Restrict vault copy destination

0

We use AWS Backup in multiple member accounts in an organization, with Backup Plans set to copy to a master vault in a central account. When we want to recover by copying from the master back to a member account, we notice that you can change to copy recovery points to a different AWS account. Do you know if there is a way that we can use IAM conditions to define a list of AWS accounts that can only be used as target vaults? For example, the central account has the 'backup:copy*' IAM permissions, but there is a condition that it can only do so to accounts 111111111, 2222222 and 3333333. Any attempt to set the destination vault with a different account will be denied. In essence, we are looking to see how we can use IAM conditions as a whitelist of approved account numbers when initiating a copy job. We want to use this as a way to mitigate data exfiltration to a non-trusted account.

Do you know how we would do this in IAM, or is another method recommended?

Thanks

asked 9 months ago, 205 views
1 Answer
0

Perhaps putting something like this in the "Conditions" section of your policy could work:

"Condition": { "StringEquals": { "aws:ResourceAccount": [ "222222222222" ] } }

You can let me know if that works. Thanks.

AWS
EXPERT
answered 9 months ago
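To make the condition in the answer above concrete, here is an added example (not from the answer or from AWS documentation) that builds a full policy around `aws:ResourceAccount`: an Allow scoped to the approved accounts plus an explicit Deny for every other account, so the copy is blocked even if some other policy grants `backup:*`. It also includes a small evaluator so the allowlist can be checked against destination vault ARNs offline. The account IDs are placeholders, and the mapping of `aws:ResourceAccount` to the destination vault for `backup:CopyIntoBackupVault` is an assumption to confirm with the IAM policy simulator and CloudTrail before relying on it.

```python
import re

# Constructed allowlist of approved destination accounts (placeholder IDs).
APPROVED_ACCOUNTS = ["111111111111", "222222222222", "333333333333"]

COPY_ACTIONS = ["backup:StartCopyJob", "backup:CopyIntoBackupVault"]

def build_copy_policy(approved_accounts):
    """Return an IAM policy dict: Allow copy actions only when the vault acted on
    is owned by an approved account, and explicitly Deny them for any other account.
    Assumption: aws:ResourceAccount resolves to the destination vault's owner for
    backup:CopyIntoBackupVault; verify with the policy simulator before deploying."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCopyToApprovedAccounts",
                "Effect": "Allow",
                "Action": COPY_ACTIONS,
                "Resource": "*",
                "Condition": {"StringEquals": {"aws:ResourceAccount": approved_accounts}},
            },
            {
                "Sid": "DenyCopyAnywhereElse",
                "Effect": "Deny",
                "Action": COPY_ACTIONS,
                "Resource": "*",
                "Condition": {"StringNotEquals": {"aws:ResourceAccount": approved_accounts}},
            },
        ],
    }

_VAULT_ARN = re.compile(r"^arn:aws:backup:[a-z0-9-]+:(\d{12}):backup-vault:[A-Za-z0-9_.-]+$")

def resource_account(vault_arn):
    """Owning account of a backup vault ARN, or None if the ARN is malformed."""
    m = _VAULT_ARN.match(vault_arn)
    return m.group(1) if m else None

def copy_allowed(policy, destination_vault_arn):
    """Mini IAM evaluator for this policy: explicit Deny wins, then any matching
    Allow, otherwise implicit deny. Only the aws:ResourceAccount key is modelled."""
    account = resource_account(destination_vault_arn)
    allowed = False
    for st in policy["Statement"]:
        cond = st.get("Condition", {})
        eq = cond.get("StringEquals", {}).get("aws:ResourceAccount")
        ne = cond.get("StringNotEquals", {}).get("aws:ResourceAccount")
        if (eq is not None and account not in eq) or (ne is not None and account in ne):
            continue  # condition not satisfied, statement does not apply
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Attach the policy to the role that starts copy jobs in the central account; the destination vault's own access policy in the member account must still grant `backup:CopyIntoBackupVault` to the source account.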
