AWS Security ChangesHomeSearch

AWS aws-backup documentation change

Service: aws-backup · 2026-05-07 · Documentation low

File: aws-backup/latest/devguide/create-cross-account-backup.md

Summary

Updated encryption key terminology and clarified incremental backup conditions. Added detailed IAM permission requirements for cross-account copy jobs including required actions and example policy.

Security assessment

Changes clarify encryption requirements and add explicit IAM permission documentation for cross-account operations. While security-related (encryption/IAM), there's no evidence of a specific vulnerability being addressed. The note about managed keys vs. customer keys improves security documentation.

Diff

diff --git a/aws-backup/latest/devguide/create-cross-account-backup.md b/aws-backup/latest/devguide/create-cross-account-backup.md
index 23d6055e3..cbc77f125 100644
--- a//aws-backup/latest/devguide/create-cross-account-backup.md
+++ b//aws-backup/latest/devguide/create-cross-account-backup.md
@@ -13 +13 @@ Using AWS Backup, you can back up to multiple AWS accounts on demand or automati
-In your destination account, you must create a backup vault. Then, you assign a customer managed key to encrypt backups in the destination account, and a resource-based access policy to allow AWS Backup to access the resources you would like to copy. In the source account, if your resources are encrypted with a customer managed key, you must share this customer managed key with the destination account. You can then create a backup plan and choose a destination account that is part of your organizational unit in AWS Organizations. 
+In your destination account, you must create a backup vault. Then, you assign an encryption key to encrypt backups in the destination account, and a resource-based access policy to allow AWS Backup to access the resources you would like to copy. In the source account, if your resources are encrypted with a customer managed key, you must share this customer managed key with the destination account. You can then create a backup plan and choose a destination account that is part of your organizational unit in AWS Organizations. 
@@ -15 +15,5 @@ In your destination account, you must create a backup vault. Then, you assign a
-When you copy a backup to cross-account for the first time, AWS Backup copies the backup in full. In general, if a service supports incremental backups, subsequent copies of that backup in the same account are incremental. AWS Backup re-encrypts your copy using the customer managed key of your destination vault.
+When you copy a backup to cross-account for the first time, AWS Backup copies the backup in full. In general, if a service supports incremental backups, subsequent copies of that backup to the same destination account and vault are incremental. AWS Backup re-encrypts your copy using the encryption key of your destination vault.
+
+###### Note
+
+For resources [fully managed by AWS Backup](./whatisbackup.html#full-management), you can use either a customer managed key or the AWS Backup managed key (`aws/backup`) for the destination vault. For all other resource types, a customer managed key is required because AWS managed key policies are immutable and cannot be shared cross-account. For more information, see [Encryption for a backup copy to a different account or AWS Region](./encryption.html#copy-encryption).
@@ -39,0 +44,25 @@ The source account user initiates the cross-account backup operation. The source
+For cross-account copy jobs, the IAM role in the source account must also have the following identity-based permissions:
+
+    * `backup:CopyFromBackupVault` – Authorizes copying the source recovery point.
+
+    * `backup:CopyIntoBackupVault` – Authorizes writing into the destination vault. Because this is a cross-account call, this permission must be present in both the identity-based policy (attached to the IAM role) and the resource-based policy (on the destination backup vault).
+
+The AWS managed policy `AWSBackupServiceRolePolicyForBackup` includes both of these permissions. If you use a custom IAM role, you must add these permissions explicitly. The following is an example identity-based policy:
+    
+        {
+      "Statement": [
+        {
+          "Sid": "BackupVaultCopyPermissions",
+          "Effect": "Allow",
+          "Action": "backup:CopyFromBackupVault",
+          "Resource": "*"
+        },
+        {
+          "Sid": "BackupVaultPermissions",
+          "Effect": "Allow",
+          "Action": "backup:CopyIntoBackupVault",
+          "Resource": "arn:aws:backup:*:*:backup-vault:*"
+        }
+      ]
+    }
+