I want to restrict specific AWS Identity and Access Management (IAM) users from restoring recovery points in AWS Backup.
Resolution
To restrict IAM users or roles from restoring recovery points in AWS Backup, create a backup vault access policy or an IAM policy that denies the backup:StartRestoreJob action. To restrict users or groups of users at the AWS Organizations level, use a service control policy (SCP) that denies the same action.
Use a backup vault policy to prevent IAM identities from restoring
Complete the following steps:
1. Open the AWS Backup console.
2. In the navigation pane, choose Backup vaults.
3. Choose the backup vault that you want to apply the policy to.
4. For Access policy, choose Edit, and then update the policy with the following attributes:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Principal": "*",
    "Action": "backup:StartRestoreJob",
    "Resource": "*",
    "Condition": {
      "ArnNotEquals": {
        "aws:PrincipalArn": "arn:aws:iam::11111111111:user/Admin"
      }
    }
  }]
}
This vault access policy denies the StartRestoreJob action on recovery points in this vault for all principals except the IAM user arn:aws:iam::11111111111:user/Admin.
For additional policy examples, see Setting access policies on backup vaults.
Use an IAM policy to prevent IAM identities from restoring
You can create a customer managed policy, and then attach the policy to an IAM user or user group.
Edit a customer managed policy
1. Open the AWS Backup console.
2. In the navigation pane, choose Policies.
3. Choose Create policy.
4. Choose the JSON tab.
5. Enter or paste a JSON policy document. For more information on IAM policy language, see IAM JSON policy reference.
6. Choose Next: Tags.
7. For Review policy, enter a name and a description for the policy that you created. You can review the policy Summary to see the granted permissions.
8. Choose Create policy.
Attach a policy to an IAM user
Complete the following steps:
1. Open the IAM console.
2. In the navigation pane, choose User groups, and then choose the name of the group.
3. Choose the Permissions tab.
4. Choose Add permissions, and then choose Attach policy. The current policies that are attached to the user group are displayed in the Current permissions policies list.
5. In Other permissions policies, select the name of the policy that you created in the previous step.
Note: You can use the Search box to filter the list of policies by name and type.
6. Choose Add permissions, and then update the policy with the following attributes:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": "backup:StartRestoreJob",
    "Resource": "*",
    "Condition": {
      "ArnNotEquals": {
        "aws:PrincipalArn": "arn:aws:iam::11111111111:user/Admin"
      }
    }
  }]
}
Create an SCP for Organizations
In Organizations, you can create an SCP to restrict IAM users from restoring recovery points.
Use the following example SCP to deny access to the backup:StartRestoreJob action:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": "backup:StartRestoreJob",
    "Resource": "*",
    "Condition": {
      "ArnNotEquals": {
        "aws:PrincipalArn": "arn:aws:iam::11111111111:user/Admin"
      }
    }
  }]
}
This SCP denies the StartRestoreJob action for all users except the IAM user arn:aws:iam::11111111111:user/Admin.
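The three policies above (vault access policy, IAM policy, SCP) share one statement shape: Deny backup:StartRestoreJob unless aws:PrincipalArn matches the exempt identity. The following added example, which is not code from AWS or from this article, generates that statement for any list of exempt principals (ArnNotEquals with several values is satisfied only when the caller matches none of them, so every listed ARN is exempt) and checks who is denied with a deliberately small model of IAM's condition evaluation. It also covers a case the article does not spell out: for a role session, aws:PrincipalArn carries the role's IAM ARN, not the STS assumed-role ARN, so the exemption must name the role. The function names, the Analyst and RestoreOps principals and the session ARN are constructed for the example; the account id is the article's placeholder. The evaluator handles only Deny statements with the Arn operators on aws:PrincipalArn and is not a substitute for testing with the IAM policy simulator.

```python
import fnmatch
import json

# Added example (not AWS's code): builds the Deny-StartRestoreJob policy from the
# article and evaluates it locally with a simplified model of IAM condition logic.
# Only the Arn operators on the aws:PrincipalArn key are modelled; anything else
# raises so that the model never silently "allows" what it does not understand.

ACTION = "backup:StartRestoreJob"


def build_deny_restore_policy(exempt_principal_arns, resource_policy=False):
    """Return the article's Deny policy, generalised to a list of exempt principals.

    resource_policy=True adds the Principal element that a backup vault access
    policy requires; IAM identity policies and SCPs omit it.
    """
    statement = {"Effect": "Deny"}
    if resource_policy:
        statement["Principal"] = "*"
    statement.update({
        "Action": ACTION,
        "Resource": "*",
        "Condition": {"ArnNotEquals": {"aws:PrincipalArn": list(exempt_principal_arns)}},
    })
    return {"Version": "2012-10-17", "Statement": [statement]}


def principal_arn_for_request(caller_arn):
    """Value of aws:PrincipalArn in the request context.

    For a role session (arn:aws:sts::<account>:assumed-role/<role>/<session>) the
    key holds the role's IAM ARN, so a policy must exempt
    arn:aws:iam::<account>:role/<role> to let that role restore.
    """
    prefix = "arn:aws:sts::"
    if caller_arn.startswith(prefix) and ":assumed-role/" in caller_arn:
        account, rest = caller_arn[len(prefix):].split(":assumed-role/", 1)
        role_name = rest.split("/", 1)[0]
        return f"arn:aws:iam::{account}:role/{role_name}"
    return caller_arn


def _arn_matches(pattern, arn):
    """ArnEquals/ArnLike: each of the six colon-delimited ARN parts is matched
    separately; * and ? wildcards are allowed in the pattern."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    return all(fnmatch.fnmatchcase(a, p) for p, a in zip(p_parts, a_parts))


def _condition_met(condition, principal_arn):
    """True when every operator block in the Condition holds for the principal."""
    for operator, key_values in condition.items():
        if set(key_values) != {"aws:PrincipalArn"}:
            raise ValueError(f"unsupported condition keys under {operator}")
        values = key_values["aws:PrincipalArn"]
        values = values if isinstance(values, list) else [values]
        matched = any(_arn_matches(v, principal_arn) for v in values)
        if operator in ("ArnEquals", "ArnLike"):
            if not matched:
                return False
        elif operator in ("ArnNotEquals", "ArnNotLike"):
            if matched:
                return False
        else:
            raise ValueError(f"unsupported operator {operator}")
    return True


def is_denied(policy, principal_arn, action=ACTION):
    """Simplified evaluation: True if any Deny statement covers `action` and its
    Condition holds for `principal_arn`. An explicit Deny always wins in IAM, so
    an Allow elsewhere cannot override a True result here."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if _condition_met(stmt.get("Condition", {}), principal_arn):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample principals; the account id is the article's placeholder.
    admin = "arn:aws:iam::11111111111:user/Admin"
    analyst = "arn:aws:iam::11111111111:user/Analyst"
    session = "arn:aws:sts::11111111111:assumed-role/RestoreOps/deploy-1"
    vault_policy = build_deny_restore_policy([admin], resource_policy=True)
    print(json.dumps(vault_policy, indent=2))
    for who in (admin, analyst, session):
        verdict = "denied" if is_denied(vault_policy, principal_arn_for_request(who)) else "allowed"
        print(f"{who}: {verdict}")
```

Running the script prints the vault access policy and shows Admin allowed, Analyst denied, and the RestoreOps session denied; passing the role ARN arn:aws:iam::11111111111:role/RestoreOps in the exempt list is what lets that session restore, whereas listing the STS session ARN has no effect because it never equals the request's aws:PrincipalArn.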