We use AWS Backup in multiple member accounts in an organization, with Backup Plans set to copy to a master vault in a central account.
When we want to recover by copying from the master back to a member account, we notice that you can change to copy recovery points to a different AWS account.
Do you know if there is a way that we can use IAM conditions to define a list of AWS accounts that can only be used as target vaults?
For example, the central account has the 'backup:copy*' IAM permissions, but there is a condition that it can only do so to accounts 111111111, 2222222 and 3333333. Any attempt to set the destination vault to a different account will be denied. In essence, we are looking to see how we can use IAM conditions as a whitelist of approved account numbers when initiating a copy job.
We want to use this as a way to mitigate data exfiltration to a non-trusted account.
Do you know how we would do this in IAM, or is another method recommended?
Thanks
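Added example (not part of the original post): an identity policy for the central account's backup role that scopes copy jobs to an allow-list of destination accounts via the `backup:CopyTargets` condition key, which carries the ARN(s) of the destination vault(s) on `backup:StartCopyJob`, `backup:CreateBackupPlan` and `backup:UpdateBackupPlan`. The 12-digit account IDs, the vault ARN wildcards and the statement Sids are placeholders assumed for illustration. Because `backup:CopyTargets` is multi-valued, the Allow uses `ForAllValues` (every requested target must match) paired with a `Null` check, since `ForAllValues` alone evaluates to true when the key is absent; the explicit Deny uses `ForAnyValue:ArnNotLike` so that a request naming even one vault outside the list is rejected.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCopyOnlyToApprovedAccounts",
      "Effect": "Allow",
      "Action": "backup:StartCopyJob",
      "Resource": "*",
      "Condition": {
        "ForAllValues:ArnLike": {
          "backup:CopyTargets": [
            "arn:aws:backup:*:111111111111:backup-vault:*",
            "arn:aws:backup:*:222222222222:backup-vault:*",
            "arn:aws:backup:*:333333333333:backup-vault:*"
          ]
        },
        "Null": {
          "backup:CopyTargets": "false"
        }
      }
    },
    {
      "Sid": "DenyCopyToAnyOtherAccount",
      "Effect": "Deny",
      "Action": [
        "backup:StartCopyJob",
        "backup:CreateBackupPlan",
        "backup:UpdateBackupPlan"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:ArnNotLike": {
          "backup:CopyTargets": [
            "arn:aws:backup:*:111111111111:backup-vault:*",
            "arn:aws:backup:*:222222222222:backup-vault:*",
            "arn:aws:backup:*:333333333333:backup-vault:*"
          ]
        }
      }
    }
  ]
}
```

Two caveats for the exfiltration use case. First, an identity policy only binds the principal it is attached to; to cover every principal in the central account, the Deny statement belongs in a service control policy on that account rather than on one role. Second, the destination side has its own control: a member account's vault access policy must grant `backup:CopyIntoBackupVault` to the central account before a copy can land there, which is a useful second check but does not by itself stop a copy to an attacker-controlled account whose vault policy is permissive.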