Managed policies for AWS Backup - AWS Backup
AWS managed policiesCustomer managed policiesPolicy updates

Managed policies for AWS Backup

Managed policies are standalone identity-based policies that you can attach to multiple users, groups, and roles in your AWS account. When you attach a policy to a principal entity, you give the entity the permissions that are defined in the policy.

AWS managed policies are created and administered by AWS. You can't change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to.

Customer managed policies give you fine-grained controls to set access to backups in AWS Backup. For example, you can use them to give your database backup administrator access to Amazon RDS backups but not Amazon EFS ones.

For more information, see Managed policies in the IAM User Guide.

AWS managed policies

AWS Backup provides the following AWS managed policies for common use cases. These policies make it easier to define the right permissions and control access to your backups. There are two types of managed policies. One type is designed to be assigned to users to control their access to AWS Backup. The other type of managed policy is designed to be attached to roles that you pass to AWS Backup. The following table lists all the managed policies that AWS Backup provides and describes how they are defined. You can find these managed policies in the Policies section of the IAM console.

AWSBackupAuditAccess

This policy grants permissions for users to create controls and frameworks that define their expectations for AWS Backup resources and activities, and to audit AWS Backup resources and activities against their defined controls and frameworks. This policy grants permissions to AWS Config and similar services to describe user expectations perform the audits.

This policy also grants permissions to deliver audit reports to Amazon S3 and similar services, and enables users to find and open their audit reports.

To view the permissions for this policy, see AWSBackupAuditAccess in the AWS Managed Policy Reference.

AWSBackupDataTransferAccess

This policy provides permissions for the AWS Backup storage plane data transfer APIs, allowing the AWS Backint agent to complete backup data transfer with the AWS Backup storage plane. You can attach this policy to roles assumed by Amazon EC2 instances running SAP HANA with the Backint agent.

To view the permissions for this policy, see AWSBackupDataTransferAccess in the AWS Managed Policy Reference.

AWSBackupFullAccess

The backup administrator has full access to AWS Backup operations, including creating or editing backup plans, assigning AWS resources to backup plans, and restoring backups. Backup administrators are responsible for determining and enforcing backup compliance by defining backup plans that meet their organization's business and regulatory requirements. Backup administrators also ensure that their organization's AWS resources are assigned to the appropriate plan.

To view the permissions for this policy, see AWSBackupFullAccess in the AWS Managed Policy Reference.

AWSBackupGatewayServiceRolePolicyForVirtualMachineMetadataSync

To view the permissions for this policy, see in the AWS Managed Policy Reference.

AWSBackupOperatorAccess

Backup operators are users that are responsible for ensuring the resources that they are responsible for are properly backed up. Backup operators have permissions to assign AWS resources to the backup plans that the backup administrator creates. They also have permissions to create on-demand backups of their AWS resources and to configure the retention period of on-demand backups. Backup operators do not have permissions to create or edit backup plans or to delete scheduled backups after they are created. Backup operators can restore backups. You can limit the resource types that a backup operator can assign to a backup plan or restore from a backup. You do this by allowing only certain service roles to be passed to AWS Backup that have permissions for a certain resource type.

To view the permissions for this policy, see AWSBackupOperatorAccess in the AWS Managed Policy Reference.

AWSBackupOrganizationAdminAccess

The organization administrator has full access to AWS Organizations operations, including creating, editing, or deleting backup policies, assigning backup policies to accounts and organizational units, and monitoring backup activities within the organization. Organization administrators are responsible for protecting accounts in their organization by defining and assigning backup policies that meet their organization's business and regulatory requirements.

To view the permissions for this policy, see AWSBackupOrganizationAdminAccess in the AWS Managed Policy Reference.

AWSBackupRestoreAccessForSAPHANA

This policy provides AWS Backup permission to restore a backup of SAP HANA on Amazon EC2.

To view the permissions for this policy, see AWSBackupRestoreAccessForSAPHANA in the AWS Managed Policy Reference.

AWSBackupServiceLinkedRolePolicyForBackup

This policy is attached to the service-linked role named AWSServiceRoleforBackup to allow AWS Backup to call AWS services on your behalf to manage your backups. For more information, see Using roles to back up and copy.

To view the permissions for this policy, see AWSBackupServiceLinkedRolePolicyforBackup in the AWS Managed Policy Reference.

AWSBackupServiceLinkedRolePolicyForBackupTest

To view the permissions for this policy, see AWSBackupServiceLinkedRolePolicyForBackupTest in the AWS Managed Policy Reference.

AWSBackupServiceRolePolicyForBackup

Provides AWS Backup permissions to create backups of all supported resource types on your behalf.

To view the permissions for this policy, see AWSBackupServiceRolePolicyForBackup in the AWS Managed Policy Reference.

AWSBackupServiceRolePolicyForItemRestores

Description

This policy grants users permissions to restore individual files and items in a snapshot (periodic backup recovery point) to a new or existing Amazon S3 bucket or new Amazon EBS volume. These permissions include: read permissions to Amazon EBS for snapshots managed by AWS Backup read/write permissions to Amazon S3 buckets, and generate and describe permissions for AWS KMS keys.

Using this policy

You can attach AWSBackupServiceRolePolicyForItemRestores to your users, groups, and roles.

Policy details

  • Type: AWS managed policy

  • Creation time: 21 November 2024, 22:45 UTC

  • Edited time: First instance

  • ARN: arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForItemRestores

Policy version: v1 (default)

This policy’s version defines the permissions for the policy. When the user or role with the policy makes a request to access an AWS resource, AWS checks the default version of the policy to determine whether to allow the request or not.

JSON policy document:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EBSReadOnlyPermissions",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSnapshots"
            ],
            "Resource": "arn:aws:ec2:*::snapshot/*"
        },
        {
            "Sid": "KMSReadOnlyPermissions",
            "Effect": "Allow",
            "Action": "kms:DescribeKey",
            "Resource": "*"
        },
        {
            "Sid": "EBSDirectReadAPIPermissions",
            "Effect": "Allow",
            "Action": [
                "ebs:ListSnapshotBlocks",
                "ebs:GetSnapshotBlock"
            ],
            "Resource": "arn:aws:ec2:*::snapshot/*"
        },
        {
            "Sid": "S3ReadonlyPermissions",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Sid": "S3PermissionsForFileLevelRestore",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": "arn:aws:s3:::*/*"
        },
        {
            "Sid": "KMSDataKeyForS3AndEC2Permissions",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "arn:aws:kms:*:*:key/*",
            "Condition": {
                "StringLike": {
                    "kms:ViaService": [
                        "ec2.*.amazonaws.com",
                        "s3.*.amazonaws.com"
                    ]
                }
            }
        }
    ]
}

AWSBackupServiceRolePolicyForIndexing

Description

This policy grants users permissions to index snapshot, also known as periodic, recovery points. These permissions include: read permissions to Amazon EBS for snapshots managed by AWS Backup read/write permissions to Amazon S3 buckets, and generate and describe permissions for AWS KMS keys.

Using this policy

You can attach AWSBackupServiceRolePolicyForIndexing to your users, groups, and roles.

Policy details

  • Type: AWS managed policy

  • Edited time: First instance

  • ARN: arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForIndexing

Policy version: v1 (default)

This policy’s version defines the permissions for the policy. When the user or or role with the policy makes a request to access an AWS resource, AWS checks the default version of the policy to determine whether to allow the request or not.

JSON policy document:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EBSReadOnlyPermissions",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSnapshots"
            ],
            "Resource": "arn:aws:ec2:*::snapshot/*"
        },
        {
            "Sid": "KMSReadOnlyPermissions",
            "Effect": "Allow",
            "Action": "kms:DescribeKey",
            "Resource": "*"
        },
        {
            "Sid": "EBSDirectReadAPIPermissions",
            "Effect": "Allow",
            "Action": [
                "ebs:ListSnapshotBlocks",
                "ebs:GetSnapshotBlock"
            ],
            "Resource": "arn:aws:ec2:*::snapshot/*"
        },
        {
            "Sid": "KMSDataKeyForEC2Permissions",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "arn:aws:kms:*:*:key/*",
            "Condition": {
                "StringLike": {
                    "kms:ViaService": [
                        "ec2.*.amazonaws.com"
                    ]
                }
            }
        }
    ]
}

AWSBackupServiceRolePolicyForRestores

Provides AWS Backup permissions to restore backups of all supported resource types on your behalf.

To view the permissions for this policy, see AWSBackupServiceRolePolicyForRestores in the AWS Managed Policy Reference.

For EC2 instance restores, you must also include the following permissions to launch the EC2 instance:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::account-id:role/role-name",
            "Effect": "Allow"
        }
    ]
}

AWSBackupServiceRolePolicyForS3Backup

This policy contains the permissions necessary for AWS Backup to back up any S3 bucket. This includes access to all objects in a bucket and any associated AWS KMS key.

To view the permissions for this policy, see AWSBackupServiceRolePolicyForS3Backup in the AWS Managed Policy Reference.

AWSBackupServiceRolePolicyForS3Restore

This policy contains permissions necessary for AWS Backup to restore an S3 backup to a bucket. This includes read and write permissions to the buckets and the usage of any AWS KMS key in regards to S3 operations.

To view the permissions for this policy, see AWSBackupServiceRolePolicyForS3Restore in the AWS Managed Policy Reference.

AWSServiceRolePolicyForBackupReports

AWS Backup uses this policy for the AWSServiceRoleForBackupReports service-linked role. This service-linked role gives AWS Backup permissions to monitor and report on the compliance of your backup settings, jobs, and resources with your frameworks.

To view the permissions for this policy, see AWSServiceRolePolicyForBackupReports in the AWS Managed Policy Reference.

AWSServiceRolePolicyForBackupRestoreTesting

To view the permissions for this policy, see AWSServiceRolePolicyForBackupRestoreTesting in the AWS Managed Policy Reference.

Customer managed policies

The following sections describe the recommended backup and restore permissions for the AWS services and third-party application supported by AWS Backup. You can use the existing AWS managed policies as a model as you create your own policy documents, and then customize them to further restrict access to your AWS resources.

Backup

Start with the following statements from AWSBackupServiceRolePolicyForBackup:

  • DynamoDBBackupPermissions

  • RDSClusterModifyPermissions

  • GetResourcesPermissions

  • BackupVaultPermissions

  • KMSPermissions

Restore

Start with the RDSPermissions statement from AWSBackupServiceRolePolicyForRestores.

Backup

Start with the following statements from AWSBackupServiceRolePolicyForBackup:

  • DynamoDBPermissions

  • DynamoDBBackupResourcePermissions

  • DynamodbBackupPermissions

  • KMSDynamoDBPermissions

Restore

Start with the following statements from AWSBackupServiceRolePolicyForRestores:

  • DynamoDBPermissions

  • DynamoDBBackupResourcePermissions

  • DynamoDBRestorePermissions

  • KMSPermissions

Backup

Start with the following statements from AWSBackupServiceRolePolicyForBackup:

  • EBSResourcePermissions

  • EBSTagAndDeletePermissions

  • EBSCopyPermissions

  • EBSSnapshotTierPermissions

  • GetResourcesPermissions

  • BackupVaultPermissions

Restore

Start with the EBSPermissions statement from AWSBackupServiceRolePolicyForRestores.

Add the following statement.

{
      "Effect":"Allow",
      "Action": [
        "ec2:DescribeSnapshots",
        "ec2:DescribeVolumes"
      ],
      "Resource":"*"
},
Backup

Start with the following statements from AWSBackupServiceRolePolicyForBackup:

  • EBSCopyPermissions

  • EC2CopyPermissions

  • EC2Permissions

  • EC2TagPermissions

  • EC2ModifyPermissions

  • EBSResourcePermissions

  • GetResourcesPermissions

  • BackupVaultPermissions

Restore

Start with the following statements from AWSBackupServiceRolePolicyForRestores:

  • EBSPermissions

  • EC2DescribePermissions

  • EC2RunInstancesPermissions

  • EC2TerminateInstancesPermissions

  • EC2CreateTagsPermissions

Add the following statement.

{
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::account-id:role/role-name"
},
Backup

Start with the following statements from AWSBackupServiceRolePolicyForBackup:

  • EFSPermissions

  • GetResourcesPermissions

  • BackupVaultPermissions

Restore

Start with the EFSPermissions statement from AWSBackupServiceRolePolicyForRestores.

Backup

Start with the following statements from AWSBackupServiceRolePolicyForBackup:

  • FsxBackupPermissions

  • FsxCreateBackupPermissions

  • FsxPermissions

  • FsxVolumePermissions

  • FsxListTagsPermissions

  • FsxDeletePermissions

  • FsxResourcePermissions

  • KMSPermissions

Restore

Start with the following statements from AWSBackupServiceRolePolicyForRestores:

  • FsxPermissions

  • FsxTagPermissions

  • FsxBackupPermissions

  • FsxDeletePermissions

  • FsxDescribePermissions

  • FsxVolumeTagPermissions

  • FsxBackupTagPermissions

  • FsxVolumePermissions

  • DSPermissions

  • KMSDescribePermissions

Backup

Start with the following statements from AWSBackupServiceRolePolicyForBackup:

  • DynamoDBBackupPermissions

  • RDSClusterModifyPermissions

  • GetResourcesPermissions

  • BackupVaultPermissions

  • KMSPermissions

Restore

Start with the RDSPermissions statement from AWSBackupServiceRolePolicyForRestores.

Backup

Start with the following statements from AWSBackupServiceRolePolicyForBackup:

  • DynamoDBBackupPermissions

  • RDSBackupPermissions

  • RDSClusterModifyPermissions

  • GetResourcesPermissions

  • BackupVaultPermissions

  • KMSPermissions

Restore

Start with the RDSPermissions statement from AWSBackupServiceRolePolicyForRestores.
Backup

Start with AWSBackupServiceRolePolicyForS3Backup.

Add the BackupVaultPermissions and BackupVaultCopyPermissions statements if you need to copy backups to a different account.

Restore

Start with AWSBackupServiceRolePolicyForS3Restore.

Backup

Start with the following statements from AWSBackupServiceRolePolicyForBackup:

  • StorageGatewayPermissions

  • EBSTagAndDeletePermissions

  • GetResourcesPermissions

  • BackupVaultPermissions

Add the following statement.

{
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSnapshots"
      ],
      "Resource":"*"
},
Restore

Start with the following statements from AWSBackupServiceRolePolicyForRestores:

  • StorageGatewayVolumePermissions

  • StorageGatewayGatewayPermissions

  • StorageGatewayListPermissions
Backup

Start with the BackupGatewayBackupPermissions statement from AWSBackupServiceRolePolicyForBackup.

Restore

Start with the GatewayRestorePermissions statement from AWSBackupServiceRolePolicyForRestores.

Encrypted backup

To restore an encrypted backup, do one of the following

  • Add your role to the allowlist for the AWS KMS key policy

  • Add the following statements from AWSBackupServiceRolePolicyForRestores to your IAM role for restores:

    • KMSDescribePermissions

    • KMSPermissions

    • KMSCreateGrantPermissions

Policy updates for AWS Backup

View details about updates to AWS managed policies for AWS Backup since this service began tracking these changes.

Change Description Date
AWSBackupServiceLinkedRolePolicyForBackup – Update to an existing policy

AWS Backup added the permission rds:AddTagsToResource to support Amazon RDS multi-tenant snapshot cross-account copy of backups.

This permission is necessary to complete operations when a customer chooses to create a cross-account copy of a multi-tenant RDS snapshot.

 January 8, 2025
AWSBackupServiceRolePolicyForRestores – Update to an existing policy

AWS Backup added the permissions rds:CreateTenantDatabase and rds:DeleteTenantDatabase to this policy to support the restore process of Amazon RDS resources.

These permissions are necessary to complete customer operations for restoring multi-tenant snapshots.

 January 8, 2025
AWSBackupServiceRolePolicyForItemRestores – Added a new AWS managed policy AWS Backup added the AWSBackupServiceRolePolicyForItemRestores AWS managed policy. November 26, 2024
AWSBackupServiceRolePolicyForIndexing – Added a new AWS managed policy AWS Backup added the AWSBackupServiceRolePolicyForIndexing AWS managed policy. November 26, 2024
AWSBackupServiceRolePolicyForBackup – Update to an existing policy

AWS Backup added permission backup:TagResource to this policy.

The permission is necessary to obtain tagging permissions during the creation of a recovery point.

 May 17, 2024
AWSBackupServiceRolePolicyForS3Backup – Update to an existing policy

AWS Backup added permission backup:TagResource to this policy.

The permission is necessary to obtain tagging permissions during the creation of a recovery point.

 May 17, 2024
AWSBackupServiceLinkedRolePolicyForBackup – Update to an existing policy

AWS Backup added permission backup:TagResource to this policy.

The permission is necessary to obtain tagging permissions during the creation of a recovery point.

 May 17, 2024
AWSBackupServiceRolePolicyForBackup – Update to an existing policy

Added the permission rds:DeleteDBInstanceAutomatedBackups.

This permission is necessary for AWS Backup to support continuous backup and point-in-time-restore of Amazon RDS instances.

 May 1, 2024
AWSBackupFullAccess – Update to an existing policy

AWS Backup updated the Amazon Resource Name (ARN) in permission storagegateway:ListVolumes from arn:aws:storagegateway:*:*:gateway/* to * in order to accommodate a change in the Storage Gateway API model.

 May 1, 2024
AWSBackupOperatorAccess – Update to an existing policy

AWS Backup updated the Amazon Resource Name (ARN) in permission storagegateway:ListVolumes from arn:aws:storagegateway:*:*:gateway/* to * in order to accommodate a change in the Storage Gateway API model.

 May 1, 2024
AWSServiceRolePolicyForBackupRestoreTesting – Update to an existing policy

Added the following permissions to describe and list recovery points and protected resources in order to conduct restore testing plans: backup:DescribeRecoveryPoint, backup:DescribeProtectedResource, backup:ListProtectedResources, and backup:ListRecoveryPointsByResource.

Added the permission ec2:DescribeSnapshotTierStatus to support Amazon EBS archive tier storage.

Added the permission rds:DescribeDBClusterAutomatedBackups to support Amazon Aurora continuous backups.

Added the following permissions to support restore testing of Amazon Redshift backups: redshift:DescribeClusters and redshift:DeleteCluster.

Added the permission timestream:DeleteTable to support restore testing of Amazon Timestream backups.

 February 14, 2024
AWSBackupServiceRolePolicyForRestores – Update to an existing policy

Added the permissions ec2:DescribeSnapshotTierStatus and ec2:RestoreSnapshotTier.

These permissions are necessary for users to have the option to restore Amazon EBS resources stored with AWS Backup from archive storage.

For EC2 instance restores, you must also include permissions as shown in the following policy statement to launch the EC2 instance:

 November 27, 2023
AWSBackupServiceRolePolicyForBackup – Update to an existing policy

Added the permissions ec2:DescribeSnapshotTierStatus and ec2:ModifySnapshotTier to support an additional storage option for backed up Amazon EBS resources to be transitioned to the archive storage tier.

These permissions are necessary for users to have the option to transition Amazon EBS resources stored with AWS Backup to archive storage.

 November 27, 2023
AWSBackupServiceLinkedRolePolicyForBackup – Update to an existing policy

Added the permissions ec2:DescribeSnapshotTierStatus and ec2:ModifySnapshotTier to support an additional storage option for backed up Amazon EBS resources to be transitioned to the archive storage tier.

These permissions are necessary for users to have the option to transition Amazon EBS resources stored with AWS Backup to archive storage.

Added the permissions rds:DescribeDBClusterSnapshots and rds:RestoreDBClusterToPointInTime, which is necessary for PITR (point-in-time restores) of Aurora clusters.
AWSServiceRolePolicyForBackupRestoreTesting – New policy

Provides the permissions necessary to conduct restore testing. The permissions include the actions list, read, and write for the following services to be included in restore tests: Aurora, DocumentDB, DynamoDB, Amazon EBS, Amazon EC2, Amazon EFS, FSx for Lustre, FSx for Windows File Server, FSx for ONTAP, FSx for OpenZFS, Amazon Neptune, Amazon RDS, and Amazon S3.

November 27, 2023
AWSBackupFullAccess – Update to an existing policy

Added restore-testing.backup.amazonaws.com to IamPassRolePermissions and IamCreateServiceLinkedRolePermissions. This addition is necessary for AWS Backup to conduct restore tests on behalf of customers.

November 27, 2023
AWSBackupServiceRolePolicyForRestores – Update to an existing policy

Added the permissions rds:DescribeDBClusterSnapshots and rds:RestoreDBClusterToPointInTime, which is necessary for PITR (point-in-time restores) of Aurora clusters.

 September 6, 2023
AWSBackupFullAccess – Update to an existing policy

Added the permission rds:DescribeDBClusterAutomatedBackups, which is necessary for continuous backup and point-in-time restore of Aurora clusters.

 September 6, 2023
AWSBackupOperatorAccess – Update to an existing policy

Added the permission rds:DescribeDBClusterAutomatedBackups, which is necessary for continuous backup and point-in-time restore of Aurora clusters.

 September 6, 2023
AWSBackupServiceRolePolicyForBackup – Update to an existing policy

Added the permission rds:DescribeDBClusterAutomatedBackups. This permission is necessary for AWS Backup support of continuous backup and point-in-time restore of Aurora clusters.

Added the permission rds:DeleteDBClusterAutomatedBackups to allow AWS Backup lifecycle to delete and disassociate Amazon Aurora continuous recovery points when a retention period finishes. This permission is necessary for the Aurora recovery point to avoid a transition into an EXIPIRED state.

Added the permission rds:ModifyDBCluster which allows AWS Backup to interact with Aurora clusters. This addition allows users the ability to enable or disable continuous backups based on desired configurations.

 September 6, 2023
AWSBackupFullAccess – Update to an existing policy

Added the action ram:GetResourceShareAssociations to grant the user permission to get resource share associations for new vault type.

 August 8, 2023
AWSBackupOperatorAccess – Update to an existing policy

Added the action ram:GetResourceShareAssociations to grant the user permission to get resource share associations for new vault type.

 August 8, 2023
AWSBackupServiceRolePolicyForS3Backup – Update to an existing policy

Added the permission s3:PutInventoryConfiguration to enhance backup performance speeds by using a bucket inventory.

 August 1, 2023
AWSBackupServiceRolePolicyForRestores – Update to an existing policy

Added the following actions to grant the user permissions to add tags to restore resources: storagegateway:AddTagsToResource, elasticfilesystem:TagResource, ec2:CreateTags for only ec2:CreateAction that includes either RunInstances or CreateVolume, fsx:TagResource, and cloudformation:TagResource.

 May 22, 2023
AWSBackupAuditAccess – Update to an existing policy

Replaced the resource selection within the API config:DescribeComplianceByConfigRule with a wildcard resource to make it easier for a user to select resources.

 April 11, 2023
AWSBackupServiceRolePolicyForRestores – Update to an existing policy

Added the following permission to restore Amazon EFS using a customer managed key: kms:GenerateDataKeyWithoutPlaintext. This helps to ensure users have required permissions to restore Amazon EFS resources.

 March 27, 2023
AWSServiceRolePolicyForBackupReports – Update to an existing policy

Updated the config:DescribeConfigRules and config:DescribeConfigRuleEvaluationStatus actions to allow AWS Backup Audit Manager to access AWS Backup Audit Manager-managed AWS Config rules.

 March 9, 2023
AWSBackupServiceRolePolicyForS3Restore – Update to an existing policy

Added the following permissions: kms:Decrypt, s3:PutBucketOwnershipControls, and s3:GetBucketOwnershipControls to the policy AWSBackupServiceRolePolicyForS3Restore. These permissions are necessary to support restores of objects when KMS encryption is used in the original backup and for restoring objects when object ownership is configured on the original bucket instead of ACL.

 February 13, 2023
AWSBackupFullAccess – Update to an existing policy

Added the following permissions to schedule backups using VMware tags of virtual machines and to support schedule-based bandwidth throttling: backup-gateway:GetHypervisorPropertyMappings, backup-gateway:GetVirtualMachine, backup-gateway:PutHypervisorPropertyMappings, backup-gateway:GetHypervisor, backup-gateway:StartVirtualMachinesMetadataSync, backup-gateway:GetBandwidthRateLimitSchedule, and backup-gateway:PutBandwidthRateLimitSchedule.

 December 15, 2022
AWSBackupOperatorAccess – Update to an existing policy

Added the following permissions to schedule backups using VMware tags of virtual machines and to support schedule-based bandwidth throttling: backup-gateway:GetHypervisorPropertyMappings, backup-gateway:GetVirtualMachine, backup-gateway:GetHypervisor, and backup-gateway:GetBandwidthRateLimitSchedule.

 December 15, 2022
AWSBackupGatewayServiceRolePolicyForVirtualMachineMetadataSync – New policy

Provides permissions for AWS Backup Gateway to sync the metadata of virtual machines in on-premise networks with Backup Gateway.

 December 15, 2022
AWSBackupServiceRolePolicyForBackup – Update to an existing policy

Added the following permissions to support Timestream backup jobs: timestream:StartAwsBackupJob, timestream:GetAwsBackupStatus, timestream:ListTables, timestream:ListDatabases, timestream:ListTagsForResource, timestream:DescribeTable, timestream:DescribeDatabase, and timestream:DescribeEndpoints.

 December 13, 2022
AWSBackupServiceRolePolicyForRestores – Update to an existing policy

Added the following permissions to support Timestream restore jobs: timestream:StartAwsRestoreJob, timestream:GetAwsRestoreStatus, timestream:ListTables, timestream:ListTagsForResource, timestream:ListDatabases, timestream:DescribeTable, timestream:DescribeDatabase, s3:GetBucketAcl, and timestream:DescribeEndpoints.

 December 13, 2022
AWSBackupFullAccess – Update to an existing policy

Added the following permissions to support Timestream resources: timestream:ListTables, timestream:ListDatabases, s3:ListAllMyBuckets and timestream:DescribeEndpoints.

 December 13, 2022
AWSBackupOperatorAccess – Update to an existing policy

Added the following permissions to support Timestream resources: timestream:ListDatabases, timestream:ListTables, s3:ListAllMyBuckets, and timestream:DescribeEndpoints.

 December 13, 2022
AWSBackupServiceLinkedRolePolicyForBackup – Update to an existing policy

Added the following permissions to support Timestream resources: timestream:ListDatabases, timestream:ListTables, timestream:ListTagsForResource, timestream:DescribeDatabase, timestream:DescribeTable, timestream:GetAwsBackupStatus, timestream:GetAwsRestoreStatus, and timestream:DescribeEndpoints.

 December 13, 2022
AWSBackupFullAccess – Update to an existing policy

Added the following permissions to support Amazon Redshift resources: redshift:DescribeClusters, redshift:DescribeClusterSubnetGroups, redshift:DescribeNodeConfigurationOptions, redshift:DescribeOrderableClusterOptions, redshift:DescribeClusterParameterGroups, redshift:DescribeClusterTracks, redshift:DescribeSnapshotSchedules, and ec2:DescribeAddresses.

 November 27, 2022
AWSBackupOperatorAccess – Update to an existing policy

Added the following permissions to support Amazon Redshift resources: redshift:DescribeClusters, redshift:DescribeClusterSubnetGroups, redshift:DescribeNodeConfigurationOptions, redshift:DescribeOrderableClusterOptions, redshift:DescribeClusterParameterGroups,, redshift:DescribeClusterTracks. redshift:DescribeSnapshotSchedules, and ec2:DescribeAddresses.

 November 27, 2022
AWSBackupServiceRolePolicyForRestores – Update to an existing policy

Added the following permissions to support Amazon Redshift restore jobs: redshift:RestoreFromCluster Snapshot, redshift:RestoreTableFromClusterSnapshot, redshift:DescribeClusters, and redshift:DescribeTableRestoreStatus.

 November 27, 2022
AWSBackupServiceRolePolicyForBackup – Update to an existing policy

Added the following permissions to support Amazon Redshift backup jobs: redshift:CreateClusterSnapshot, redshift:DescribeClusterSnapshots, redshift:DescribeTags, redshift:DeleteClusterSnapshot, redshift:DescribeClusters, and redshift:CreateTags.

 November 27, 2022
AWSBackupFullAccess – Update to an existing policy

Added the following permission to support CloudFormation resources: cloudformation:ListStacks.

 November 27, 2022
AWSBackupOperatorAccess – Update to an existing policy

Added the following permission to support CloudFormation resources: cloudformation:ListStacks.

 November 27, 2022
AWSBackupServiceLinkedRolePolicyForBackup – Update to an existing policy

Added the following permissions to support CloudFormation resources: redshift:DescribeClusterSnapshots, redshift:DescribeTags, redshift:DeleteClusterSnapshot, and redshift:DescribeClusters.

 November 27, 2022
AWSBackupServiceRolePolicyForBackup – Update to an existing policy

Added the following permissions to support AWS CloudFormation application stack backup jobs: cloudformation:GetTemplate, cloudformation:DescribeStacks, and cloudformation:ListStackResources.

 November 16, 2022
AWSBackupServiceRolePolicyForRestores – Update to an existing policy

Added the following permissions to support AWS CloudFormation application stack backup jobs: cloudformation:CreateChangeSet and cloudformation:DescribeChangeSet

 November 16, 2022
AWSBackupOrganizationAdminAccess – Update to an existing policy

Added the following permissions to this policy to allow organization administrators to usethe Delegated Administrator feature: organizations:ListDelegatedAdministrator, organizations:RegisterDelegatedAdministrator, and organizations:DeregisterDelegatedAdministrator

 November 27, 2022
AWSBackupServiceRolePolicyForBackup – Update to an existing policy

Added the following permissions to support SAP HANA on Amazon EC2 instances: ssm-sap:GetOperation, ssm-sap:ListDatabases, ssm-sap:BackupDatabase, ssm-sap:UpdateHanaBackupSettings, ssm-sap:GetDatabase, and ssm-sap:ListTagsForResource.

November 20, 2022
AWSBackupFullAccess – Update to an existing policy

Added the following permissions to support SAP HANA on Amazon EC2 instances: ssm-sap:GetOperation, ssm-sap:ListDatabases, ssm-sap:GetDatabase, and ssm-sap:ListTagsForResource.

November 20, 2022
AWSBackupOperatorAccess – Update to an existing policy

Added the following permissions to support SAP HANA on Amazon EC2 instances: ssm-sap:GetOperation, ssm-sap:ListDatabases, ssm-sap:GetDatabase, and ssm-sap:ListTagsForResource.

November 20, 2022
AWSBackupServiceLinkedRolePolicyForBackup – Update to an existing policy

Added the following permission to support SAP HANA on Amazon EC2 instances: ssm-sap:GetOperation.

November 20, 2022
AWSBackupServiceRolePolicyForRestores – Update to an existing policy

Added the following permission to support Backup gateway restore jobs to an EC2 instance: ec2:CreateTags.

November 20, 2022
AWSBackupDataTransferAccess – Update to an existing policy

Added the following permissions to support secure storage data transfer for SAP HANA On Amazon EC2 resources: backup-storage:StartObject, backup-storage:PutChunk, backup-storage:GetChunk, backup-storage:ListChunks, backup-storage:ListObjects, backup-storage:GetObjectMetadata, and backup-storage:NotifyObjectComplete.

 November 20, 2022
AWSBackupRestoreAccessForSAPHANA – Update to an existing policy

Added the following permissions for resource owners to perform restore of SAP HANA On Amazon EC2 resources: backup:Get*, backup:List*, backup:Describe*, backup:StartBackupJob, backup:StartRestoreJob, ssm-sap:GetOperation, ssm-sap:ListDatabases, ssm-sap:BackupDatabase, ssm-sap:RestoreDatabase, ssm-sap:UpdateHanaBackupSettings, ssm-sap:GetDatabase, and ssm-sap:ListTagsForResource.

 November 20, 2022
AWSBackupServiceRolePolicyForS3Backup – Update to an existing policy

Added the permission s3:GetBucketAcl to support backup operations of AWS Backup for Amazon S3.

 August 24, 2022
AWSBackupServiceRolePolicyForRestores – Update to an existing policy

Added the following actions to grant access to create a database instance to support multi-Availability Zone (Multi-AZ) functionality: rds:CreateDBInstance.

 July 20, 2022
AWSBackupServiceLinkedRolePolicyForBackup – Update to an existing policy

Added the s3:GetBucketTagging permission to grant the user permission to select buckets to backup with a resource wildcard. Without this permission, users who select which buckets to backup with a resource wildcard are unsuccessful.

 May 6, 2022
AWSBackupServiceRolePolicyForBackup – Update to an existing policy

Added volume resources in the scope of existing fsx:CreateBackup and fsx:ListTagsForResource actions, and added new action fsx:DescribeVolumes to support FSx for ONTAP volume level backups.

 April 27, 2022
AWSBackupServiceRolePolicyForRestores – Update to an existing policy

Added the following actions to grant the users permissions to restore FSx for ONTAP volumes fsx:DescribeVolumes, fsx:CreateVolumeFromBackup, fsx:DeleteVolume, and fsx:UntagResource.

 April 27, 2022
AWSBackupServiceRolePolicyForS3Backup – Update to an existing policy

Added the following actions to grant the user permissions to receive notifications of changes to their Amazon S3 buckets during backup operations: s3:GetBucketNotification and s3:PutBucketNotification.

 February 25, 2022
AWSBackupServiceRolePolicyForS3Backup – New policy

Added the following actions to grant the user permissions to back up their Amazon S3 buckets: s3:GetInventoryConfiguration, s3:PutInventoryConfiguration, s3:ListBucketVersions, s3:ListBucket, s3:GetBucketTagging, s3:GetBucketVersioning, s3:GetBucketNotification,s3:GetBucketLocation, and s3:ListAllMyBuckets

Added the following actions to grant the user permissions to back up their Amazon S3 objects: s3:GetObject,s3GetObjectAcl, s3:GetObjectVersionTagging, s3:GetObjectVersionAcl, s3:GetObjectTagging, and s3:GetObjectVersion.

Added the following actions to grant the user permissions to back up their encrypted Amazon S3 data: kms:Decrypt and kms:DescribeKey.

Added the following actions to grant the user permissions to take incremental backups of their Amazon S3 data using Amazon EventBridge rules: events:DescribeRule, events:EnableRule, events:PutRule, events:DeleteRule, events:PutTargets, events:RemoveTargets, events:ListTargetsByRule, events:DisableRule, cloudwatch:GetMetricData, and events:ListRules.

 February 17, 2022
AWSBackupServiceRolePolicyForS3Restore – New policy

Added the following actions to grant the user permissions to restore their Amazon S3 buckets: s3:CreateBucket, s3:ListBucketVersions, s3:ListBucket, s3:GetBucketVersioning, s3:GetBucketLocation, and s3:PutBucketVersioning.

Added the following actions to grant the user permissions to restore their Amazon S3 buckets: s3:GetObject, s3:GetObjectVersion, s3:DeleteObject, s3:PutObjectVersionAcl, s3:GetObjectVersionAcl, s3:GetObjectTagging, s3:PutObjectTagging, s3:GetObjectAcl, s3:PutObjectAcl, s3:PutObject, and s3:ListMultipartUploadParts.

Added the following actions to grant the user permissions to encrypt their restored Amazon S3 data: kms:Decrypt, kms:DescribeKey, and kms:GenerateDataKey.

 February 17, 2022
AWSBackupServiceLinkedRolePolicyForBackup – Update to an existing policy

Added s3:ListAllMyBuckets to grant the user permissions to view a list of their buckets and choose which ones to assign to a backup plan.

 February 14, 2022
AWSBackupServiceLinkedRolePolicyForBackup – Update to an existing policy

Added backup-gateway:ListVirtualMachines to grant the user permissions to view a list of their virtual machines and choose which ones to assign to a backup plan.

Added backup-gateway:ListTagsForResource to grant the user permissions to list the tags for their virtual machines.

 November 30, 2021
AWSBackupServiceRolePolicyForBackup – Update to an existing policy

Added backup-gateway:Backup to grant the user permissions restore their virtual machine backups. AWS Backup also added backup-gateway:ListTagsForResource to grant the user permissions to list the tags assigned to their virtual machine backups.

 November 30, 2021
AWSBackupServiceRolePolicyForRestores – Update to an existing policy

Added backup-gateway:Restore to grant the user permissions restore their virtual machine backups.

 November 30, 2021
AWSBackupFullAccess – Update to an existing policy

Added the following actions to grant the users permissions to use AWS Backup Gateway to back up, restore, and manage their virtual machines: backup-gateway:AssociateGatewayToServer, backup-gateway:CreateGateway, backup-gateway:DeleteGateway, backup-gateway:DeleteHypervisor, backup-gateway:DisassociateGatewayFromServer, backup-gateway:ImportHypervisorConfiguration, backup-gateway:ListGateways, backup-gateway:ListHypervisors, backup-gateway:ListTagsForResource, backup-gateway:ListVirtualMachines, backup-gateway:PutMaintenanceStartTime, backup-gateway:TagResource, backup-gateway:TestHypervisorConfiguration, backup-gateway:UntagResource, backup-gateway:UpdateGatewayInformation, and backup-gateway:UpdateHypervisor.

 November 30, 2021
AWSBackupOperatorAccess – Update to an existing policy

Added the following actions to grant the user permissions to back up their virtual machines: backup-gateway:ListGateways, backup-gateway:ListHypervisors, backup-gateway:ListTagsForResource, and backup-gateway:ListVirtualMachines.

 November 30, 2021
AWSBackupServiceLinkedRolePolicyForBackup – Update to an existing policy

Added dynamodb:ListTagsOfResource to grant the user permissions to list tags of their DynamoDB tables to back up using AWS Backup's advanced DynamoDB backup features.

 November 23, 2021
AWSBackupServiceRolePolicyForBackup – Update to an existing policy

Added dynamodb:StartAwsBackupJob to grant the user permissions to back up their DynamoDB tables using advanced backup features.

Added dynamodb:ListTagsOfResource to grant the user to permissions to copy tags from their source DynamoDB tables to their backups.

 November 23, 2021
AWSBackupServiceRolePolicyForRestores – Update to an existing policy

Added dynamodb:RestoreTableFromAwsBackup to grant the user permissions restore their DynamoDB tables backed up using AWS Backup's advanced DynamoDB advanced backup features.

 November 23, 2021
AWSBackupServiceRolePolicyForRestores – Update to an existing policy

Added dynamodb:RestoreTableFromAwsBackup to grant the user permissions restore their DynamoDB tables backed up using AWS Backup's advanced DynamoDB advanced backup features.

 November 23, 2021
AWSBackupOperatorAccess – Update to an existing policy

Removed the actions backup:GetRecoveryPointRestoreMetadata and rds:DescribeDBSnapshots because they were redundant.

AWS Backup did not need both backup:GetRecoveryPointRestoreMetadata and backup:Get* as part of AWSBackupOperatorAccess. Also, AWS Backup did not need both rds:DescribeDBSnapshots and rds:describeDBSnapshots as part of AWSBackupOperatorAccess.

 November 23, 2021
AWSBackupServiceLinkedRolePolicyForBackup – Update to an existing policy

Added the new actions elasticfilesystem:DescribeFileSystems, dynamodb:ListTables, storagegateway:ListVolumes, ec2:DescribeVolumes, ec2:DescribeInstances, rds:DescribeDBInstances, rds:DescribeDBClusters, and fsx:DescribeFileSystems to allow customers to view and choose from a list of their AWS Backup-supported resources when selecting which resources to assign to a backup plan.

 November 10, 2021
AWSBackupAuditAccess – New policy

Added AWSBackupAuditAccess to grant the user permissions to use AWS Backup Audit Manager. Permissions include the ability to configure compliance frameworks and generate reports.

 August 24, 2021
AWSServiceRolePolicyForBackupReports – New policy

Added AWSServiceRolePolicyForBackupReports to grant permissions for a service-linked role to automate the monitoring of backup settings, jobs, and resources for compliance with frameworks configured by the user.

 August 24, 2021
AWSBackupFullAccess – Update to an existing policy

Added iam:CreateServiceLinkedRole to create a service-linked role (on a best-effort basis) to automate the deletion of expired recovery points for you. Without this service-linked role, AWS Backup cannot delete expired recovery points after customers delete the original IAM role they used to create their recovery points.

 July 5, 2021
AWSBackupServiceLinkedRolePolicyForBackup – Update to an existing policy

Added the new action dynamodb:DeleteBackup to grant DeleteRecoveryPoint permission to automate the deletion of expired DynamoDB recovery points based on your backup plan lifecycle settings.

 July 5, 2021
AWSBackupOperatorAccess – Update to an existing policy

Removed the actions backup:GetRecoveryPointRestoreMetadata and rds:DescribeDBSnapshots because they were redundant.

AWS Backup did not need both backup:GetRecoveryPointRestoreMetadata and backup:Get* as part of AWSBackupOperatorAccess Also, AWS Backup did not need both rds:DescribeDBSnapshots and rds:describeDBSnapshots as part of AWSBackupOperatorAccess

 May 25, 2021
AWSBackupOperatorAccess – Update to an existing policy

Removed the actions backup:GetRecoveryPointRestoreMetadata and rds:DescribeDBSnapshots because they were redundant.

AWS Backup did not need both backup:GetRecoveryPointRestoreMetadata and backup:Get* as part of AWSBackupOperatorAccess. Also, AWS Backup did not need both rds:DescribeDBSnapshots and rds:describeDBSnapshots as part of AWSBackupOperatorAccess.

 May 25, 2021
AWSBackupServiceRolePolicyForRestores – Update to an existing policy

Added the new action fsx:TagResource to grant StartRestoreJob permission to allow you to apply tags to Amazon FSx file systems during the restore process.

 May 24, 2021
AWSBackupServiceRolePolicyForRestores – Update to an existing policy

Added the new actions ec2:DescribeImages and ec2:DescribeInstances to grant StartRestoreJob permission to allow you to restore Amazon EC2 instances from recovery points.

 May 24, 2021
AWSBackupServiceRolePolicyForBackup – Update to an existing policy

Added the new action fsx:CopyBackup to grant StartCopyJob permission to allow you to copy Amazon FSx recovery points across Regions and accounts.

 April 12, 2021
AWSBackupServiceLinkedRolePolicyForBackup – Update to an existing policy

Added the new action fsx:CopyBackup to grant StartCopyJob permission to allow you to copy Amazon FSx recovery points across Regions and accounts.

 April 12, 2021
AWSBackupServiceRolePolicyForBackup – Update to an existing policy

Updated to comply with the following requirement:

For AWS Backup to create a backup of an encrypted DynamoDB table, you must add the permissions kms:Decrypt and kms:GenerateDataKey to the IAM role used for backup.

 March 10, 2021
AWSBackupFullAccess – Update to an existing policy

Updated to comply with the following requirements:

To use AWS Backup to configure continuous backups for your Amazon RDS database, verify the API permission rds:ModifyDBInstance exists in the IAM role defined by your Backup plan configuration.

To restore Amazon RDS continuous backups, you must add the permission rds:RestoreDBInstanceToPointInTime to the IAM role you submitted for restore job.

In the AWS Backup console, to describe the range of times available for point-in-time recovery, you must include the rds:DescribeDBInstanceAutomatedBackups API permission in your IAM-managed policy.

 March 10, 2021

AWS Backup started tracking changes

AWS Backup started tracking changes for its AWS-managed policies.

 March 10, 2021