Actions, resources, and condition keys for AWS Backup

AWS Backup (service prefix: backup) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Learn how to configure this service.
View a list of the API operations available for this service.
Learn how to secure this service and its resources by using IAM permission policies.

Actions defined by AWS Backup

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions	Description	Access level	Resource types (*required)	Condition keys	Dependent actions
CancelLegalHold	Grants permission to cancel a legal hold	Write	legalHold*
CopyFromBackupVault [permission only]	Grants permission to copy from a backup vault	Write	recoveryPoint*
CopyFromBackupVault [permission only]	Grants permission to copy from a backup vault	Write		backup:CopyTargets backup:CopyTargetOrgPaths
CopyIntoBackupVault [permission only]	Grants permission to copy into a backup vault	Write	backupVault*
CopyIntoBackupVault [permission only]	Grants permission to copy into a backup vault	Write		aws:RequestTag/${TagKey}
CreateBackupPlan	Grants permission to create a new backup plan	Write	backupPlan*
CreateBackupPlan	Grants permission to create a new backup plan	Write		aws:RequestTag/${TagKey} aws:TagKeys
CreateBackupSelection	Grants permission to create a new resource assignment in a backup plan	Write	backupPlan*		iam:PassRole
CreateBackupVault	Grants permission to create a new backup vault	Write	backupVault*
CreateBackupVault	Grants permission to create a new backup vault	Write		aws:RequestTag/${TagKey} aws:TagKeys
CreateFramework	Grants permission to create a new framework	Write	framework*
CreateFramework	Grants permission to create a new framework	Write		aws:RequestTag/${TagKey} aws:TagKeys
CreateLegalHold	Grants permission to create a new legal hold	Write	legalHold*
CreateLegalHold	Grants permission to create a new legal hold	Write		aws:RequestTag/${TagKey} aws:TagKeys
CreateLogicallyAirGappedBackupVault	Grants permission to create a new logically air-gapped backup vault, a logical container where backups are stored	Write	backupVault*
CreateLogicallyAirGappedBackupVault		Write		aws:RequestTag/${TagKey} aws:TagKeys backup:MinRetentionDays backup:MaxRetentionDays
CreateReportPlan	Grants permission to create a new report plan	Write	reportPlan*
CreateReportPlan	Grants permission to create a new report plan	Write		aws:RequestTag/${TagKey} aws:TagKeys backup:FrameworkArns
CreateRestoreTestingPlan	Grants permission to create a new restore testing plan	Write	restoreTestingPlan*
CreateRestoreTestingPlan	Grants permission to create a new restore testing plan	Write		aws:RequestTag/${TagKey} aws:TagKeys
CreateRestoreTestingSelection	Grants permission to create a new resource assignment in a restore testing plan	Write	restoreTestingPlan*		iam:PassRole
DeleteBackupPlan	Grants permission to delete a backup plan	Write	backupPlan*
DeleteBackupSelection	Grants permission to delete a resource assignment from a backup plan	Write	backupPlan*
DeleteBackupVault	Grants permission to delete a backup vault	Write	backupVault*
DeleteBackupVaultAccessPolicy	Grants permission to delete backup vault access policy	Permissions management	backupVault*
DeleteBackupVaultLockConfiguration	Grants permission to remove the lock configuration from a backup vault	Write	backupVault*
DeleteBackupVaultNotifications	Grants permission to remove the notifications from a backup vault	Write	backupVault*
DeleteBackupVaultSharingPolicy [permission only]	Grants permission to delete backup vault sharing policy	Permissions management	backupVault*
DeleteFramework	Grants permission to delete a framework	Write	framework*
DeleteRecoveryPoint	Grants permission to delete a recovery point from a backup vault	Write	recoveryPoint*
DeleteReportPlan	Grants permission to delete a report plan	Write	reportPlan*
DeleteRestoreTestingPlan	Grants permission to delete a restore testing plan	Write	restoreTestingPlan*
DeleteRestoreTestingSelection	Grants permission to delete a resource assignment from a restore testing plan	Write	restoreTestingPlan*
DescribeBackupJob	Grants permission to describe a backup job	Read
DescribeBackupVault	Grants permission to describe a new backup vault with the specified name	Read	backupVault*
DescribeCopyJob	Grants permission to describe a copy job	Read
DescribeFramework	Grants permission to describe a framework with the specified name	Read	framework*
DescribeGlobalSettings	Grants permission to describe global settings	Read
DescribeProtectedResource	Grants permission to describe a protected resource	Read
DescribeRecoveryPoint	Grants permission to describe a recovery point	Read	recoveryPoint*
DescribeRegionSettings	Grants permission to describe region settings	Read
DescribeReportJob	Grants permission to describe a report job	Read
DescribeReportPlan	Grants permission to describe a report plan with the specified name	Read	reportPlan*
DescribeRestoreJob	Grants permission to describe a restore job	Read
DisassociateRecoveryPoint	Grants permission to disassociate a recovery point from a backup vault	Write	recoveryPoint*
DisassociateRecoveryPointFromParent	Grants permission to disassociate a recovery point from its parent	Write	recoveryPoint*
ExportBackupPlanTemplate	Grants permission to export a backup plan as a JSON	Read
GetBackupPlan	Grants permission to get a backup plan	Read	backupPlan*
GetBackupPlanFromJSON	Grants permission to transform a JSON to a backup plan	Read
GetBackupPlanFromTemplate	Grants permission to transform a template to a backup plan	Read
GetBackupSelection	Grants permission to get a backup plan resource assignment	Read	backupPlan*
GetBackupVaultAccessPolicy	Grants permission to get backup vault access policy	Read	backupVault*
GetBackupVaultNotifications	Grants permission to get backup vault notifications	Read	backupVault*
GetBackupVaultSharingPolicy [permission only]	Grants permission to get backup vault sharing policy	Read	backupVault*
GetLegalHold	Grants permission to get a legal hold	Read	legalHold*
GetRecoveryPointRestoreMetadata	Grants permission to get recovery point restore metadata	Read	recoveryPoint*
GetRestoreJobMetadata	Grants permission to get the restore metadata associated with a restore job	Read
GetRestoreTestingInferredMetadata	Grants permission to get inferred metadata generated by restore testing	Read
GetRestoreTestingPlan	Grants permission to get a restore testing plan	Read	restoreTestingPlan*
GetRestoreTestingSelection	Grants permission to get a restore testing plan resource assignment	Read	restoreTestingPlan*
GetSupportedResourceTypes	Grants permission to get supported resource types	Read
ListBackupJobSummaries	Grants permission to list backup job summaries	List
ListBackupJobs	Grants permission to list backup jobs	List
ListBackupPlanTemplates	Grants permission to list backup plan templates provided by AWS Backup	List
ListBackupPlanVersions	Grants permission to list backup plan versions	List	backupPlan*
ListBackupPlans	Grants permission to list backup plans	List
ListBackupSelections	Grants permission to list resource assignments for a specific backup plan	List	backupPlan*
ListBackupVaults	Grants permission to list backup vaults	List
ListCopyJobSummaries	Grants permission to list copy job summaries	List
ListCopyJobs	Grants permission to list copy jobs	List
ListFrameworks	Grants permission to list frameworks	List
ListLegalHolds	Grants permission to list legal holds	List
ListProtectedResources	Grants permission to list protected resources by AWS Backup	List
ListProtectedResourcesByBackupVault	Grants permission to list protected resources inside a backup vault	List	backupVault*
ListRecoveryPointsByBackupVault	Grants permission to list recovery points inside a backup vault	List	backupVault*
ListRecoveryPointsByLegalHold	Grants permission to list recovery points by legal hold	List	legalHold*
ListRecoveryPointsByResource	Grants permission to list recovery points for a resource	List
ListReportJobs	Grants permission to list report jobs	List
ListReportPlans	Grants permission to list report plans	List
ListRestoreJobSummaries	Grants permission to list restore job summaries	List
ListRestoreJobs	Grants permission to list restore jobs	List
ListRestoreJobsByProtectedResource	Grants permission to list restore jobs for a protected resource	List
ListRestoreTestingPlans	Grants permission to list restore testing plans	List
ListRestoreTestingSelections	Grants permission to list resource assignments for a specific restore testing plan	List	restoreTestingPlan*
ListTags	Grants permission to list tags for a resource	Read	backupPlan
			backupVault
			framework
			legalHold
			recoveryPoint
			reportPlan
			restoreTestingPlan
PutBackupVaultAccessPolicy	Grants permission to add an access policy to the backup vault	Permissions management	backupVault*
PutBackupVaultLockConfiguration	Grants permission to add a lock configuration to the backup vault	Write	backupVault*
PutBackupVaultLockConfiguration		Write		backup:ChangeableForDays backup:MinRetentionDays backup:MaxRetentionDays
PutBackupVaultNotifications	Grants permission to add an SNS topic to the backup vault	Write	backupVault*
PutBackupVaultSharingPolicy [permission only]	Grants permission to add a sharing policy to the backup vault	Permissions management	backupVault*
PutRestoreValidationResult	Grants permission to put a restore validation result	Write
StartBackupJob	Grants permission to start a new backup job	Write	backupVault*		iam:PassRole
StartCopyJob	Grants permission to copy a backup from a source backup vault to a destination backup vault	Write	recoveryPoint*		iam:PassRole
StartReportJob	Grants permission to start a new report job	Write	reportPlan*
StartRestoreJob	Grants permission to start a new restore job	Write	recoveryPoint*		iam:PassRole
StopBackupJob	Grants permission to stop a backup job	Write
TagResource	Grants permission to tag a resource	Tagging	backupPlan
			backupVault
			framework
			legalHold
			recoveryPoint
			reportPlan
			restoreTestingPlan
				aws:RequestTag/${TagKey} aws:TagKeys
UntagResource	Grants permission to untag a resource	Tagging	backupPlan
			backupVault
			framework
			legalHold
			recoveryPoint
			reportPlan
			restoreTestingPlan
				aws:TagKeys
UpdateBackupPlan	Grants permission to update a backup plan	Write	backupPlan*
UpdateFramework	Grants permission to update a framework	Write	framework*
UpdateGlobalSettings	Grants permission to update the current global settings for the AWS Account	Write
UpdateRecoveryPointLifecycle	Grants permission to update the lifecycle of the recovery point	Write	recoveryPoint*
UpdateRegionSettings	Grants permission to update the current service opt-in settings for the Region	Write
UpdateReportPlan	Grants permission to update a report plan	Write	reportPlan*
UpdateReportPlan	Grants permission to update a report plan	Write		backup:FrameworkArns
UpdateRestoreTestingPlan	Grants permission to update a restore testing plan	Write	restoreTestingPlan*
UpdateRestoreTestingSelection	Grants permission to update a resource assignment in a restore testing plan	Write	restoreTestingPlan*		iam:PassRole

Resource types defined by AWS Backup

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types	ARN	Condition keys
backupVault	`arn:${Partition}:backup:${Region}:${Account}:backup-vault:${BackupVaultName}`	aws:ResourceTag/${TagKey}
backupPlan	`arn:${Partition}:backup:${Region}:${Account}:backup-plan:${BackupPlanId}`	aws:ResourceTag/${TagKey}
recoveryPoint	`arn:${Partition}:${Vendor}:${Region}:*:${ResourceType}:${RecoveryPointId}`	aws:ResourceTag/${TagKey}
framework	`arn:${Partition}:backup:${Region}:${Account}:framework:${FrameworkName}-${FrameworkId}`	aws:ResourceTag/${TagKey}
reportPlan	`arn:${Partition}:backup:${Region}:${Account}:report-plan:${ReportPlanName}-${ReportPlanId}`	aws:ResourceTag/${TagKey}
legalHold	`arn:${Partition}:backup:${Region}:${Account}:legal-hold:${LegalHoldId}`	aws:ResourceTag/${TagKey}
restoreTestingPlan	`arn:${Partition}:backup:${Region}:${Account}:restore-testing-plan:${RestoreTestingPlanName}-${RestoreTestingPlanId}`	aws:ResourceTag/${TagKey}

Condition keys for AWS Backup

AWS Backup defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys	Description	Type
aws:RequestTag/${TagKey}	Filters access by the allowed set of values for each of the tags	String
aws:ResourceTag/${TagKey}	Filters access by the tags associated with the resource	String
aws:TagKeys	Filters access by the presence of mandatory tags in the request	ArrayOfString
backup:ChangeableForDays	Filters access by the value of the ChangeableForDays parameter	Numeric
backup:CopyTargetOrgPaths	Filters access by the organization unit	ArrayOfString
backup:CopyTargets	Filters access by the ARN of an backup vault	ArrayOfARN
backup:FrameworkArns	Filters access by the Framework ARNs	ArrayOfARN
backup:MaxRetentionDays	Filters access by the value of the MaxRetentionDays parameter	Numeric
backup:MinRetentionDays	Filters access by the value of the MinRetentionDays parameter	Numeric

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWS B2B Data Interchange

AWS Backup Gateway