

# What is Multi-party approval?
<a name="what-is"></a>

**Security through approval**

Multi-party approval is a capability of [AWS Organizations](https://aws.amazon.com/organizations) that allows you to protect a predefined list of operations through a distributed approval process. Use Multi-party approval to establish approval workflows and transform security processes into team-based decisions.

![Multi-party approval process with Requester, Administrator, and Approvers roles and their functions.](http://docs.aws.amazon.com/mpa/latest/userguide/images/personas.png)


*Figure 1: Diagram depicting the job functions for Multi-party approval.*



## Example scenario: Protect logically air-gapped vaults
<a name="mpa-example"></a>

You can use Multi-party approval with AWS Backup. AWS Backup offers logically air-gapped vaults, which are backup vaults with increased security features. For more information, see [Logically air-gapped vault](https://docs.aws.amazon.com/aws-backup/latest/devguide/logicallyairgappedvault.html) in the *AWS Backup Developer Guide*.

When a logically air-gapped vault is protected with Multi-party approval, a request to create a restore access backup vault must go through an [approval session](mpa-concepts.md#mpa-session). This means that the `CreateRestoreAccessBackupVault` operation requires team approval before it can be executed. In Figure 2, this is represented with `CreateRestoreAccessBackupVault` as the requested operation in the dotted box, in a pending approval state. The approval session for the requested operation takes place in the [approval portal](mpa-concepts.md#mpa-portal).

If the access request is approved, AWS Backup creates a restore access backup vault in the requester's account. This restore access backup vault is the requester's connection to the logically air-gapped vault. In Figure 2, this is represented with the requested operation in the dotted box moving from pending approval to approved.

For more information, see [How Multi-party approval works](how-it-works.md). To get started, see [Set up Multi-party approval](setting-up.md).

![Workflow diagram showing request approval process between AWS Management Console and Approval Portal.](http://docs.aws.amazon.com/mpa/latest/userguide/images/how-it-works.png)


*Figure 2: Diagram depicting how Multi-party approval works. You can also use the AWS CLI and AWS SDKs instead of the AWS Management Console.*

## When to use Multi-party approval
<a name="mpa-benefits"></a>

**When Multi-party approval is beneficial**
+ You need to align with the Zero Trust principle of "never trust, always verify"
+ You need to make sure that the right humans have access to the right things in the right way
+ You need distributed decision-making for sensitive or critical operations
+ You need to protect against unintended operations on sensitive or critical resources
+ You need formal reviews and approvals for auditing or compliance reasons

**When Multi-party approval might not be the best choice**
+ For standalone AWS accounts that don't use AWS Organizations and IAM Identity Center
+ For operations that require immediate execution without delay
+ For scenarios where the overhead of managing approval teams and workflows isn't justified by the risk

## What operations are currently supported with Multi-party approval
<a name="mpa-integrations-supported"></a>


| AWS service | Benefits of using with Multi-party approval | Protected operation | Learn more | 
| --- | --- | --- | --- | 
| [AWS Backup](https://aws.amazon.com/backup) | As an AWS Backup customer, you can use Multi-party approval to delegate approval of certain operations to a group of trusted individuals, who collaboratively approve access to a logically air-gapped vault from a separately created recovery account in the case of suspected malicious activity that may compromise use of the primary account. | [CreateRestoreAccessBackupVault](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_CreateRestoreAccessBackupVault.html), [AssociateBackupVaultMpaApprovalTeam](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_AssociateBackupVaultMpaApprovalTeam.html), [DisassociateBackupVaultMpaApprovalTeam](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_DisassociateBackupVaultMpaApprovalTeam.html), [RevokeRestoreAccessBackupVault](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_RevokeRestoreAccessBackupVault.html) | For more information, see [Multi-party approval for logically air-gapped vaults](https://docs.aws.amazon.com/aws-backup/latest/devguide/multipartyapproval.html) in the *AWS Backup Developer Guide*. | 

## Required services
<a name="mpa-integrations-required"></a>

Multi-party approval requires [AWS Organizations](https://aws.amazon.com/organizations) and [AWS IAM Identity Center](https://aws.amazon.com/iam/identity-center).

# Terms and concepts for Multi-party approval
<a name="mpa-concepts"></a>

To help you understand Multi-party approval, this topic describes some of the key terms and concepts.

**Topics**
+ [Job functions for Multi-party approval](#job-functions)
+ [AWS resources for Multi-party approval](#aws-resources)
+ [Multi-party approval resources](#mpa-resources)
+ [Multi-party approval interfaces](#interfaces)

## Job functions for Multi-party approval
<a name="job-functions"></a>

**Requester**  <a name="mpa-requester-term"></a>
The *requester* is the individual or entity that makes a request to execute a [protected operation](#mpa-protected-operation). The request triggers an [approval session](#mpa-session).

**Administrator**  <a name="mpa-administrator-term"></a>
The *administrator*, or admin, is responsible for managing [approval teams](#mpa-team-term). When a Multi-party approval admin creates a team, they set the initial approval requirements and invite approvers to join the team.  
When a team is [active](team-health.md), the Multi-party approval admin can request to update the team description, approval threshold, and approvers assigned to a team. They can also request to delete the team. Requests by the Multi-party approval admin require team approval to take effect.  
For more information, see [Administrator tasks](administrator.md).

**Approver**  <a name="mpa-approver-term"></a>
An *approver* is responsible for responding to [requested operations](#mpa-protected-operation). If an approver has accepted a team invitation and the team is [active](team-health.md), the approver receives email notifications about [pending requests](#mpa-protected-operation) for the team. The approver can view request details and respond to pending requests using the [Multi-party approval portal](#mpa-portal).  
For more information, see [Approver tasks](approver.md).  
An *inactive approver* is an approver who has not responded in two or more sessions, or who cannot respond to requests because of the state of their IAM Identity Center user credentials, for example a [deleted](https://docs.aws.amazon.com/singlesignon/latest/userguide/deleteusers.html) or [disabled](https://docs.aws.amazon.com/singlesignon/latest/userguide/disableuser.html) user.

## AWS resources for Multi-party approval
<a name="aws-resources"></a>

**Protected operation**  <a name="mpa-protected-operation"></a>
A *protected operation* is an operation from a predefined list that requires [team approval](#mpa-team-term) before it can be executed. When a [requester](#mpa-requester-term) attempts to execute a protected operation, the operation enters a pending state until the approval threshold is met.  
When the protected operation is pending, it is also referred to as a *requested operation* or a *pending request*. For a list of supported protected operations, see [What operations are currently supported with Multi-party approval](what-is.md#mpa-integrations-supported).

## Multi-party approval resources
<a name="mpa-resources"></a>

**Approval team**  <a name="mpa-team-term"></a>
An *approval team*, or team, consists of [approvers](#mpa-approver-term). To grant approval, teams require a specified number of approvals (M) out of the total approvers (N). This is the *approval threshold*.  
A team becomes [active](team-health.md) if every invited approver accepts the team invitation. When active, teams become *self-protecting*. This means changes to the team require team approval to take effect.  
Teams can be shared across accounts using AWS Resource Access Manager (AWS RAM). For more information, see [Share team](share-team.md).

**Approval session**  <a name="mpa-session"></a>
An *approval session*, or session, is a 24-hour workflow initiated when a [requester](#mpa-requester-term) attempts to execute a [protected operation](#mpa-protected-operation). Session details include the following non-exhaustive items:  
+ Approval team
+ Requested operation, requester comments, and AWS Region where the request was made
+ Initiation time and completion or expiration time for the requested operation
+ Approver responses and response time
+ Request status (`PENDING`, `CANCELLED`, `APPROVED`, `FAILED`, or `CREATING`)
+ Completion strategy. Currently, only `AUTO_COMPLETION_UPON_APPROVAL` is supported. This means the operation is automatically executed using the requester's permissions, if approved.

Sessions expire 24 hours after the initial request. Expired sessions and non-responses from approvers count as rejections.
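The following Python is an added illustration, not code from this guide or from the AWS service: it models the M-of-N approval threshold, the 24-hour session expiry, and the rule that non-responses count as rejections. The approver names, the start time, and the early-failure rule (a session reported `FAILED` as soon as explicit rejections make the threshold unreachable) are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

SESSION_TTL = timedelta(hours=24)  # a session expires 24 hours after the initial request


@dataclass
class ApprovalSession:
    """Illustrative M-of-N approval session; this is not the AWS implementation."""
    approvers: frozenset        # the N approvers on the active team
    threshold: int              # M approvals needed (the approval threshold)
    requested_at: datetime
    responses: dict = field(default_factory=dict)  # approver -> True (approve) / False (reject)

    def __post_init__(self):
        if not 1 <= self.threshold <= len(self.approvers):
            raise ValueError("threshold M must satisfy 1 <= M <= N")

    def respond(self, approver: str, approve: bool, at: datetime) -> None:
        if approver not in self.approvers:
            raise ValueError(f"{approver} is not on the approval team")
        if at - self.requested_at > SESSION_TTL:
            raise ValueError("session has expired; response not accepted")
        self.responses[approver] = approve

    def status(self, now: datetime) -> str:
        approvals = sum(1 for v in self.responses.values() if v)
        if approvals >= self.threshold:
            return "APPROVED"          # AUTO_COMPLETION_UPON_APPROVAL would now run the request
        if now - self.requested_at > SESSION_TTL:
            return "FAILED"            # expiry: every non-response counts as a rejection
        # Assumption (not stated in the guide): once explicit rejections make the
        # threshold unreachable, report FAILED without waiting for expiry.
        rejections = sum(1 for v in self.responses.values() if not v)
        if len(self.approvers) - rejections < self.threshold:
            return "FAILED"
        return "PENDING"


def simulate(team_size: int, threshold: int, responses, check_hour: float) -> str:
    """Constructed scenario: build a team of `team_size` approvers named approver1..N,
    apply `responses` as (approver, approve, hours_after_request) and return the
    session status `check_hour` hours after the request."""
    t0 = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed start time
    team = frozenset(f"approver{i}" for i in range(1, team_size + 1))
    session = ApprovalSession(team, threshold, t0)
    for approver, approve, hour in responses:
        session.respond(approver, approve, t0 + timedelta(hours=hour))
    return session.status(t0 + timedelta(hours=check_hour))
```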

**Identity source**  <a name="mpa-identity-source"></a>
An *identity source* is a Multi-party approval resource that models the connection between Multi-party approval and the AWS IAM Identity Center instance that manages the user authentication for [approvers](#mpa-approver-term).  
A Multi-party approval identity source is created when you [set up Multi-party approval](setting-up.md). This is a one-time operation.  
When a Multi-party approval identity source is created, it adds the [Multi-party approval portal](#mpa-portal) application to the connected IAM Identity Center instance and creates a unique URL. A Multi-party approval identity source is required to create [approval teams](#mpa-team-term).

## Multi-party approval interfaces
<a name="interfaces"></a>

**Multi-party approval console**  <a name="mpa-console"></a>
The *Multi-party approval console* is located in the AWS Organizations console, and is the interface that Multi-party approval [administrators](#mpa-administrator-term) use to create and manage their [approval teams](#mpa-team-term).

**Multi-party approval portal**  <a name="mpa-portal"></a>
The *Multi-party approval portal*, or approval portal, is used by approvers to view team invitations and requests, respond to requests, and view operation history.  
The portal is an AWS managed application for AWS IAM Identity Center that is accessed by [approvers](#mpa-approver-term) through the link in the team invitation or requested operation email notification.

# Region support
<a name="mpa-region-support"></a>

To use Multi-party approval, you must create [approval teams](mpa-concepts.md#mpa-team-term) and the [identity source](mpa-concepts.md#mpa-identity-source) in the US East (N. Virginia) Region. For more information about AWS Regions, see [Region](https://docs.aws.amazon.com/glossary/latest/reference/glos-chap.html?icmpid=docs_homepage_addtlrcs#region) in the *AWS Glossary Reference*.

Multi-party approval requires an organization instance of AWS IAM Identity Center. The IAM Identity Center instance can be enabled in any supported Region. For more information, see [Considerations for choosing an AWS Region](https://docs.aws.amazon.com/singlesignon/latest/userguide/identity-center-region-considerations.html) in the *IAM Identity Center User Guide*.

**Cross-Region considerations**

You can create approval teams that protect resources which are located in any commercial Region, even in Regions that are not US East (N. Virginia). During an approval session, user content (specifically requester comments) moves across Regions. When protecting resources in other Regions, there might be delays in the approval process if the US East (N. Virginia) Region experiences issues.

When you enable Multi-party approval and your IAM Identity Center instance in different Regions, Multi-party approval makes calls across Regions to IAM Identity Center. This means that [user and group](https://docs.aws.amazon.com/singlesignon/latest/userguide/users-groups-provisioning.html) information moves across Regions. If the Region where the IAM Identity Center instance is located experiences issues, approvers might temporarily be unable to access the Multi-party approval portal, and delivery of notifications about new approvals might be delayed.

For more information, see [IAM Identity Center Region data storage and operations](https://docs.aws.amazon.com/singlesignon/latest/userguide/regions.html) in the *IAM Identity Center User Guide*.

# Quotas for Multi-party approval
<a name="mpa-limits"></a>

Your AWS account has default quotas, formerly referred to as limits, for each AWS service. Unless otherwise noted, each quota is Region-specific.

To view the quotas for Multi-party approval, open the [Service Quotas console](https://console.aws.amazon.com/servicequotas/home). In the navigation pane, choose **AWS services** and select **Multi-party approval**.

Your AWS account has the following quotas related to Multi-party approval.


| Description | Quota | Adjustable | 
| --- | --- | --- | 
| Maximum number of identity sources for each account | 1 | No | 
| Maximum number of approval teams for each account | 10 | No | 
| Maximum number of approvers for each approval team | 20 | No | 