AWS aws-backup high security documentation change
Summary
Added MPA-related permissions to AWSBackupFullAccess policy and updated policy documentation
Security assessment
Adds critical IAM permissions (mpa:* actions) required for Multi-party approval functionality, enabling secure access control for air-gapped vault operations.
Diff
diff --git a/aws-backup/latest/devguide/security-iam-awsmanpol.md b/aws-backup/latest/devguide/security-iam-awsmanpol.md index b63fba8dc..fb4aaa963 100644 --- a//aws-backup/latest/devguide/security-iam-awsmanpol.md +++ b//aws-backup/latest/devguide/security-iam-awsmanpol.md @@ -280,3 +280 @@ This policy’s version defines the permissions for the policy. When the user or - "Action" : [ - "kms:Decrypt" - ], + "Action": "kms:Decrypt", @@ -666,0 +665,10 @@ Change | Description | Date +AWSBackupFullAccess – Update to an existing policy | AWS Backup added the following permissions to this policy: + + * `mpa:GetApprovalTeam` + * `mpa:ListApprovalTeams` + * `mpa:StartSession` + * `mpa:CancelSession` + * `mpa:GetSession` + * `mpa:ListSessions` + +These permissions are necessary for AWS Backup integration with AWS Account Management and AWS Organizations so customers have the option of Multi-party approval (MPA) as part of their logically air-gapped vaults. | June 17, 2025