

# Controls for AWS Backup
<a name="backup-controls"></a>

When you enable AWS Backup in your AWS Control Tower landing zone, some preventive controls are activated in your environment. These controls protect the resources that AWS Backup needs to operate with AWS Control Tower. You cannot enable these controls if AWS Backup is not enabled for your landing zone.

**Topics**
+ [[CT.BACKUP.PV.1] Disallow modification of a tag that AWS Control Tower applies to AWS Backup resources](ct-backup-pv-1.md)
+ [[CT.BACKUP.PV.2] Disallow modification of an AWS Backup report plan that AWS Control Tower manages](ct-backup-pv-2.md)
+ [[CT.BACKUP.PV.3] Disallow modification of an AWS Backup resource that AWS Control Tower manages](ct-backup-pv-3.md)
+ [[CT.IAM.PV.1] Disallow modification of an AWS IAM role that AWS Control Tower utilizes to manage AWS Backup resources](ct-iam-pv-1.md)
+ [[CT.S3.PV.1] Disallow modification of an Amazon S3 bucket that stores AWS Backup reports for AWS Control Tower](ct-s3-pv-1.md)

# [CT.BACKUP.PV.1] Disallow modification of a tag that AWS Control Tower applies to AWS Backup resources
<a name="ct-backup-pv-1"></a>

This control limits changes to tags that AWS Control Tower applies to AWS Backup resources.

This is a preventive control with elective guidance. By default, this control is not enabled. Although you can see the control in the console, you can enable it only by activating AWS Backup capabilities for your landing zone.

**AWS service: **AWS Backup

**Control metadata**
+ **Control objective: **Protect configurations
+ **Implementation: **Service control policy (SCP)
+ **Control behavior: **Preventive
+ **Control owner: **AWS Control Tower
+ **Control group: **
+ **Resource types: **`Multiple`

**Usage considerations**  
AWS Backup resources managed by AWS Control Tower should be modified using the AWS Control Tower API or console. API read actions for AWS Backup, such as `ListBackupPlans` and `GetBackupVaultAccessPolicy`, can be utilized directly.
If you apply a tag with the key `aws-control-tower` to an AWS Backup resource created independently of AWS Control Tower, the resource becomes subject to this SCP.

 The artifact for this control is the following service control policy (SCP). 

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CTBACKUPPV1",
      "Effect": "Deny",
      "Action": [
        "backup:TagResource",
        "backup:UntagResource"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:*:iam::*:role/AWSControlTowerExecution"
        },
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": "aws-control-tower"
        }
      }
    }
  ]
}
```

------

# [CT.BACKUP.PV.2] Disallow modification of an AWS Backup report plan that AWS Control Tower manages
<a name="ct-backup-pv-2"></a>

This control limits changes to the AWS Backup report plan that AWS Control Tower manages.

This is a preventive control with elective guidance. By default, this control is not enabled. Although you can see the control in the console, you can enable it only by activating AWS Backup capabilities for your landing zone.

**AWS service: **AWS Backup

**Control metadata**
+ **Control objective: **Protect configurations
+ **Implementation: **Service control policy (SCP)
+ **Control behavior: **Preventive
+ **Control owner: **AWS Control Tower
+ **Control group: **
+ **Resource types: **`AWS::Backup::ReportPlan`

**Usage considerations**  
AWS Backup resources managed by AWS Control Tower should be modified using the AWS Control Tower API or console. API read actions for AWS Backup, such as `ListBackupPlans` and `GetBackupVaultAccessPolicy`, can be utilized directly.

 The artifact for this control is the following service control policy (SCP). 

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CTBACKUPPV2",
      "Effect": "Deny",
      "Action": [
        "backup:CreateReportPlan",
        "backup:DeleteReportPlan",
        "backup:UpdateReportPlan"
      ],
      "Resource": "arn:*:backup:*:*:report-plan:aws_controltower_*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": [
            "arn:*:iam::*:role/AWSControlTowerExecution"
          ]
        }
      }
    }
  ]
}
```

------

# [CT.BACKUP.PV.3] Disallow modification of an AWS Backup resource that AWS Control Tower manages
<a name="ct-backup-pv-3"></a>

This control limits creation or modification of AWS Backup resources that AWS Control Tower manages.

This is a preventive control with elective guidance. By default, this control is not enabled. Although you can see the control in the console, you can enable it only by activating AWS Backup capabilities for your landing zone.

**AWS service: **AWS Backup

**Control metadata**
+ **Control objective: **Protect configurations
+ **Implementation: **Service control policy (SCP)
+ **Control behavior: **Preventive
+ **Control owner: **AWS Control Tower
+ **Control group: **
+ **Resource types: **`AWS::Backup::BackupPlan`, `AWS::Backup::BackupVault`

**Usage considerations**  
AWS Backup resources managed by AWS Control Tower should be modified using the AWS Control Tower API or console. API read actions for AWS Backup, such as `ListBackupPlans` and `GetBackupVaultAccessPolicy`, can be utilized directly.
If you apply a tag with the key `aws-control-tower` to an AWS Backup resource created independently of AWS Control Tower, the resource becomes subject to this SCP.

 The artifact for this control is the following service control policy (SCP). 

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CTBACKUPPV3",
      "Effect": "Deny",
      "Action": [
        "backup:CreateBackupPlan",
        "backup:CreateBackupSelection",
        "backup:CreateBackupVault",
        "backup:CreateLogicallyAirGappedBackupVault",
        "backup:DeleteBackupPlan",
        "backup:DeleteBackupSelection",
        "backup:DeleteBackupVault",
        "backup:DeleteBackupVaultAccessPolicy",
        "backup:DeleteBackupVaultLockConfiguration",
        "backup:DeleteBackupVaultSharingPolicy",
        "backup:PutBackupVaultAccessPolicy",
        "backup:PutBackupVaultLockConfiguration",
        "backup:PutBackupVaultSharingPolicy",
        "backup:UpdateBackupPlan"
      ],
      "Resource": [
        "arn:*:backup:*:*:backup-plan:*",
        "arn:*:backup:*:*:backup-vault:*"
      ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:*:iam::*:role/AWSControlTowerExecution"
        },
        "Null": {
          "aws:ResourceTag/aws-control-tower": false
        }
      }
    }
  ]
}
```

------
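The three AWS Backup SCPs above share one evaluation pattern: a `Deny` that exempts only the `AWSControlTowerExecution` role, scoped either by resource name (CT.BACKUP.PV.2), by the `aws:TagKeys` in the tagging request (CT.BACKUP.PV.1), or by the presence of the `aws-control-tower` resource tag (CT.BACKUP.PV.3). The following script is an added example, not AWS or AWS Control Tower code. It implements just the IAM condition operators these statements use (`ArnNotLike`, `ForAnyValue:StringEquals`, `Null`) and evaluates the three statements offline, so you can see which calls are blocked for a given principal, resource and tag set before relying on the control. The account ID, role names and resource names in the scenarios are constructed for illustration; the CT.BACKUP.PV.3 action list is abbreviated to the actions the scenarios exercise. The same evaluator applies unchanged to the CT.IAM.PV.1 and CT.S3.PV.1 statements, which use only `ArnNotLike`.

```python
import re
from fnmatch import fnmatchcase

EXEC_ROLE = "arn:*:iam::*:role/AWSControlTowerExecution"

# The Deny statements from this page (CT.BACKUP.PV.3 action list abbreviated).
STATEMENTS = [
    {"Sid": "CTBACKUPPV1", "Effect": "Deny",
     "Action": ["backup:TagResource", "backup:UntagResource"], "Resource": "*",
     "Condition": {"ArnNotLike": {"aws:PrincipalARN": EXEC_ROLE},
                   "ForAnyValue:StringEquals": {"aws:TagKeys": "aws-control-tower"}}},
    {"Sid": "CTBACKUPPV2", "Effect": "Deny",
     "Action": ["backup:CreateReportPlan", "backup:DeleteReportPlan", "backup:UpdateReportPlan"],
     "Resource": "arn:*:backup:*:*:report-plan:aws_controltower_*",
     "Condition": {"ArnNotLike": {"aws:PrincipalARN": [EXEC_ROLE]}}},
    {"Sid": "CTBACKUPPV3", "Effect": "Deny",
     "Action": ["backup:DeleteBackupPlan", "backup:DeleteBackupVault",
                "backup:DeleteBackupVaultLockConfiguration",
                "backup:PutBackupVaultAccessPolicy", "backup:UpdateBackupPlan"],
     "Resource": ["arn:*:backup:*:*:backup-plan:*", "arn:*:backup:*:*:backup-vault:*"],
     "Condition": {"ArnNotLike": {"aws:PrincipalARN": EXEC_ROLE},
                   "Null": {"aws:ResourceTag/aws-control-tower": False}}},
]


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _glob_re(pat):
    # IAM wildcards: '*' any run of characters, '?' one character; anchored at both ends.
    return re.compile("".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pat) + r"\Z")


def arn_like(pattern, arn):
    """ArnLike semantics: each of the six colon-delimited ARN parts is matched separately,
    so a '*' never spans a colon (the resource part may itself contain colons)."""
    p, a = pattern.split(":", 5), arn.split(":", 5)
    return len(p) == 6 and len(a) == 6 and all(_glob_re(x).match(y) for x, y in zip(p, a))


def condition_holds(operator, key, values, ctx):
    """Evaluate one condition key under the operators used by these SCPs."""
    values = [str(v) for v in _as_list(values)]
    present = key in ctx
    if operator == "ArnNotLike":
        # Negated operator: a missing key evaluates true; otherwise no value may match.
        return not present or not any(arn_like(v, ctx[key]) for v in values)
    if operator == "ForAnyValue:StringEquals":
        # Set operator over a multivalued key such as aws:TagKeys; a missing key is false.
        return present and any(k in values for k in _as_list(ctx[key]))
    if operator == "Null":
        # Null:false requires the key to exist in the request context; Null:true the opposite.
        return present if values[0].lower() == "false" else not present
    raise NotImplementedError(operator)


def statement_denies(stmt, action, resource, ctx):
    """True when this Deny statement matches the action, the resource and all conditions."""
    if stmt["Effect"] != "Deny":
        return False
    if not any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
        return False
    if not any(r == "*" or arn_like(r, resource) for r in _as_list(stmt["Resource"])):
        return False
    return all(condition_holds(op, k, v, ctx)
               for op, block in stmt.get("Condition", {}).items() for k, v in block.items())


def denied_by(action, resource, principal_arn, request_tag_keys=(), resource_tags=None):
    """Return the Sids of statements that deny this call; [] means these SCPs do not block it.

    principal_arn is the role ARN: AWS populates aws:PrincipalARN with the role ARN for a
    role session, not the STS assumed-role ARN. request_tag_keys models aws:TagKeys (the keys
    being added by TagResource or removed by UntagResource); resource_tags models the
    aws:ResourceTag/<key> keys that exist on the target resource."""
    ctx = {"aws:PrincipalARN": principal_arn}
    if request_tag_keys:
        ctx["aws:TagKeys"] = list(request_tag_keys)
    for k, v in (resource_tags or {}).items():
        ctx[f"aws:ResourceTag/{k}"] = v
    return [s["Sid"] for s in STATEMENTS if statement_denies(s, action, resource, ctx)]


# Constructed scenario identifiers (hypothetical account, roles and resources).
DEV_ROLE = "arn:aws:iam::111122223333:role/DeveloperRole"
CT_EXEC = "arn:aws:iam::111122223333:role/AWSControlTowerExecution"
VAULT = "arn:aws:backup:us-east-1:111122223333:backup-vault:Default"
REPORT = "arn:aws:backup:us-east-1:111122223333:report-plan:aws_controltower_daily"


def demo():
    return {
        # PV.1: adding or removing the aws-control-tower key is blocked; other keys are not.
        "tag-ct-key": denied_by("backup:TagResource", VAULT, DEV_ROLE, ["aws-control-tower"]),
        "tag-other-key": denied_by("backup:TagResource", VAULT, DEV_ROLE, ["team"]),
        "untag-ct-key": denied_by("backup:UntagResource", VAULT, DEV_ROLE, ["aws-control-tower"]),
        # PV.3: the vault is protected only while it carries the aws-control-tower tag.
        "delete-managed-vault": denied_by("backup:DeleteBackupVault", VAULT, DEV_ROLE,
                                          resource_tags={"aws-control-tower": "managed"}),
        "delete-untagged-vault": denied_by("backup:DeleteBackupVault", VAULT, DEV_ROLE),
        # PV.2: the aws_controltower_ name prefix is what scopes the report-plan protection.
        "delete-ct-report-plan": denied_by("backup:DeleteReportPlan", REPORT, DEV_ROLE),
        # The execution role is exempt from every statement.
        "exec-role-delete": denied_by("backup:DeleteBackupVault", VAULT, CT_EXEC,
                                      resource_tags={"aws-control-tower": "managed"}),
    }


if __name__ == "__main__":
    for name, sids in demo().items():
        print(f"{name:24s} {'DENIED by ' + ', '.join(sids) if sids else 'not denied by these SCPs'}")
```

Two points the scenarios make concrete: PV.1 and PV.3 together are what stop a principal from first stripping the `aws-control-tower` tag and then deleting the vault, since the untag call is itself denied; and a vault you create outside Control Tower only gains PV.3 protection once it carries that tag, which is the behaviour the usage considerations describe. The model evaluates only the explicit `Deny` statements on this page; an `Allow` from identity or resource policies is still required for any call these SCPs do not block.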

# [CT.IAM.PV.1] Disallow modification of an AWS IAM role that AWS Control Tower utilizes to manage AWS Backup resources
<a name="ct-iam-pv-1"></a>

This control limits modification of the AWS IAM role (aws-controltower-BackupRole) that AWS Control Tower utilizes for management of AWS Backup resources.

This is a preventive control with elective guidance. By default, this control is not enabled. You can enable this control through the AWS Control Tower console, or through the AWS Control Tower APIs.

**AWS service: **AWS Identity and Access Management (IAM)

**Control metadata**
+ **Control objective: **Protect configurations
+ **Implementation: **Service control policy (SCP)
+ **Control behavior: **Preventive
+ **Control owner: **AWS Control Tower
+ **Control group: **
+ **Resource types: **`AWS::IAM::Role`

**Usage considerations**  
AWS Backup resources managed by AWS Control Tower should be modified using the AWS Control Tower API or console. API read actions for AWS Backup, such as `ListBackupPlans` and `GetBackupVaultAccessPolicy`, can be utilized directly.

 The artifact for this control is the following service control policy (SCP). 

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CTIAMPV1",
      "Effect": "Deny",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:DeleteRolePermissionsBoundary",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:PutRolePermissionsBoundary",
        "iam:PutRolePolicy",
        "iam:UpdateAssumeRolePolicy",
        "iam:UpdateRole"
      ],
      "Resource": "arn:*:iam::*:role/aws-controltower-BackupRole",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:*:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
```

------

# [CT.S3.PV.1] Disallow modification of an Amazon S3 bucket that stores AWS Backup reports for AWS Control Tower
<a name="ct-s3-pv-1"></a>

This control limits modification of the Amazon S3 buckets that AWS Control Tower utilizes as a destination for storing AWS Backup reports.

This is a preventive control with elective guidance. By default, this control is not enabled. You can enable this control through the AWS Control Tower console, or through the AWS Control Tower APIs.

**AWS service: **Amazon S3

**Control metadata**
+ **Control objective: **Protect configurations
+ **Implementation: **Service control policy (SCP)
+ **Control behavior: **Preventive
+ **Control owner: **AWS Control Tower
+ **Control group: **
+ **Resource types: **`AWS::S3::Bucket`

**Usage considerations**  
AWS Backup resources managed by AWS Control Tower should be modified using the AWS Control Tower API or console. API read actions for AWS Backup, such as `ListBackupPlans` and `GetBackupVaultAccessPolicy`, can be utilized directly.

 The artifact for this control is the following service control policy (SCP). 

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CTS3PV1",
      "Effect": "Deny",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:DeleteBucketPolicy",
        "s3:DeleteBucketWebsite",
        "s3:PutAccelerateConfiguration",
        "s3:PutBucketAcl",
        "s3:PutBucketCORS",
        "s3:PutBucketLogging",
        "s3:PutBucketObjectLockConfiguration",
        "s3:PutBucketOwnershipControls",
        "s3:PutBucketPolicy",
        "s3:PutBucketPublicAccessBlock",
        "s3:PutBucketVersioning",
        "s3:PutBucketWebsite",
        "s3:PutEncryptionConfiguration",
        "s3:PutLifecycleConfiguration",
        "s3:PutReplicationConfiguration"
      ],
      "Resource": "arn:*:s3:::aws-controltower-backup-reports-*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": [
            "arn:*:iam::*:role/AWSControlTowerExecution"
          ]
        }
      }
    }
  ]
}
```

------