

# Multi-party approval for logically air-gapped vaults
<a name="multipartyapproval"></a>



## Overview of Multi-party approval in a logically air-gapped vault
<a name="multipartyapproval-overview"></a>

AWS Backup offers you the option to add [Multi-party approval](https://docs.aws.amazon.com/mpa/latest/userguide/what-is.html), a capability from AWS Organizations, to your logically air-gapped vaults. Multi-party approval provides an additional option to help protect critical operations through a distributed approval process.

Multi-party approval is designed to help protect critical resources and to minimize the time to return to full operation after a disruption, such as one caused by malicious actors or malware events. This setup can help you restore the contents of a logically air-gapped vault that may have been compromised.

There is no additional cost for integrating and using Multi-party approval teams with AWS Backup logically air-gapped vaults (storage and cross-region transfers charges apply, as shown on the [pricing](https://aws.amazon.com/backup/pricing) page).

As an AWS Backup customer, you can use Multi-party approval to grant approval capabilities for some operations to a group of trusted individuals. In the case of suspected malicious activity that may compromise use of the primary account, this group can collaboratively approve access to a logically air-gapped vault from a separately created recovery account.

The following steps outline the recommended flow for setting up a recovery AWS organization, setting up Multi-party approval, and then using Multi-party approval with your logically air-gapped vaults:

1. An administrator [creates a new organization through Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started.html) to be used for recovery operations.

1. In the management account of this new organization, the administrator creates and configures an IAM Identity Center (IDC) instance. To enable an organization instance, see [Enable IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/enable-identity-center.html) in the *IAM Identity Center User Guide*. See also the sequence to [Create a Multi-party approval identity source](https://docs.aws.amazon.com/mpa/latest/userguide/setting-up.html) in the *Multi-party approval User Guide*.

1. The administrator then will [create an approval team](https://docs.aws.amazon.com/mpa/latest/userguide/create-team.html), the core group of trusted individuals who will be the primary users of Multi-party approval.

1. The administrator uses AWS RAM to [share an approval team](multipartyapproval-tasks-administrator.md#share-multipartyapproval-team-using-ram) with each account that owns a logically air-gapped vault and the recovery account that needs to request access on that vault.

1. An administrator of the logically air-gapped vault owning account [associates the vault with an approval team](multipartyapproval-tasks-requester.md#associate-multipartyapproval-team).

1. A recovery account [requests access](multipartyapproval-tasks-requester.md#create-restore-access-vault) to an account that has a logically air-gapped vault with an associated Multi-party approval team (“team”). The team associated with the account [approves or denies the request](https://docs.aws.amazon.com/mpa/latest/userguide/respond-request.html).

1. The administrator of the account that owns the logically air-gapped vault can request that [the approval team be disassociated from the vault](multipartyapproval-tasks-requester.md#disassociate-multipartyapproval-team). The request requires current team approval.

1. An administrator can [update approval team membership](https://docs.aws.amazon.com/mpa/latest/userguide/update-team.html) as necessary in accordance with their security practices or when people join or leave your organization.

## Prerequisites and best practices for using Multi-party approval with a logically air-gapped vault
<a name="multipartyapproval-prerequisites"></a>

Before you can effectively and securely use Multi-party approval with your logically air-gapped vaults, there are prerequisites and recommended best practices.

**Best practices:**
+ Two (or more) AWS organizations through Organizations. One should be your primary organization where you have one or more accounts that have at least one logically air-gapped vault. The secondary organization should be your recovery organization. Your Multi-party approval team is managed in this recovery organization.

**Prerequisites**

1. You have [Set up Multi-party approval](https://docs.aws.amazon.com/mpa/latest/userguide/setting-up.html) and have at least one approval team.

1. At least one account in your primary organization must have a logically air-gapped vault (and the original backup vault).

1. The management account in the primary organization is opted-in to Multi-party approval.
**Tip**  
AWS Backup recommends you apply a Service Control Policy (SCP) to your primary organization and configure it with the appropriate permissions to the organization and to each approval team. See [Multi-party approval terms](#multipartyapproval-terms) section for a sample policy.

1. Your Multi-party approval team from the secondary (recovery) organization is [shared through AWS RAM](multipartyapproval-tasks-administrator.md#share-multipartyapproval-team-using-ram) with both your accounts that own the logically air-gapped vault(s) and your recovery accounts.

## Cross-Region considerations and dependencies when using Multi-party approval
<a name="multipartyapproval-cross-region"></a>

When you enable Multi-party approval and your IAM Identity Center instance in different Regions, Multi-party approval makes calls across Regions to IAM Identity Center. This means that user and group information moves across Regions. Multi-party approval Team resources can only be created and stored in AWS Region US East (N. Virginia).

Other AWS Regions that reference Multi-party approval team resources will depend on AWS Region US East (N. Virginia). Accordingly, Multi-party approval will make cross-Regions calls if your Identity Center instance and/or logically air-gapped vault is not in US East (N. Virginia).

## Multi-party approval terms, concepts, and user personas
<a name="multipartyapproval-terms"></a>

Multi-party approval in your logically air-gapped vault is an integration of AWS Organizations, AWS Account Management, and AWS Backup, along with AWS Identity and Access Management (IAM) and AWS RAM (RAM) features. Through the CLI, you can interact with each service to send the appropriate commands. You can also use the console, but you will need to navigate to the appropriate service’s console to complete specific tasks.

How you interact with Multi-party approval depends on your roles and responsibilities at your organizations, as well as the permissions you have in your AWS Backup accounts. 

As shown in the [Multi-party approval User Guide](https://docs.aws.amazon.com/mpa/latest/userguide/what-is.html), members of your organization who use multi-party approval will be a ***requester***, an ***administrator***, or an ***approver***. Specific permissions apply to each [job function](https://docs.aws.amazon.com/mpa/latest/userguide/mpa-concepts.html). In accordance with security best practices, a user should only fulfill one job function.

 **Consoles, portals, and sessions** 

AWS Backup accounts with one or more logically air-gapped vaults can use multi-party approval.

Prior to the multi-party approval process, an administrator utilizes AWS Organizations to create a secondary organization for recovery purposes (a **recovery organization**) if one has not previously been set up.

Then, the administrator utilizes AWS Resource Access Manager (RAM) to set up cross-organization sharing between the primary organization and the recovery organization.

The **primary organization** is home to accounts that own and use a logically air-gapped vault, which stores the protected data.

The recovery organization is home to at least one **recovery account**. This account houses an access point that can serve as a critical ‘back door’ to the shared logically air-gapped vault. This access point is called a **restore access backup vault**. This access vault does not store data; instead, it serves as an access or mount point that mirrors the contents of the source logically air-gapped vault but contains no data that can be changed or deleted. For example, if a customer goes through the restore process for a recovery point in a restore access backup vault, it is the recovery point in the logically air-gapped vault that is restored through cross-account restore by way of the recovery account.

To ensure extra security, customers use this recovery account to carry out protected operations in the primary account, but only after those operations have been given approval by the associated [approval team in an approval session](https://docs.aws.amazon.com/mpa/latest/userguide/mpa-concepts.html#mpa-resources). A session is created by AWS once an approval request has been sent, and that session ends when a threshold of approval team members approves or denies the request or when the allowed session time has passed. 

A team consists of **approvers** (effectively, the *parties* portion of Multi-party approval) who receive email notifications of protected operation requests. These emails confirm that an approval session has begun for the request. Approval is granted once the required minimum threshold of approval is reached. This threshold can be set as the **multi-party approval team** (“Team”) is created.

Multi-party approval teams are managed through the Organizations **multi-party approval portal** (“portal”), an AWS managed application that provides identities a centralized location where approval team members can receive and respond to approval team invitations and operation requests.

# Administrator tasks
<a name="multipartyapproval-tasks-administrator"></a>

Several tasks involving AWS Backup and Multi-party approval require a user with admin permissions and access to the management account.

## Create an approval team
<a name="create-multipartyapproval-team"></a>

A user at your organization with admin permissions for an AWS account needs to [set up Multi-party approval](https://docs.aws.amazon.com/mpa/latest/userguide/setting-up.html) (step 3 in the [Overview](multipartyapproval.md#multipartyapproval-overview)).

Before doing this step, it is recommended as a best practice that you have both a primary organization and a secondary organization (for recovery purposes) set up through AWS Organizations (step 1 in the [Overview](multipartyapproval.md#multipartyapproval-overview)).

See [Create an approval team](https://docs.aws.amazon.com/mpa/latest/userguide/create-team.html#create-team-steps) in the *Multi-party approval user guide* to create your team.

During the [`CreateApprovalTeam`](https://docs.aws.amazon.com/mpa/latest/APIReference/API_CreateApprovalTeam.html) operation, one of the parameters is `policies`. This is a list of ARNs (Amazon Resource Names) for Multi-party approval resource policies that define permissions that protect the team.

The example in the procedure [Create an approval team](https://docs.aws.amazon.com/mpa/latest/userguide/create-team.html#create-team-steps) in the *Multi-party approval User Guide* uses the policy `["arn:aws:mpa::aws:policy/backup.amazonaws.com/CreateRestoreAccessVault"]`, which contains several necessary permissions.

Follow these steps to return a list of available policies by using `mpa list-policies`:

1. List Policies: 

   ```
   aws mpa list-policies --region us-east-1
   ```

1. List all policy versions: 

   ```
   aws mpa list-policy-versions --policy-arn arn:aws:mpa:::aws:policy/backup.amazonaws.com/CreateRestoreAccessVault --region us-east-1
   ```

1. Get details on a policy: 

   ```
   aws mpa get-policy-version --policy-version-arn arn:aws:mpa:::aws:policy/backup.amazonaws.com/CreateRestoreAccessVault/1 --region us-east-1
   ```

The following policy is created and then attached to your approval team by this operation:

### Restore access vault policy
<a name="restoreaccessvaultpolicy"></a>

------
#### [ JSON ]


```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Sid": "VaultOwnerPermissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Resource": "*",
      "Action": [
        "mpa:StartSession",
        "mpa:CancelSession"
      ],
      "Condition": {
        "StringEquals": {
          "mpa:RequestedOperation": "backup:RevokeRestoreAccessBackupVault",
          "mpa:ProtectedResourceAccount": "${aws:PrincipalAccount}"
        },
        "Bool": {
          "aws:ViaAWSService": "true"
        }
      }
    }
  ]
}
```

------
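The policy statement above can be read as three conditions that must all hold before `mpa:StartSession` or `mpa:CancelSession` is allowed. The following is an added example, not AWS code and not part of the original page: a simplified Python model of `StringEquals`, `Bool`, and `${...}` variable substitution (not the AWS policy engine) that shows which condition key blocks a request. The account IDs and the non-matching operation and action names are constructed sample values.

```python
import re

# The statement from the policy above, as a Python dict.
STATEMENT = {
    "Sid": "VaultOwnerPermissions",
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Resource": "*",
    "Action": ["mpa:StartSession", "mpa:CancelSession"],
    "Condition": {
        "StringEquals": {
            "mpa:RequestedOperation": "backup:RevokeRestoreAccessBackupVault",
            "mpa:ProtectedResourceAccount": "${aws:PrincipalAccount}",
        },
        "Bool": {"aws:ViaAWSService": "true"},
    },
}

_VARIABLE = re.compile(r"\$\{([^}]+)\}")


def resolve(value, context):
    """Expand ${key} policy variables from the request context.

    Returns None when a referenced key is absent, so the condition fails.
    """
    keys = _VARIABLE.findall(value)
    if any(context.get(k) is None for k in keys):
        return None
    return _VARIABLE.sub(lambda m: str(context[m.group(1)]), value)


def failed_conditions(statement, context):
    """Return the condition keys that do not match; every key must match."""
    failed = []
    for operator, pairs in statement.get("Condition", {}).items():
        if operator not in ("StringEquals", "Bool"):
            raise ValueError(f"operator not modelled: {operator}")
        for key, expected in pairs.items():
            actual = context.get(key)
            wanted = resolve(expected, context)
            if actual is None or wanted is None:
                failed.append(key)
            elif operator == "Bool":
                if str(actual).lower() != wanted.lower():
                    failed.append(key)
            elif str(actual) != wanted:  # StringEquals is case-sensitive
                failed.append(key)
    return failed


def evaluate(statement, action, context):
    """Return ("Allow", []) or ("ImplicitDeny", [reasons]) for one request."""
    if action not in statement["Action"]:
        return "ImplicitDeny", ["Action"]
    failed = failed_conditions(statement, context)
    return ("Allow", []) if not failed else ("ImplicitDeny", failed)


# Constructed request contexts; account IDs are placeholders.
OWNER = "111111111111"
BASE = {
    "aws:PrincipalAccount": OWNER,
    "aws:ViaAWSService": True,
    "mpa:RequestedOperation": "backup:RevokeRestoreAccessBackupVault",
    "mpa:ProtectedResourceAccount": OWNER,
}


def sample_results():
    """Evaluate the vault owner's request and three variations of it."""
    cases = {
        "owner_revoke_via_backup": ("mpa:StartSession", BASE),
        "direct_call": ("mpa:StartSession",
                        {**BASE, "aws:ViaAWSService": False}),
        "other_accounts_vault": ("mpa:StartSession",
                                 {**BASE, "mpa:ProtectedResourceAccount": "222222222222"}),
        "other_operation": ("mpa:CancelSession",
                            {**BASE, "mpa:RequestedOperation": "backup:SampleOtherOperation"}),
        "unlisted_action": ("mpa:SampleOtherAction", BASE),
    }
    return {name: evaluate(STATEMENT, action, ctx)
            for name, (action, ctx) in cases.items()}


if __name__ == "__main__":
    for name, (decision, reasons) in sample_results().items():
        print(f"{name:26} {decision:13} {', '.join(reasons)}")
```

Because `Principal` and `Resource` are both `*`, the `Action` list and the `Condition` block are the only parts of this statement that narrow it.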

## Share a Multi-party approval team using AWS RAM
<a name="share-multipartyapproval-team-using-ram"></a>

You can share a Multi-party approval team with other AWS accounts using [AWS Resource Access Manager (RAM)](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing-create.html), step 4 in the [overview](multipartyapproval.md#multipartyapproval-overview).

------
#### [ Console ]

**Share a Multi-party approval team using AWS RAM**

1. Sign in to the [AWS RAM console](https://console.aws.amazon.com/ram/home?region=us-east-1).

1. In the navigation pane, choose **Resource shares**.

1. Choose **Create resource share**.

1. In the **Name** field, enter a descriptive name for your resource share.

1. Under **Resource type**, select **Multi-party approval Team** from the dropdown menu.

1. Under **Resources**, select the approval team you want to share.

1. Under **Principals**, specify the AWS accounts with whom you want to share the approval team.

1. To share with specific AWS accounts, select **AWS accounts** and enter the 12-digit account IDs.

1. To share with an organization or organizational unit, select **Organization** or **Organizational unit** and enter the appropriate ID.

1. (*Optional*) Under **Tags**, add any tags you want to associate with this resource share.

1. Choose **Create resource share**.

The resource share status will initially show as `PENDING`. Once the recipient accounts accept the invitation, the status will change to `ACTIVE`.

------
#### [ CLI ]

To share a Multi-party approval team using AWS RAM through the CLI, use the following commands:

First, identify the ARN of the approval team you want to share:

```
aws mpa list-approval-teams --region us-east-1
```

Create a resource share using the create-resource-share command:

```
aws ram create-resource-share \
--name "MPA-Team-Share" \
--resource-arns "arn:aws:mpa:us-east-1:ACCOUNT_ID:approval-team/TEAM_ID" \
--principals "ACCOUNT_ID_TO_SHARE_WITH" \
--permission-arns "arn:aws:ram::aws:permission/AWSRAMMPAApprovalTeamAccess" \
--region us-east-1
```

To share with an organization instead of specific accounts:

```
aws ram create-resource-share \
--name "MPA-Team-Share" \
--resource-arns "arn:aws:mpa:us-east-1:ACCOUNT_ID:approval-team/TEAM_ID" \
--principals "ORGANIZATION_ARN" \
--permission-arns "arn:aws:ram::aws:permission/AWSRAMMPAApprovalTeamAccess" \
--allow-external-principals \
--region us-east-1
```

Check the status of your resource share:

```
aws ram get-resource-shares \
--resource-owner SELF \
--region us-east-1
```

The recipient account(s) will need to accept the resource share invitation. To list pending invitations, run the following in the recipient account:

```
aws ram get-resource-share-invitations --region us-east-1
```

Run the following in the recipient account to accept an invitation:

```
aws ram accept-resource-share-invitation \
--resource-share-invitation-arn "arn:aws:ram:REGION:ACCOUNT_ID:resource-share-invitation/INVITATION_ID" \
--region us-east-1
```

Once the invitation is accepted, the Multi-party approval team will be available for use in the recipient account.

------

AWS offers tools to share account access, including through [AWS Resource Access Manager](logicallyairgappedvault.md#lag-share) and [Multi-party access](https://docs.aws.amazon.com/mpa/latest/userguide/share-team.html). When you choose to share a logically air-gapped vault with another account, consider the following details:


| Feature | AWS RAM based sharing | Multi-party approval based access | 
| --- | --- | --- | 
| Access to logically air-gapped vaults | Once RAM share is complete, the vaults can be accessed. | Any attempt by a different account must be approved by a threshold number of Multi-party approval team members. The approval session automatically expires 24 hours after the request is initiated. | 
| Access removal | The account which owns the logically air-gapped vault can end RAM based sharing at any time. | Access to a vault can only be removed by a request to the Multi-party approval team. | 
| Copy across accounts and/or Regions | Not currently supported. | Backups can be copied within the same account or with other accounts in the same organization as the recovery account. | 
| Cross-Region transfer billing |  | Cross-Region transfers are billed to the same account that owns the restore access backup vault. | 
| Recommended use | Primary use is for data loss recovery and for restore testing. | Primary use is for situations where account access or security is suspected to be compromised. | 
| Regions | Available in all AWS Regions where logically air-gapped vaults are supported. | Available in all AWS Regions where logically air-gapped vaults are supported. | 
| Restores | All supported resource types can be restored from a shared account. | All supported resource types can be restored from a shared account. | 
| Setup | Sharing can occur as soon as the AWS Backup account sets up RAM sharing and the receiving account accepts the share. | Sharing requires the management account to first create a team, then set up RAM sharing. Then, the management account opts in to Multi-party approval and assigns that team to a logically air-gapped vault. | 
| Sharing |  Sharing is done through RAM within same AWS organization or across AWS organizations. Access is granted according to the 'push' model, in which the account that owns the logically air-gapped vault first grants access. Then, the other account accepts access.  |  Access to a logically air-gapped vault is through Organizations supported approval teams within the same AWS organization or across organizations. Access is granted according to the 'pull' model, where the receiving account first requests access, then the approval team grants or denies the request.  | 

# Requester tasks
<a name="multipartyapproval-tasks-requester"></a>

## Associate a Multi-party approval team with a logically air-gapped vault
<a name="associate-multipartyapproval-team"></a>

Requester: **User with access to account that owns the logically air-gapped vault**.

You can associate a Multi-party approval team with a logically air-gapped vault to enable collaborative approval for access to the vault (step 5 in the [Overview](multipartyapproval.md#multipartyapproval-overview)).

------
#### [ Console ]

**Associate a Multi-party approval team with a logically air-gapped vault**

1. Open the AWS Backup console at [https://console.aws.amazon.com/backup](https://console.aws.amazon.com/backup).

1. Navigate to the **Backup vaults** section in the left navigation pane.

1. Select the logically air-gapped backup vault you want to associate with an MPA team.

1. On the **Vault details** page, select **Assign approval team**.

1. From the dropdown menu, select the approval team you want to associate with the vault.

1. (*Optional*) Enter a comment explaining the reason for the association.

1. Select **Send request** to submit the association request.

If this is the first approval team to be associated with the vault, the team will be associated with the vault. If the vault already has an associated team, see [Update Multi-party approval team](#update-multpartyapproval-team) for steps.

------
#### [ CLI ]

Use the CLI command `associate-backup-vault-mpa-approval-team`, modified with the following parameters:

```
aws backup associate-backup-vault-mpa-approval-team \
--backup-vault-name VAULT_NAME \
--mpa-approval-team-arn MPA_TEAM_ARN \
--requester-comment "OPTIONAL_COMMENT" \
--region REGION
```

If this is the first approval team to be associated with the vault, the team will be associated with the vault. If the vault already has an associated team, see [Update Multi-party approval team](#update-multpartyapproval-team) for steps.

------

## Request access to a logically air-gapped vault
<a name="create-restore-access-vault"></a>

Requester: **User with access to recovery account**.

You can request access to a logically air-gapped vault in another account (step 6 in the [Overview](multipartyapproval.md#multipartyapproval-overview)).

After an approval team has granted the request, AWS Backup creates a restore access backup vault in your designated recovery account so that account will have access to recovery points in the connected logically air-gapped vault.

------
#### [ Console ]

**Request access to a logically air-gapped vault**

1. Open the AWS Backup console at [https://console.aws.amazon.com/backup](https://console.aws.amazon.com/backup).

1. Navigate to the **Backup vaults** section in the left navigation pane.

1. Select the **Vaults accessible through MPA** tab.

1. Select **Request vault access**.

1. Enter the source backup vault ARN of the logically air-gapped vault you want to access.

1. Enter an optional name for the restore access backup vault. If you do not enter a name, AWS Backup will assign a name based on the name of the logically air-gapped vault.

1. Enter an optional requester comment explaining the reason for the access request.

1. Select **Send request** to submit the access request.

The approval team members associated with the source vault will receive an email notification to approve the request.

Once the request is approved by the required number ("threshold") of team members, the restore access backup vault will be created in the recovery account.

------
#### [ CLI ]

Use the CLI command `create-restore-access-backup-vault`:

```
aws backup create-restore-access-backup-vault \
--source-backup-vault-arn SOURCE_VAULT_ARN \
--backup-vault-name OPTIONAL_VAULT_NAME \
--requester-comment "OPTIONAL_COMMENT" \
--region REGION
```

The MPA approval team members associated with the source vault will receive a notification to approve the request. Once the request is approved by the required number ("threshold") of team members, the restore access backup vault will be created in the recovery account.

You can check the status of the vault using:

```
aws backup describe-backup-vault \
--backup-vault-name VAULT_NAME \
--region REGION
```

------

## Disassociate Multi-party approval team from logically air-gapped vault
<a name="disassociate-multipartyapproval-team"></a>

Requester: **Administrator of account that owns the logically air-gapped vault**.

You can disassociate a Multi-party approval team from a logically air-gapped vault (step 7 in the [Overview](multipartyapproval.md#multipartyapproval-overview)).

------
#### [ Console ]

**Disassociate approval team from logically air-gapped vault**

1. Open the AWS Backup console at [https://console.aws.amazon.com/backup](https://console.aws.amazon.com/backup).

1. Navigate to the **Backup vaults** section in the left navigation pane.

1. Select the logically air-gapped backup vault from which you want to disassociate the approval team.

1. On the **Vault details** page, select **Disassociate approval team**.

1. Enter an optional requester comment explaining the reason for the disassociation.

1. Select **Send request** to submit the disassociation request.

The current approval team members will receive a notification to approve the request.

Once approved by the required number of team members, the team will be disassociated from the vault.

------
#### [ CLI ]

Use the CLI command `disassociate-backup-vault-mpa-approval-team`:

```
aws backup disassociate-backup-vault-mpa-approval-team \
--backup-vault-name VAULT_NAME \
--requester-comment "OPTIONAL_COMMENT" \
--region REGION
```

The current MPA approval team members will receive a notification to approve the request. Once approved by the required number of team members, the team will be disassociated from the vault.

------

## Revoke restore access backup vault
<a name="revoke-restore-access-vault"></a>

Requester: **Administrator of account that owns the logically air-gapped vault**.

You can revoke access to a restore access backup vault from the source vault account.

------
#### [ Console ]

**Revoke restore access backup vault**

1. Open the AWS Backup console at [https://console.aws.amazon.com/backup](https://console.aws.amazon.com/backup).

1. Navigate to the **Backup vaults** section in the left navigation pane.

1. Select the logically air-gapped backup vault for which you want to revoke access.

1. On the **Vault details** page, scroll down to the **Access through Multi-party approval** section.

1. Find the restore access backup vault you want to revoke, then select **Request to remove vault access**.

1. Enter an optional requester comment explaining the reason for the revocation.

1. Select **Send request** to submit the revocation request.

The approval team members will receive a notification to approve the request.

Once approved by the required number of team members, the restore access backup vault will be deleted from the recovery account.

------
#### [ CLI ]

First, list the restore access backup vaults associated with your source vault:

```
aws backup list-restore-access-backup-vaults \
--backup-vault-name SOURCE_VAULT_NAME \
--region REGION
```

Then, use the CLI command `revoke-restore-access-backup-vault`:

```
aws backup revoke-restore-access-backup-vault \
--backup-vault-name SOURCE_VAULT_NAME \
--restore-access-backup-vault-arn RESTORE_ACCESS_VAULT_ARN \
--requester-comment "OPTIONAL_COMMENT" \
--region REGION
```

The approval team members will receive a notification to approve the request. Once approved by the required number of team members, the restore access backup vault will be deleted from the recovery account.

------

## Update the Multi-party approval team associated with a logically air-gapped vault
<a name="update-multpartyapproval-team"></a>

Requester: **Administrator of account that owns the logically air-gapped vault**.

You can update the Multi-party approval team associated with a logically air-gapped vault (step 8 in the [Overview](multipartyapproval.md#multipartyapproval-overview)).

------
#### [ Console ]

**Update the approval team associated with a logically air-gapped vault**

1. Open the AWS Backup console at [https://console.aws.amazon.com/backup](https://console.aws.amazon.com/backup).

1. Navigate to the **Backup vaults** section in the left navigation pane.

1. Select the logically air-gapped backup vault for which you want to update the approval team.

1. On the vault details page, select **Request approval team change**.

1. From the dropdown menu, select the new approval team you want to associate with the vault.

1. Enter an optional requester comment explaining the reason for the change.

1. Select **Send request** to submit the change request.

The current approval team members will receive an email notification to approve the request.

Once approved by the required number of team members (threshold) from the current MPA team, the new team will be associated with the vault.

------
#### [ CLI ]

Use the CLI command `associate-backup-vault-mpa-approval-team` with the new team ARN:

```
aws backup associate-backup-vault-mpa-approval-team \
--backup-vault-name VAULT_NAME \
--mpa-approval-team-arn NEW_MPA_TEAM_ARN \
--requester-comment "OPTIONAL_COMMENT" \
--region REGION
```

The current approval team members will receive a notification to approve the request. Once approved by the required number of team members (threshold) from the current team, the new MPA team will be associated with the vault.

------

# Approver tasks
<a name="multipartyapproval-tasks-approver"></a>

A user who is a member of a Multi-party approval team can [approve or deny requests](https://docs.aws.amazon.com/mpa/latest/userguide/approver.html) that are part of a session. Other tasks include:
+ [Respond to requested operations](https://docs.aws.amazon.com/mpa/latest/userguide/respond-request)
+ [View an approval team](https://docs.aws.amazon.com/mpa/latest/userguide/approver-view-team)
+ [View operation history](https://docs.aws.amazon.com/mpa/latest/userguide/view-operation-history)