Actions, resources, and condition keys for AWS Backup - Service Authorization Reference

Actions, resources, and condition keys for AWS Backup

AWS Backup (service prefix: backup) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by AWS Backup

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
CancelLegalHold Grants permission to cancel a legal hold Write

legalHold*

CopyFromBackupVault [permission only] Grants permission to copy from a backup vault Write

recoveryPoint*

backup:CopyTargets

backup:CopyTargetOrgPaths

CopyIntoBackupVault [permission only] Grants permission to copy into a backup vault Write

backupVault*

aws:RequestTag/${TagKey}

CreateBackupPlan Grants permission to create a new backup plan Write

backupPlan*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateBackupSelection Grants permission to create a new resource assignment in a backup plan Write

backupPlan*

iam:PassRole

CreateBackupVault Grants permission to create a new backup vault Write

backupVault*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateFramework Grants permission to create a new framework Write

framework*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateLegalHold Grants permission to create a new legal hold Write

legalHold*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateLogicallyAirGappedBackupVault Grants permission to create a new logically air-gapped backup vault, a logical container where backups are stored Write

backupVault*

aws:RequestTag/${TagKey}

aws:TagKeys

backup:MinRetentionDays

backup:MaxRetentionDays

CreateReportPlan Grants permission to create a new report plan Write

reportPlan*

aws:RequestTag/${TagKey}

aws:TagKeys

backup:FrameworkArns

CreateRestoreTestingPlan Grants permission to create a new restore testing plan Write

restoreTestingPlan*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateRestoreTestingSelection Grants permission to create a new resource assignment in a restore testing plan Write

restoreTestingPlan*

iam:PassRole

DeleteBackupPlan Grants permission to delete a backup plan Write

backupPlan*

DeleteBackupSelection Grants permission to delete a resource assignment from a backup plan Write

backupPlan*

DeleteBackupVault Grants permission to delete a backup vault Write

backupVault*

DeleteBackupVaultAccessPolicy Grants permission to delete backup vault access policy Permissions management

backupVault*

DeleteBackupVaultLockConfiguration Grants permission to remove the lock configuration from a backup vault Write

backupVault*

DeleteBackupVaultNotifications Grants permission to remove the notifications from a backup vault Write

backupVault*

DeleteBackupVaultSharingPolicy [permission only] Grants permission to delete backup vault sharing policy Permissions management

backupVault*

DeleteFramework Grants permission to delete a framework Write

framework*

DeleteRecoveryPoint Grants permission to delete a recovery point from a backup vault Write

recoveryPoint*

DeleteReportPlan Grants permission to delete a report plan Write

reportPlan*

DeleteRestoreTestingPlan Grants permission to delete a restore testing plan Write

restoreTestingPlan*

DeleteRestoreTestingSelection Grants permission to delete a resource assignment from a restore testing plan Write

restoreTestingPlan*

DescribeBackupJob Grants permission to describe a backup job Read
DescribeBackupVault Grants permission to describe a new backup vault with the specified name Read

backupVault*

DescribeCopyJob Grants permission to describe a copy job Read
DescribeFramework Grants permission to describe a framework with the specified name Read

framework*

DescribeGlobalSettings Grants permission to describe global settings Read
DescribeProtectedResource Grants permission to describe a protected resource Read
DescribeRecoveryPoint Grants permission to describe a recovery point Read

recoveryPoint*

DescribeRegionSettings Grants permission to describe region settings Read
DescribeReportJob Grants permission to describe a report job Read
DescribeReportPlan Grants permission to describe a report plan with the specified name Read

reportPlan*

DescribeRestoreJob Grants permission to describe a restore job Read
DisassociateRecoveryPoint Grants permission to disassociate a recovery point from a backup vault Write

recoveryPoint*

DisassociateRecoveryPointFromParent Grants permission to disassociate a recovery point from its parent Write

recoveryPoint*

ExportBackupPlanTemplate Grants permission to export a backup plan as a JSON Read
GetBackupPlan Grants permission to get a backup plan Read

backupPlan*

GetBackupPlanFromJSON Grants permission to transform a JSON to a backup plan Read
GetBackupPlanFromTemplate Grants permission to transform a template to a backup plan Read
GetBackupSelection Grants permission to get a backup plan resource assignment Read

backupPlan*

GetBackupVaultAccessPolicy Grants permission to get backup vault access policy Read

backupVault*

GetBackupVaultNotifications Grants permission to get backup vault notifications Read

backupVault*

GetBackupVaultSharingPolicy [permission only] Grants permission to get backup vault sharing policy Read

backupVault*

GetLegalHold Grants permission to get a legal hold Read

legalHold*

GetRecoveryPointRestoreMetadata Grants permission to get recovery point restore metadata Read

recoveryPoint*

GetRestoreJobMetadata Grants permission to get the restore metadata associated with a restore job Read
GetRestoreTestingInferredMetadata Grants permission to get inferred metadata generated by restore testing Read
GetRestoreTestingPlan Grants permission to get a restore testing plan Read

restoreTestingPlan*

GetRestoreTestingSelection Grants permission to get a restore testing plan resource assignment Read

restoreTestingPlan*

GetSupportedResourceTypes Grants permission to get supported resource types Read
ListBackupJobSummaries Grants permission to list backup job summaries List
ListBackupJobs Grants permission to list backup jobs List
ListBackupPlanTemplates Grants permission to list backup plan templates provided by AWS Backup List
ListBackupPlanVersions Grants permission to list backup plan versions List

backupPlan*

ListBackupPlans Grants permission to list backup plans List
ListBackupSelections Grants permission to list resource assignments for a specific backup plan List

backupPlan*

ListBackupVaults Grants permission to list backup vaults List
ListCopyJobSummaries Grants permission to list copy job summaries List
ListCopyJobs Grants permission to list copy jobs List
ListFrameworks Grants permission to list frameworks List
ListLegalHolds Grants permission to list legal holds List
ListProtectedResources Grants permission to list protected resources by AWS Backup List
ListProtectedResourcesByBackupVault Grants permission to list protected resources inside a backup vault List

backupVault*

ListRecoveryPointsByBackupVault Grants permission to list recovery points inside a backup vault List

backupVault*

ListRecoveryPointsByLegalHold Grants permission to list recovery points by legal hold List

legalHold*

ListRecoveryPointsByResource Grants permission to list recovery points for a resource List
ListReportJobs Grants permission to list report jobs List
ListReportPlans Grants permission to list report plans List
ListRestoreJobSummaries Grants permission to list restore job summaries List
ListRestoreJobs Grants permission to list restore jobs List
ListRestoreJobsByProtectedResource Grants permission to list restore jobs for a protected resource List
ListRestoreTestingPlans Grants permission to list restore testing plans List
ListRestoreTestingSelections Grants permission to list resource assignments for a specific restore testing plan List

restoreTestingPlan*

ListTags Grants permission to list tags for a resource Read

backupPlan

backupVault

framework

legalHold

recoveryPoint

reportPlan

restoreTestingPlan

PutBackupVaultAccessPolicy Grants permission to add an access policy to the backup vault Permissions management

backupVault*

PutBackupVaultLockConfiguration Grants permission to add a lock configuration to the backup vault Write

backupVault*

backup:ChangeableForDays

backup:MinRetentionDays

backup:MaxRetentionDays

PutBackupVaultNotifications Grants permission to add an SNS topic to the backup vault Write

backupVault*

PutBackupVaultSharingPolicy [permission only] Grants permission to add a sharing policy to the backup vault Permissions management

backupVault*

PutRestoreValidationResult Grants permission to put a restore validation result Write
StartBackupJob Grants permission to start a new backup job Write

backupVault*

iam:PassRole

StartCopyJob Grants permission to copy a backup from a source backup vault to a destination backup vault Write

recoveryPoint*

iam:PassRole

StartReportJob Grants permission to start a new report job Write

reportPlan*

StartRestoreJob Grants permission to start a new restore job Write

recoveryPoint*

iam:PassRole

StopBackupJob Grants permission to stop a backup job Write
TagResource Grants permission to tag a resource Tagging

backupPlan

backupVault

framework

legalHold

recoveryPoint

reportPlan

restoreTestingPlan

aws:RequestTag/${TagKey}

aws:TagKeys

UntagResource Grants permission to untag a resource Tagging

backupPlan

backupVault

framework

legalHold

recoveryPoint

reportPlan

restoreTestingPlan

aws:TagKeys

UpdateBackupPlan Grants permission to update a backup plan Write

backupPlan*

UpdateFramework Grants permission to update a framework Write

framework*

UpdateGlobalSettings Grants permission to update the current global settings for the AWS Account Write
UpdateRecoveryPointLifecycle Grants permission to update the lifecycle of the recovery point Write

recoveryPoint*

UpdateRegionSettings Grants permission to update the current service opt-in settings for the Region Write
UpdateReportPlan Grants permission to update a report plan Write

reportPlan*

backup:FrameworkArns

UpdateRestoreTestingPlan Grants permission to update a restore testing plan Write

restoreTestingPlan*

UpdateRestoreTestingSelection Grants permission to update a resource assignment in a restore testing plan Write

restoreTestingPlan*

iam:PassRole

Resource types defined by AWS Backup

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
backupVault arn:${Partition}:backup:${Region}:${Account}:backup-vault:${BackupVaultName}

aws:ResourceTag/${TagKey}

backupPlan arn:${Partition}:backup:${Region}:${Account}:backup-plan:${BackupPlanId}

aws:ResourceTag/${TagKey}

recoveryPoint arn:${Partition}:${Vendor}:${Region}:*:${ResourceType}:${RecoveryPointId}

aws:ResourceTag/${TagKey}

framework arn:${Partition}:backup:${Region}:${Account}:framework:${FrameworkName}-${FrameworkId}

aws:ResourceTag/${TagKey}

reportPlan arn:${Partition}:backup:${Region}:${Account}:report-plan:${ReportPlanName}-${ReportPlanId}

aws:ResourceTag/${TagKey}

legalHold arn:${Partition}:backup:${Region}:${Account}:legal-hold:${LegalHoldId}

aws:ResourceTag/${TagKey}

restoreTestingPlan arn:${Partition}:backup:${Region}:${Account}:restore-testing-plan:${RestoreTestingPlanName}-${RestoreTestingPlanId}

aws:ResourceTag/${TagKey}

Condition keys for AWS Backup

AWS Backup defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access by the allowed set of values for each of the tags String
aws:ResourceTag/${TagKey} Filters access by the tags associated with the resource String
aws:TagKeys Filters access by the presence of mandatory tags in the request ArrayOfString
backup:ChangeableForDays Filters access by the value of the ChangeableForDays parameter Numeric
backup:CopyTargetOrgPaths Filters access by the organization unit ArrayOfString
backup:CopyTargets Filters access by the ARN of an backup vault ArrayOfARN
backup:FrameworkArns Filters access by the Framework ARNs ArrayOfARN
backup:MaxRetentionDays Filters access by the value of the MaxRetentionDays parameter Numeric
backup:MinRetentionDays Filters access by the value of the MinRetentionDays parameter Numeric