AWS aws-backup documentation change
Summary
Updated encryption key terminology and clarified incremental backup conditions. Added detailed IAM permission requirements for cross-account copy jobs including required actions and example policy.
Security assessment
Changes clarify encryption requirements and add explicit IAM permission documentation for cross-account operations. While security-related (encryption/IAM), there's no evidence of a specific vulnerability being addressed. The note about managed keys vs. customer keys improves security documentation.
Diff
diff --git a/aws-backup/latest/devguide/create-cross-account-backup.md b/aws-backup/latest/devguide/create-cross-account-backup.md index 23d6055e3..cbc77f125 100644 --- a//aws-backup/latest/devguide/create-cross-account-backup.md +++ b//aws-backup/latest/devguide/create-cross-account-backup.md @@ -13 +13 @@ Using AWS Backup, you can back up to multiple AWS accounts on demand or automati -In your destination account, you must create a backup vault. Then, you assign a customer managed key to encrypt backups in the destination account, and a resource-based access policy to allow AWS Backup to access the resources you would like to copy. In the source account, if your resources are encrypted with a customer managed key, you must share this customer managed key with the destination account. You can then create a backup plan and choose a destination account that is part of your organizational unit in AWS Organizations. +In your destination account, you must create a backup vault. Then, you assign an encryption key to encrypt backups in the destination account, and a resource-based access policy to allow AWS Backup to access the resources you would like to copy. In the source account, if your resources are encrypted with a customer managed key, you must share this customer managed key with the destination account. You can then create a backup plan and choose a destination account that is part of your organizational unit in AWS Organizations. @@ -15 +15,5 @@ In your destination account, you must create a backup vault. Then, you assign a -When you copy a backup to cross-account for the first time, AWS Backup copies the backup in full. In general, if a service supports incremental backups, subsequent copies of that backup in the same account are incremental. AWS Backup re-encrypts your copy using the customer managed key of your destination vault. +When you copy a backup to cross-account for the first time, AWS Backup copies the backup in full. In general, if a service supports incremental backups, subsequent copies of that backup to the same destination account and vault are incremental. AWS Backup re-encrypts your copy using the encryption key of your destination vault. + +###### Note + +For resources [fully managed by AWS Backup](./whatisbackup.html#full-management), you can use either a customer managed key or the AWS Backup managed key (`aws/backup`) for the destination vault. For all other resource types, a customer managed key is required because AWS managed key policies are immutable and cannot be shared cross-account. For more information, see [Encryption for a backup copy to a different account or AWS Region](./encryption.html#copy-encryption). @@ -39,0 +44,25 @@ The source account user initiates the cross-account backup operation. The source +For cross-account copy jobs, the IAM role in the source account must also have the following identity-based permissions: + + * `backup:CopyFromBackupVault` – Authorizes copying the source recovery point. + + * `backup:CopyIntoBackupVault` – Authorizes writing into the destination vault. Because this is a cross-account call, this permission must be present in both the identity-based policy (attached to the IAM role) and the resource-based policy (on the destination backup vault). + +The AWS managed policy `AWSBackupServiceRolePolicyForBackup` includes both of these permissions. If you use a custom IAM role, you must add these permissions explicitly. The following is an example identity-based policy: + + { + "Statement": [ + { + "Sid": "BackupVaultCopyPermissions", + "Effect": "Allow", + "Action": "backup:CopyFromBackupVault", + "Resource": "*" + }, + { + "Sid": "BackupVaultPermissions", + "Effect": "Allow", + "Action": "backup:CopyIntoBackupVault", + "Resource": "arn:aws:backup:*:*:backup-vault:*" + } + ] + } +