Limiting users to restore rds backup
I have created an AWS Backup to backup a RDS DB instance. I use the default IAM role when I setup the Backup plan. After a few backups were created, I asked an AWS user in the same account to try restoring a backup from the Backup vault, and he was able to restore without hitting any permission error.
What is the best way to limit which user can restore the backups? Should I use a custom IAM role and apply to the Backup plan instead of using the default IAM role so that not any user can restore backup?
Should I apply the managed poilicy for AWS backup AWSBackupServiceRolePolicyForBackup and AWSBackupServiceRolePolicyForRestores to the custom role?
How should I go about denying backup and restore permissions to users/group and allowing restore permissions to specific users?
- 최신
- 최다 투표
- 가장 많은 댓글
Hello.
AWS Backup's IAM role is only used for backing up resources, so it cannot be used to control restoration.
You can restrict restores from AWS Backup by restricting "backup:StartRestoreJob" in the backup vault access policy.
https://docs.aws.amazon.com/aws-backup/latest/devguide/create-a-vault-access-policy.html
If you are using IAM users, I think it would be effective to create an IAM group that allows restores and control the users who can restore.
관련 콘텐츠
AWS 공식업데이트됨 3년 전- AWS 공식업데이트됨 일 년 전
- AWS 공식업데이트됨 일 년 전
- AWS 공식업데이트됨 9달 전
