How can I set up an AWS Backup vault access policy?


I want to assign policies to AWS Backup vaults and the resources that the vaults contain.

Resolution

A vault access policy can deny access to specified API operations for a specific type of recovery point. For example, you can deny access to Amazon Elastic Block Store (Amazon EBS) snapshots.

A vault access policy can also deny access to the API operations that target the backup vault itself, including the ability to delete the recovery points stored in it.

Set up an access policy

Use the AWS Backup console to set up an access policy:

  1. Open the AWS Backup console.
  2. In the navigation pane, choose Backup vaults.
  3. Select the vault that you want to add the access policy to.
  4. For Access Policy, choose Add permissions. Then, add the policy.

Or, you can use the AWS Command Line Interface (AWS CLI) put-backup-vault-access-policy command to programmatically set up a policy.

Note: If you receive errors when running AWS CLI commands, make sure that you're using the most recent version of the AWS CLI.

Example policies

The following example policy denies every principal except those listed in the aws:userId condition from deleting recovery points in the backup vault:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "statement ID",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "backup:DeleteRecoveryPoint",
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {
                "aws:userId": ["AAAAAAAAAAAAAAAAAAAAA:*", "112233445566"]
            }
        }
    }]
}

The following example policy prevents a particular principal (an IAM role in this example) from starting a restore job for any Amazon EBS snapshot:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "statement ID",
        "Effect": "Deny",
        "Principal": {
            "AWS": "arn:aws:iam::AccountID:role/RoleName"
        },
        "Action": ["backup:StartRestoreJob"],
        "Resource": ["arn:aws:ec2:Region::snapshot/*"]
    }]
}

The following example policy denies changes to the lifecycle configuration of all recovery points in the vault and prevents removal of the vault lock configuration:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "statement ID",
        "Effect": "Deny",
        "Principal": "*",
        "Action": ["backup:UpdateRecoveryPointLifecycle",
            "backup:DeleteBackupVaultLockConfiguration"
        ],
        "Resource": "*"
    }]
}

Note: Vault access policies don't support a wildcard (*) in the Action element. List each action explicitly.
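The following is an added example (not code from the article or from AWS) that combines the first and third example policies above, checks the wildcard-in-Action caveat before anything is sent, and applies the result with boto3's put_backup_vault_access_policy (the same operation as the CLI put-backup-vault-access-policy command). The vault name, region and aws:userId values are placeholders, and boto3 with configured credentials is assumed only when apply_vault_policy() is called.

```python
import json

# Actions from the article's third example. Vault access policies reject a wildcard
# in Action, so each action is listed explicitly.
PROTECTED_ACTIONS = ["backup:UpdateRecoveryPointLifecycle",
                     "backup:DeleteBackupVaultLockConfiguration"]

def build_vault_policy(allowed_deleter_ids):
    """Deny DeleteRecoveryPoint to everyone except the given aws:userId values,
    and deny lifecycle and vault-lock changes to every principal."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyDeleteExceptAllowList",
             "Effect": "Deny",
             "Principal": "*",
             "Action": "backup:DeleteRecoveryPoint",
             "Resource": "*",
             "Condition": {"StringNotEquals": {"aws:userId": list(allowed_deleter_ids)}}},
            {"Sid": "DenyLifecycleAndLockChanges",
             "Effect": "Deny",
             "Principal": "*",
             "Action": list(PROTECTED_ACTIONS),
             "Resource": "*"},
        ],
    }

def validate_vault_policy(policy):
    """Return a list of problems; empty means no wildcard Action and valid Effects."""
    problems = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        problems += [f"{stmt.get('Sid')}: wildcard Action {a!r}" for a in actions if "*" in a]
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"{stmt.get('Sid')}: invalid Effect")
    return problems

def apply_vault_policy(vault_name, policy, region="us-east-1"):
    """Validate, push with put_backup_vault_access_policy, then read the policy back."""
    import boto3  # imported here so the builder and validator run without boto3
    problems = validate_vault_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    backup = boto3.client("backup", region_name=region)  # region is a placeholder
    backup.put_backup_vault_access_policy(BackupVaultName=vault_name, Policy=json.dumps(policy))
    return json.loads(backup.get_backup_vault_access_policy(BackupVaultName=vault_name)["Policy"])
```

Reading the policy back after the put is the quickest check that the vault holds exactly what you intended, since a rejected or partially applied document is otherwise easy to miss.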

AWS OFFICIAL
Updated 9 months ago