# Identity and access management in AWS Backup
<a name="backup-iam"></a>

Access to AWS Backup requires credentials. Those credentials must have permissions to access AWS resources, such as an Amazon DynamoDB database or an Amazon EFS file system. Moreover, recovery points created by AWS Backup for some AWS Backup-supported services cannot be deleted using the source service (such as Amazon EFS). You can delete those recovery points using AWS Backup.

The following sections provide details on how you can use [AWS Identity and Access Management (IAM)](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) and AWS Backup to help secure access to your resources.

**Warning**  
AWS Backup uses the same IAM role that you chose when assigning resources to manage your recovery point lifecycle. If you delete or modify that role, AWS Backup cannot manage your recovery point lifecycle. When this occurs, it will attempt to use a service-linked role to manage your lifecycle. In a small percentage of cases, this might also not work, leaving `EXPIRED` recovery points on your storage, which might create unwanted costs. To delete `EXPIRED` recovery points, manually delete them using the procedure in [Deleting backups](https://docs.aws.amazon.com/aws-backup/latest/devguide/deleting-backups.html).

**Topics**
+ [Authentication](authentication.md)
+ [Access control](access-control.md)
+ [IAM service roles](iam-service-roles.md)
+ [Managed policies for AWS Backup](security-iam-awsmanpol.md)
+ [Using service-linked roles for AWS Backup](using-service-linked-roles.md)
+ [Cross-service confused deputy prevention](cross-service-confused-deputy-prevention.md)

# Authentication
<a name="authentication"></a>

Access to AWS Backup or the AWS services that you are backing up requires credentials that AWS can use to authenticate your requests. You can access AWS as any of the following types of identities:
+ **AWS account root user** – When you sign up for AWS, you provide an email address and password that is associated with your AWS account. This is your *AWS account root user*. Its credentials provide complete access to all of your AWS resources.
**Important**  
For security reasons, we recommend that you use the root user only to create an *administrator*. The administrator is an *IAM user* with full permissions to your AWS account. You can then use this admin user to create other IAM users and roles with limited permissions. For more information, see [IAM Best Practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users) and [Creating Your First IAM Admin User and Group](https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_create-admin-group.html) in the *IAM User Guide*.
+ **IAM user** – An [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html) is an identity within your AWS account that has specific custom permissions (for example, permissions to create a backup vault to store your backups in). You can use an IAM user name and password to sign in to secure AWS webpages like the [AWS Management Console](https://console.aws.amazon.com/), [AWS Discussion Forums](https://forums.aws.amazon.com/), or the [AWS Support Center](https://console.aws.amazon.com/support/home#/).

  In addition to a user name and password, you can also generate [access keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) for each user. You can use these keys when you access AWS services programmatically, either through [one of the several SDKs](https://aws.amazon.com/developer/tools/) or by using the [AWS Command Line Interface (AWS CLI)](https://aws.amazon.com/cli/). The SDK and AWS CLI tools use the access keys to cryptographically sign your request. If you don't use the AWS tools, you must sign the request yourself. For more information about authenticating requests, see [Signature Version 4 Signing Process](https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html) in the *AWS General Reference*.
+ **IAM role** – An [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) is another IAM identity that you can create in your account that has specific permissions. It is similar to an IAM user, but it is not associated with a specific person. An IAM role enables you to obtain temporary access keys that can be used to access AWS services and resources. IAM roles with temporary credentials are useful in the following situations:
  + Federated user access – Instead of creating an IAM user, you can use pre-existing user identities from Directory Service, your enterprise user directory, or a web identity provider. These are known as *federated users*. AWS assigns a role to a federated user when access is requested through an [identity provider](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html). For more information about federated users, see [Federated Users and Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_access-management.html#intro-access-roles) in the *IAM User Guide*.
  + Cross-account administration – You can use an IAM role in your account to grant another AWS account permissions to administer your account's resources. For an example, see [Tutorial: Delegate Access Across AWS accounts Using IAM Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html) in the *IAM User Guide*.
  + AWS service access – You can use an IAM role in your account to grant an AWS service permissions to access your account's resources. For more information, see [Creating a Role to Delegate Permissions to an AWS Service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *IAM User Guide*.
  + Applications running on Amazon Elastic Compute Cloud (Amazon EC2) – You can use an IAM role to manage temporary credentials for applications running on an Amazon EC2 instance and making AWS API requests. This is preferable to storing access keys within the EC2 instance. To assign an AWS role to an EC2 instance and make it available to all of its applications, you create an instance profile that is attached to the instance. An instance profile contains the role and enables programs running on the EC2 instance to get temporary credentials. For more information, see [Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html) in the *IAM User Guide*.

    

# Access control
<a name="access-control"></a>

You can have valid credentials to authenticate your requests, but unless you have the appropriate permissions, you can't access AWS Backup resources such as backup vaults. You also can't back up AWS resources such as Amazon Elastic Block Store (Amazon EBS) volumes.

Every AWS resource is owned by an AWS account, and permissions to create or access a resource are governed by permissions policies. An account administrator can attach permissions policies to AWS Identity and Access Management (IAM) identities (that is, users, groups, and roles). And some services also support attaching permissions policies to resources. 

An *account administrator* (or administrator user) is a user with administrator permissions. For more information, see [IAM Best Practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.

When granting permissions, you decide who is getting the permissions, the resources they get permissions for, and the specific actions that you want to allow on those resources.

The following sections cover how access policies work and how you use them to protect your backups. 

**Topics**
+ [Resources and operations](#access-control-resources)
+ [Resource ownership](#access-control-owner)
+ [Specifying policy elements: actions, effects, and principals](#access-control-specify-backup-actions)
+ [Specifying conditions in a policy](#specifying-conditions)
+ [API permissions: actions, resources, and conditions reference](#backup-api-permissions-ref)
+ [Copy tags permissions](#copy-tags)
+ [Access policies](#access-policies)

## Resources and operations
<a name="access-control-resources"></a>

A resource is an object that exists within a service. AWS Backup resources include backup plans, backup vaults, and backups. *Backup* is a general term that refers to the various types of backup resources that exist in AWS. For example, Amazon EBS snapshots, Amazon Relational Database Service (Amazon RDS) snapshots, and Amazon DynamoDB backups are all types of backup resources. 

In AWS Backup, backups are also referred to as *recovery points*. When using AWS Backup, you also work with the resources from other AWS services that you are trying to protect, such as Amazon EBS volumes or DynamoDB tables. These resources have unique Amazon Resource Names (ARNs) associated with them. ARNs uniquely identify AWS resources. You must have an ARN when you need to specify a resource unambiguously across all of AWS, such as in IAM policies or API calls. 

The following table lists resources, subresources, ARN format, and an example unique ID.


**AWS Backup resource ARNs**  

| Resource type | ARN format | Example unique ID | 
| --- | --- | --- | 
| Backup plan | arn:aws:backup:region:account-id:backup-plan:\$1 |  | 
| Backup vault | arn:aws:backup:region:account-id:backup-vault:\$1 |  | 
| Recovery point for Amazon EBS | arn:aws:ec2:region::snapshot/\$1 | snapshot/snap-05f426fd8kdjb4224 | 
| Recovery point for Amazon EC2 images | arn:aws:ec2:region::image/ami-\$1 | image/ami-1a2b3e4f5e6f7g890 | 
| Recovery point for Amazon RDS | arn:aws:rds:region:account-id:snapshot:awsbackup:\$1 | awsbackup:job-be59cf2a-2343-4402-bd8b-226993d23453 | 
| Recovery point for Aurora | arn:aws:rds:region:account-id:cluster-snapshot:awsbackup:\$1 | awsbackup:job-be59cf2a-2343-4402-bd8b-226993d23453 | 
| Recovery point for Aurora DSQL | arn:aws-partition:backup:region:account-id:recovery-point:recovery-point-id | arn:aws:backup:us-east-1:012345678901:recovery-point:8a92c3f1-b475-4d9e-95e6-7c138f2d4b0a | 
| Recovery point for Storage Gateway | arn:aws:ec2:region::snapshot/\$1 | snapshot/snap-0d40e49137e31d9e0 | 
| Recovery point for DynamoDB without [Advanced DynamoDB backup](advanced-ddb-backup.md) | arn:aws:dynamodb:region:account-id:table/\$1/backup/\$1 | table/MyDynamoDBTable/backup/01547087347000-c8b6kdk3 | 
| Recovery point for DynamoDB with [Advanced DynamoDB backup](advanced-ddb-backup.md) enabled | arn:aws:backup:region:account-id:recovery-point:\$1 | 12a34a56-7bb8-901c-cd23-4567d8e9ef01 | 
| Recovery point for Amazon EFS | arn:aws:backup:region:account-id:recovery-point:\$1 | d99699e7-e183-477e-bfcd-ccb1c6e5455e | 
| Recovery point for Amazon FSx | arn:aws:fsx:region:account-id:backup/backup-\$1 | backup/backup-1a20e49137e31d9e0 | 
| Recovery point for virtual machine | arn:aws:backup:region:account-id:recovery-point:\$1 | 1801234a-5b6b-7dc8-8032-836f7ffc623b | 
| Recovery point for Amazon S3 continuous backup | arn:aws:backup:region:account-id:recovery-point:\$1 | amzn-s3-demo-bucket-5ec207d0 | 
| Recovery point for S3 periodic backup | arn:aws:backup:region:account-id:recovery-point:\$1 | amzn-s3-demo-bucket-20211231900000-5ec207d0 | 
| Recovery point for Amazon DocumentDB | arn:aws:rds:region:account-id:cluster-snapshot:awsbackup:\$1 | awsbackup:job-ab12cd3e-4567-8901-fg1h-234567i89012 | 
| Recovery point for Neptune | arn:aws:rds:region:account-id:cluster-snapshot:awsbackup:\$1 | awsbackup:job-ab12cd3e-4567-8901-fg1h-234567i89012 | 
| Recovery point for Amazon Redshift | arn:aws:redshift:region:account-id:snapshot:resource/awsbackup:\$1 | awsbackup:job-ab12cd3e-4567-8901-fg1h-234567i89012 | 
| Recovery point for Amazon Redshift Serverless | arn:aws:redshift-serverless:region:account-id:snapshot:resource/awsbackup:\$1 | awsbackup:job-ab12cd3e-4567-8901-fg1h-234567i89012 | 
| Recovery point for Amazon Timestream | arn:aws:backup:region:account-id:recovery-point:\$1 | recovery-point:1a2b3cde-f405-6789-012g-3456hi789012\$1beta | 
| Recovery point for AWS CloudFormation template | arn:aws:backup:region:account-id:recovery-point:\$1 | recovery-point:1a2b3cde-f405-6789-012g-3456hi789012 | 
| Recovery point for SAP HANA database on Amazon EC2 instance | arn:aws:backup:region:account-id:recovery-point:\$1 | recovery-point:1a2b3cde-f405-6789-012g-3456hi789012 | 

Resources that support full AWS Backup management all have recovery points in the format `arn:aws:backup:region:account-id::recovery-point:*`. making it easier for you to apply permissions policies to protect those recovery points. To see which resources support full AWS Backup management, see that section of the [Feature availability by resource](backup-feature-availability.md#features-by-resource) table.

AWS Backup provides a set of operations to work with AWS Backup resources. For a list of available operations, see AWS Backup [Actions](API_Operations.md).

## Resource ownership
<a name="access-control-owner"></a>

The AWS account owns the resources that are created in the account, regardless of who created the resources. Specifically, the resource owner is the AWS account of the [principal entity](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts) (that is, the AWS account root user, an IAM user, or an IAM role) that authenticates the resource creation request. The following examples illustrate how this works:
+ If you use the AWS account root user credentials of your AWS account to create a backup vault, your AWS account is the owner of the vault.
+ If you create an IAM user in your AWS account and grant permissions to create a backup vault to that user, the user can create a backup vault. However, your AWS account, to which the user belongs, owns the backup vault resource.
+ If you create an IAM role in your AWS account with permissions to create a backup vault, anyone who can assume the role can create a vault. Your AWS account, to which the role belongs, owns the backup vault resource. 

## Specifying policy elements: actions, effects, and principals
<a name="access-control-specify-backup-actions"></a>

For each AWS Backup resource (see [Resources and operations](#access-control-resources)), the service defines a set of API operations (see [Actions](API_Operations.md)). To grant permissions for these API operations, AWS Backup defines a set of actions that you can specify in a policy. Performing an API operation can require permissions for more than one action.

The following are the most basic policy elements:
+ Resource – In a policy, you use an Amazon Resource Name (ARN) to identify the resource to which the policy applies. For more information, see [Resources and operations](#access-control-resources).
+ Action – You use action keywords to identify resource operations that you want to allow or deny.
+ Effect – You specify the effect when the user requests the specific action—this can be either allow or deny. If you don't explicitly grant access to (allow) a resource, access is implicitly denied. You can also explicitly deny access to a resource, which you might do to make sure that a user cannot access it, even if a different policy grants access.
+ Principal – In identity-based policies (IAM policies), the user that the policy is attached to is the implicit principal. For resource-based policies, you specify the user, account, service, or other entity that you want to receive permissions (applies to resource-based policies only).

To learn more about IAM policy syntax and descriptions, see [IAM JSON Policy Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.

For a table showing all of the AWS Backup API actions, see [API permissions: actions, resources, and conditions reference](#backup-api-permissions-ref).

## Specifying conditions in a policy
<a name="specifying-conditions"></a>

When you grant permissions, you can use the IAM policy language to specify the conditions when a policy should take effect. For example, you might want a policy to be applied only after a specific date. For more information about specifying conditions in a policy language, see [Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*. 

AWS supports global condition keys and service-specific condition keys. To see all global condition keys, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.

AWS Backup defines its own set of condition keys. To see a list of AWS Backup condition keys, see [Condition keys for AWS Backup](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbackup.html#awsbackup-policy-keys) in the *Service Authorization Reference*.

## API permissions: actions, resources, and conditions reference
<a name="backup-api-permissions-ref"></a>

When you are setting up [Access control](#access-control) and writing a permissions policy that you can attach to an IAM identity (identity-based policies), you can use the following table as a reference. The table lists each AWS Backup API operation, the corresponding actions for which you can grant permissions to perform the action, and the AWS resource for which you can grant the permissions. You specify the actions in the policy's `Action` field, and you specify the resource value in the policy's `Resource` field. If `Resource` field is blank, you can use the wildcard (`*`) to include all resources.

You can use AWS-wide condition keys in your AWS Backup policies to express conditions. For a complete list of AWS-wide keys, see [Available Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#AvailableKeys) in the *IAM User Guide*. 

Use the scroll bars to see the rest of the table.


**AWS Backup API and required permissions for actions**  

| AWS Backup API operations | Required permissions (API actions) | Resources | 
| --- | --- | --- | 
|  [CreateBackupPlan](API_CreateBackupPlan.md)  | backup:CreateBackupPlan | arn:aws:backup:region:account-id:backup-plan:\$1 | 
|  [CreateBackupSelection](API_CreateBackupSelection.md)  | backup:CreateBackupSelection | arn:aws:backup:region:account-id:backup-plan:\$1 | 
|  [CreateBackupVault](API_CreateBackupVault.md)  |  `backup:CreateBackupVault` `backup-storage:MountCapsule` `kms:CreateGrant` `kms:GenerateDataKey` `kms:Decrypt` `kms:RetireGrant` `kms:DescribeKey`  |  arn:aws:backup:region:account-id:backup-vault:\$1 For `backup-storage`: \$1 For `kms`: `arn:aws:kms:region:account-id:key/keystring` | 
|  [DeleteBackupPlan](API_DeleteBackupPlan.md)  | backup:DeleteBackupPlan | arn:aws:backup:region:account-id:backup-plan:\$1 | 
|  [DeleteBackupSelection](API_DeleteBackupSelection.md)  | backup:DeleteBackupSelection | arn:aws:backup:region:account-id:backup-plan:\$1 | 
|  [DeleteBackupVault](API_DeleteBackupVault.md)  | backup:DeleteBackupVault 1 | arn:aws:backup:region:account-id:backup-vault:\$1 | 
|  [DeleteBackupVaultAccessPolicy](API_DeleteBackupVaultAccessPolicy.md)  | backup:DeleteBackupVaultAccessPolicy | arn:aws:backup:region:account-id:backup-vault:\$1 | 
|  [DeleteBackupVaultNotifications](API_DeleteBackupVaultNotifications.md)  |  backup:DeleteBackupVaultNotifications 1  |  arn:aws:backup:region:account-id:backup-vault:\$1  | 
|  [DeleteRecoveryPoint](API_DeleteRecoveryPoint.md)  |  backup:DeleteRecoveryPoint 1  | 2 | 
|  [DescribeBackupJob](API_DescribeBackupJob.md)  | backup:DescribeBackupJob |  | 
|  [DescribeBackupVault](API_DescribeBackupVault.md)  |  backup:DescribeBackupVault 1  |  arn:aws:backup:region:account-id:backup-vault:\$1  | 
|  [DescribeProtectedResource](API_DescribeProtectedResource.md)  | backup:DescribeProtectedResource |  | 
|  [DescribeRecoveryPoint](API_DescribeRecoveryPoint.md)  |  backup:DescribeRecoveryPoint 1  |  arn:aws:backup:region:account-id:backup-vault:\$1 2  | 
|  [DescribeRestoreJob](API_DescribeRestoreJob.md)  | backup:DescribeRestoreJob |  | 
|  [DescribeRegionSettings](API_DescribeRegionSettings.md)  |  backup:DescribeRegionSettings  |  | 
|  [ExportBackupPlanTemplate](API_ExportBackupPlanTemplate.md)  | backup:ExportBackupPlanTemplate |  | 
|  [GetBackupPlan](API_GetBackupPlan.md)  | backup:GetBackupPlan |  arn:aws:backup:region:account-id:backup-plan:\$1  | 
|  [GetBackupPlanFromJSON](API_GetBackupPlanFromJSON.md)  | backup:GetBackupPlanFromJSON |  | 
|  [GetBackupPlanFromTemplate](API_GetBackupPlanFromTemplate.md)  | backup:GetBackupPlanFromTemplate |  arn:aws:backup:region:account-id:backup-plan:\$1  | 
|  [GetBackupSelection](API_GetBackupSelection.md)  | backup:GetBackupSelection |  arn:aws:backup:region:account-id:backup-plan:\$1  | 
|  [GetBackupVaultAccessPolicy](API_GetBackupVaultAccessPolicy.md)  |  backup:GetBackupVaultAccessPolicy 1  |  arn:aws:backup:region:account-id:backup-vault:\$1  | 
|  [GetBackupVaultNotifications](API_GetBackupVaultNotifications.md)  |  backup:GetBackupVaultNotifications 1  |  arn:aws:backup:region:account-id:backup-vault:\$1  | 
|  [GetRecoveryPointRestoreMetadata](API_GetRecoveryPointRestoreMetadata.md)  |  backup:GetRecoveryPointRestoreMetadata 1  |  arn:aws:backup:region:account-id:backup-vault:\$1  | 
|  [GetSupportedResourceTypes](API_GetSupportedResourceTypes.md)  | backup:GetSupportedResourceTypes |  | 
|  [ListBackupJobs](API_ListBackupJobs.md)  | backup:ListBackupJobs |  | 
|  [ListBackupPlans](API_ListBackupPlans.md)  | backup:ListBackupPlans |  | 
|  [ListBackupPlanTemplates](API_ListBackupPlanTemplates.md)  | backup:ListBackupPlanTemplates |  | 
|  [ListBackupPlanVersions](API_ListBackupPlanVersions.md)  | backup:ListBackupPlanVersions |  arn:aws:backup:region:account-id:backup-plan:\$1  | 
|  [ListBackupSelections](API_ListBackupSelections.md)  | backup:ListBackupSelections |  arn:aws:backup:region:account-id:backup-plan:\$1  | 
|  [ListBackupVaults](API_ListBackupVaults.md)  | backup:ListBackupVaults |  arn:aws:backup:region:account-id:backup-vault:\$1  | 
|  [ListProtectedResources](API_ListProtectedResources.md)  | backup:ListProtectedResources |  | 
|  [ListRecoveryPointsByBackupVault](API_ListRecoveryPointsByBackupVault.md)  |  backup:ListRecoveryPointsByBackupVault 1  |  arn:aws:backup:region:account-id:backup-vault:\$1  | 
|  [ListRecoveryPointsByResource](API_ListRecoveryPointsByResource.md)  | backup:ListRecoveryPointsByResource |  | 
|  [ListRestoreJobs](API_ListRestoreJobs.md)  | backup:ListRestoreJobs |  | 
|  [ListTags](API_ListTags.md)  | backup:ListTags |  | 
|  [PutBackupVaultAccessPolicy](API_PutBackupVaultAccessPolicy.md)  |  backup:PutBackupVaultAccessPolicy 1  |  arn:aws:backup:region:account-id:backup-vault:\$1  | 
|  [PutBackupVaultLockConfiguration](API_PutBackupVaultLockConfiguration.md)  |  backup:PutBackupVaultLockConfiguration 1  |  arn:aws:backup:region:account-id:backup-vault:\$1  | 
|  [PutBackupVaultNotifications](API_PutBackupVaultNotifications.md)  |  backup:PutBackupVaultNotifications 1  |  arn:aws:backup:region:account-id:backup-vault:\$1  | 
|  [StartBackupJob](API_StartBackupJob.md)  | backup:StartBackupJob |  arn:aws:backup:region:account-id:backup-vault:\$1  | 
|  [StartRestoreJob](API_StartRestoreJob.md)  | backup:StartRestoreJob |  `arn:aws:backup:region:account-id:backup-vault:*` `arn:aws:backup:region:account-id:recovery-point:*` 3  | 
|  [StopBackupJob](API_StopBackupJob.md)  | backup:StopBackupJob |  | 
|  [TagResource](API_TagResource.md)  | backup:TagResource | arn:aws:backup:region:account-id:recovery-point:\$1 | 
|  [UntagResource](API_UntagResource.md)  | backup:UntagResource |  | 
|  [UpdateBackupPlan](API_UpdateBackupPlan.md)  | backup:UpdateBackupPlan |  arn:aws:backup:region:account-id:backup-plan:\$1  | 
|  [UpdateRecoveryPointLifecycle](API_UpdateRecoveryPointLifecycle.md)  |  backup:UpdateRecoveryPointLifecycle 1  |  arn:aws:backup:region:account-id:backup-vault:\$1 2  | 
|  [UpdateRegionSettings](API_UpdateRegionSettings.md)  |  `backup:UpdateRegionSettings` `backup:DescribeRegionSettings`  |  | 

1 Uses the existing vault access policy.

2 See [AWS Backup resource ARNs](#resource-arns-table) for resource-specific recovery point ARNs.

3 `StartRestoreJob` must have the key-value pair in the metadata for the resource. To get the metadata of the resource, call the `GetRecoveryPointRestoreMetadata` API.

For more information, see [Actions, resources, and condition keys for AWS Backup](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbackup.html) in the *Service Authorization Reference*.

## Copy tags permissions
<a name="copy-tags"></a>

When AWS Backup performs a backup or copy job, it attempts to copy the tags from your source resource (or recovery point in the case of copy) to your recovery point.

**Note**  
AWS Backup does **not** natively copy tags during restore jobs. For an event-driven architecture that will copy tags during restore jobs, see [How to retain resource tags in AWS Backup restore jobs](https://aws.amazon.com/blogs/storage/how-to-retain-resource-tags-in-aws-backup-restore-jobs/).

During a backup or copy job, AWS Backup aggregates the tags you specify in your backup plan (or copy plan, or on-demand backup) with the tags from your source resource. However, AWS enforces a limit of 50 tags per resource, which AWS Backup cannot exceed. When a backup or copy job aggregates tags from the plan and the source resource, it might discover more than 50 total tags, it will be unable to complete the job, and will fail the job. This is consistent with AWS-wide tagging best practices.
+ Your resource has more than 50 tags after aggregating your backup job tags with your source resource tags. AWS supports up to 50 tags per resource.
+ The IAM role you provide to AWS Backup lacks permissions to read the source tags or set the destination tags. For more information and sample IAM role policies, see [Managed Policies](https://docs.aws.amazon.com/aws-backup/latest/devguide/access-control.html#managed-policies).

You can use your backup plan (tags added to recovery points) to create tags that contradict your source resource tags. When the two conflict, the tags from your backup plan take precedence. Use this technique if you prefer not to copy a tag value from your source resource. Specify the same tag key, but different or empty value, using your backup plan.


**Permissions Required to assign tags to backups**  

| Resource type | Required permission | 
| --- | --- | 
| Amazon EFS file system | `elasticfilesystem:DescribeTags` | 
| Amazon FSx file system | `fsx:ListTagsForResource` | 
| Amazon RDS database and Amazon Aurora cluster |  `rds:AddTagsToResource` `rds:ListTagsForResource`  | 
| Storage Gateway volume | `storagegateway:ListTagsForResource` | 
| Amazon EC2 instance and Amazon EBS volume |  `EC2:CreateTags` `EC2:DescribeTags`  | 

DynamoDB does not support assigning tags to backups unless you first enable [Advanced DynamoDB backup](advanced-ddb-backup.md).

When an Amazon EC2 backup creates an Image Recovery Point and a set of snapshots, AWS Backup copies tags to the resulting AMI. AWS Backup also copies the tags from the volumes associated with the Amazon EC2 instance to the resulting snapshots.

## Access policies
<a name="access-policies"></a>

A *permissions* policy describes who has access to what. Policies attached to an IAM identity are referred to as *identity-based* policies (IAM policies). Policies attached to a resource are referred to as *resource-based* policies. AWS Backup supports both identity-based policies and resource-based policies.

**Note**  
This section discusses using IAM in the context of AWS Backup. It doesn't provide detailed information about the IAM service. For complete IAM documentation, see [What Is IAM?](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) in the *IAM User Guide*. For information about IAM policy syntax and descriptions, see [IAM JSON Policy Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.

### Identity-based policies (IAM policies)
<a name="identity-based-policies"></a>

Identity-based policies are policies that you can attach to IAM identities, such as users or roles. For example, you can define a policy that allows a user to view and back up AWS resources, but prevents them from restoring backups.

For more information about users, groups, roles, and permissions, see [Identities (Users, Groups, and Roles)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html) in the *IAM User Guide*.

For information about how to use IAM policies to control access to backups, see [Managed policies for AWS Backup](security-iam-awsmanpol.md).

### Resource-based policies
<a name="resource-based-policies"></a>

AWS Backup supports resource-based access policies for backup vaults. This enables you to define an access policy that can control which users have what kind of access to any of the backups organized in a backup vault. Resource-based access policies for backup vaults provide an easy way to control access to your backups. 

Backup vault access policies control user access when you use AWS Backup APIs. Some backup types, such as Amazon Elastic Block Store (Amazon EBS) and Amazon Relational Database Service (Amazon RDS) snapshots, can also be accessed using those services' APIs. You can create separate access policies in IAM that control access to those APIs in order to fully control access to backups.

To learn how to create an access policy for backup vaults, see [Vault access policies](create-a-vault-access-policy.md).

# IAM service roles
<a name="iam-service-roles"></a>

An AWS Identity and Access Management (IAM) role is similar to a user, in that it is an AWS identity with permissions policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. A service role is a role that an AWS service assumes to perform actions on your behalf. As a service that performs backup operations on your behalf, AWS Backup requires that you pass it a role to assume when performing backup operations on your behalf. For more information about IAM roles, see [IAM Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) in the *IAM User Guide*. 

The role that you pass to AWS Backup must have an IAM policy with the permissions that enable AWS Backup to perform actions associated with backup operations, such as creating, restoring, or expiring backups. Different permissions are required for each of the AWS services that AWS Backup supports. The role must also have AWS Backup listed as a trusted entity, which enables AWS Backup to assume the role. 

When you assign resources to a backup plan, or if you perform an on-demand backup, copy, or restore, you must pass a service role that has access to perform the underlying operations on the specified resources. AWS Backup uses this role to create, tag, and delete resources in your account.

## Using AWS roles to control access to backups
<a name="using-roles-to-control-access"></a>

You can use roles to control access to your backups by defining narrowly scoped roles and by specifying who can pass that role to AWS Backup. For example, you could create a role that only grants permissions to back up Amazon Relational Database Service (Amazon RDS) databases and only grant Amazon RDS database owners permission to pass that role to AWS Backup. AWS Backup provides several predefined managed policies for each of the supported services. You can attach these managed policies to roles that you create. This makes it easier to create service-specific roles that have the correct permissions that AWS Backup needs. 

For more information about AWS managed policies for AWS Backup, see [Managed policies for AWS Backup](security-iam-awsmanpol.md).

## Default service role for AWS Backup
<a name="default-service-roles"></a>

When using the AWS Backup console for the first time, you can choose to have AWS Backup create a default service role for you. This role has the permissions that AWS Backup needs to create and restore backups on your behalf.

**Note**  
The default role is automatically created when you use the AWS Management Console. You can create the default role using the AWS Command Line Interface (AWS CLI), but it must be done manually.

If you prefer to use custom roles, such as separate roles for different resource types, you can also do that and pass your custom roles to AWS Backup. To view examples of roles that enable backup and restore for individual resource types, see the [Customer managed policies](security-iam-awsmanpol.md#customer-managed-policies) table.

The default service role is named `AWSBackupDefaultServiceRole`. This service role contains two managed policies, [AWSBackupServiceRolePolicyForBackup](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForBackup.html) and [AWSBackupServiceRolePolicyForRestores](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForRestores.html).

`AWSBackupServiceRolePolicyForBackup` includes an IAM policy that grants AWS Backup permissions to describe the resource being backed up, the ability to create, delete, describe, or add tags to a backup regardless of the AWS KMS key with which it is encrypted. 

`AWSBackupServiceRolePolicyForRestores` includes an IAM policy that grants AWS Backup permissions to create, delete, or describe the new resource being created from a backup, regardless of the AWS KMS key with which it is encrypted. It also includes permissions to tag the newly created resource.

To restore an Amazon EC2 instance, you must launch a new instance. 

## Creating the default service role in the console
<a name="creating-default-service-role-console"></a>

 Specific actions you take in the AWS Backup Console create the AWS Backup default service role. 

**To create the AWS Backup default service role in your AWS account**

1. Open the AWS Backup console at [https://console.aws.amazon.com/backup](https://console.aws.amazon.com/backup).

1. To create the role for your account, either assign resources to a backup plan or create an on-demand backup.

   1. Create a backup plan and assign resources to the backup. See [Create a backup plan](https://docs.aws.amazon.com/aws-backup/latest/devguide/creating-a-backup-plan.html).

   1. Alternatively, create an on-demand backup. See [Create an on-demand backup](https://docs.aws.amazon.com/aws-backup/latest/devguide/create-on-demand-backup.html).

1.  Verify that you have created the `AWSBackupDefaultServiceRole` in your account by following these steps: 

   1. Wait a few minutes. For more information, see [Changes that I make are not always immediately visible](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency) in the *AWS Identity and Access Management User Guide.*

   1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

   1. In the left navigation menu, choose **Roles**.

   1. In the search bar, type `AWSBackupDefaultServiceRole`. If this selection exists, you have created the AWS Backup default role and completed this procedure.

   1. If `AWSBackupDefaultServiceRole` still does not appear, add the following permissions to either the IAM user or IAM role you use to access the console.

------
#### [ JSON ]

****  

      ```
      {
        "Version":"2012-10-17",		 	 	 
        "Statement":[
          {
            "Effect":"Allow",
            "Action":[
              "iam:CreateRole",
              "iam:AttachRolePolicy",
              "iam:PassRole"
            ],
            "Resource":"arn:aws:iam::*:role/service-role/AWSBackupDefaultServiceRole"
          },
          {
            "Effect":"Allow",
            "Action":[
              "iam:ListRoles"
            ],
            "Resource":"*"
          }
        ]
      }
      ```

------

      For China Regions, replace *aws* with *aws-cn*. For AWS GovCloud (US) Regions, replace *aws* with *aws-us-gov*.

   1. If you cannot add permissions to your IAM user or IAM role, ask your administrator to manually create a role with a name *other than* `AWSBackupDefaultServiceRole` and attach that role to these managed policies:
      + `AWSBackupServiceRolePolicyForBackup`
      + `AWSBackupServiceRolePolicyForRestores`

# Managed policies for AWS Backup
<a name="security-iam-awsmanpol"></a>

Managed policies are standalone identity-based policies that you can attach to multiple users, groups, and roles in your AWS account. When you attach a policy to a principal entity, you give the entity the permissions that are defined in the policy.

*AWS managed policies* are created and administered by AWS. You can't change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to.

*Customer managed policies* give you fine-grained controls to set access to backups in AWS Backup. For example, you can use them to give your database backup administrator access to Amazon RDS backups but not Amazon EFS ones.

For more information, see [Managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html) in the *IAM User Guide*.

## AWS managed policies
<a name="aws-managed-policies"></a>

AWS Backup provides the following AWS managed policies for common use cases. These policies make it easier to define the right permissions and control access to your backups. There are two types of managed policies. One type is designed to be assigned to users to control their access to AWS Backup. The other type of managed policy is designed to be attached to roles that you pass to AWS Backup. The following table lists all the managed policies that AWS Backup provides and describes how they are defined. You can find these managed policies in the **Policies** section of the IAM console.

**Topics**
+ [AWSBackupAuditAccess](#AWSBackupAuditAccess)
+ [AWSBackupDataTransferAccess](#AWSBackupDataTransferAccess)
+ [AWSBackupFullAccess](#AWSBackupFullAccess)
+ [AWSBackupGatewayServiceRolePolicyForVirtualMachineMetadataSync](#AWSBackupGatewayServiceRolePolicyForVirtualMachineMetadataSync)
+ [AWSBackupGuardDutyRolePolicyForScans](#AWSBackupGuardDutyRolePolicyForScans)
+ [AWSBackupOperatorAccess](#AWSBackupOperatorAccess)
+ [AWSBackupOrganizationAdminAccess](#AWSBackupOrganizationAdminAccess)
+ [AWSBackupRestoreAccessForSAPHANA](#AWSBackupRestoreAccessForSAPHANA)
+ [AWSBackupSearchOperatorAccess](#AWSBackupSearchOperatorAccess)
+ [AWSBackupServiceLinkedRolePolicyForBackup](#AWSBackupServiceLinkedRolePolicyForBackup)
+ [AWSBackupServiceLinkedRolePolicyForBackupTest](#AWSBackupServiceLinkedRolePolicyForBackupTest)
+ [AWSBackupServiceRolePolicyForBackup](#AWSBackupServiceRolePolicyForBackup)
+ [AWSBackupServiceRolePolicyForItemRestores](#AWSBackupServiceRolePolicyForItemRestores)
+ [AWSBackupServiceRolePolicyForIndexing](#AWSBackupServiceRolePolicyForIndexing)
+ [AWSBackupServiceRolePolicyForRestores](#AWSBackupServiceRolePolicyForRestores)
+ [AWSBackupServiceRolePolicyForS3Backup](#AWSBackupServiceRolePolicyForS3Backup)
+ [AWSBackupServiceRolePolicyForS3Restore](#AWSBackupServiceRolePolicyForS3Restore)
+ [AWSBackupServiceRolePolicyForScans](#AWSBackupServiceRolePolicyForScans)
+ [AWSServiceRolePolicyForBackupReports](#AWSServiceRolePolicyForBackupReports)
+ [AWSServiceRolePolicyForBackupRestoreTesting](#AWSServiceRolePolicyForBackupRestoreTesting)

### AWSBackupAuditAccess
<a name="AWSBackupAuditAccess"></a>

This policy grants permissions for users to create controls and frameworks that define their expectations for AWS Backup resources and activities, and to audit AWS Backup resources and activities against their defined controls and frameworks. This policy grants permissions to AWS Config and similar services to describe user expectations perform the audits.

This policy also grants permissions to deliver audit reports to Amazon S3 and similar services, and enables users to find and open their audit reports.

To view the permissions for this policy, see [AWSBackupAuditAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupAuditAccess.html) in the *AWS Managed Policy Reference*.

### AWSBackupDataTransferAccess
<a name="AWSBackupDataTransferAccess"></a>

This policy provides permissions for the AWS Backup storage plane data transfer APIs, allowing the AWS Backint agent to complete backup data transfer with the AWS Backup storage plane. You can attach this policy to roles assumed by Amazon EC2 instances running SAP HANA with the Backint agent.

To view the permissions for this policy, see [AWSBackupDataTransferAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupDataTransferAccess.html) in the *AWS Managed Policy Reference*.

### AWSBackupFullAccess
<a name="AWSBackupFullAccess"></a>

The backup administrator has full access to AWS Backup operations, including creating or editing backup plans, assigning AWS resources to backup plans, and restoring backups. Backup administrators are responsible for determining and enforcing backup compliance by defining backup plans that meet their organization's business and regulatory requirements. Backup administrators also ensure that their organization's AWS resources are assigned to the appropriate plan.

To view the permissions for this policy, see [AWSBackupFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupFullAccess.html) in the *AWS Managed Policy Reference*.

### AWSBackupGatewayServiceRolePolicyForVirtualMachineMetadataSync
<a name="AWSBackupGatewayServiceRolePolicyForVirtualMachineMetadataSync"></a>

This policy provides Backup gateway permission to sync the metadata of Virtual Machines on your behalf

To view the permissions for this policy, see [AWSBackupGatewayServiceRolePolicyForVirtualMachineMetadataSync](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupGatewayServiceRolePolicyForVirtualMachineMetadataSync.html) in the *AWS Managed Policy Reference*.

### AWSBackupGuardDutyRolePolicyForScans
<a name="AWSBackupGuardDutyRolePolicyForScans"></a>

This policy must be added to a new scanning role that grants Amazon GuardDuty permission to read and scan your backups. You'll need to attach this scanning role to your backup plan within the malware protection or scan settings. When AWS Backup initiates a scan, it passes this scanning role to Amazon GuardDuty.

To view the permissions for this policy, see [AWSBackupGuardDutyRolePolicyForScans](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupGuardDutyRolePolicyForScans.html) in the *AWS Managed Policy Reference*.

### AWSBackupOperatorAccess
<a name="AWSBackupOperatorAccess"></a>

Backup operators are users that are responsible for ensuring the resources that they are responsible for are properly backed up. Backup operators have permissions to assign AWS resources to the backup plans that the backup administrator creates. They also have permissions to create on-demand backups of their AWS resources and to configure the retention period of on-demand backups. Backup operators do not have permissions to create or edit backup plans or to delete scheduled backups after they are created. Backup operators can restore backups. You can limit the resource types that a backup operator can assign to a backup plan or restore from a backup. You do this by allowing only certain service roles to be passed to AWS Backup that have permissions for a certain resource type.

To view the permissions for this policy, see [AWSBackupOperatorAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupOperatorAccess.html) in the *AWS Managed Policy Reference*.

### AWSBackupOrganizationAdminAccess
<a name="AWSBackupOrganizationAdminAccess"></a>

The organization administrator has full access to AWS Organizations operations, including creating, editing, or deleting backup policies, assigning backup policies to accounts and organizational units, and monitoring backup activities within the organization. Organization administrators are responsible for protecting accounts in their organization by defining and assigning backup policies that meet their organization's business and regulatory requirements.

To view the permissions for this policy, see [AWSBackupOrganizationAdminAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupOrganizationAdminAccess.html) in the *AWS Managed Policy Reference*.

### AWSBackupRestoreAccessForSAPHANA
<a name="AWSBackupRestoreAccessForSAPHANA"></a>

This policy provides AWS Backup permission to restore a backup of SAP HANA on Amazon EC2.

To view the permissions for this policy, see [AWSBackupRestoreAccessForSAPHANA](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupRestoreAccessForSAPHANA.html) in the *AWS Managed Policy Reference*.

### AWSBackupSearchOperatorAccess
<a name="AWSBackupSearchOperatorAccess"></a>

The search operator role has access to create backup indexes and to create searches of indexed backup metadata.

This policy contains the necessary permissions for those functions.

To view the permissions for this policy, see [AWSBackupSearchOperatorAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupSearchOperatorAccess.html) in the *AWS Managed Policy Reference*.

### AWSBackupServiceLinkedRolePolicyForBackup
<a name="AWSBackupServiceLinkedRolePolicyForBackup"></a>

This policy is attached to the service-linked role named AWSServiceRoleforBackup to allow AWS Backup to call AWS services on your behalf to manage your backups. For more information, see [Using roles to back up and copy](using-service-linked-roles-AWSServiceRoleForBackup.md).

To view the permissions for this policy, see [ AWSBackupServiceLinkedRolePolicyforBackup](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceLinkedRolePolicyForBackup.html) in the *AWS Managed Policy Reference*.

### AWSBackupServiceLinkedRolePolicyForBackupTest
<a name="AWSBackupServiceLinkedRolePolicyForBackupTest"></a>

To view the permissions for this policy, see [AWSBackupServiceLinkedRolePolicyForBackupTest](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceLinkedRolePolicyForBackupTest.html) in the *AWS Managed Policy Reference*.

### AWSBackupServiceRolePolicyForBackup
<a name="AWSBackupServiceRolePolicyForBackup"></a>

Provides AWS Backup permissions to create backups of all supported resource types on your behalf.

To view the permissions for this policy, see [AWSBackupServiceRolePolicyForBackup](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForBackup.html) in the *AWS Managed Policy Reference*.

### AWSBackupServiceRolePolicyForItemRestores
<a name="AWSBackupServiceRolePolicyForItemRestores"></a>

**Description**

This policy grants users permissions to restore individual files and items in a snapshot (periodic backup recovery point) to a new or existing Amazon S3 bucket or new Amazon EBS volume. These permissions include: read permissions to Amazon EBS for snapshots managed by AWS Backup read/write permissions to Amazon S3 buckets, and generate and describe permissions for AWS KMS keys.

**Using this policy**

You can attach `AWSBackupServiceRolePolicyForItemRestores` to your users, groups, and roles.

**Policy details**
+ **Type:** AWS managed policy
+ **Creation time:** 21 November 2024, 22:45 UTC
+ **Edited time:** First instance
+ **ARN:** `arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForItemRestores`

**Policy version:** v1 (default)

This policy’s version defines the permissions for the policy. When the user or role with the policy makes a request to access an AWS resource, AWS checks the default version of the policy to determine whether to allow the request or not.

**JSON policy document:**

#### AWSBackupServiceRolePolicyForItemRestores JSON
<a name="AWSBackupServiceRolePolicyForItemRestoresJSON"></a>

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "EBSReadOnlyPermissions",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSnapshots"
            ],
            "Resource": "arn:aws:ec2:*::snapshot/*"
        },
        {
            "Sid": "KMSReadOnlyPermissions",
            "Effect": "Allow",
            "Action": "kms:DescribeKey",
            "Resource": "*"
        },
        {
            "Sid": "EBSDirectReadAPIPermissions",
            "Effect": "Allow",
            "Action": [
                "ebs:ListSnapshotBlocks",
                "ebs:GetSnapshotBlock"
            ],
            "Resource": "arn:aws:ec2:*::snapshot/*"
        },
        {
            "Sid": "S3ReadonlyPermissions",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Sid": "S3PermissionsForFileLevelRestore",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": "arn:aws:s3:::*/*"
        },
        {
            "Sid": "KMSDataKeyForS3AndEC2Permissions",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "arn:aws:kms:*:*:key/*",
            "Condition": {
                "StringLike": {
                    "kms:ViaService": [
                        "ec2.*.amazonaws.com",
                        "s3.*.amazonaws.com"
                    ]
                }
            }
        }
    ]
}
```

------

### AWSBackupServiceRolePolicyForIndexing
<a name="AWSBackupServiceRolePolicyForIndexing"></a>

**Description**

This policy grants users permissions to index snapshot, also known as periodic, recovery points. These permissions include: read permissions to Amazon EBS for snapshots managed by AWS Backup read/write permissions to Amazon S3 buckets, and generate and describe permissions for AWS KMS keys.

**Using this policy**

You can attach `AWSBackupServiceRolePolicyForIndexing` to your users, groups, and roles.

**Policy details**
+ **Type:** AWS managed policy
+ **Edited time:** First instance
+ **ARN:** `arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForIndexing`

**Policy version:** v1 (default)

This policy’s version defines the permissions for the policy. When the user or or role with the policy makes a request to access an AWS resource, AWS checks the default version of the policy to determine whether to allow the request or not.

**JSON policy document:**

#### AWSBackupServiceRolePolicyForIndexing JSON
<a name="AWSBackupServiceRolePolicyForIndexingJSON"></a>

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "EBSReadOnlyPermissions",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSnapshots"
            ],
            "Resource": "arn:aws:ec2:*::snapshot/*"
        },
        {
            "Sid": "KMSReadOnlyPermissions",
            "Effect": "Allow",
            "Action": "kms:DescribeKey",
            "Resource": "*"
        },
        {
            "Sid": "EBSDirectReadAPIPermissions",
            "Effect": "Allow",
            "Action": [
                "ebs:ListSnapshotBlocks",
                "ebs:GetSnapshotBlock"
            ],
            "Resource": "arn:aws:ec2:*::snapshot/*"
        },
        {
            "Sid": "KMSDataKeyForEC2Permissions",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "arn:aws:kms:*:*:key/*",
            "Condition": {
                "StringLike": {
                    "kms:ViaService": [
                        "ec2.*.amazonaws.com"
                    ]
                }
            }
        }
    ]
}
```

------

### AWSBackupServiceRolePolicyForRestores
<a name="AWSBackupServiceRolePolicyForRestores"></a>

Provides AWS Backup permissions to restore backups of all supported resource types on your behalf.

To view the permissions for this policy, see [AWSBackupServiceRolePolicyForRestores](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForRestores.html) in the *AWS Managed Policy Reference*.

For EC2 instance restores, you must also include the following permissions to launch the EC2 instance:

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Sid": "AllowPassRole",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::123456789012:role/role-name",
      "Effect": "Allow"
    }
  ]
}
```

------

### AWSBackupServiceRolePolicyForS3Backup
<a name="AWSBackupServiceRolePolicyForS3Backup"></a>

This policy contains the permissions necessary for AWS Backup to back up any S3 bucket. This includes access to all objects in a bucket and any associated AWS KMS key.

To view the permissions for this policy, see [AWSBackupServiceRolePolicyForS3Backup](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForS3Backup.html) in the *AWS Managed Policy Reference*.

### AWSBackupServiceRolePolicyForS3Restore
<a name="AWSBackupServiceRolePolicyForS3Restore"></a>

This policy contains permissions necessary for AWS Backup to restore an S3 backup to a bucket. This includes read and write permissions to the buckets and the usage of any AWS KMS key in regards to S3 operations.

To view the permissions for this policy, see [AWSBackupServiceRolePolicyForS3Restore](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForS3Restore.html) in the *AWS Managed Policy Reference*.

### AWSBackupServiceRolePolicyForScans
<a name="AWSBackupServiceRolePolicyForScans"></a>

The policy should be attached to the IAM role that you use in your backup plan's resource selection. This role grants AWS Backup permission to initiate scans in Amazon GuardDuty. 

To view the permissions for this policy, see [AWSBackupServiceRolePolicyForScans](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForScans.html) in the *AWS Managed Policy Reference*.

### AWSServiceRolePolicyForBackupReports
<a name="AWSServiceRolePolicyForBackupReports"></a>

AWS Backup uses this policy for the [AWSServiceRoleForBackupReports](https://docs.aws.amazon.com/aws-backup/latest/devguide/using-service-linked-roles-AWSServiceRoleForBackupReports.html) service-linked role. This service-linked role gives AWS Backup permissions to monitor and report on the compliance of your backup settings, jobs, and resources with your frameworks.

To view the permissions for this policy, see [AWSServiceRolePolicyForBackupReports](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSServiceRolePolicyForBackupReports.html) in the *AWS Managed Policy Reference*.

### AWSServiceRolePolicyForBackupRestoreTesting
<a name="AWSServiceRolePolicyForBackupRestoreTesting"></a>

To view the permissions for this policy, see [AWSServiceRolePolicyForBackupRestoreTesting](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSServiceRolePolicyForBackupRestoreTesting.html) in the *AWS Managed Policy Reference*.

## Customer managed policies
<a name="customer-managed-policies"></a>

The following sections describe the recommended backup and restore permissions for the AWS services and third-party application supported by AWS Backup. You can use the existing AWS managed policies as a model as you create your own policy documents, and then customize them to further restrict access to your AWS resources.

**Important**  
When using custom IAM roles for AWS Backup, you must include resource-specific permissions in addition to AWS Backup permissions. For example, when calling `backup:ListTags` on an Amazon RDS resource, your custom IAM role must also include `rds:ListTagsForResource` permission. While these permissions are included in the default AWS Backup service role, they must be explicitly added to customer-managed policies. The underlying resource permissions required depend on the specific AWS service and operation being performed.

### Amazon Aurora
<a name="aurora-customer-managed-policies"></a>

**Backup**

Start with the following statements from [AWSBackupServiceRolePolicyForBackup](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForBackup.html):
+ `DynamoDBBackupPermissions`
+ `RDSClusterModifyPermissions`
+ `GetResourcesPermissions`
+ `BackupVaultPermissions`
+ `KMSPermissions`

**Restore**  
Start with the `RDSPermissions` statement from [AWSBackupServiceRolePolicyForRestores](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForRestores.html).

### Amazon Aurora DSQL
<a name="aurora-dsql-customer-managed-policies"></a>

**Backup**

Start with the following statements from [AWSBackupServiceRolePolicyForBackup](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForBackup.html):
+ `DSQLBackupPermissions`
+ `GetResourcesPermissions`
+ `BackupVaultPermissions`
+ `KMSPermissions`

**Restore**  
Start with the `DSQLRestorePermissions` statement from [AWSBackupServiceRolePolicyForRestores](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForRestores.html).

### Amazon DynamoDB
<a name="ddb-customer-managed-policies"></a>

**Backup**

Start with the following statements from [AWSBackupServiceRolePolicyForBackup](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForBackup.html):
+ `DynamoDBPermissions`
+ `DynamoDBBackupResourcePermissions`
+ `DynamodbBackupPermissions`
+ `KMSDynamoDBPermissions`

**Restore**

Start with the following statements from [AWSBackupServiceRolePolicyForRestores](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForRestores.html):
+ `DynamoDBPermissions`
+ `DynamoDBBackupResourcePermissions`
+ `DynamoDBRestorePermissions`
+ `KMSPermissions`

### Amazon EBS
<a name="ebs-customer-managed-policies"></a>

**Backup**

Start with the following statements from [AWSBackupServiceRolePolicyForBackup](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForBackup.html):
+ `EBSResourcePermissions`
+ `EBSTagAndDeletePermissions`
+ `EBSCopyPermissions`
+ `EBSSnapshotTierPermissions`
+ `GetResourcesPermissions`
+ `BackupVaultPermissions`

**Restore**  
Start with the `EBSPermissions` statement from [AWSBackupServiceRolePolicyForRestores](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForRestores.html).

Add the following statement.

```
{
      "Effect":"Allow",
      "Action": [
        "ec2:DescribeSnapshots",
        "ec2:DescribeVolumes"
      ],
      "Resource":"*"
},
```

### Amazon EC2
<a name="ec2-customer-managed-policies"></a>

**Backup**

Start with the following statements from [AWSBackupServiceRolePolicyForBackup](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForBackup.html):
+ `EBSCopyPermissions`
+ `EC2CopyPermissions`
+ `EC2Permissions`
+ `EC2TagPermissions`
+ `EC2ModifyPermissions`
+ `EBSResourcePermissions`
+ `GetResourcesPermissions`
+ `BackupVaultPermissions`

**Restore**

Start with the following statements from [AWSBackupServiceRolePolicyForRestores](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForRestores.html):
+ `EBSPermissions`
+ `EC2DescribePermissions`
+ `EC2RunInstancesPermissions`
+ `EC2TerminateInstancesPermissions`
+ `EC2CreateTagsPermissions`

Add the following statement.

```
{
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::account-id:role/role-name"
},
```

Replace *role-name* with the name of the EC2 instance profile role that will be attached to the restored EC2 instance. This is not the AWS Backup service role, but rather the IAM role that provides permissions to applications running on the EC2 instance.

### Amazon EFS
<a name="efs-customer-managed-policies"></a>

**Backup**

Start with the following statements from [AWSBackupServiceRolePolicyForBackup](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForBackup.html):
+ `EFSPermissions`
+ `GetResourcesPermissions`
+ `BackupVaultPermissions`

**Restore**  
Start with the `EFSPermissions` statement from [AWSBackupServiceRolePolicyForRestores](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForRestores.html).

### Amazon FSx
<a name="fsx-customer-managed-policies"></a>

**Backup**

Start with the following statements from [AWSBackupServiceRolePolicyForBackup](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForBackup.html):
+ `FsxBackupPermissions`
+ `FsxCreateBackupPermissions`
+ `FsxPermissions`
+ `FsxVolumePermissions`
+ `FsxListTagsPermissions`
+ `FsxDeletePermissions`
+ `FsxResourcePermissions`
+ `KMSPermissions`

**Restore**

Start with the following statements from [AWSBackupServiceRolePolicyForRestores](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForRestores.html):
+ `FsxPermissions`
+ `FsxTagPermissions`
+ `FsxBackupPermissions`
+ `FsxDeletePermissions`
+ `FsxDescribePermissions`
+ `FsxVolumeTagPermissions`
+ `FsxBackupTagPermissions`
+ `FsxVolumePermissions`
+ `DSPermissions`
+ `KMSDescribePermissions`

### Amazon Neptune
<a name="neptune-customer-managed-policies"></a>

**Backup**

Start with the following statements from [AWSBackupServiceRolePolicyForBackup](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForBackup.html):
+ `DynamoDBBackupPermissions`
+ `RDSClusterModifyPermissions`
+ `GetResourcesPermissions`
+ `BackupVaultPermissions`
+ `KMSPermissions`

**Restore**  
Start with the `RDSPermissions` statement from [AWSBackupServiceRolePolicyForRestores](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForRestores.html).

### Amazon RDS
<a name="rds-customer-managed-policies"></a>

**Backup**

Start with the following statements from [AWSBackupServiceRolePolicyForBackup](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForBackup.html):
+ `DynamoDBBackupPermissions`
+ `RDSBackupPermissions`
+ `RDSClusterModifyPermissions`
+ `GetResourcesPermissions`
+ `BackupVaultPermissions`
+ `KMSPermissions`

**Restore**  
Start with the `RDSPermissions` statement from [AWSBackupServiceRolePolicyForRestores](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForRestores.html).

### Amazon S3
<a name="s3-customer-managed-policies"></a>

**Backup**  
Start with [AWSBackupServiceRolePolicyForS3Backup](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForS3Backup.html).

Add the `BackupVaultPermissions` and `BackupVaultCopyPermissions` statements if you need to copy backups to a different account.

**Restore**  
Start with [AWSBackupServiceRolePolicyForS3Restore](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForS3Restore.html).

### AWS Storage Gateway
<a name="storage-gateway-customer-managed-policies"></a>

**Backup**

Start with the following statements from [AWSBackupServiceRolePolicyForBackup](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForBackup.html):
+ `StorageGatewayPermissions`
+ `EBSTagAndDeletePermissions`
+ `GetResourcesPermissions`
+ `BackupVaultPermissions`

Add the following statement.

```
{
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSnapshots"
      ],
      "Resource":"*"
},
```

**Restore**

Start with the following statements from [AWSBackupServiceRolePolicyForRestores](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForRestores.html):
+ `StorageGatewayVolumePermissions`
+ `StorageGatewayGatewayPermissions`
+ `StorageGatewayListPermissions`

### Virtual machine
<a name="vm-customer-managed-policies"></a>

**Backup**  
Start with the `BackupGatewayBackupPermissions` statement from [AWSBackupServiceRolePolicyForBackup](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForBackup.html).

**Restore**  
Start with the `GatewayRestorePermissions` statement from [AWSBackupServiceRolePolicyForRestores](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForRestores.html).

### Encrypted backup
<a name="customer-managed-policies-encrypted-backup"></a>

**To restore an encrypted backup, do one of the following**
+ Add your role to the allowlist for the AWS KMS key policy
+ Add the following statements from [AWSBackupServiceRolePolicyForRestores](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceRolePolicyForRestores.html) to your IAM role for restores:
  + `KMSDescribePermissions`
  + `KMSPermissions`
  + `KMSCreateGrantPermissions`

## Policy updates for AWS Backup
<a name="policy-updates"></a>

View details about updates to AWS managed policies for AWS Backup since this service began tracking these changes.


| Change | Description | Date | 
| --- | --- | --- | 
| [AWSServiceRolePolicyForBackupRestoreTesting](#AWSServiceRolePolicyForBackupRestoreTesting) – Update to an existing policy |  AWS Backup added the following permission to this policy: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/aws-backup/latest/devguide/security-iam-awsmanpol.html) These permissions allow AWS Backup Restore Testing to delete RDS Tenant Databases after restore test completion.  | March 18, 2026 | 
| [AWSBackupServiceRolePolicyForBackup](#AWSBackupServiceRolePolicyForBackup) – Update to an existing policy |  AWS Backup added the following permissions to this policy: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/aws-backup/latest/devguide/security-iam-awsmanpol.html) These permissions allow AWS Backup to initiate malware scans on your recovery points.  | February 23, 2026 | 
| [AWSBackupGuardDutyRolePolicyForScans](#AWSBackupGuardDutyRolePolicyForScans) – New policy |  AWS Backup added a new AWS managed policy that provides Amazon GuardDuty permission to read and scan customer backups. AWS Backup passes a role with this policy to GuardDuty when initiating the operations `StartMalwareScan`. This is necessary to provide all necessary permissions needed for malware scans on recovery points of Amazon EC2,Amazon EBS, and Amazon S3 resources. For more information, see the managed policy [AWSBackupGuardDutyRolePolicyForScans](#AWSBackupGuardDutyRolePolicyForScans).  | November 19, 2025 | 
| [AWSBackupServiceRolePolicyForScans](#AWSBackupServiceRolePolicyForScans) – New policy |  AWS Backup added a new AWS managed policy that provides AWS Backup permission to initiate malware scans on your recovery points. This is necessary to provide all necessary permissions needed for malware scans on recovery points of Amazon EC2,Amazon EBS, and Amazon S3 resources. For more information, see the managed policy [AWSBackupServiceRolePolicyForScans](#AWSBackupServiceRolePolicyForScans).  | November 19, 2025 | 
| [AWSBackupFullAccess](#AWSBackupFullAccess) – Update to an existing policy |  Added `malware-protection.guardduty.amazonaws.com` to `IamPassRolePermissions`, which is necessary to initiate malware scan jobs.   | November 19, 2025 | 
| [AWSBackupOperatorAccess](#AWSBackupOperatorAccess) – Update to an existing policy |  AWS Backup added the following permissions to this policy: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/aws-backup/latest/devguide/security-iam-awsmanpol.html) These permissions are necessary to initiate malware scan jobs.  | November 19, 2025 | 
| [AWSBackupFullAccess](#AWSBackupFullAccess) – Update to an existing policy |  AWS Backup added the following permissions to this policy: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/aws-backup/latest/devguide/security-iam-awsmanpol.html) These permissions allow AWS Backup to backup and restore Amazon EKS clusters.  | November 10, 2025 | 
| [AWSBackupOperatorAccess](#AWSBackupOperatorAccess) – Update to an existing policy |  AWS Backup added the following permissions to this policy: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/aws-backup/latest/devguide/security-iam-awsmanpol.html) These permissions allow AWS Backup to backup and restore Amazon EKS clusters.  | November 10, 2025 | 
| [AWSBackupServiceRolePolicyForBackup](#AWSBackupServiceRolePolicyForBackup) – Update to an existing policy |  AWS Backup added the following permissions to this policy: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/aws-backup/latest/devguide/security-iam-awsmanpol.html) These permissions allow AWS Backup to create backups of Amazon EKS clusters and their associated resources on behalf of customers.  | November 10, 2025 | 
| [AWSBackupServiceLinkedRolePolicyForBackup](#AWSBackupServiceLinkedRolePolicyForBackup) – Update to an existing policy |  AWS Backup added the following permissions to this policy: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/aws-backup/latest/devguide/security-iam-awsmanpol.html) These permissions allow AWS Backup to create backups of Amazon EKS clusters and their associated resources on behalf of customers.  | November 10, 2025 | 
| [AWSBackupServiceRolePolicyForRestores](#AWSBackupServiceRolePolicyForRestores) – Update to an existing policy |  AWS Backup added the following permissions to this policy: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/aws-backup/latest/devguide/security-iam-awsmanpol.html) These permissions allow AWS Backup to perform restore operations for Amazon EKS clusters and their associated resources on behalf of customers.  | November 10, 2025 | 
| [AWSBackupServiceRolePolicyForBackup](#AWSBackupServiceRolePolicyForBackup) – Update to an existing policy |  AWS Backup added the following permission to this policy: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/aws-backup/latest/devguide/security-iam-awsmanpol.html) This permission allows AWS Backup to synchronize delegated administrator information with Organizations for cross-account management features.  | September 9, 2025 | 
| [AWSBackupGuardDutyRolePolicyForScans](#AWSBackupGuardDutyRolePolicyForScans) – New policy |  AWS Backup added a new AWS managed policy that provides Amazon GuardDuty permission to read and scan customer backups. AWS Backup passes a role with this policy to GuardDuty when initiating the operations `StartMalwareScan`. This is necessary to provide all necessary permissions needed for malware scans on recovery points of Amazon EC2,Amazon EBS, and Amazon S3 resources. For more information, see the managed policy [AWSBackupGuardDutyRolePolicyForScans](#AWSBackupGuardDutyRolePolicyForScans).  | November 24, 2025 | 
| [AWSBackupServiceRolePolicyForScans](#AWSBackupServiceRolePolicyForScans) – New policy |  AWS Backup added a new AWS managed policy that provides AWS Backup permission to initiate malware scans on your recovery points. This is necessary to provide all necessary permissions needed for malware scans on recovery points of Amazon EC2,Amazon EBS, and Amazon S3 resources. For more information, see the managed policy [AWSBackupServiceRolePolicyForScans](#AWSBackupServiceRolePolicyForScans).  | November 24, 2025 | 
| [AWSBackupServiceRolePolicyForRestores](#AWSBackupServiceRolePolicyForRestores) – Update to an existing policy |  AWS Backup added the following permissions to this policy: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/aws-backup/latest/devguide/security-iam-awsmanpol.html) These permissions are necessary for AWS Backup to perform orchestrated multi-Region restore operations for DSQL resources on behalf of customers.  | July 17, 2025 | 
| [AWSBackupFullAccess](#AWSBackupFullAccess) – Update to an existing policy |  AWS Backup added the following permissions to this policy: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/aws-backup/latest/devguide/security-iam-awsmanpol.html) These permissions are necessary for AWS Backup integration with AWS Account Management and AWS Organizations so customers have the option of Multi-party approval (MPA) as part of their logically air-gapped vaults.  | June 17, 2025 | 
| [AWSBackupServiceRolePolicyForRestores](#AWSBackupServiceRolePolicyForRestores) – Update to an existing policy: |  AWS Backup added the following permissions to this policy: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/aws-backup/latest/devguide/security-iam-awsmanpol.html) These permissions are necessary to allow customers to restore Amazon FSx for OpenZFS Multi-availability zone (Multi-AZ) snapshots through AWS Backup.  | May 27, 2025 | 
| [AWSBackupFullAccess](#AWSBackupFullAccess) – Update to an existing policy |  AWS Backup added the following permissions to this policy: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/aws-backup/latest/devguide/security-iam-awsmanpol.html) These permissions allow AWS Backup to backup and restore Amazon Aurora DSQL resources.  | May 21, 2025 | 
| [AWSBackupOperatorAccess](#AWSBackupOperatorAccess) – Update to an existing policy |  AWS Backup added the following permissions to this policy: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/aws-backup/latest/devguide/security-iam-awsmanpol.html) These permissions allow AWS Backup to backup and restore Amazon Aurora DSQL resources.  | May 21, 2025 | 
| [AWSBackupServiceRolePolicyForBackup](#AWSBackupServiceRolePolicyForBackup) – Update to an existing policy |  AWS Backup added the following permissions to this policy: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/aws-backup/latest/devguide/security-iam-awsmanpol.html) These permissions allow AWS Backup to create, delete, retrieve, and manage Amazon Aurora DSQL snapshots on behalf of customers.  | May 21, 2025 | 
| [AWSBackupServiceRolePolicyForRestores](#AWSBackupServiceRolePolicyForRestores) – Update to an existing policy |  AWS Backup added the following permissions to this policy: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/aws-backup/latest/devguide/security-iam-awsmanpol.html) These permissions allow AWS Backup to create, delete, retrieve, encrypt, decrypt, and manage Amazon Aurora DSQL snapshots on behalf of customers.  | May 21, 2025 | 
| [AWSBackupServiceLinkedRolePolicyForBackup](#AWSBackupServiceLinkedRolePolicyForBackup) – Update to an existing policy |  AWS Backup added the following permissions to this policy: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/aws-backup/latest/devguide/security-iam-awsmanpol.html) These permissions allow AWS Backup to manage Aurora DSQL backups at customer-specified intervals.  | May 21, 2025 | 
| [AWSBackupFullAccess](#AWSBackupFullAccess) – Update to an existing policy |  AWS Backup added the following permissions to this policy: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/aws-backup/latest/devguide/security-iam-awsmanpol.html) These permissions are necessary for designated customers to have full access to Amazon Redshift Serverless backups, including required read permissions as well as the ability to delete Amazon Redshift Serverless recovery points (snapshot backups).   | March 31, 2025 | 
| [AWSBackupOperatorAccess](#AWSBackupOperatorAccess) – Update to an existing policy |  AWS Backup added the following permissions to this policy: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/aws-backup/latest/devguide/security-iam-awsmanpol.html) These permissions are necessary for designated customers to have all necessary backup permissions to Amazon Redshift Serverless, including required read permissions.  | March 31, 2025 | 
| [AWSBackupServiceLinkedRolePolicyForBackup](#AWSBackupServiceLinkedRolePolicyForBackup) – Update to an existing policy |  AWS Backup added the following permissions to this policy: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/aws-backup/latest/devguide/security-iam-awsmanpol.html) These permissions are necessary for AWS Backup to manage Amazon Redshift Serverless snapshots at customer specified intervals.  | March 31, 2025 | 
| [AWSBackupServiceRolePolicyForBackup](#AWSBackupServiceRolePolicyForBackup) – Update to an existing policy |  AWS Backup added the following permissions to this policy: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/aws-backup/latest/devguide/security-iam-awsmanpol.html) These permissions are necessary to allow AWS Backup to create, delete, retrieve, and manage Amazon Redshift Serverless snapshots on behalf of customers.  | March 31, 2025 | 
| [AWSBackupServiceRolePolicyForRestores](#AWSBackupServiceRolePolicyForRestores) – Update to an existing policy |  AWS Backup added the following permissions to this policy: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/aws-backup/latest/devguide/security-iam-awsmanpol.html) These permissions are necessary to allow AWS Backup to restore Amazon Redshift and Amazon Redshift Serverless snapshots on behalf of the customer.  | March 31, 2025 | 
| [AWSBackupSearchOperatorAccess](#AWSBackupSearchOperatorAccess) – Added a new AWS managed policy | AWS Backup added the AWSBackupSearchOperatorAccess AWS managed policy. | February 27, 2025 | 
|  [AWSBackupServiceLinkedRolePolicyForBackup](#AWSBackupServiceLinkedRolePolicyForBackup) – Update to an existing policy  |  AWS Backup added the permission `rds:AddTagsToResource` to support Amazon RDS multi-tenant snapshot cross-account copy of backups. This permission is necessary to complete operations when a customer chooses to create a cross-account copy of a multi-tenant RDS snapshot.  | January 8, 2025 | 
| [AWSBackupServiceRolePolicyForRestores](#AWSBackupServiceRolePolicyForRestores) – Update to an existing policy |  AWS Backup added the permissions `rds:CreateTenantDatabase` and `rds:DeleteTenantDatabase` to this policy to support the restore process of Amazon RDS resources. These permissions are necessary to complete customer operations for restoring multi-tenant snapshots.  | January 8, 2025 | 
| [AWSBackupServiceRolePolicyForItemRestores](#AWSBackupServiceRolePolicyForItemRestores) – Added a new AWS managed policy | AWS Backup added the AWSBackupServiceRolePolicyForItemRestores AWS managed policy. | November 26, 2024 | 
| [AWSBackupServiceRolePolicyForIndexing](#AWSBackupServiceRolePolicyForIndexing) – Added a new AWS managed policy | AWS Backup added the AWSBackupServiceRolePolicyForIndexing AWS managed policy. | November 26, 2024 | 
| [AWSBackupServiceRolePolicyForBackup](#AWSBackupServiceRolePolicyForBackup) – Update to an existing policy |  AWS Backup added permission `backup:TagResource` to this policy. The permission is necessary to obtain tagging permissions during the creation of a recovery point.  | May 17, 2024 | 
|  [AWSBackupServiceRolePolicyForS3Backup](#AWSBackupServiceRolePolicyForS3Backup) – Update to an existing policy  |  AWS Backup added permission `backup:TagResource` to this policy. The permission is necessary to obtain tagging permissions during the creation of a recovery point.  | May 17, 2024 | 
|  [AWSBackupServiceLinkedRolePolicyForBackup](#AWSBackupServiceLinkedRolePolicyForBackup) – Update to an existing policy  |  AWS Backup added permission `backup:TagResource` to this policy. The permission is necessary to obtain tagging permissions during the creation of a recovery point.  | May 17, 2024 | 
| [AWSBackupServiceRolePolicyForBackup](#AWSBackupServiceRolePolicyForBackup) – Update to an existing policy | Added the permission `rds:DeleteDBInstanceAutomatedBackups`.  This permission is necessary for AWS Backup to support continuous backup and point-in-time-restore of Amazon RDS instances.  | May 1, 2024 | 
| [AWSBackupFullAccess](#AWSBackupFullAccess) – Update to an existing policy | AWS Backup updated the Amazon Resource Name (ARN) in permission `storagegateway:ListVolumes` from `arn:aws:storagegateway:*:*:gateway/*` to `*` in order to accommodate a change in the Storage Gateway API model. | May 1, 2024 | 
| [AWSBackupOperatorAccess](#AWSBackupOperatorAccess) – Update to an existing policy | AWS Backup updated the Amazon Resource Name (ARN) in permission `storagegateway:ListVolumes` from `arn:aws:storagegateway:*:*:gateway/*` to `*` in order to accommodate a change in the Storage Gateway API model. | May 1, 2024 | 
| [AWSServiceRolePolicyForBackupRestoreTesting](#AWSServiceRolePolicyForBackupRestoreTesting) – Update to an existing policy |  Added the following permissions to describe and list recovery points and protected resources in order to conduct restore testing plans: `backup:DescribeRecoveryPoint`, `backup:DescribeProtectedResource`, `backup:ListProtectedResources`, and `backup:ListRecoveryPointsByResource`. Added the permission `ec2:DescribeSnapshotTierStatus` to support Amazon EBS archive tier storage. Added the permission `rds:DescribeDBClusterAutomatedBackups` to support Amazon Aurora continuous backups. Added the following permissions to support restore testing of Amazon Redshift backups: `redshift:DescribeClusters` and `redshift:DeleteCluster`. Added the permission `timestream:DeleteTable` to support restore testing of Amazon Timestream backups.  | February 14, 2024 | 
|  [AWSBackupServiceRolePolicyForRestores](#AWSBackupServiceRolePolicyForRestores) – Update to an existing policy  |  Added the permissions `ec2:DescribeSnapshotTierStatus` and `ec2:RestoreSnapshotTier`. These permissions are necessary for users to have the option to restore Amazon EBS resources stored with AWS Backup from archive storage. For EC2 instance restores, you must also include permissions as shown in the following policy statement to launch the EC2 instance:  | November 27, 2023 | 
|  [AWSBackupServiceRolePolicyForBackup](#AWSBackupServiceRolePolicyForBackup) – Update to an existing policy  |  Added the permissions `ec2:DescribeSnapshotTierStatus` and `ec2:ModifySnapshotTier` to support an additional storage option for backed up Amazon EBS resources to be transitioned to the archive storage tier. These permissions are necessary for users to have the option to transition Amazon EBS resources stored with AWS Backup to archive storage.  | November 27, 2023 | 
|  [AWSBackupServiceLinkedRolePolicyForBackup](#AWSBackupServiceLinkedRolePolicyForBackup) – Update to an existing policy  |  Added the permissions `ec2:DescribeSnapshotTierStatus` and `ec2:ModifySnapshotTier` to support an additional storage option for backed up Amazon EBS resources to be transitioned to the archive storage tier. These permissions are necessary for users to have the option to transition Amazon EBS resources stored with AWS Backup to archive storage. Added the permissions `rds:DescribeDBClusterSnapshots` and `rds:RestoreDBClusterToPointInTime`, which is necessary for PITR (point-in-time restores) of Aurora clusters.  | 
| [AWSServiceRolePolicyForBackupRestoreTesting](#AWSServiceRolePolicyForBackupRestoreTesting) – New policy |  Provides the permissions necessary to conduct restore testing. The permissions include the actions `list, read, and write` for the following services to be included in restore tests: Aurora, DocumentDB, DynamoDB, Amazon EBS, Amazon EC2, Amazon EFS, FSx for Lustre, FSx for Windows File Server, FSx for ONTAP, FSx for OpenZFS, Amazon Neptune, Amazon RDS, and Amazon S3.  | November 27, 2023 | 
|  [AWSBackupFullAccess](#AWSBackupFullAccess) – Update to an existing policy  |  Added `restore-testing.backup.amazonaws.com` to `IamPassRolePermissions` and `IamCreateServiceLinkedRolePermissions`. This addition is necessary for AWS Backup to conduct restore tests on behalf of customers.   | November 27, 2023 | 
| [AWSBackupServiceRolePolicyForRestores](#AWSBackupServiceRolePolicyForRestores) – Update to an existing policy | Added the permissions `rds:DescribeDBClusterSnapshots` and `rds:RestoreDBClusterToPointInTime`, which is necessary for PITR (point-in-time restores) of Aurora clusters. | September 6, 2023 | 
| [AWSBackupFullAccess](#AWSBackupFullAccess) – Update to an existing policy | Added the permission `rds:DescribeDBClusterAutomatedBackups`, which is necessary for continuous backup and point-in-time restore of Aurora clusters. | September 6, 2023 | 
| [AWSBackupOperatorAccess](#AWSBackupOperatorAccess) – Update to an existing policy | Added the permission `rds:DescribeDBClusterAutomatedBackups`, which is necessary for continuous backup and point-in-time restore of Aurora clusters. | September 6, 2023 | 
| [AWSBackupServiceRolePolicyForBackup](#AWSBackupServiceRolePolicyForBackup) – Update to an existing policy |  Added the permission `rds:DescribeDBClusterAutomatedBackups`. This permission is necessary for AWS Backup support of continuous backup and point-in-time restore of Aurora clusters. Added the permission `rds:DeleteDBClusterAutomatedBackups` to allow AWS Backup lifecycle to delete and disassociate Amazon Aurora continuous recovery points when a retention period finishes. This permission is necessary for the Aurora recovery point to avoid a transition into an `EXIPIRED` state. Added the permission `rds:ModifyDBCluster` which allows AWS Backup to interact with Aurora clusters. This addition allows users the ability to enable or disable continuous backups based on desired configurations.  | September 6, 2023 | 
| [AWSBackupFullAccess](#AWSBackupFullAccess) – Update to an existing policy |  Added the action `ram:GetResourceShareAssociations` to grant the user permission to get resource share associations for new vault type.  | August 8, 2023 | 
| [AWSBackupOperatorAccess](#AWSBackupOperatorAccess) – Update to an existing policy |  Added the action `ram:GetResourceShareAssociations` to grant the user permission to get resource share associations for new vault type.  | August 8, 2023 | 
|  [AWSBackupServiceRolePolicyForS3Backup](#AWSBackupServiceRolePolicyForS3Backup) – Update to an existing policy  |  Added the permission `s3:PutInventoryConfiguration` to enhance backup performance speeds by using a bucket inventory.  | August 1, 2023 | 
|  [AWSBackupServiceRolePolicyForRestores](#AWSBackupServiceRolePolicyForRestores) – Update to an existing policy  |  Added the following actions to grant the user permissions to add tags to restore resources: `storagegateway:AddTagsToResource`, `elasticfilesystem:TagResource`, `ec2:CreateTags` for only `ec2:CreateAction` that includes either `RunInstances` or `CreateVolume`, `fsx:TagResource`, and `cloudformation:TagResource`.  | May 22, 2023 | 
|  [AWSBackupAuditAccess](#AWSBackupAuditAccess) – Update to an existing policy  |  Replaced the resource selection within the API `config:DescribeComplianceByConfigRule` with a wildcard resource to make it easier for a user to select resources.  | April 11, 2023 | 
|  [AWSBackupServiceRolePolicyForRestores](#AWSBackupServiceRolePolicyForRestores) – Update to an existing policy  |  Added the following permission to restore Amazon EFS using a customer managed key: `kms:GenerateDataKeyWithoutPlaintext`. This helps to ensure users have required permissions to restore Amazon EFS resources.  | March 27, 2023 | 
|  [AWSServiceRolePolicyForBackupReports](#AWSServiceRolePolicyForBackupReports) – Update to an existing policy  |  Updated the `config:DescribeConfigRules` and `config:DescribeConfigRuleEvaluationStatus` actions to allow AWS Backup Audit Manager to access AWS Backup Audit Manager-managed AWS Config rules.  | March 9, 2023 | 
|  [AWSBackupServiceRolePolicyForS3Restore](#AWSBackupServiceRolePolicyForS3Restore) – Update to an existing policy  |  Added the following permissions: `kms:Decrypt`, `s3:PutBucketOwnershipControls`, and `s3:GetBucketOwnershipControls` to the policy `AWSBackupServiceRolePolicyForS3Restore`. These permissions are necessary to support restores of objects when KMS encryption is used in the original backup and for restoring objects when object ownership is configured on the original bucket instead of ACL.  | February 13, 2023 | 
| [AWSBackupFullAccess](#AWSBackupFullAccess) – Update to an existing policy | Added the following permissions to schedule backups using VMware tags of virtual machines and to support schedule-based bandwidth throttling: `backup-gateway:GetHypervisorPropertyMappings`, `backup-gateway:GetVirtualMachine`, `backup-gateway:PutHypervisorPropertyMappings`, `backup-gateway:GetHypervisor`, `backup-gateway:StartVirtualMachinesMetadataSync`, `backup-gateway:GetBandwidthRateLimitSchedule`, and `backup-gateway:PutBandwidthRateLimitSchedule`.  | December 15, 2022 | 
| [AWSBackupOperatorAccess](#AWSBackupOperatorAccess) – Update to an existing policy | Added the following permissions to schedule backups using VMware tags of virtual machines and to support schedule-based bandwidth throttling: `backup-gateway:GetHypervisorPropertyMappings`, `backup-gateway:GetVirtualMachine`, `backup-gateway:GetHypervisor`, and `backup-gateway:GetBandwidthRateLimitSchedule`.  | December 15, 2022 | 
| [AWSBackupGatewayServiceRolePolicyForVirtualMachineMetadataSync](#AWSBackupGatewayServiceRolePolicyForVirtualMachineMetadataSync) – New policy |  Provides permissions for AWS Backup Gateway to sync the metadata of virtual machines in on-premise networks with Backup Gateway.  | December 15, 2022 | 
| [AWSBackupServiceRolePolicyForBackup](#AWSBackupServiceRolePolicyForBackup) – Update to an existing policy | Added the following permissions to support Timestream backup jobs: `timestream:StartAwsBackupJob`, `timestream:GetAwsBackupStatus`, `timestream:ListTables`, `timestream:ListDatabases`, `timestream:ListTagsForResource`, `timestream:DescribeTable`, `timestream:DescribeDatabase`, and `timestream:DescribeEndpoints`.  | December 13, 2022 | 
| [AWSBackupServiceRolePolicyForRestores](#AWSBackupServiceRolePolicyForRestores) – Update to an existing policy | Added the following permissions to support Timestream restore jobs: `timestream:StartAwsRestoreJob`, `timestream:GetAwsRestoreStatus`, `timestream:ListTables`, `timestream:ListTagsForResource`, `timestream:ListDatabases`, `timestream:DescribeTable`, `timestream:DescribeDatabase`, `s3:GetBucketAcl`, and `timestream:DescribeEndpoints`.  | December 13, 2022 | 
| [AWSBackupFullAccess](#AWSBackupFullAccess) – Update to an existing policy | Added the following permissions to support Timestream resources: `timestream:ListTables`, `timestream:ListDatabases`, `s3:ListAllMyBuckets` and `timestream:DescribeEndpoints`.  | December 13, 2022 | 
| [AWSBackupOperatorAccess](#AWSBackupOperatorAccess) – Update to an existing policy | Added the following permissions to support Timestream resources: `timestream:ListDatabases`, `timestream:ListTables`, `s3:ListAllMyBuckets`, and `timestream:DescribeEndpoints`.  | December 13, 2022 | 
| [AWSBackupServiceLinkedRolePolicyForBackup](#AWSBackupServiceLinkedRolePolicyForBackup) – Update to an existing policy | Added the following permissions to support Timestream resources: `timestream:ListDatabases`, `timestream:ListTables`, `timestream:ListTagsForResource`, `timestream:DescribeDatabase`, `timestream:DescribeTable`, `timestream:GetAwsBackupStatus`, `timestream:GetAwsRestoreStatus`, and `timestream:DescribeEndpoints`.  | December 13, 2022 | 
| [AWSBackupFullAccess](#AWSBackupFullAccess) – Update to an existing policy | Added the following permissions to support Amazon Redshift resources: `redshift:DescribeClusters`, `redshift:DescribeClusterSubnetGroups`, `redshift:DescribeNodeConfigurationOptions`, `redshift:DescribeOrderableClusterOptions`, `redshift:DescribeClusterParameterGroups`, `redshift:DescribeClusterTracks`, `redshift:DescribeSnapshotSchedules`, and `ec2:DescribeAddresses`.  | November 27, 2022 | 
| [AWSBackupOperatorAccess](#AWSBackupOperatorAccess) – Update to an existing policy | Added the following permissions to support Amazon Redshift resources: `redshift:DescribeClusters`, `redshift:DescribeClusterSubnetGroups`, `redshift:DescribeNodeConfigurationOptions`, `redshift:DescribeOrderableClusterOptions`, `redshift:DescribeClusterParameterGroups,`, `redshift:DescribeClusterTracks`. `redshift:DescribeSnapshotSchedules`, and `ec2:DescribeAddresses`.  | November 27, 2022 | 
| [AWSBackupServiceRolePolicyForRestores](#AWSBackupServiceRolePolicyForRestores) – Update to an existing policy |  Added the following permissions to support Amazon Redshift restore jobs: `redshift:RestoreFromCluster Snapshot`, `redshift:RestoreTableFromClusterSnapshot`, `redshift:DescribeClusters`, and `redshift:DescribeTableRestoreStatus`.  | November 27, 2022 | 
| [AWSBackupServiceRolePolicyForBackup](#AWSBackupServiceRolePolicyForBackup) – Update to an existing policy |  Added the following permissions to support Amazon Redshift backup jobs: `redshift:CreateClusterSnapshot`, `redshift:DescribeClusterSnapshots`, `redshift:DescribeTags`, `redshift:DeleteClusterSnapshot`, `redshift:DescribeClusters`, and `redshift:CreateTags`.  | November 27, 2022 | 
| [AWSBackupFullAccess](#AWSBackupFullAccess) – Update to an existing policy | Added the following permission to support CloudFormation resources: `cloudformation:ListStacks`.  | November 27, 2022 | 
| [AWSBackupOperatorAccess](#AWSBackupOperatorAccess) – Update to an existing policy | Added the following permission to support CloudFormation resources: `cloudformation:ListStacks`. | November 27, 2022 | 
| [AWSBackupServiceLinkedRolePolicyForBackup](#AWSBackupServiceLinkedRolePolicyForBackup) – Update to an existing policy | Added the following permissions to support CloudFormation resources: `redshift:DescribeClusterSnapshots`, `redshift:DescribeTags`, `redshift:DeleteClusterSnapshot`, and `redshift:DescribeClusters`.  | November 27, 2022 | 
| [AWSBackupServiceRolePolicyForBackup](#AWSBackupServiceRolePolicyForBackup) – Update to an existing policy | Added the following permissions to support CloudFormation application stack backup jobs: `cloudformation:GetTemplate`, `cloudformation:DescribeStacks`, and `cloudformation:ListStackResources`.  | November 16, 2022 | 
| [AWSBackupServiceRolePolicyForRestores](#AWSBackupServiceRolePolicyForRestores) – Update to an existing policy | Added the following permissions to support CloudFormation application stack backup jobs: `cloudformation:CreateChangeSet` and `cloudformation:DescribeChangeSet`  | November 16, 2022 | 
| [AWSBackupOrganizationAdminAccess](#AWSBackupOrganizationAdminAccess) – Update to an existing policy | Added the following permissions to this policy to allow organization administrators to usethe Delegated Administrator feature: `organizations:ListDelegatedAdministrator`, `organizations:RegisterDelegatedAdministrator`, and `organizations:DeregisterDelegatedAdministrator`  | November 27, 2022 | 
| [AWSBackupServiceRolePolicyForBackup](#AWSBackupServiceRolePolicyForBackup) – Update to an existing policy | Added the following permissions to support SAP HANA on Amazon EC2 instances: `ssm-sap:GetOperation`, `ssm-sap:ListDatabases`, `ssm-sap:BackupDatabase`, `ssm-sap:UpdateHanaBackupSettings`, `ssm-sap:GetDatabase`, and `ssm-sap:ListTagsForResource`.  | November 20, 2022 | 
| [AWSBackupFullAccess](#AWSBackupFullAccess) – Update to an existing policy | Added the following permissions to support SAP HANA on Amazon EC2 instances: `ssm-sap:GetOperation`, `ssm-sap:ListDatabases`, `ssm-sap:GetDatabase`, and `ssm-sap:ListTagsForResource`.  | November 20, 2022 | 
| [AWSBackupOperatorAccess](#AWSBackupOperatorAccess) – Update to an existing policy | Added the following permissions to support SAP HANA on Amazon EC2 instances: `ssm-sap:GetOperation`, `ssm-sap:ListDatabases`, `ssm-sap:GetDatabase`, and `ssm-sap:ListTagsForResource`.  | November 20, 2022 | 
| [AWSBackupServiceLinkedRolePolicyForBackup](#AWSBackupServiceLinkedRolePolicyForBackup) – Update to an existing policy | Added the following permission to support SAP HANA on Amazon EC2 instances: `ssm-sap:GetOperation`.  | November 20, 2022 | 
| [AWSBackupServiceRolePolicyForRestores](#AWSBackupServiceRolePolicyForRestores) – Update to an existing policy | Added the following permission to support Backup gateway restore jobs to an EC2 instance: `ec2:CreateTags`.  | November 20, 2022 | 
| [AWSBackupDataTransferAccess](#AWSBackupDataTransferAccess) – Update to an existing policy | Added the following permissions to support secure storage data transfer for SAP HANA On Amazon EC2 resources: `backup-storage:StartObject`, `backup-storage:PutChunk`, `backup-storage:GetChunk`, `backup-storage:ListChunks`, `backup-storage:ListObjects`, `backup-storage:GetObjectMetadata`, and `backup-storage:NotifyObjectComplete`.  | November 20, 2022 | 
| [AWSBackupRestoreAccessForSAPHANA](#AWSBackupRestoreAccessForSAPHANA) – Update to an existing policy | Added the following permissions for resource owners to perform restore of SAP HANA On Amazon EC2 resources: `backup:Get*`, `backup:List*`, `backup:Describe*`, `backup:StartBackupJob`, `backup:StartRestoreJob`, `ssm-sap:GetOperation`, `ssm-sap:ListDatabases`, `ssm-sap:BackupDatabase`, `ssm-sap:RestoreDatabase`, `ssm-sap:UpdateHanaBackupSettings`, `ssm-sap:GetDatabase`, and `ssm-sap:ListTagsForResource`.  | November 20, 2022 | 
| [AWSBackupServiceRolePolicyForS3Backup](#AWSBackupServiceRolePolicyForS3Backup) – Update to an existing policy  |  Added the permission `s3:GetBucketAcl` to support backup operations of AWS Backup for Amazon S3.  | August 24, 2022 | 
| [AWSBackupServiceRolePolicyForRestores](#AWSBackupServiceRolePolicyForRestores) – Update to an existing policy  |  Added the following actions to grant access to create a database instance to support multi-Availability Zone (Multi-AZ) functionality: `rds:CreateDBInstance`.  | July 20, 2022 | 
| [AWSBackupServiceLinkedRolePolicyForBackup](#AWSBackupServiceLinkedRolePolicyForBackup) – Update to an existing policy  |  Added the `s3:GetBucketTagging` permission to grant the user permission to select buckets to backup with a resource wildcard. Without this permission, users who select which buckets to backup with a resource wildcard are unsuccessful.  | May 6, 2022 | 
| [AWSBackupServiceRolePolicyForBackup](#AWSBackupServiceRolePolicyForBackup) – Update to an existing policy  |  Added volume resources in the scope of existing `fsx:CreateBackup` and `fsx:ListTagsForResource` actions, and added new action `fsx:DescribeVolumes` to support FSx for ONTAP volume level backups.  | April 27, 2022 | 
| [AWSBackupServiceRolePolicyForRestores](#AWSBackupServiceRolePolicyForRestores) – Update to an existing policy  |  Added the following actions to grant the users permissions to restore FSx for ONTAP volumes `fsx:DescribeVolumes`, `fsx:CreateVolumeFromBackup`, `fsx:DeleteVolume`, and `fsx:UntagResource`.  | April 27, 2022 | 
| [AWSBackupServiceRolePolicyForS3Backup](#AWSBackupServiceRolePolicyForS3Backup) – Update to an existing policy  |  Added the following actions to grant the user permissions to receive notifications of changes to their Amazon S3 buckets during backup operations: `s3:GetBucketNotification` and `s3:PutBucketNotification`.  | February 25, 2022 | 
| [AWSBackupServiceRolePolicyForS3Backup](#AWSBackupServiceRolePolicyForS3Backup) – New policy  |  Added the following actions to grant the user permissions to back up their Amazon S3 buckets: `s3:GetInventoryConfiguration`, `s3:PutInventoryConfiguration`, `s3:ListBucketVersions`, `s3:ListBucket`, `s3:GetBucketTagging`, `s3:GetBucketVersioning`, `s3:GetBucketNotification`,`s3:GetBucketLocation`, and `s3:ListAllMyBuckets` Added the following actions to grant the user permissions to back up their Amazon S3 objects: `s3:GetObject`,`s3GetObjectAcl`, `s3:GetObjectVersionTagging`, `s3:GetObjectVersionAcl`, `s3:GetObjectTagging`, and `s3:GetObjectVersion`.  Added the following actions to grant the user permissions to back up their encrypted Amazon S3 data: `kms:Decrypt` and `kms:DescribeKey`.  Added the following actions to grant the user permissions to take incremental backups of their Amazon S3 data using Amazon EventBridge rules: `events:DescribeRule`, `events:EnableRule`, `events:PutRule`, `events:DeleteRule`, `events:PutTargets`, `events:RemoveTargets`, `events:ListTargetsByRule`, `events:DisableRule`, `cloudwatch:GetMetricData`, and `events:ListRules`.  | February 17, 2022 | 
| [AWSBackupServiceRolePolicyForS3Restore](#AWSBackupServiceRolePolicyForS3Restore) – New policy  |  Added the following actions to grant the user permissions to restore their Amazon S3 buckets: `s3:CreateBucket`, `s3:ListBucketVersions`, `s3:ListBucket`, `s3:GetBucketVersioning`, `s3:GetBucketLocation`, and `s3:PutBucketVersioning`. Added the following actions to grant the user permissions to restore their Amazon S3 buckets: `s3:GetObject`, `s3:GetObjectVersion`, `s3:DeleteObject`, `s3:PutObjectVersionAcl`, `s3:GetObjectVersionAcl`, `s3:GetObjectTagging`, `s3:PutObjectTagging`, `s3:GetObjectAcl`, `s3:PutObjectAcl`, `s3:PutObject`, and `s3:ListMultipartUploadParts`. Added the following actions to grant the user permissions to encrypt their restored Amazon S3 data: `kms:Decrypt`, `kms:DescribeKey`, and `kms:GenerateDataKey`.  | February 17, 2022 | 
| [AWSBackupServiceLinkedRolePolicyForBackup](#AWSBackupServiceLinkedRolePolicyForBackup) – Update to an existing policy  |  Added `s3:ListAllMyBuckets` to grant the user permissions to view a list of their buckets and choose which ones to assign to a backup plan.  | February 14, 2022 | 
| [AWSBackupServiceLinkedRolePolicyForBackup](#AWSBackupServiceLinkedRolePolicyForBackup) – Update to an existing policy  |  Added `backup-gateway:ListVirtualMachines` to grant the user permissions to view a list of their virtual machines and choose which ones to assign to a backup plan. Added `backup-gateway:ListTagsForResource` to grant the user permissions to list the tags for their virtual machines.  | November 30, 2021 | 
| [AWSBackupServiceRolePolicyForBackup](#AWSBackupServiceRolePolicyForBackup) – Update to an existing policy  |  Added `backup-gateway:Backup` to grant the user permissions restore their virtual machine backups. AWS Backup also added `backup-gateway:ListTagsForResource` to grant the user permissions to list the tags assigned to their virtual machine backups.  | November 30, 2021 | 
| [AWSBackupServiceRolePolicyForRestores](#AWSBackupServiceRolePolicyForRestores) – Update to an existing policy  |  Added `backup-gateway:Restore` to grant the user permissions restore their virtual machine backups.  | November 30, 2021 | 
| [AWSBackupFullAccess](#AWSBackupFullAccess) – Update to an existing policy  |  Added the following actions to grant the users permissions to use AWS Backup Gateway to back up, restore, and manage their virtual machines: `backup-gateway:AssociateGatewayToServer`, `backup-gateway:CreateGateway`, `backup-gateway:DeleteGateway`, `backup-gateway:DeleteHypervisor`, `backup-gateway:DisassociateGatewayFromServer`, `backup-gateway:ImportHypervisorConfiguration`, `backup-gateway:ListGateways`, `backup-gateway:ListHypervisors`, `backup-gateway:ListTagsForResource`, `backup-gateway:ListVirtualMachines`, `backup-gateway:PutMaintenanceStartTime`, `backup-gateway:TagResource`, `backup-gateway:TestHypervisorConfiguration`, `backup-gateway:UntagResource`, `backup-gateway:UpdateGatewayInformation`, and `backup-gateway:UpdateHypervisor`.  | November 30, 2021 | 
| [AWSBackupOperatorAccess](#AWSBackupOperatorAccess) – Update to an existing policy  |  Added the following actions to grant the user permissions to back up their virtual machines: `backup-gateway:ListGateways`, `backup-gateway:ListHypervisors`, `backup-gateway:ListTagsForResource`, and `backup-gateway:ListVirtualMachines`.  | November 30, 2021 | 
| [AWSBackupServiceLinkedRolePolicyForBackup](#AWSBackupServiceLinkedRolePolicyForBackup) – Update to an existing policy  |  Added `dynamodb:ListTagsOfResource` to grant the user permissions to list tags of their DynamoDB tables to back up using AWS Backup's advanced DynamoDB backup features.  | November 23, 2021 | 
| [AWSBackupServiceRolePolicyForBackup](#AWSBackupServiceRolePolicyForBackup) – Update to an existing policy  |  Added `dynamodb:StartAwsBackupJob` to grant the user permissions to back up their DynamoDB tables using advanced backup features. Added `dynamodb:ListTagsOfResource` to grant the user to permissions to copy tags from their source DynamoDB tables to their backups.  | November 23, 2021 | 
| [AWSBackupServiceRolePolicyForRestores](#AWSBackupServiceRolePolicyForRestores) – Update to an existing policy  |  Added `dynamodb:RestoreTableFromAwsBackup` to grant the user permissions restore their DynamoDB tables backed up using AWS Backup's advanced DynamoDB advanced backup features.  | November 23, 2021 | 
| [AWSBackupServiceRolePolicyForRestores](#AWSBackupServiceRolePolicyForRestores) – Update to an existing policy  |  Added `dynamodb:RestoreTableFromAwsBackup` to grant the user permissions restore their DynamoDB tables backed up using AWS Backup's advanced DynamoDB advanced backup features.  | November 23, 2021 | 
| [AWSBackupOperatorAccess](#AWSBackupOperatorAccess) – Update to an existing policy  |  Removed the actions `backup:GetRecoveryPointRestoreMetadata` and `rds:DescribeDBSnapshots` because they were redundant.  AWS Backup did not need both `backup:GetRecoveryPointRestoreMetadata` and `backup:Get*` as part of `AWSBackupOperatorAccess`. Also, AWS Backup did not need both `rds:DescribeDBSnapshots` and `rds:describeDBSnapshots` as part of `AWSBackupOperatorAccess`.  | November 23, 2021 | 
| [AWSBackupServiceLinkedRolePolicyForBackup](#AWSBackupServiceLinkedRolePolicyForBackup) – Update to an existing policy  |  Added the new actions `elasticfilesystem:DescribeFileSystems`, `dynamodb:ListTables`, `storagegateway:ListVolumes`, `ec2:DescribeVolumes`, `ec2:DescribeInstances`, `rds:DescribeDBInstances`, `rds:DescribeDBClusters`, and `fsx:DescribeFileSystems` to allow customers to view and choose from a list of their AWS Backup-supported resources when selecting which resources to assign to a backup plan.  | November 10, 2021 | 
| [AWSBackupAuditAccess](#AWSBackupAuditAccess) – New policy  |  Added `AWSBackupAuditAccess` to grant the user permissions to use AWS Backup Audit Manager. Permissions include the ability to configure compliance frameworks and generate reports.  | August 24, 2021 | 
| [AWSServiceRolePolicyForBackupReports](#AWSServiceRolePolicyForBackupReports) – New policy  |  Added `AWSServiceRolePolicyForBackupReports` to grant permissions for a service-linked role to automate the monitoring of backup settings, jobs, and resources for compliance with frameworks configured by the user.  | August 24, 2021 | 
| [AWSBackupFullAccess](#AWSBackupFullAccess) – Update to an existing policy  |  Added `iam:CreateServiceLinkedRole` to create a service-linked role (on a best-effort basis) to automate the deletion of expired recovery points for you. Without this service-linked role, AWS Backup cannot delete expired recovery points after customers delete the original IAM role they used to create their recovery points.  | July 5, 2021 | 
| [AWSBackupServiceLinkedRolePolicyForBackup](#AWSBackupServiceLinkedRolePolicyForBackup) – Update to an existing policy  |  Added the new action `dynamodb:DeleteBackup` to grant `DeleteRecoveryPoint` permission to automate the deletion of expired DynamoDB recovery points based on your backup plan lifecycle settings.  | July 5, 2021 | 
| [AWSBackupOperatorAccess](#AWSBackupOperatorAccess) – Update to an existing policy  |  Removed the actions `backup:GetRecoveryPointRestoreMetadata` and `rds:DescribeDBSnapshots` because they were redundant. AWS Backup did not need both `backup:GetRecoveryPointRestoreMetadata` and `backup:Get*` as part of `AWSBackupOperatorAccess` Also, AWS Backup did not need both `rds:DescribeDBSnapshots` and `rds:describeDBSnapshots` as part of `AWSBackupOperatorAccess`  | May 25, 2021 | 
| [AWSBackupOperatorAccess](#AWSBackupOperatorAccess) – Update to an existing policy  |  Removed the actions `backup:GetRecoveryPointRestoreMetadata` and `rds:DescribeDBSnapshots` because they were redundant. AWS Backup did not need both `backup:GetRecoveryPointRestoreMetadata` and `backup:Get*` as part of `AWSBackupOperatorAccess`. Also, AWS Backup did not need both `rds:DescribeDBSnapshots` and `rds:describeDBSnapshots` as part of `AWSBackupOperatorAccess`.  | May 25, 2021 | 
| [AWSBackupServiceRolePolicyForRestores]() – Update to an existing policy  |  Added the new action `fsx:TagResource` to grant `StartRestoreJob` permission to allow you to apply tags to Amazon FSx file systems during the restore process.  | May 24, 2021 | 
| [AWSBackupServiceRolePolicyForRestores](#AWSBackupServiceRolePolicyForRestores) – Update to an existing policy  |  Added the new actions `ec2:DescribeImages` and `ec2:DescribeInstances` to grant `StartRestoreJob` permission to allow you to restore Amazon EC2 instances from recovery points.  | May 24, 2021 | 
| [AWSBackupServiceRolePolicyForBackup](#AWSBackupServiceRolePolicyForBackup) – Update to an existing policy  |  Added the new action `fsx:CopyBackup` to grant `StartCopyJob` permission to allow you to copy Amazon FSx recovery points across Regions and accounts.  | April 12, 2021 | 
| [AWSBackupServiceLinkedRolePolicyForBackup](#AWSBackupServiceLinkedRolePolicyForBackup) – Update to an existing policy  |  Added the new action `fsx:CopyBackup` to grant `StartCopyJob` permission to allow you to copy Amazon FSx recovery points across Regions and accounts.  | April 12, 2021 | 
| [AWSBackupServiceRolePolicyForBackup](#AWSBackupServiceRolePolicyForBackup) – Update to an existing policy  |  Updated to comply with the following requirement: For AWS Backup to create a backup of an encrypted DynamoDB table, you must add the permissions `kms:Decrypt` and `kms:GenerateDataKey` to the IAM role used for backup.  | March 10, 2021 | 
| [AWSBackupFullAccess](#AWSBackupFullAccess) – Update to an existing policy  |  Updated to comply with the following requirements: To use AWS Backup to configure continuous backups for your Amazon RDS database, verify the API permission `rds:ModifyDBInstance` exists in the IAM role defined by your Backup plan configuration. To restore Amazon RDS continuous backups, you must add the permission `rds:RestoreDBInstanceToPointInTime` to the IAM role you submitted for restore job. In the AWS Backup console, to describe the range of times available for point-in-time recovery, you must include the `rds:DescribeDBInstanceAutomatedBackups` API permission in your IAM-managed policy.  | March 10, 2021 | 
|  AWS Backup started tracking changes  |  AWS Backup started tracking changes for its AWS-managed policies.  | March 10, 2021 | 

# Using service-linked roles for AWS Backup
<a name="using-service-linked-roles"></a>

AWS Backup uses AWS Identity and Access Management (IAM)[ service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts). A service-linked role is a unique type of IAM role that is linked directly to AWS Backup. Service-linked roles are predefined by AWS Backup and include all the permissions that the service requires to call other AWS services on your behalf. 

**Topics**
+ [Using roles to back up and copy](using-service-linked-roles-AWSServiceRoleForBackup.md)
+ [Using roles for AWS Backup Audit Manager](using-service-linked-roles-AWSServiceRoleForBackupReports.md)
+ [Using roles for restore testing](using-service-linked-roles-AWSServiceRoleForBackupRestoreTesting.md)

# Using roles to back up and copy
<a name="using-service-linked-roles-AWSServiceRoleForBackup"></a>

AWS Backup uses AWS Identity and Access Management (IAM)[ service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts). A service-linked role is a unique type of IAM role that is linked directly to AWS Backup. Service-linked roles are predefined by AWS Backup and include all the permissions that the service requires to call other AWS services on your behalf. 

A service-linked role makes setting up AWS Backup easier because you don’t have to manually add the necessary permissions. AWS Backup defines the permissions of its service-linked roles, and unless defined otherwise, only AWS Backup can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

You can delete a service-linked role only after first deleting its related resources. This protects your AWS Backup resources because you can't inadvertently remove permission to access the resources.

For information about other services that support service-linked roles, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes **in the **Service-Linked Role** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

## Service-linked role permissions for AWS Backup
<a name="service-linked-role-permissions-AWSServiceRoleForBackup"></a>

AWS Backup uses the service-linked role named **AWSServiceRoleForBackup** to create and delete backups of your AWS resources on your behalf.

The AWSServiceRoleForBackup service-linked role trusts the following services to assume the role:
+ `backup.amazonaws.com`

To view the permissions for this policy, see [ AWSBackupServiceLinkedRolePolicyforBackup](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSBackupServiceLinkedRolePolicyForBackup.html) in the *AWS Managed Policy Reference*.

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-linked role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create-service-linked-role.html#service-linked-role-permissions) in the *IAM User Guide*.

## Creating a service-linked role for AWS Backup
<a name="create-service-linked-role-AWSServiceRoleForBackup"></a>

You don't need to manually create a service-linked role. When you list resources to back up, set up cross-account backup, or perform backups in the AWS Management Console, the AWS CLI, or the AWS API, AWS Backup creates the service-linked role for you. 

**Important**  
 This service-linked role can appear in your account if you completed an action in another service that uses the features supported by this role. To learn more, see [A New Role Appeared in My IAM Account](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_new-role-appeared).

If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you list resources to back up, set up cross-account backup, or perform backups, AWS Backup creates the service-linked role for you again. 

## Editing a service-linked role for AWS Backup
<a name="edit-service-linked-role-AWSServiceRoleForBackup"></a>

AWS Backup does not allow you to edit the AWSServiceRoleForBackup service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Edit a service-linked role description](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-service-linked-role.html#edit-service-linked-role-iam-console) in the *IAM User Guide*.

## Deleting a service-linked role for AWS Backup
<a name="delete-service-linked-role-AWSServiceRoleForBackup"></a>

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must clean up your service-linked role before you can manually delete it.

### Cleaning up a service-linked role
<a name="service-linked-role-review-before-delete-AWSServiceRoleForBackup"></a>

Before you can use IAM to delete a service-linked role, you must first delete any resources used by the role. First, you must delete all your recovery points. Then, you must delete all your backup vaults.

**Note**  
If the AWS Backup service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes, then try the operation again.

**To delete AWS Backup resources used by the AWSServiceRoleForBackup (console)**

1. To delete all your recovery points and backup vaults (except for your default vault), follow the procedure in [ Delete a vault](https://docs.aws.amazon.com/aws-backup/latest/devguide/create-a-vault.html#delete-a-vault).

1. To delete your default vault, use the following command in the AWS CLI:

   ```
   aws backup delete-backup-vault --backup-vault-name Default --region us-east-1
   ```

**To delete AWS Backup resources used by the AWSServiceRoleForBackup (AWS CLI)**

1. To delete all your recovery points, use [delete-recovery-point](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/backup/delete-recovery-point.html).

1. To delete all your backup vaults, use [delete-backup-vault](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/backup/delete-backup-vault.html).

**To delete AWS Backup resources used by the AWSServiceRoleForBackup (API)**

1. To delete all your recovery points, use `[DeleteRecoveryPoint](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_DeleteRecoveryPoint.html)`.

1. To delete all your backup vaults, use `[DeleteBackupVault](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_DeleteBackupVault.html)`.

### Manually delete the service-linked role
<a name="slr-manual-delete-AWSServiceRoleForBackup"></a>

Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForBackup service-linked role. For more information, see [Delete a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_delete.html#id_roles_manage_delete_slr) in the *IAM User Guide*.

## Supported Regions for AWS Backup service-linked roles
<a name="slr-regions-AWSServiceRoleForBackup"></a>

AWS Backup supports using service-linked roles in all of the Regions where the service is available. For more information, see [AWS Backup supported features and Regions](https://docs.aws.amazon.com/aws-backup/latest/devguide/whatisbackup.html#features-by-region).

# Using roles for AWS Backup Audit Manager
<a name="using-service-linked-roles-AWSServiceRoleForBackupReports"></a>

AWS Backup uses AWS Identity and Access Management (IAM)[ service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts). A service-linked role is a unique type of IAM role that is linked directly to AWS Backup. Service-linked roles are predefined by AWS Backup and include all the permissions that the service requires to call other AWS services on your behalf. 

A service-linked role makes setting up AWS Backup easier because you don’t have to manually add the necessary permissions. AWS Backup defines the permissions of its service-linked roles, and unless defined otherwise, only AWS Backup can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

You can delete a service-linked role only after first deleting its related resources. This protects your AWS Backup resources because you can't inadvertently remove permission to access the resources.

For information about other services that support service-linked roles, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes **in the **Service-Linked Role** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

## Service-linked role permissions for AWS Backup
<a name="service-linked-role-permissions-AWSServiceRoleForBackupReports"></a>

AWS Backup uses the service-linked role named **AWSServiceRoleForBackupReports** – Provides AWS Backup with permission to create controls, frameworks, and reports.

The AWSServiceRoleForBackupReports service-linked role trusts the following services to assume the role:
+ `reports.backup.amazonaws.com`

To view the permissions for this policy, see [AWSServiceRolePolicyForBackupReports](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSServiceRolePolicyForBackupReports.html) in the *AWS Managed Policy Reference*.

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-linked role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create-service-linked-role.html#service-linked-role-permissions) in the *IAM User Guide*.

## Creating a service-linked role for AWS Backup
<a name="create-service-linked-role-AWSServiceRoleForBackupReports"></a>

You don't need to manually create a service-linked role. When you create a framework or a report plan in the AWS Management Console, the AWS CLI, or the AWS API, AWS Backup creates the service-linked role for you. 

**Important**  
 This service-linked role can appear in your account if you completed an action in another service that uses the features supported by this role. To learn more, see [A New Role Appeared in My IAM Account](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_new-role-appeared).

If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you create a framework or a report plan, AWS Backup creates the service-linked role for you again. 

## Editing a service-linked role for AWS Backup
<a name="edit-service-linked-role-AWSServiceRoleForBackupReports"></a>

AWS Backup does not allow you to edit the AWSServiceRoleForBackupReports service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Edite a service-linked role description](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-service-linked-role.html#edit-service-linked-role-iam-console) in the *IAM User Guide*.

## Deleting a service-linked role for AWS Backup
<a name="delete-service-linked-role-AWSServiceRoleForBackupReports"></a>

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must clean up your service-linked role before you can manually delete it.

### Cleaning up a service-linked role
<a name="service-linked-role-review-before-delete-AWSServiceRoleForBackupReports"></a>

Before you can use IAM to delete a service-linked role, you must first delete any resources used by the role. You must delete all frameworks and report plans.

**Note**  
If the AWS Backup service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes, then try the operation again.

**To delete AWS Backup resources used by the AWSServiceRoleForBackupReports (console)**

1. To delete all frameworks, see [Deleting frameworks](https://docs.aws.amazon.com/aws-backup/latest/devguide/deleting-frameworks.html).

1. To delete all report plans, see [Deleting report plans](https://docs.aws.amazon.com/aws-backup/latest/devguide/delete-report-plan.html).

**To delete AWS Backup resources used by the AWSServiceRoleForBackupReports (AWS CLI)**

1. To delete all frameworks, use [delete-framework](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/backup/delete-framework.html).

1. To delete all report plans, use [delete-report-plan](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/backup/delete-report-plan.html).

**To delete AWS Backup resources used by the AWSServiceRoleForBackupReports (API)**

1. To delete all frameworks, use [DeleteFramework](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_DeleteFramework.html).

1. To delete all report plans, use [DeleteReportPlan](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_DeleteReportPlan.html).

### Manually delete the service-linked role
<a name="slr-manual-delete-AWSServiceRoleForBackupReports"></a>

Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForBackupReports service-linked role. For more information, see [Delete a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_delete.html#id_roles_manage_delete_slr) in the *IAM User Guide*.

## Supported Regions for AWS Backup service-linked roles
<a name="slr-regions-AWSServiceRoleForBackupReports"></a>

AWS Backup supports using service-linked roles in all of the Regions where the service is available. For more information, see [AWS Backup supported features and Regions](https://docs.aws.amazon.com/aws-backup/latest/devguide/whatisbackup.html#features-by-region).

# Using roles for restore testing
<a name="using-service-linked-roles-AWSServiceRoleForBackupRestoreTesting"></a>

AWS Backup uses AWS Identity and Access Management (IAM)[ service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts). A service-linked role is a unique type of IAM role that is linked directly to AWS Backup. Service-linked roles are predefined by AWS Backup and include all the permissions that the service requires to call other AWS services on your behalf. 

A service-linked role makes setting up AWS Backup easier because you don’t have to manually add the necessary permissions. AWS Backup defines the permissions of its service-linked roles, and unless defined otherwise, only AWS Backup can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

You can delete a service-linked role only after first deleting its related resources. This protects your AWS Backup resources because you can't inadvertently remove permission to access the resources.

For information about other services that support service-linked roles, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes **in the **Service-Linked Role** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

## Service-linked role permissions for AWS Backup
<a name="service-linked-role-permissions-AWSServiceRoleForBackupRestoreTesting"></a>

AWS Backup uses the service-linked role named **AWSServiceRoleForBackupRestoreTesting** – Provides backup permissions to conduct restore testing.

The **AWSServiceRoleForBackupRestoreTesting** service-linked role trusts the following services to assume the role:
+ `restore-testing.backup.amazonaws.com`

To view the permissions for this policy, see [AWSServiceRolePolicyForBackupRestoreTesting](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSServiceRolePolicyForBackupRestoreTesting.html) in the *AWS Managed Policy Reference*.

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-linked role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create-service-linked-role.html#service-linked-role-permissions) in the *IAM User Guide*.

## Creating a service-linked role for AWS Backup
<a name="create-service-linked-role-AWSServiceRoleForBackupRestoreTesting"></a>

You don't need to manually create a service-linked role. When you conduct restore testing in the AWS Management Console, the AWS CLI, or the AWS API, AWS Backup creates the service-linked role for you. 

**Important**  
 This service-linked role can appear in your account if you completed an action in another service that uses the features supported by this role. To learn more, see [A New Role Appeared in My IAM Account](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_new-role-appeared).

If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you conduct restore testing, AWS Backup creates the service-linked role for you again.

## Editing a service-linked role for AWS Backup
<a name="edit-service-linked-role-AWSServiceRoleForBackupRestoreTesting"></a>

AWS Backup does not allow you to edit the AWSServiceRoleForBackupRestoreTesting service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Edit a service-linked role description](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-service-linked-role.html#edit-service-linked-role-iam-console) in the *IAM User Guide*.

## Deleting a service-linked role for AWS Backup
<a name="delete-service-linked-role-AWSServiceRoleForBackupRestoreTesting"></a>

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must clean up your service-linked role before you can manually delete it.

### Cleaning up a service-linked role
<a name="service-linked-role-review-before-delete-AWSServiceRoleForBackupRestoreTesting"></a>

Before you can use IAM to delete a service-linked role, you must first delete any resources used by the role. You must delete all restore testing plans.

**Note**  
If the AWS Backup service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes, then try the operation again.

**To delete AWS Backup resources used by the AWSServiceRoleForBackupRestoreTesting (console)**
+ To delete all restore testing plans, see [Restore testing](https://docs.aws.amazon.com/aws-backup/latest/devguide/restore-testing.html).

**To delete AWS Backup resources used by the AWSServiceRoleForBackupRestoreTesting (AWS CLI)**
+ To delete restore testing plans, use `delete-restore-testing-plan`.

**To delete AWS Backup resources used by the AWSServiceRoleForBackupRestoreTesting (API)**
+ To delete restore testing plans, use `DeleteRestoreTestingPlan`.

### Manually delete the service-linked role
<a name="slr-manual-delete-AWSServiceRoleForBackupRestoreTesting"></a>

Use the IAM console, the AWS CLI, or the AWS API to delete the **AWSServiceRoleForBackupRestoreTesting** service-linked role. For more information, see [Delete a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_delete.html#id_roles_manage_delete_slr) in the *IAM User Guide*.

## Supported Regions for AWS Backup service-linked roles
<a name="slr-regions-AWSServiceRoleForBackupRestoreTesting"></a>

AWS Backup supports using service-linked roles in all of the Regions where the service is available. For more information, see [AWS Backup supported features and Regions](https://docs.aws.amazon.com/aws-backup/latest/devguide/whatisbackup.html#features-by-region).

# Cross-service confused deputy prevention
<a name="cross-service-confused-deputy-prevention"></a>

The confused deputy problem is a security issue where an entity that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action. In AWS, cross-service impersonation can result in the confused deputy problem. Cross-service impersonation can occur when one service (the *calling service*) calls another service (the *called service*). The calling service can be manipulated to use its permissions to act on another customer's resources in a way it should not otherwise have permission to access. To prevent this, AWS provides tools that help you protect your data for all services with service principals that have been given access to resources in your account.

We recommend using the [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn) and [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount) global condition context keys in resource policies to limit the permissions that AWS Backup gives another service to the resource. If you use both global condition context keys, the `aws:SourceAccount` value and the account in the `aws:SourceArn` value must use the same account ID when used in the same policy statement.

The value of `aws:SourceArn` must be a AWS Backup vault when using AWS Backup to publish Amazon SNS topics on your behalf.

The most effective way to protect against the confused deputy problem is to use the `aws:SourceArn` global condition context key with the full ARN of the resource. If you don't know the full ARN of the resource or if you are specifying multiple resources, use the `aws:SourceArn` global context condition key with wildcards (`*`) for the unknown portions of the ARN. For example, `arn:aws::servicename::123456789012:*`. 

The following example policy shows how you can use the `aws:SourceArn` and `aws:SourceAccount` global condition context keys in AWS Backup to prevent the confused deputy problem. This policy grants the service principal backup-storage.amazonaws.com ability to perform KMS actions only when the service principal is acting on behalf of AWS account 123456789012 on the backup vaults: