AWS Security ChangesHomeSearch

AWS aws-backup documentation change

Service: aws-backup · 2026-02-22 · Documentation low

File: aws-backup/latest/devguide/create-a-vault-access-policy.md

Summary

Added three JSON policy examples demonstrating how to restrict access to backup operations: 1) Deny specific recovery point operations on EBS snapshots 2) Deny backup vault operations 3) Deny DeleteRecoveryPoint except for specified principals

Security assessment

The changes add security documentation showing how to implement least-privilege access controls for backup operations. While this enhances security awareness, there's no evidence of addressing a specific vulnerability. The examples demonstrate security best practices for access policies.

Diff

diff --git a/aws-backup/latest/devguide/create-a-vault-access-policy.md b/aws-backup/latest/devguide/create-a-vault-access-policy.md
index f6ce71d33..b479f6fb3 100644
--- a//aws-backup/latest/devguide/create-a-vault-access-policy.md
+++ b//aws-backup/latest/devguide/create-a-vault-access-policy.md
@@ -35,0 +36,32 @@ This policy denies access to the specified API operations for all Amazon EBS sna
+JSON
+    
+
+****
+    
+    
+    
+    {
+      "Version":"2012-10-17",		 	 	 
+      "Statement": [
+        {
+          "Sid": "DenyRecoveryPointOperations",
+          "Effect": "Deny",
+          "Principal": {
+            "AWS": "arn:aws:iam::111122223333:role/MyRole"
+          },
+          "Action": [
+            "backup:UpdateRecoveryPointLifecycle",
+            "backup:DescribeRecoveryPoint",
+            "backup:DeleteRecoveryPoint",
+            "backup:GetRecoveryPointRestoreMetadata",
+            "backup:StartRestoreJob"
+          ],
+          "Resource": [
+            "arn:aws:ec2:*:*:snapshot/*"
+          ]
+        }
+      ]
+    }
+    
+    
+
@@ -39,0 +72,35 @@ This policy denies access to the specified API operations targeting a backup vau
+JSON
+    
+
+****
+    
+    
+    
+    {
+      "Version":"2012-10-17",		 	 	 
+      "Statement": [
+        {
+          "Sid": "DenyBackupVaultOperations",
+          "Effect": "Deny",
+          "Principal": {
+            "AWS": "arn:aws:iam::123456789012:role/MyRole"
+          },
+          "Action": [
+            "backup:DescribeBackupVault",
+            "backup:DeleteBackupVault",
+            "backup:PutBackupVaultAccessPolicy",
+            "backup:DeleteBackupVaultAccessPolicy",
+            "backup:GetBackupVaultAccessPolicy",
+            "backup:StartBackupJob",
+            "backup:GetBackupVaultNotifications",
+            "backup:PutBackupVaultNotifications",
+            "backup:DeleteBackupVaultNotifications",
+            "backup:ListRecoveryPointsByBackupVault"
+          ],
+          "Resource": "arn:aws:backup:us-east-1:123456789012:backup-vault:backup vault name"
+        }
+      ]
+    }
+    
+    
+
@@ -86,0 +154,30 @@ To allow list IAM identities using their ARN, use the `aws:PrincipalArn` global
+JSON
+    
+
+****
+    
+    
+        {
+      "Version":"2012-10-17",		 	 	 
+      "Statement": [
+        {
+          "Sid": "DenyDeleteRecoveryPoint",
+          "Effect": "Deny",
+          "Principal": "*",
+          "Action": "backup:DeleteRecoveryPoint",
+          "Resource": "*",
+          "Condition": {
+            "ArnNotEquals": {
+              "aws:PrincipalArn": [
+                "arn:aws:iam::112233445566:role/mys3role",
+                "arn:aws:iam::112233445566:user/shaheer",
+                "arn:aws:iam::112233445566:root"
+              ]
+            }
+          }
+        }
+      ]
+    }
+    
+    
+