Limiting users to restore rds backup
I have created an AWS Backup to backup a RDS DB instance. I use the default IAM role when I setup the Backup plan. After a few backups were created, I asked an AWS user in the same account to try restoring a backup from the Backup vault, and he was able to restore without hitting any permission error.
What is the best way to limit which user can restore the backups? Should I use a custom IAM role and apply to the Backup plan instead of using the default IAM role so that not any user can restore backup?
Should I apply the managed poilicy for AWS backup AWSBackupServiceRolePolicyForBackup and AWSBackupServiceRolePolicyForRestores to the custom role?
How should I go about denying backup and restore permissions to users/group and allowing restore permissions to specific users?
- Newest
- Most votes
- Most comments
Hello.
AWS Backup's IAM role is only used for backing up resources, so it cannot be used to control restoration.
You can restrict restores from AWS Backup by restricting "backup:StartRestoreJob" in the backup vault access policy.
https://docs.aws.amazon.com/aws-backup/latest/devguide/create-a-vault-access-policy.html
If you are using IAM users, I think it would be effective to create an IAM group that allows restores and control the users who can restore.
Relevant content
- asked 4 months ago
AWS OFFICIALUpdated 2 years ago- AWS OFFICIALUpdated 10 months ago
- AWS OFFICIALUpdated 10 months ago
- AWS OFFICIALUpdated 8 months ago
