[CT.BACKUP.PV.3] Disallow modification of an AWS Backup resource that AWS Control Tower manages

This control limits creation or modification of AWS Backup resources that AWS Control Tower manages.

This is a preventive control with elective guidance. By default, this control is not enabled. Although you can see the control in the console, you can enable it only by activating AWS Backup capabilities for your landing zone.

AWS service: AWS Backup

Control metadata
  • Control objective: Protect configurations

  • Implementation: Service control policy (SCP)

  • Control behavior: Preventive

  • Control owner: AWS Control Tower

  • Control group:

  • Resource types: AWS::Backup::BackupPlan, AWS::Backup::BackupVault

Usage considerations
  • AWS Backup resources managed by AWS Control Tower should be modified using the AWS Control Tower API or console. API read actions for AWS Backup, such as ListBackupPlans and GetBackupVaultAccessPolicy, can be called directly.

  • If you apply a tag with the key aws-control-tower to an AWS Backup resource created independently of AWS Control Tower, the resource becomes subject to this SCP.

The artifact for this control is the following service control policy (SCP).

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CTBACKUPPV3",
            "Effect": "Deny",
            "Action": [
                "backup:CreateBackupPlan",
                "backup:CreateBackupSelection",
                "backup:CreateBackupVault",
                "backup:CreateLogicallyAirGappedBackupVault",
                "backup:DeleteBackupPlan",
                "backup:DeleteBackupSelection",
                "backup:DeleteBackupVault",
                "backup:DeleteBackupVaultAccessPolicy",
                "backup:DeleteBackupVaultLockConfiguration",
                "backup:DeleteBackupVaultSharingPolicy",
                "backup:PutBackupVaultAccessPolicy",
                "backup:PutBackupVaultLockConfiguration",
                "backup:PutBackupVaultSharingPolicy",
                "backup:UpdateBackupPlan"
            ],
            "Resource": [
                "arn:*:backup:*:*:backup-plan:*",
                "arn:*:backup:*:*:backup-vault:*"
            ],
            "Condition": {
                "ArnNotLike": {
                    "aws:PrincipalARN": "arn:*:iam::*:role/AWSControlTowerExecution"
                },
                "Null": {
                    "aws:ResourceTag/aws-control-tower": false
                }
            }
        }
    ]
}
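The following added example (not AWS code and not part of the original page) models when the CTBACKUPPV3 Deny applies, so the two usage considerations can be checked against concrete requests. It is a simplified stand-in for IAM policy evaluation; the function name, account ID, role name `ExampleAdmin`, resource names and tag value are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Action list, Resource patterns and condition values copied from the SCP above.
ACTIONS = {"backup:" + a.lower() for a in """
CreateBackupPlan CreateBackupSelection CreateBackupVault
CreateLogicallyAirGappedBackupVault DeleteBackupPlan DeleteBackupSelection
DeleteBackupVault DeleteBackupVaultAccessPolicy DeleteBackupVaultLockConfiguration
DeleteBackupVaultSharingPolicy PutBackupVaultAccessPolicy
PutBackupVaultLockConfiguration PutBackupVaultSharingPolicy UpdateBackupPlan
""".split()}
RESOURCES = ["arn:*:backup:*:*:backup-plan:*", "arn:*:backup:*:*:backup-vault:*"]
EXEMPT_PRINCIPAL = "arn:*:iam::*:role/AWSControlTowerExecution"
TAG_KEY = "aws-control-tower"

def scp_denies(action, resource_arn, principal_arn, resource_tags):
    """Return True when the Deny statement applies to the request.

    Simplified model: Action, Resource and both condition operators must all
    match (IAM combines the operators in a Condition block with AND).
    """
    action_match = action.lower() in ACTIONS  # action names are case-insensitive
    resource_match = any(fnmatchcase(resource_arn, p) for p in RESOURCES)
    # ArnNotLike: true unless the caller is the AWSControlTowerExecution role.
    not_exempt = not fnmatchcase(principal_arn, EXEMPT_PRINCIPAL)
    # "Null": false is true only when the tag key is present on the resource.
    tag_present = TAG_KEY in resource_tags
    return action_match and resource_match and not_exempt and tag_present

# Constructed sample values.
VAULT = "arn:aws:backup:us-east-1:111122223333:backup-vault:example-vault"
PLAN = "arn:aws:backup:us-east-1:111122223333:backup-plan:example-plan-id"
ADMIN = "arn:aws:iam::111122223333:role/ExampleAdmin"
CT_ROLE = "arn:aws:iam::111122223333:role/AWSControlTowerExecution"
MANAGED = {TAG_KEY: "example-value"}

def demo():
    """Evaluate a few constructed requests against the statement."""
    return {
        "admin updates managed plan": scp_denies("backup:UpdateBackupPlan", PLAN, ADMIN, MANAGED),
        "Control Tower role updates managed plan": scp_denies("backup:UpdateBackupPlan", PLAN, CT_ROLE, MANAGED),
        "admin reads managed vault policy": scp_denies("backup:GetBackupVaultAccessPolicy", VAULT, ADMIN, MANAGED),
        "admin deletes untagged vault": scp_denies("backup:DeleteBackupVault", VAULT, ADMIN, {}),
        "admin deletes vault after tagging it": scp_denies("backup:DeleteBackupVault", VAULT, ADMIN, MANAGED),
    }

if __name__ == "__main__":
    for request, denied in demo().items():
        print(f"{request}: {'Deny' if denied else 'not denied by this SCP'}")
```

A result of "not denied by this SCP" means only that this statement does not match; the request still needs an Allow from the identity's own policies and must pass any other SCPs.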