IAM permissions for AWS Backup Lock in governance mode

Question

Hello

According to what we can read in the documentation (Vaults locked in governance mode can have the lock removed by users with sufficient IAM permissions), I would like to create a user account that will have permissions to remove the lock while ensuring that none of the other administrator accounts have such permissions.

How should I configure permissions on the privileged account and on the other administrator accounts?

https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html

Answer

Short answer is to restrict which can "backup:DeleteBackupVaultLockConfiguration"
https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbackup.html#:~:text=DeleteBackupVaultLockConfiguration

Probably want to layer an Organizational SCP with DENY with condition ArnNotEquals for the arn of the user who you allow to delete the vault lock.

IAM permissions for AWS Backup Lock in governance mode

相关内容