Limiting users to restore rds backup


I have created an AWS Backup to backup a RDS DB instance. I use the default IAM role when I setup the Backup plan. After a few backups were created, I asked an AWS user in the same account to try restoring a backup from the Backup vault, and he was able to restore without hitting any permission error.

What is the best way to limit which user can restore the backups? Should I use a custom IAM role and apply to the Backup plan instead of using the default IAM role so that not any user can restore backup?

Should I apply the managed poilicy for AWS backup AWSBackupServiceRolePolicyForBackup and AWSBackupServiceRolePolicyForRestores to the custom role?

How should I go about denying backup and restore permissions to users/group and allowing restore permissions to specific users?

profile picture
已提问 6 个月前227 查看次数
1 回答


AWS Backup's IAM role is only used for backing up resources, so it cannot be used to control restoration.
You can restrict restores from AWS Backup by restricting "backup:StartRestoreJob" in the backup vault access policy.

If you are using IAM users, I think it would be effective to create an IAM group that allows restores and control the users who can restore.

profile picture
已回答 6 个月前
profile picture
已审核 6 个月前

您未登录。 登录 发布回答。

