why is role needed for On Demand Backup up for EC2
When I was creating an on demand backup for an EC2 using AWS Backup, I noticed that there are two options for IAM role: default and custom. I am wondering since I have the permission to backup EC2, why do I need to specify a role for the backup (or using a default role).
Does it mean that, the role helps to prevent users from restoring the EC2 snapshot?
- Newest
- Most votes
- Most comments
Hello.
Backup acquisition from AWS Backup is not done directly by IAM users, but AWS Backup performs the backup acquisition on behalf of the user.
Therefore, it is necessary for AWS Backup to assume the IAM role and obtain snapshots etc.
https://docs.aws.amazon.com/aws-backup/latest/devguide/iam-service-roles.html
An AWS Identity and Access Management (IAM) role is similar to a user, in that it is an AWS identity with permissions policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. A service role is a role that an AWS service assumes to perform actions on your behalf. As a service that performs backup operations on your behalf, AWS Backup requires that you pass it a role to assume when performing backup operations on your behalf. For more information about IAM roles, see IAM Roles in the IAM User Guide.
Relevant content
- asked a year ago
- asked 5 years ago
- asked a year ago
AWS OFFICIALUpdated 8 months ago- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 8 months ago
- AWS OFFICIALUpdated 10 months ago
The default role used for AWS Backup is probably AWSBackupDefaultServiceRole
Yes, by default it uses "AWSBackupDefaultServiceRole". https://docs.aws.amazon.com/aws-backup/latest/devguide/iam-service-roles.html