AWS aws-backup documentation change
Summary
Updated multiple AWS Backup managed policies with Redshift Serverless permissions
Security assessment
Expands IAM policy documentation for new service integration without addressing known vulnerabilities
Diff
diff --git a/aws-backup/latest/devguide/security-iam-awsmanpol.md b/aws-backup/latest/devguide/security-iam-awsmanpol.md index 376a0f7ab..4e92173ad 100644 --- a//aws-backup/latest/devguide/security-iam-awsmanpol.md +++ b//aws-backup/latest/devguide/security-iam-awsmanpol.md @@ -667,0 +668,53 @@ Change | Description | Date +AWSBackupFullAccess – Update to an existing policy | AWS Backup added the following permissions to this policy: + + * `aws:CalledVia` + * `redshift-serverless:DeleteSnapshot` + * `redshift-serverless:GetNamespace` + * `redshift-serverless:GetSnapshot` + * `redshift-serverless:GetWorkgroup` + * `redshift-serverless:ListNamespaces` + * `redshift-serverless:ListSnapshots` + * `redshift-serverless:ListWorkgroups` + +These permissions are necessary for designated customers to have full access to Amazon Redshift Serverless backups, including required read permissions as well as the ability to delete Amazon Redshift Serverless recovery points (snapshot backups). | March 31, 2025 +AWSBackupOperatorAccess – Update to an existing policy | AWS Backup added the following permissions to this policy: + + * `redshift-serverless:GetNamespace` + * `redshift-serverless:GetSnapshot` + * `redshift-serverless:GetWorkgroup` + * `redshift-serverless:ListNamespaces` + * `redshift-serverless:ListSnapshots` + * `redshift-serverless:ListWorkgroups` + +These permissions are necessary for designated customers to have all necessary backup permissions to Amazon Redshift Serverless, including required read permissions. | March 31, 2025 +AWSBackupServiceLinkedRolePolicyForBackup – Update to an existing policy | AWS Backup added the following permissions to this policy: + + * `redshift-serverless:DeleteSnapshot` + * `redshift-serverless:GetNamespace` + * `redshift-serverless:GetSnapshot` + * `redshift-serverless:GetWorkgroup` + * `redshift-serverless:ListNamespaces` + * `redshift-serverless:ListSnapshots` + * `redshift-serverless:ListTagsForResource` + * `redshift-serverless:ListWorkgroups` + +These permissions are necessary for AWS Backup to manage Amazon Redshift Serverless snapshots at customer specified intervals. | March 31, 2025 +AWSBackupServiceRolePolicyForBackup – Update to an existing policy | AWS Backup added the following permissions to this policy: + + * `redshift-serverless:CreateSnapshot` + * `redshift-serverless:DeleteSnapshot` with a condition to only allow snapshots deletion with the `"aws:backup:source-resource"` tag + * `redshift-serverless:GetNamespace` + * `redshift-serverless:GetSnapshot` + * `redshift-serverless:ListNamespaces` + * `redshift-serverless:ListSnapshots` + * `redshift-serverless:ListTagsForResource` + * `redshift-serverless:TagResource` + +These permissions are necessary to allow AWS Backup to create, delete, retrieve, and manage Amazon Redshift Serverless snapshots on behalf of customers. | March 31, 2025 +AWSBackupServiceRolePolicyForRestores – Update to an existing policy | AWS Backup added the following permissions to this policy: + + * `redshift-serverless:GetNamespace` + * `redshift-serverless:GetTableRestoreStatus` + * `redshift-serverless:RestoreTableFromSnapshot` + +These permissions are necessary to allow AWS Backup to restore Amazon Redshift and Amazon Redshift Serverless snapshots on behalf of the customer. | March 31, 2025