AWS Security ChangesHomeSearch

AWS aws-backup high security documentation change

Service: aws-backup · 2025-06-19 · Security-related high

File: aws-backup/latest/devguide/security-iam-awsmanpol.md

Summary

Added MPA-related permissions to AWSBackupFullAccess policy and updated policy documentation

Security assessment

Adds critical IAM permissions (mpa:* actions) required for Multi-party approval functionality, enabling secure access control for air-gapped vault operations.

Diff

diff --git a/aws-backup/latest/devguide/security-iam-awsmanpol.md b/aws-backup/latest/devguide/security-iam-awsmanpol.md
index b63fba8dc..fb4aaa963 100644
--- a//aws-backup/latest/devguide/security-iam-awsmanpol.md
+++ b//aws-backup/latest/devguide/security-iam-awsmanpol.md
@@ -280,3 +280 @@ This policy’s version defines the permissions for the policy. When the user or
-                "Action" : [
-                    "kms:Decrypt"
-                ],
+                "Action": "kms:Decrypt",
@@ -666,0 +665,10 @@ Change | Description | Date
+AWSBackupFullAccess – Update to an existing policy |  AWS Backup added the following permissions to this policy:
+
+  * `mpa:GetApprovalTeam`
+  * `mpa:ListApprovalTeams`
+  * `mpa:StartSession`
+  * `mpa:CancelSession`
+  * `mpa:GetSession`
+  * `mpa:ListSessions`
+
+These permissions are necessary for AWS Backup integration with AWS Account Management and AWS Organizations so customers have the option of Multi-party approval (MPA) as part of their logically air-gapped vaults. | June 17, 2025