Step 4. Implement access control mechanisms - AWS Prescriptive Guidance

Security in the cloud starts with a strong identity foundation: each user and workload should hold exactly the permissions it needs to reach the data it works with, and nothing more. Correct authentication and authorization reduce both the likelihood and the blast radius of a security event. Under the shared responsibility model, implementing access control policies is the customer's job. To create and manage access policies at scale, use AWS Identity and Access Management (IAM).

When you configure access rights and permissions, apply the principle of least privilege: give each user or system that touches your backup data or vaults only the permissions its job requires. AWS Backup lets you attach a resource-based access policy to each backup vault; use it to control who can write to, restore from, or delete recovery points in that vault, independently of the identity-based policies attached to the callers.

For example, with identity-based policies you can let users create backup plans and start on-demand backups while withholding permission to delete recovery points. With vault access policies, you can share a destination backup vault with a source AWS account or IAM role so that it can copy backups into the vault, and you can share a vault with one or more accounts or with your entire organization in AWS Organizations. For more information, see the AWS Backup documentation.
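The following vault access policy is an added example written for this page, not a policy from the AWS documentation. It combines the two ideas above in one resource-based policy on a destination vault: the first statement lets a role in a source account copy recovery points into the vault, and the second denies deletion and lifecycle changes of recovery points to every principal, including administrators in the vault's own account. The account IDs (111122223333 as the source, 444455556666 as the destination), the region, the vault name DestinationVault and the role name BackupCopyRole are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSourceAccountRoleToCopyIntoThisVault",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/BackupCopyRole"
      },
      "Action": "backup:CopyIntoBackupVault",
      "Resource": "arn:aws:backup:us-east-1:444455556666:backup-vault:DestinationVault"
    },
    {
      "Sid": "DenyRecoveryPointDeletionForEveryone",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "backup:DeleteRecoveryPoint",
        "backup:UpdateRecoveryPointLifecycle"
      ],
      "Resource": "*"
    }
  ]
}
```

Because an explicit Deny in a resource policy wins over any Allow in an identity policy, a user who holds backup:DeleteRecoveryPoint on their own IAM policy still cannot delete from this vault. Adding backup:PutBackupVaultAccessPolicy to the Deny list stops anyone from loosening the policy later, but it also stops you from editing it; if you need deletion protection that even the account's administrators cannot reverse, AWS Backup Vault Lock is the mechanism designed for that.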

As you scale your workloads or migrate into AWS, you might need to centrally manage permissions to your backup vaults and operations. Use service control policies (SCPs) to set the maximum permissions available to every account in your organization. SCPs add a layer of defense in depth: they do not grant any permission themselves, but they cap what identity-based and resource-based policies in member accounts can allow, so users stay within the access control guidelines you define. Note that SCPs do not apply to the organization's management account. For more information, see Managing access to backups using service control policies with AWS Backup.
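The following SCP is an added example for this page, not a policy taken from the AWS documentation. It denies the destructive AWS Backup operations (deleting vaults and recovery points, shortening retention, changing or removing vault access policies, removing a vault lock) in every account it is attached to, unless the caller is a designated backup-administrator role. The role name BackupAdminRole is a placeholder; the wildcard in the account position of aws:PrincipalArn matches that role name in any member account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDestructiveBackupActionsExceptBackupAdmin",
      "Effect": "Deny",
      "Action": [
        "backup:DeleteBackupVault",
        "backup:DeleteRecoveryPoint",
        "backup:UpdateRecoveryPointLifecycle",
        "backup:PutBackupVaultAccessPolicy",
        "backup:DeleteBackupVaultAccessPolicy",
        "backup:DeleteBackupVaultLockConfiguration"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/BackupAdminRole"
        }
      }
    }
  ]
}
```

SCPs carry no Principal element; they apply to every principal in the accounts under the organizational unit they are attached to, so the exception has to be expressed as a condition on aws:PrincipalArn. Attach the policy to the organization root or to the OUs that hold workload accounts, and keep the exempted role itself under tight control (MFA, no long-lived access keys), because it becomes the only path to deleting backups.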

To mitigate risks such as unintended access to your backup resources and data, use IAM Access Analyzer to find any IAM role used by AWS Backup whose trust policy grants access to any of the following:

  • An external entity such as an AWS account

  • A root user

  • An IAM user or role

  • A federated user

  • An AWS service

  • An anonymous user

  • Any other entity that can be used to create a finding filter
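What IAM Access Analyzer flags here is the role's trust policy. An AWS Backup service role whose trust policy contains `"Principal": {"AWS": "arn:aws:iam::444455556666:root"}` can be assumed by anyone in that other account, so Access Analyzer reports it as shared with an external entity. The trust policy below is an added example written for this page, not one from the AWS documentation; it restricts the role to the AWS Backup service principal and, through the aws:SourceAccount condition, to calls the service makes on behalf of your own account (the cross-service confused-deputy guard). The account ID 111122223333 is a placeholder for your account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyTheBackupServiceToAssumeThisRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "backup.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111122223333"
        }
      }
    }
  ]
}
```

After changing a trust policy, rescan in Access Analyzer and confirm the finding for that role is resolved rather than simply archiving it; an archived finding hides the exposure without removing it.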