's business and regulatory requirements.
Default Service Role Policy for Backups AWSBackupServiceRolePolicyForBackup Provides AWS Backup permissions to create backups of all supported resource types on your behalf.
Default Service Role Policy for Restores AWSBackupServiceRolePolicyForRestores Provides AWS Backup permissions to restore backups of all supported resource types on your behalf. For EC2 instance restores, you must also include the following permissions to launch the EC2 instance:
"Action":"iam:PassRole", "Resource":"arn:aws:iam::account-id:role/role-name", "Effect":"Allow"

Customer managed policies

You can create standalone policies that you administer in your own AWS account. These policies are referred to as customer managed policies. You can then attach the policies to multiple principal entities in your AWS account. When you attach a policy to a principal entity, you give the entity the permissions that are defined in the policy.

One way to create a customer managed policy is to start by copying an existing AWS managed policy. That way you know that the policy is correct at the beginning, and all you need to do is customize it to your environment.

The following policies specify backup and restore permissions for individual AWS services. They can be customized and attached to roles that you create to further limit access to AWS resources.

Backup and restore policies for individual AWS services
Service backup policy Service restore policy
DynamoDB Backup Policy
{ "Version":"2012-10-17", "Statement":[ { "Action":[ "dynamodb:DescribeTable", "dynamodb:CreateBackup" ], "Resource":"arn:aws:dynamodb:*:*:table/*", "Effect":"Allow" }, { "Action":[ "tag:GetResources" ], "Resource":"*", "Effect":"Allow" }, { "Action":[ "dynamodb:DescribeBackup", "dynamodb:DeleteBackup" ], "Resource":"arn:aws:dynamodb:*:*:table/*/backup/*", "Effect":"Allow" }, { "Effect":"Allow", "Action":[ "backup:DescribeBackupVault", "backup:CopyIntoBackupVault" ], "Resource":"arn:aws:backup:*:*:backup-vault:*" } ] }
DynamoDB Restore Policy
{ "Version":"2012-10-17", "Statement":[ { "Action":[ "dynamodb:DescribeBackup", "dynamodb:DescribeTable", "dynamodb:RestoreTableFromBackup", "dynamodb:Scan", "dynamodb:Query", "dynamodb:UpdateItem", "dynamodb:PutItem", "dynamodb:GetItem", "dynamodb:DeleteItem", "dynamodb:BatchWriteItem" ], "Resource":"arn:aws:dynamodb:*:*:table/*", "Effect":"Allow" }, { "Action":[ "dynamodb:RestoreTableFromBackup", "dynamodb:DeleteBackup" ], "Resource":"arn:aws:dynamodb:*:*:table/*/backup/*", "Effect":"Allow" } ] }
Amazon EBS Backup Policy
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":"ec2:CreateTags", "Resource":"arn:aws:ec2:*::snapshot/*" }, { "Effect":"Allow", "Action":[ "ec2:CreateSnapshot", "ec2:DeleteSnapshot" ], "Resource":[ "arn:aws:ec2:*::snapshot/*", "arn:aws:ec2:*:*:volume/*" ] }, { "Effect":"Allow", "Action":[ "ec2:DescribeVolumes", "ec2:DescribeSnapshots", "ec2:CopySnapshot", "ec2:DescribeTags" ], "Resource":"*" }, { "Action":[ "tag:GetResources" ], "Resource":"*", "Effect":"Allow" }, { "Effect":"Allow", "Action":[ "backup:DescribeBackupVault", "backup:CopyIntoBackupVault" ], "Resource":"arn:aws:backup:*:*:backup-vault:*" } ] }
Amazon EBS Restore Policy
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "ec2:CreateVolume", "ec2:DeleteVolume" ], "Resource":[ "arn:aws:ec2:*::snapshot/*", "arn:aws:ec2:*:*:volume/*" ] }, { "Effect":"Allow", "Action":[ "ec2:DescribeSnapshots", "ec2:DescribeVolumes" ], "Resource":"*" } ] }
Amazon EFS Backup Policy
{ "Version":"2012-10-17", "Statement":[ { "Action":[ "elasticfilesystem:Backup", "elasticfilesystem:DescribeTags" ], "Resource":"arn:aws:elasticfilesystem:*:*:file-system/*", "Effect":"Allow" }, { "Action":[ "tag:GetResources" ], "Resource":"*", "Effect":"Allow" }, { "Effect":"Allow", "Action":[ "backup:DescribeBackupVault", "backup:CopyIntoBackupVault" ], "Resource":"arn:aws:backup:*:*:backup-vault:*" } ] }
Amazon EFS Restore Policy
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "elasticfilesystem:Restore", "elasticfilesystem:CreateFilesystem", "elasticfilesystem:DescribeFilesystems", "elasticfilesystem:DeleteFilesystem" ], "Resource":"arn:aws:elasticfilesystem:*:*:file-system/*" } ] }
Amazon RDS Backup Policy
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "rds:AddTagsToResource", "rds:ListTagsForResource", "rds:DescribeDBSnapshots", "rds:CreateDBSnapshot", "rds:CopyDBSnapshot", "rds:DescribeDBInstances", "rds:CreateDBClusterSnapshot", "rds:DescribeDBClusters", "rds:DescribeDBClusterSnapshots", "rds:CopyDBClusterSnapshot" ], "Resource":"*" }, { "Effect":"Allow", "Action":[ "rds:DeleteDBSnapshot", "rds:ModifyDBSnapshotAttribute" ], "Resource":[ "arn:aws:rds:*:*:snapshot:awsbackup:*" ] }, { "Effect": "Allow", "Action": [ "rds:DeleteDBClusterSnapshot", "rds:ModifyDBClusterSnapshotAttribute" ], "Resource": [ "arn:aws:rds:*:*:cluster-snapshot:awsbackup:*" ] }, { "Action":[ "tag:GetResources" ], "Resource":"*", "Effect":"Allow" }, { "Effect":"Allow", "Action":[ "backup:DescribeBackupVault", "backup:CopyIntoBackupVault" ], "Resource":"arn:aws:backup:*:*:backup-vault:*" }, { "Action":"kms:DescribeKey", "Effect":"Allow", "Resource":"*" } ] }
Amazon RDS Restore Policy
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "rds:DescribeDBInstances", "rds:DescribeDBSnapshots", "rds:ListTagsForResource", "rds:RestoreDBInstanceFromDBSnapshot", "rds:DeleteDBInstance", "rds:AddTagsToResource" ], "Resource":"*" } ] }
Amazon Aurora Backup Policy
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "rds:CreateDBClusterSnapshot", "rds:DescribeDBClusters", "rds:DescribeDBClusterSnapshots", "rds:AddTagsToResource", "rds:ListTagsForResource", "rds:CopyDBClusterSnapshot" ], "Resource":"*" }, { "Effect":"Allow", "Action":[ "rds:DeleteDBClusterSnapshot" ], "Resource":[ "arn:aws:rds:*:*:cluster-snapshot:awsbackup:*" ] }, { "Action":[ "tag:GetResources" ], "Resource":"*", "Effect":"Allow" }, { "Effect":"Allow", "Action":[ "backup:DescribeBackupVault", "backup:CopyIntoBackupVault" ], "Resource":"arn:aws:backup:*:*:backup-vault:*" }, { "Action":"kms:DescribeKey", "Effect":"Allow", "Resource":"*" } ] }
Amazon Aurora Restore Policy
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "rds:DeleteDBCluster", "rds:DescribeDBClusters", "rds:RestoreDBClusterFromSnapshot", "rds:ListTagsForResource", "rds:AddTagsToResource" ], "Resource":"*" } ] }
Storage Gateway Backup Policy
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "storagegateway:CreateSnapshot", "storagegateway:ListTagsForResource" ], "Resource":"arn:aws:storagegateway:*:*:gateway/*/volume/*" }, { "Effect":"Allow", "Action":[ "ec2:CreateTags", "ec2:DeleteSnapshot" ], "Resource":"arn:aws:ec2:*::snapshot/*" }, { "Effect":"Allow", "Action":[ "ec2:DescribeSnapshots" ], "Resource":"*" }, { "Action":[ "tag:GetResources" ], "Resource":"*", "Effect":"Allow" }, { "Effect":"Allow", "Action":[ "backup:DescribeBackupVault", "backup:CopyIntoBackupVault" ], "Resource":"arn:aws:backup:*:*:backup-vault:*" } ] }
Storage Gateway Restore Policy
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "storagegateway:DeleteVolume", "storagegateway:DescribeCachediSCSIVolumes", "storagegateway:DescribeStorediSCSIVolumes" ], "Resource":"arn:aws:storagegateway:*:*:gateway/*/volume/*" }, { "Effect":"Allow", "Action":[ "storagegateway:DescribeGatewayInformation", "storagegateway:CreateStorediSCSIVolume", "storagegateway:CreateCachediSCSIVolume" ], "Resource":"arn:aws:storagegateway:*:*:gateway/*" }, { "Effect":"Allow", "Action":[ "storagegateway:ListVolumes" ], "Resource":"arn:aws:storagegateway:*:*:*" } ] }
Amazon FSx Backup Policy
{ "Version":"2012-10-17", "Statement":[ { "Action": "fsx:DescribeBackups", "Effect": "Allow", "Resource": "arn:aws:fsx:*:*:backup/*" }, { "Action": "fsx:CreateBackup", "Effect": "Allow", "Resource": [ "arn:aws:fsx:*:*:file-system/*", "arn:aws:fsx:*:*:backup/*" ] }, { "Action": "fsx:DescribeFileSystems", "Effect": "Allow", "Resource": "arn:aws:fsx:*:*:file-system/*" }, { "Action": "fsx:ListTagsForResource", "Effect": "Allow", "Resource": "arn:aws:fsx:*:*:file-system/*" }, { "Action": "fsx:DeleteBackup", "Effect": "Allow", "Resource": "arn:aws:fsx:*:*:backup/*" }, { "Effect": "Allow", "Action": [ "fsx:ListTagsForResource", "fsx:ManageBackupPrincipalAssociations", "fsx:CopyBackup", "fsx:TagResource" ], "Resource": "arn:aws:fsx:*:*:backup/*" } ] }
Amazon FSx Restore Policy
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "fsx:CreateFileSystemFromBackup" ], "Effect": "Allow", "Resource": [ "arn:aws:fsx:*:*:file-system/*", "arn:aws:fsx:*:*:backup/*" ] }, { "Action": "fsx:DescribeFileSystems", "Effect": "Allow", "Resource": "arn:aws:fsx:*:*:file-system/*" }, { "Action": "fsx:DescribeBackups", "Effect": "Allow", "Resource": "arn:aws:fsx:*:*:backup/*" }, { "Action": [ "fsx:DeleteFileSystem", "fsx:UntagResource" ], "Effect": "Allow", "Resource": "arn:aws:fsx:*:*:file-system/*", "Condition": { "Null": { "aws:ResourceTag/aws:backup:source-resource": "false" } } }, { "Action": "ds:DescribeDirectories", "Effect": "Allow", "Resource": "*" } ] }
Amazon EC2 Backup Policy
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "ec2:CreateTags", "ec2:DeleteSnapshot" ], "Resource":"arn:aws:ec2:*::snapshot/*" }, { "Effect":"Allow", "Action":[ "ec2:CreateImage", "ec2:DeregisterImage" ], "Resource":"*" }, { "Effect":"Allow", "Action":[ "ec2:CopyImage", "ec2:CopySnapshot" ], "Resource":"*" }, { "Effect":"Allow", "Action":[ "ec2:CreateTags" ], "Resource":"arn:aws:ec2:*:*:image/*" }, { "Effect":"Allow", "Action":[ "ec2:DescribeSnapshots", "ec2:DescribeTags", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceCreditSpecifications", "ec2:DescribeNetworkInterfaces", "ec2:DescribeElasticGpus", "ec2:DescribeSpotInstanceRequests" ], "Resource":"*" }, { "Effect":"Allow", "Action":[ "ec2:CreateSnapshot", "ec2:DeleteSnapshot", "ec2:DescribeVolumes", "ec2:DescribeSnapshots" ], "Resource":[ "arn:aws:ec2:*::snapshot/*", "arn:aws:ec2:*:*:volume/*" ] }, { "Action":[ "tag:GetResources" ], "Resource":"*", "Effect":"Allow" }, { "Effect":"Allow", "Action":[ "backup:DescribeBackupVault", "backup:CopyIntoBackupVault" ], "Resource":"arn:aws:backup:*:*:backup-vault:*" } ] }
Amazon EC2 Restore Policy
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "ec2:CreateVolume", "ec2:DeleteVolume" ], "Resource":[ "arn:aws:ec2:*::snapshot/*", "arn:aws:ec2:*:*:volume/*" ] }, { "Effect":"Allow", "Action":[ "ec2:DescribeSnapshots", "ec2:DescribeVolumes" ], "Resource":"*" }, { "Effect":"Allow", "Action":[ "ec2:DescribeImages", "ec2:DescribeInstances" ], "Resource":"*" }, { "Action":[ "ec2:RunInstances" ], "Effect":"Allow", "Resource":"*" }, { "Action":[ "ec2:TerminateInstances" ], "Effect":"Allow", "Resource":"arn:aws:ec2:*:*:instance/*" }, { "Action":"iam:PassRole", "Resource":"arn:aws:iam::<account-id>:role/<role-name>", "Effect":"Allow" } ] }
Windows VSS (Volume Shadow Copy Service) Backup Policy
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "ec2:CreateTags", "ec2:DeleteSnapshot" ], "Resource":"arn:aws:ec2:*::snapshot/*" }, { "Effect":"Allow", "Action":[ "ec2:CreateImage", "ec2:DeregisterImage" ], "Resource":"*" }, { "Effect":"Allow", "Action":[ "ec2:CopyImage", "ec2:CopySnapshot" ], "Resource":"*" }, { "Effect":"Allow", "Action":[ "ec2:CreateTags" ], "Resource":"arn:aws:ec2:*:*:image/*" }, { "Effect":"Allow", "Action":[ "ec2:DescribeSnapshots", "ec2:DescribeTags", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceCreditSpecifications", "ec2:DescribeNetworkInterfaces", "ec2:DescribeElasticGpus", "ec2:DescribeSpotInstanceRequests" ], "Resource":"*" }, { "Effect":"Allow", "Action":[ "ec2:CreateSnapshot", "ec2:DeleteSnapshot", "ec2:DescribeVolumes", "ec2:DescribeSnapshots" ], "Resource":[ "arn:aws:ec2:*::snapshot/*", "arn:aws:ec2:*:*:volume/*" ] }, { "Action":[ "tag:GetResources" ], "Resource":"*", "Effect":"Allow" }, { "Effect":"Allow", "Action":[ "backup:DescribeBackupVault", "backup:CopyIntoBackupVault" ], "Resource":"arn:aws:backup:*:*:backup-vault:*" }, { "Effect":"Allow", "Action":[ "ssm:CancelCommand", "ssm:GetCommandInvocation" ], "Resource":"*" }, { "Effect":"Allow", "Action":"ssm:SendCommand", "Resource":[ "arn:aws:ssm:*:*:document/AWSEC2-CreateVssSnapshot", "arn:aws:ec2:*:*:instance/*" ] } ] }

To restore an encrypted backup, do one of the following:

  • Add you role to the allowlist for the AWS Key Management Service (AWS KMS) key policy, or

  • Attach this policy to your IAM role for restores:

    { "Action": [ "kms:DescribeKey", "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:ReEncrypt", ], "Effect": "Allow", "Resource": "*" }