Service-linked roles for AWS Backup - AWS Backup

Service-linked roles for AWS Backup

AWS Backup uses AWS Identity and Access Management (IAM) service-linked roles. A service-linked role is a unique type of IAM role that is linked directly to AWS Backup. Do not confuse the service-linked role with the similar-sounding service role, such as the role the AWS Backup console creates when you create a new backup plan.

The AWS Backup service-linked role is AWSBackupServiceLinkedRolePolicyForBackup.

AWS Backup uses that service-linked role in only two situations:

  • For cross-account backup, the destination account uses a service-linked role to pull backups into the destination vault.

  • For Amazon EFS automatic backup.

Service-linked roles are predefined by AWS Backup and include all the permissions that the service requires to call other AWS services on your behalf. For updates AWS Backup makes to its service-linked role permissions, see Policy updates. You cannot edit service-linked role permissions.

A service-linked role makes setting up AWS Backup easier because you don't have to manually add the necessary permissions. AWS Backup defines the permissions of its service-linked roles, and unless defined otherwise, only AWS Backup can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

Creating a service-linked role for AWS Backup

You don't need to manually create a service-linked role. When you set up cross-account management or Amazon EFS automatic backup in the AWS Management Console, the AWS CLI, or the AWS API, AWS Backup creates the service-linked role for you.

Editing a service-linked role for AWS Backup

AWS Backup does not allow you to edit the Backup service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see Editing a Service-Linked Role in the IAM User Guide.

Deleting a service-linked role for AWS Backup

You can use the IAM console, the AWS CLI, or the AWS API to manually delete the service-linked role. Before you do, you must first use the Amazon EFS console or API to clear the Automatic backup checkbox, which disables automatic backup of Amazon EFS file systems.

Note

If the AWS Backup service is still using the service-linked role when you try to delete it, the deletion might fail. If that happens, wait a few minutes and try the operation again.

To delete the Backup service-linked role

  1. Use the Amazon EFS console to clear the Automatic backup checkbox to disable the automatic backup of Amazon EFS file systems. Or use the Amazon EFS PutBackupPolicy API to disable automatic backups.

    When there are no more Amazon EFS file systems selected to be backed up automatically, you can delete the service-linked role.

  2. Use the IAM console, the AWS CLI, or the AWS API to delete the Backup service-linked role. For more information, see Deleting a Service-Linked Role in the IAM User Guide.

    Once the service-linked role is deleted, AWS Backup will remove the backup selection for those resources.
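Two checks a practitioner would want before touching this role are worth scripting: confirming that the role's trust policy really does let only AWS Backup assume it (the property described under "Service-linked roles for AWS Backup" above), and confirming that no Amazon EFS file system still has automatic backup enabled (the precondition for step 1 of the deletion procedure). The example below is added here and is not code from the AWS documentation or from AWS Backup itself. It works on data in the shape returned by the IAM GetRole API (`Role.AssumeRolePolicyDocument`) and the EFS DescribeBackupPolicy API (`BackupPolicy.Status`), assumes the AWS Backup service principal is `backup.amazonaws.com`, and uses constructed sample documents so it runs offline; in practice you would feed it the real responses from `aws iam get-role` and `aws efs describe-backup-policy`.

```python
"""Pre-flight checks for the AWS Backup service-linked role (added example).

Assumptions (not taken from the page):
- IAM GetRole returns {"Role": {"AssumeRolePolicyDocument": <trust policy>}}.
- EFS DescribeBackupPolicy returns {"BackupPolicy": {"Status": "<state>"}}.
- The AWS Backup service principal is "backup.amazonaws.com".
"""

BACKUP_SERVICE_PRINCIPAL = "backup.amazonaws.com"


def trusted_principals(trust_policy):
    """Collect every principal that an Allow statement permits to assume the role."""
    principals = set()
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):      # IAM accepts a single statement object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":              # anonymous trust: flag it explicitly
            principals.add("*")
            continue
        for kind in ("Service", "AWS", "Federated"):
            value = principal.get(kind, [])
            if isinstance(value, str):
                value = [value]
            principals.update(value)
    return principals


def only_backup_can_assume(trust_policy):
    """True when AWS Backup is the sole principal allowed to assume the role."""
    return trusted_principals(trust_policy) == {BACKUP_SERVICE_PRINCIPAL}


def file_systems_with_automatic_backup(backup_policies):
    """Return file-system IDs whose EFS backup policy is anything other than DISABLED.

    ENABLING and DISABLING are transitional states; a role deletion attempted while
    a file system is still DISABLING is exactly the case the page says may fail, so
    they are reported as blockers too.
    """
    return sorted(
        fs_id
        for fs_id, response in backup_policies.items()
        if response.get("BackupPolicy", {}).get("Status") != "DISABLED"
    )


def ready_to_delete(backup_policies):
    """The service-linked role may be deleted only when no file system is listed."""
    return not file_systems_with_automatic_backup(backup_policies)


# Constructed sample data (not real account output).
SLR_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"Service": BACKUP_SERVICE_PRINCIPAL},
         "Action": "sts:AssumeRole"}
    ],
}

# A trust policy that has been widened to an IAM user: this is what a drift check
# should catch, since only AWS Backup is supposed to be able to assume the role.
WIDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"Service": BACKUP_SERVICE_PRINCIPAL,
                       "AWS": "arn:aws:iam::111122223333:user/example"},
         "Action": "sts:AssumeRole"}
    ],
}

SAMPLE_EFS_BACKUP_POLICIES = {
    "fs-0aaa11112222bbbb3": {"BackupPolicy": {"Status": "ENABLED"}},
    "fs-0bbb22223333cccc4": {"BackupPolicy": {"Status": "DISABLED"}},
    "fs-0ccc33334444dddd5": {"BackupPolicy": {"Status": "DISABLING"}},
}

if __name__ == "__main__":
    print("only AWS Backup trusted:", only_backup_can_assume(SLR_TRUST_POLICY))
    print("widened policy passes:", only_backup_can_assume(WIDENED_TRUST_POLICY))
    print("blocking file systems:",
          file_systems_with_automatic_backup(SAMPLE_EFS_BACKUP_POLICIES))
    print("safe to delete role:", ready_to_delete(SAMPLE_EFS_BACKUP_POLICIES))
```

Run the trust-policy check periodically as a drift detector, and run the EFS check immediately before step 2 of the procedure; if it lists any file system, disable automatic backup for it (or wait for a DISABLING state to settle) and re-run before deleting the role.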

Supported Regions for AWS Backup service-linked roles

AWS Backup supports using service-linked roles in all of the Regions where the service is available. For more information, see AWS Backup Regions and Endpoints in the AWS General Reference.