AWS aws-backup documentation change
Summary
Restructured and expanded documentation for Multi-party approval setup. Added sections on required access policies, prerequisites, best practices, and detailed setup steps. Enhanced security guidance including IAM permissions and policy requirements.
Security assessment
The changes add significant documentation about security features including required IAM permissions ('mpa:GetApprovalTeam', 'mpa:ListApprovalTeams', etc.), Service Control Policies (SCPs), and explicit policy ARNs for secure configuration. However, there is no evidence this addresses a specific security vulnerability or incident.
Diff
diff --git a/aws-backup/latest/devguide/multipartyapproval.md b/aws-backup/latest/devguide/multipartyapproval.md index ffe6869d6..e16fadfa9 100644 --- a//aws-backup/latest/devguide/multipartyapproval.md +++ b//aws-backup/latest/devguide/multipartyapproval.md @@ -7 +7 @@ -Overview of Multi-party approvalPrerequisites and best practicesMulti-party approval cross-Region considerationsMulti-party approval terms +Overview of Multi-party approvalPrerequisites and best practicesRequired access policiesSet up Multi-party approvalMulti-party approval cross-Region considerationsMulti-party approval terms @@ -21 +21 @@ An an AWS Backup customer, you can use Multi-party approval to grant approval ca -The following steps outline the recommended flow for setting up a recovery AWS organization, setting up Multi-party approval, and then using Multi-party approval with your logically air-gapped vaults: +## Prerequisites and best practices for using Multi-party approval with a logically air-gapped vault @@ -23 +23 @@ The following steps outline the recommended flow for setting up a recovery AWS o - 1. An administrator [creates a new organization through Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started.html) to be used for recovery operations. +Before you can effectively and securely use Multi-party approval with your logically air-gapped vaults, there are prerequisites and recommended best practices. @@ -25 +25 @@ The following steps outline the recommended flow for setting up a recovery AWS o - 2. In the management account of this new organization, the administrator creates and configures an IAM Identity Center (IDC) instance (to enable an organization instance, see [Enable IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/enable-identity-center.html) in the _IAM Identity Center User Guide_. See also the sequence to [Create a Multi-party approval identity source](https://docs.aws.amazon.com/mpa/latest/userguide/setting-up.html) in the _Multi-party approval User Guide_. +**Best practices:** @@ -27 +27 @@ The following steps outline the recommended flow for setting up a recovery AWS o - 3. The administrator then will [create an approval team](https://docs.aws.amazon.com/mpa/latest/userguide/create-team.html), the core group of trusted individuals who will be the primary users of Multi-party approval. + * Two (or more) AWS organizations through Organizations. One should be your primary organization where you have one or more accounts that have at least one logically air-gapped vault. The secondary organization should be your recovery organization. It is in this org where your multi-party approval team will be managed. @@ -29 +28,0 @@ The following steps outline the recommended flow for setting up a recovery AWS o - 4. The administrator uses AWS RAM to [share an approval team](./multipartyapproval-tasks-administrator.html#share-multipartyapproval-team-using-ram) with each account that owns a logically air-gapped vault and the recovery account that needs to request access on that vault. @@ -31 +29,0 @@ The following steps outline the recommended flow for setting up a recovery AWS o - 5. An administrator of the logically air-gapped vault owning account [associates the vault with an approval team](./multipartyapproval-tasks-requester.html#associate-multipartyapproval-team). @@ -33 +30,0 @@ The following steps outline the recommended flow for setting up a recovery AWS o - 6. A recovery account [requests access](./multipartyapproval-tasks-requester.html#create-restore-access-vault) to an account that has a logically air-gapped vault with an associated Multi-party approval team (“team”). The team associated with the account [approves or denies the request](https://docs.aws.amazon.com/mpa/latest/userguide/respond-request.html). @@ -35 +32 @@ The following steps outline the recommended flow for setting up a recovery AWS o - 7. The admin of the account of that owns the logically air-gapped vault can request that [the approval team be disassociated from the vault](./multipartyapproval-tasks-requester.html#disassociate-multipartyapproval-team). The request requires current team approval. +**Prerequisites** @@ -37 +34 @@ The following steps outline the recommended flow for setting up a recovery AWS o - 8. An administrator can [update approval team membership](https://docs.aws.amazon.com/mpa/latest/userguide/update-team.html) as necessary in accordance with their security practices or when people join or leave your organization. + 1. You have [Set up Multi-party approval](https://docs.aws.amazon.com/mpa/latest/userguide/setting-up.html) and have at least one approval team. @@ -38,0 +36 @@ The following steps outline the recommended flow for setting up a recovery AWS o + 2. At least one account in your primary organization must have a logically air-gapped vault (and the original backup vault). @@ -39,0 +38 @@ The following steps outline the recommended flow for setting up a recovery AWS o + 3. The management account in the primary organization is opted-in to Multi-party approval. @@ -40,0 +40 @@ The following steps outline the recommended flow for setting up a recovery AWS o +###### Tip @@ -42 +42 @@ The following steps outline the recommended flow for setting up a recovery AWS o -## Prerequisites and best practices for using Multi-party approval with a logically air-gapped vault +AWS Backup recommends you apply a Service Control Policy (SCP) to your primary organization and configure it with the appropriate permissions to the organization and to each approval team. See Multi-party approval terms section for a sample policy. @@ -44 +44 @@ The following steps outline the recommended flow for setting up a recovery AWS o -Before you can effectively and securely use Multi-party approval with your logically air-gapped vaults, there are prerequisites and recommended best practices. + 4. Your Multi-party approval team from the secondary (recovery) organization is [shared through AWS RAM](./multipartyapproval-tasks-administrator.html#share-multipartyapproval-team-using-ram) with both your accounts that own the logically air-gapped vault(s) and your recovery accounts. @@ -46 +45,0 @@ Before you can effectively and securely use Multi-party approval with your logic -**Best practices:** @@ -48 +46,0 @@ Before you can effectively and securely use Multi-party approval with your logic - * Two (or more) AWS organizations through Organizations. One should be your primary organization where you have one or more accounts that have at least one logically air-gapped vault. The secondary organization should be your recovery organization. It is in this org where your multi-party approval team will be managed. @@ -50,0 +49 @@ Before you can effectively and securely use Multi-party approval with your logic +## Required access policies @@ -51,0 +51 @@ Before you can effectively and securely use Multi-party approval with your logic +Before setting up Multi-party approval, configure the following access policies: @@ -53 +53 @@ Before you can effectively and securely use Multi-party approval with your logic -**Prerequisites** + * **Service Control Policy (SCP):** Apply an SCP to your primary organization to control which actions are allowed across accounts. The SCP should grant appropriate permissions to the organization and to each approval team. For more information about SCPs, see [Service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the _Organizations User Guide_. @@ -55 +55 @@ Before you can effectively and securely use Multi-party approval with your logic - 1. You have [Set up Multi-party approval](https://docs.aws.amazon.com/mpa/latest/userguide/setting-up.html) and have at least one approval team. + * **Multi-party approval team policy:** When you [create an approval team](https://docs.aws.amazon.com/mpa/latest/userguide/create-team.html#create-team-steps), attach the appropriate resource policy. For AWS Backup logically air-gapped vaults, use the policy `arn:aws:mpa::aws:policy/backup.amazonaws.com/CreateRestoreAccessVault`. To list available policies, run `aws mpa list-policies --region us-east-1`. Multi-party approval team resources can only be created and stored in US East (N. Virginia), so MPA commands must target this Region. @@ -57 +57 @@ Before you can effectively and securely use Multi-party approval with your logic - 2. At least one account in your primary organization must have a logically air-gapped vault (and the original backup vault). + * **AWS RAM sharing permissions:** When sharing your approval team across accounts, use the RAM permission `arn:aws:ram::aws:permission/AWSRAMMPAApprovalTeamAccess`. For more information, see [Share an approval team using AWS RAM](./multipartyapproval-tasks-administrator.html#share-multipartyapproval-team-using-ram). @@ -59 +59 @@ Before you can effectively and securely use Multi-party approval with your logic - 3. The management account in the primary organization is opted-in to Multi-party approval. + * **IAM permissions:** Users who interact with Multi-party approval need the appropriate IAM permissions, including `mpa:GetApprovalTeam`, `mpa:ListApprovalTeams`, `mpa:StartSession`, `mpa:CancelSession`, `mpa:GetSession`, and `mpa:ListSessions`. These permissions are included in the [AWSBackupFullAccess](https://docs.aws.amazon.com/aws-backup/latest/devguide/security-iam-awsmanpol.html) managed policy. @@ -61 +60,0 @@ Before you can effectively and securely use Multi-party approval with your logic -###### Tip @@ -63 +61,0 @@ Before you can effectively and securely use Multi-party approval with your logic -AWS Backup recommends you apply a Service Control Policy (SCP) to your primary organization and configure it with the appropriate permissions to the organization and to each approval team. See Multi-party approval terms section for a sample policy. @@ -65 +63,20 @@ AWS Backup recommends you apply a Service Control Policy (SCP) to your primary o - 4. Your Multi-party approval team from the secondary (recovery) organization is [shared through AWS RAM](./multipartyapproval-tasks-administrator.html#share-multipartyapproval-team-using-ram) with both your accounts that own the logically air-gapped vault(s) and your recovery accounts. + +## Set up Multi-party approval + +The following steps outline the recommended flow for setting up a recovery AWS organization, setting up Multi-party approval, and then using Multi-party approval with your logically air-gapped vaults: + + 1. An administrator [creates a new organization through Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started.html) to be used for recovery operations. + + 2. In the management account of this new organization, the administrator creates and configures an IAM Identity Center (IDC) instance (to enable an organization instance, see [Enable IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/enable-identity-center.html) in the _IAM Identity Center User Guide_. See also the sequence to [Create a Multi-party approval identity source](https://docs.aws.amazon.com/mpa/latest/userguide/setting-up.html) in the _Multi-party approval User Guide_. + + 3. The administrator then will [create an approval team](https://docs.aws.amazon.com/mpa/latest/userguide/create-team.html), the core group of trusted individuals who will be the primary users of Multi-party approval. + + 4. The administrator uses AWS RAM to [share an approval team](./multipartyapproval-tasks-administrator.html#share-multipartyapproval-team-using-ram) with each account that owns a logically air-gapped vault and the recovery account that needs to request access on that vault. + + 5. An administrator of the logically air-gapped vault owning account [associates the vault with an approval team](./multipartyapproval-tasks-requester.html#associate-multipartyapproval-team). + + 6. A recovery account [requests access](./multipartyapproval-tasks-requester.html#create-restore-access-vault) to an account that has a logically air-gapped vault with an associated Multi-party approval team (“team”). The team associated with the account [approves or denies the request](https://docs.aws.amazon.com/mpa/latest/userguide/respond-request.html). + + 7. The admin of the account of that owns the logically air-gapped vault can request that [the approval team be disassociated from the vault](./multipartyapproval-tasks-requester.html#disassociate-multipartyapproval-team). The request requires current team approval. + + 8. An administrator can [update approval team membership](https://docs.aws.amazon.com/mpa/latest/userguide/update-team.html) as necessary in accordance with their security practices or when people join or leave your organization.