Service-Linked Roles for AWS Backup - AWS Backup

AWS Backup uses AWS Identity and Access Management (IAM) service-linked roles. A service-linked role is a unique type of IAM role that is linked directly to AWS Backup. Service-linked roles are predefined by AWS Backup and include all the permissions that the service requires to call other AWS services on your behalf.

A service-linked role makes setting up AWS Backup easier because you don't have to manually add the necessary permissions. AWS Backup defines the permissions of its service-linked roles, and unless defined otherwise, only AWS Backup can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

For information about other services that support service-linked roles, see AWS Services That Work with IAM, and look for the services that have Yes in the Service-Linked Role column. Choose a Yes with a link to view the service-linked role documentation for that service.

Service-Linked Role Permissions for AWS Backup

AWS Backup uses the service-linked role named AWSServiceRoleForBackup – Provides AWS Backup permission to create backups on your behalf across AWS services.

The Backup service-linked role trusts the following services to perform backups on your behalf:

  • backup.amazonaws.com

The role permissions policy allows AWS Backup to complete the following actions on the specified resources:

  • Actions: "elasticfilesystem:Backup", "elasticfilesystem:DescribeTags" on arn:aws:elasticfilesystem:*:*:file-system/*
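A defender-side check built from the two facts above, added here as an example (not AWS code): it audits a role's trust policy and permissions policy for anything beyond the single trusted principal, the two EFS actions, and the file-system ARN pattern. The policy documents are constructed samples; in a real audit you would pull them with IAM GetRole and GetPolicyVersion first.

```python
"""Audit an AWS Backup service-linked role against the shape documented above.
Added example, not AWS code. The policy documents are constructed samples;
a real audit would pull them via IAM GetRole / GetPolicyVersion first.
"""

EXPECTED_PRINCIPAL = "backup.amazonaws.com"
EXPECTED_ACTIONS = {"elasticfilesystem:Backup", "elasticfilesystem:DescribeTags"}
EXPECTED_RESOURCE = "arn:aws:elasticfilesystem:*:*:file-system/*"


def _as_list(value):
    """IAM lets single values appear bare or in a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(doc):
    """Flag any Allow principal other than the documented backup service."""
    findings = []
    for stmt in _as_list(doc["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        values = set()
        if isinstance(principal, dict):
            for v in principal.values():  # "Service", "AWS", "Federated", ...
                values.update(_as_list(v))
        else:
            values.add(principal)  # bare "*" principal
        findings += [f"unexpected trusted principal {p}" for p in sorted(values - {EXPECTED_PRINCIPAL})]
    return findings


def audit_permissions_policy(doc):
    """Flag actions or resources beyond the two EFS actions on file-system ARNs."""
    findings = []
    for stmt in _as_list(doc["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", []))) - EXPECTED_ACTIONS
        resources = set(_as_list(stmt.get("Resource", []))) - {EXPECTED_RESOURCE}
        findings += [f"unexpected action {a}" for a in sorted(actions)]
        findings += [f"unexpected resource {r}" for r in sorted(resources)]
    return findings


# Constructed samples: trust policy exactly as documented; permissions policy
# where the resource has been widened from file-system ARNs to "*".
TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
         "Principal": {"Service": "backup.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
PERMS = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
         "Action": ["elasticfilesystem:Backup", "elasticfilesystem:DescribeTags"],
         "Resource": "*"}]}
```

Running `audit_permissions_policy(PERMS)` on the widened sample reports the `*` resource, while the documented trust policy produces no findings.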

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see Service-Linked Role Permissions in the IAM User Guide.

Creating a Service-Linked Role for AWS Backup

You don't need to manually create a service-linked role. When you select the check box to protect the resource by creating an automatic backup in the AWS Management Console, the AWS CLI, or the AWS API, AWS Backup creates the service-linked role for you.

Important

This service-linked role can appear in your account if you completed an action in another service that uses the features supported by this role. Also, if you were using the AWS Backup service before June 17, 2020, when it began supporting service-linked roles, then AWS Backup created the Backup role in your account. To learn more, see A New Role Appeared in My IAM Account.

If you delete this service-linked role and then need to create it again, you can use the same process to re-create the role in your account. When you select the check box to protect the resource by creating an automatic backup, AWS Backup creates the service-linked role for you again.

You can also use the IAM console to create a service-linked role with the AWS Backup use case. In the AWS CLI or the AWS API, create a service-linked role with the backup.amazonaws.com service name. For more information, see Creating a Service-Linked Role in the IAM User Guide. If you delete this service-linked role, you can use this same process to create the role again.

Editing a Service-Linked Role for AWS Backup

AWS Backup does not allow you to edit the Backup service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see Editing a Service-Linked Role in the IAM User Guide.

Deleting a Service-Linked Role for AWS Backup

You can use the IAM console, the AWS CLI, or the AWS API to manually delete the service-linked role. To do this, you must first use the Amazon EFS console or API to clear the Automatic backup checkbox to disable automatic backup of Amazon EFS file systems.

Note

If the AWS Backup service is using the service-linked role when you try to delete the resources, the deletion might fail. If that happens, wait for a few minutes and try the operation again.

To delete the Backup service-linked role

  1. Use the Amazon EFS console to clear the Automatic backup checkbox to disable the automatic backup of Amazon EFS file systems. Or use the Amazon EFS PutBackupPolicy API to disable automatic backups.

    When there are no more Amazon EFS file systems selected to be backed up automatically, you can delete the service-linked role.

  2. Use the IAM console, the AWS CLI, or the AWS API to delete the Backup service-linked role. For more information, see Deleting a Service-Linked Role in the IAM User Guide.

    Once the service-linked role is deleted, AWS Backup will remove the backup selection for those resources.
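The two steps above as a script, added here as an example (not AWS code): it disables the EFS backup policy on each file system first, then deletes the role and polls the deletion task, retrying when the deletion fails because the service is still using the role. The boto3 method names are real; `FakeEfs` and `FakeIam` are constructed stand-ins so the logic runs offline, and you would pass `boto3.client("efs")` and `boto3.client("iam")` instead to run it against an account.

```python
"""Tear down the AWS Backup service-linked role in the documented order.
Added example, not AWS code. boto3 method names are real; FakeEfs/FakeIam
are constructed stand-ins so the ordering and retry logic runs offline.
"""
import time

SLR_NAME = "AWSServiceRoleForBackup"


def disable_efs_automatic_backups(efs, file_system_ids):
    """Step 1: PutBackupPolicy Status=DISABLED on every file system still enabled."""
    changed = []
    for fs_id in file_system_ids:
        status = efs.describe_backup_policy(FileSystemId=fs_id)["BackupPolicy"]["Status"]
        if status != "DISABLED":
            efs.put_backup_policy(FileSystemId=fs_id, BackupPolicy={"Status": "DISABLED"})
            changed.append(fs_id)
    return changed


def delete_backup_slr(iam, attempts=3, wait=0.0):
    """Step 2: delete the role and poll the task; if still in use, wait and retry."""
    for _ in range(attempts):
        task = iam.delete_service_linked_role(RoleName=SLR_NAME)["DeletionTaskId"]
        status = iam.get_service_linked_role_deletion_status(DeletionTaskId=task)["Status"]
        while status in ("NOT_STARTED", "IN_PROGRESS"):
            time.sleep(wait)
            status = iam.get_service_linked_role_deletion_status(DeletionTaskId=task)["Status"]
        if status == "SUCCEEDED":
            return True
        time.sleep(wait)  # deletion can fail while the service still uses the role
    return False


class FakeEfs:
    """Constructed stand-in: per-file-system backup policy status."""
    def __init__(self, policies):
        self.policies = dict(policies)
    def describe_backup_policy(self, FileSystemId):
        return {"BackupPolicy": {"Status": self.policies[FileSystemId]}}
    def put_backup_policy(self, FileSystemId, BackupPolicy):
        self.policies[FileSystemId] = BackupPolicy["Status"]


class FakeIam:
    """Constructed stand-in: deletion fails while any file system is still enabled."""
    def __init__(self, efs):
        self.efs, self.delete_calls = efs, 0
    def delete_service_linked_role(self, RoleName):
        self.delete_calls += 1
        return {"DeletionTaskId": f"task/{RoleName}/{self.delete_calls}"}
    def get_service_linked_role_deletion_status(self, DeletionTaskId):
        busy = any(s != "DISABLED" for s in self.efs.policies.values())
        return {"Status": "FAILED" if busy else "SUCCEEDED"}
```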

Supported Regions for AWS Backup Service-Linked Roles

AWS Backup supports using service-linked roles in all of the Regions where the service is available. For more information, see AWS Backup Regions and Endpoints in the AWS General Reference.