En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post

IAM permissions for AWS Backup Lock in governance mode

1

Hello

According to what we can read in the documentation (Vaults locked in governance mode can have the lock removed by users with sufficient IAM permissions), I would like to create a user account that will have permissions to remove the lock while ensuring that none of the other administrator accounts have such permissions.

How should I configure permissions on the privileged account and on the other administrator accounts?

https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html

Sujets
StockageSécurité, identité et conformité
Balises
AWS BackupPolitiques IAM
Langue
English
Paul
demandé il y a un an681 vues
1 réponse
0

Short answer is to restrict which can "backup:DeleteBackupVaultLockConfiguration" https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbackup.html#:~:text=DeleteBackupVaultLockConfiguration

Probably want to layer an Organizational SCP with DENY with condition ArnNotEquals for the arn of the user who you allow to delete the vault lock.

rePost-User-1635376
répondu il y a un an

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions

Contenus pertinents