AWSBackupServiceRolePolicyForBackup
Description: Provides AWS Backup permission to create backups on your behalf across AWS services
AWSBackupServiceRolePolicyForBackup
is an AWS managed policy.
Using this policy
You can attach AWSBackupServiceRolePolicyForBackup
to your users, groups, and roles.
Policy details
-
Type: Service role policy
-
Creation time: January 10, 2019, 21:01 UTC
-
Edited time: September 27, 2024, 20:02 UTC
-
ARN:
arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
Policy version
Policy version: v20 (default)
The policy's default version is the version that defines the permissions for the policy. When a user or role with the policy makes a request to access an AWS resource, AWS checks the default version of the policy to determine whether to allow the request.
JSON policy document
{ "Version" : "2012-10-17", "Statement" : [ { "Sid" : "DynamoDBPermissions", "Effect" : "Allow", "Action" : [ "dynamodb:DescribeTable", "dynamodb:CreateBackup" ], "Resource" : "arn:aws:dynamodb:*:*:table/*" }, { "Sid" : "DynamoDBBackupResourcePermissions", "Effect" : "Allow", "Action" : [ "dynamodb:DescribeBackup", "dynamodb:DeleteBackup" ], "Resource" : "arn:aws:dynamodb:*:*:table/*/backup/*" }, { "Sid" : "DynamoDBBackupPermissions", "Effect" : "Allow", "Action" : [ "rds:AddTagsToResource", "rds:ListTagsForResource", "rds:DescribeDBSnapshots", "rds:CreateDBSnapshot", "rds:CopyDBSnapshot", "rds:DescribeDBInstances", "rds:CreateDBClusterSnapshot", "rds:DescribeDBClusters", "rds:DescribeDBClusterSnapshots", "rds:CopyDBClusterSnapshot", "rds:DescribeDBClusterAutomatedBackups" ], "Resource" : "*" }, { "Sid" : "RDSInstanceAutomatedBackupPermissions", "Effect" : "Allow", "Action" : "rds:DeleteDBInstanceAutomatedBackup", "Resource" : "arn:aws:rds:*:*:auto-backup:*" }, { "Sid" : "RDSClusterPermissions", "Effect" : "Allow", "Action" : [ "rds:ModifyDBCluster" ], "Resource" : [ "arn:aws:rds:*:*:cluster:*" ] }, { "Sid" : "RDSClusterBackupPermissions", "Effect" : "Allow", "Action" : "rds:DeleteDBClusterAutomatedBackup", "Resource" : "arn:aws:rds:*:*:cluster-auto-backup:*" }, { "Sid" : "RDSModifyPermissions", "Effect" : "Allow", "Action" : [ "rds:ModifyDBInstance" ], "Resource" : [ "arn:aws:rds:*:*:db:*" ] }, { "Sid" : "RDSBackupPermissions", "Effect" : "Allow", "Action" : [ "rds:DeleteDBSnapshot", "rds:ModifyDBSnapshotAttribute" ], "Resource" : [ "arn:aws:rds:*:*:snapshot:awsbackup:*" ] }, { "Sid" : "RDSClusterModifyPermissions", "Effect" : "Allow", "Action" : [ "rds:DeleteDBClusterSnapshot", "rds:ModifyDBClusterSnapshotAttribute" ], "Resource" : [ "arn:aws:rds:*:*:cluster-snapshot:awsbackup:*" ] }, { "Sid" : "StorageGatewayPermissions", "Effect" : "Allow", "Action" : [ "storagegateway:CreateSnapshot", "storagegateway:ListTagsForResource" ], "Resource" : "arn:aws:storagegateway:*:*:gateway/*/volume/*" }, { "Sid" : "EBSCopyPermissions", "Effect" : "Allow", "Action" : [ "ec2:CopySnapshot" ], "Resource" : "arn:aws:ec2:*::snapshot/*" }, { "Sid" : "EC2CopyPermissions", "Effect" : "Allow", "Action" : [ "ec2:CopyImage" ], "Resource" : "*" }, { "Sid" : "EBSTagAndDeletePermissions", "Effect" : "Allow", "Action" : [ "ec2:CreateTags", "ec2:DeleteSnapshot" ], "Resource" : "arn:aws:ec2:*::snapshot/*" }, { "Sid" : "EC2Permissions", "Effect" : "Allow", "Action" : [ "ec2:CreateImage", "ec2:DeregisterImage", "ec2:DescribeSnapshots", "ec2:DescribeTags", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceCreditSpecifications", "ec2:DescribeNetworkInterfaces", "ec2:DescribeElasticGpus", "ec2:DescribeSpotInstanceRequests", "ec2:DescribeSnapshotTierStatus" ], "Resource" : "*" }, { "Sid" : "EC2TagPermissions", "Effect" : "Allow", "Action" : [ "ec2:CreateTags" ], "Resource" : "arn:aws:ec2:*:*:image/*" }, { "Sid" : "EC2ModifyPermissions", "Effect" : "Allow", "Action" : [ "ec2:ModifySnapshotAttribute", "ec2:ModifyImageAttribute" ], "Resource" : "*", "Condition" : { "Null" : { "aws:ResourceTag/aws:backup:source-resource" : "false" } } }, { "Sid" : "EBSSnapshotTierPermissions", "Effect" : "Allow", "Action" : [ "ec2:ModifySnapshotTier" ], "Resource" : "arn:aws:ec2:*::snapshot/*", "Condition" : { "Null" : { "aws:ResourceTag/aws:backup:source-resource" : "false" } } }, { "Sid" : "BackupVaultPermissions", "Effect" : "Allow", "Action" : [ "backup:DescribeBackupVault", "backup:CopyIntoBackupVault" ], "Resource" : "arn:aws:backup:*:*:backup-vault:*" }, { "Sid" : "BackupVaultCopyPermissions", "Effect" : "Allow", "Action" : [ "backup:CopyFromBackupVault" ], "Resource" : "*" }, { "Sid" : "EFSPermissions", "Effect" : "Allow", "Action" : [ "elasticfilesystem:Backup", "elasticfilesystem:DescribeTags" ], "Resource" : "arn:aws:elasticfilesystem:*:*:file-system/*" }, { "Sid" : "EBSResourcePermissions", "Effect" : "Allow", "Action" : [ "ec2:CreateSnapshot", "ec2:DeleteSnapshot", "ec2:DescribeVolumes", "ec2:DescribeSnapshots" ], "Resource" : [ "arn:aws:ec2:*::snapshot/*", "arn:aws:ec2:*:*:volume/*" ] }, { "Sid" : "KMSDynamoDBPermissions", "Effect" : "Allow", "Action" : [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource" : "*", "Condition" : { "StringLike" : { "kms:ViaService" : [ "dynamodb.*.amazonaws.com" ] } } }, { "Sid" : "KMSPermissions", "Effect" : "Allow", "Action" : "kms:DescribeKey", "Resource" : "*" }, { "Sid" : "KMSCreateGrantPermissions", "Effect" : "Allow", "Action" : "kms:CreateGrant", "Resource" : "*", "Condition" : { "Bool" : { "kms:GrantIsForAWSResource" : "true" } } }, { "Sid" : "KMSDataKeyEC2Permissions", "Effect" : "Allow", "Action" : [ "kms:GenerateDataKeyWithoutPlaintext" ], "Resource" : "arn:aws:kms:*:*:key/*", "Condition" : { "StringLike" : { "kms:ViaService" : [ "ec2.*.amazonaws.com" ] } } }, { "Sid" : "GetResourcesPermissions", "Effect" : "Allow", "Action" : [ "tag:GetResources" ], "Resource" : "*" }, { "Sid" : "SSMPermissions", "Effect" : "Allow", "Action" : [ "ssm:CancelCommand", "ssm:GetCommandInvocation" ], "Resource" : "*" }, { "Sid" : "SSMSendPermissions", "Effect" : "Allow", "Action" : "ssm:SendCommand", "Resource" : [ "arn:aws:ssm:*:*:document/AWSEC2-CreateVssSnapshot", "arn:aws:ec2:*:*:instance/*" ] }, { "Sid" : "FsxBackupPermissions", "Effect" : "Allow", "Action" : "fsx:DescribeBackups", "Resource" : "arn:aws:fsx:*:*:backup/*" }, { "Sid" : "FsxCreateBackupPermissions", "Effect" : "Allow", "Action" : "fsx:CreateBackup", "Resource" : [ "arn:aws:fsx:*:*:file-system/*", "arn:aws:fsx:*:*:backup/*", "arn:aws:fsx:*:*:volume/*" ] }, { "Sid" : "FsxPermissions", "Effect" : "Allow", "Action" : "fsx:DescribeFileSystems", "Resource" : "arn:aws:fsx:*:*:file-system/*" }, { "Sid" : "FsxVolumePermissions", "Effect" : "Allow", "Action" : "fsx:DescribeVolumes", "Resource" : "arn:aws:fsx:*:*:volume/*" }, { "Sid" : "FsxListTagsPermissions", "Effect" : "Allow", "Action" : "fsx:ListTagsForResource", "Resource" : [ "arn:aws:fsx:*:*:file-system/*", "arn:aws:fsx:*:*:volume/*" ] }, { "Sid" : "FsxDeletePermissions", "Effect" : "Allow", "Action" : "fsx:DeleteBackup", "Resource" : "arn:aws:fsx:*:*:backup/*" }, { "Sid" : "FsxResourcePermissions", "Effect" : "Allow", "Action" : [ "fsx:ListTagsForResource", "fsx:ManageBackupPrincipalAssociations", "fsx:CopyBackup", "fsx:TagResource" ], "Resource" : "arn:aws:fsx:*:*:backup/*" }, { "Sid" : "DynamodbBackupPermissions", "Effect" : "Allow", "Action" : [ "dynamodb:StartAwsBackupJob", "dynamodb:ListTagsOfResource" ], "Resource" : "arn:aws:dynamodb:*:*:table/*" }, { "Sid" : "BackupGatewayBackupPermissions", "Effect" : "Allow", "Action" : [ "backup-gateway:Backup", "backup-gateway:ListTagsForResource" ], "Resource" : "arn:aws:backup-gateway:*:*:vm/*" }, { "Sid" : "CloudformationStackPermissions", "Effect" : "Allow", "Action" : [ "cloudformation:ListStacks", "cloudformation:GetTemplate", "cloudformation:DescribeStacks", "cloudformation:ListStackResources" ], "Resource" : "arn:aws:cloudformation:*:*:stack/*/*" }, { "Sid" : "RedshiftCreatePermissions", "Effect" : "Allow", "Action" : [ "redshift:CreateClusterSnapshot", "redshift:DescribeClusterSnapshots", "redshift:DescribeTags" ], "Resource" : [ "arn:aws:redshift:*:*:snapshot:*/*", "arn:aws:redshift:*:*:cluster:*" ] }, { "Sid" : "RedshiftSnapshotPermissions", "Effect" : "Allow", "Action" : [ "redshift:DeleteClusterSnapshot" ], "Resource" : [ "arn:aws:redshift:*:*:snapshot:*/*" ] }, { "Sid" : "RedshiftPermissions", "Effect" : "Allow", "Action" : [ "redshift:DescribeClusters" ], "Resource" : [ "arn:aws:redshift:*:*:cluster:*" ] }, { "Sid" : "RedshiftResourcePermissions", "Effect" : "Allow", "Action" : [ "redshift:CreateTags" ], "Resource" : [ "arn:aws:redshift:*:*:snapshot:*/*" ] }, { "Sid" : "TimestreamResourcePermissions", "Effect" : "Allow", "Action" : [ "timestream:StartAwsBackupJob", "timestream:GetAwsBackupStatus", "timestream:ListTables", "timestream:ListDatabases", "timestream:ListTagsForResource", "timestream:DescribeTable", "timestream:DescribeDatabase" ], "Resource" : [ "arn:aws:timestream:*:*:database/*" ] }, { "Sid" : "TimestreamEndpointPermissions", "Effect" : "Allow", "Action" : [ "timestream:DescribeEndpoints" ], "Resource" : "*" }, { "Sid" : "SSMSAPPermissions", "Effect" : "Allow", "Action" : [ "ssm-sap:GetOperation", "ssm-sap:ListDatabases" ], "Resource" : "*" }, { "Sid" : "SSMSAPResourcePermissions", "Effect" : "Allow", "Action" : [ "ssm-sap:BackupDatabase", "ssm-sap:UpdateHanaBackupSettings", "ssm-sap:GetDatabase", "ssm-sap:ListTagsForResource" ], "Resource" : "arn:aws:ssm-sap:*:*:*" }, { "Sid" : "RecoveryPointTaggingPermissions", "Effect" : "Allow", "Action" : [ "backup:TagResource" ], "Resource" : "arn:aws:backup:*:*:recovery-point:*", "Condition" : { "StringEquals" : { "aws:PrincipalAccount" : "${aws:ResourceAccount}" } } } ] }