AWS Storage Blog

Managing access to backups using service control policies with AWS Backup

Effective and reliable ways of securing data are important to any organization, and every business must address the protection of valuable information. When thinking about security in the cloud, an important consideration is reducing the surface area of negative impacts using a strategic data protection plan. Your data protection plan should mitigate the risk of security events such as inadvertent access and data exfiltration. As a result, organizations are establishing security controls and zero trust architecture to continuously monitor and validate that a user has the right permission to data, and ensure recoverability from security events.

As customers scale their workloads or migrate into AWS, they may need to centrally manage permissions to their backup vaults and operations. In this blog post, we show you how to secure your AWS Backup data and operations using service control policies (SCPs). We also implement a sample policy across a multi-account environment using the SCP policy editor. You can use SCPs to implement centralized control over the maximum available permissions for all accounts in your organization. This offers defense in depth and ensures your users stay within the defined access control guidelines.

Solution overview

To start the walkthrough of this solution, we outline recommended SCPs you can use to secure your AWS Backup data and operations. SCPs define guardrails, or set limits, on the actions that your account administrator can delegate to IAM users and roles. SCPs use the AWS Identity and Access Management (IAM) policy language; however, they do not grant user permissions. Rather, they offer the maximum available permissions for all accounts in your organization. For example, if your SCP explicitly denies an action for an account, it overrides any existing permission, and none of your principals can take that action. For more information, see the documentation on determining whether a request is allowed or denied within an account.

The following diagram shows the high-level architecture and AWS resources that are deployed by implementing the outlined steps:

How to secure AWS Backup using SCPs

Figure 1. How to secure AWS Backup using SCPs

The solution architecture is depicted in the preceding Figure 1. The architecture uses AWS Organizations to scale the protection of backup operations and data. AWS Organizations helps you to centrally manage, govern, automate, and scale AWS resources across your accounts. The solution uses SCPs at the organization level to implement permission boundaries or guardrails. You can use the policy editor in the AWS Organizations console to create your SCPs. Using the SCP editor makes it easier to author SCPs by guiding you to add actions, resources, and conditions.

Let’s go through the process flow to understand what happens at each step as shown in Figure 1:

  1. Create SCPs and deploy them in the AWS Organizations console.
  2. AWS Organizations enforces the SCPs across your member accounts.
  3. The SCPs are inherited by your AWS Backup resources.

Prerequisites

For this walkthrough, you need the following:

  1. AWS accounts that belong to AWS Organizations, including a management account. For more information, see the documentation on creating and configuring an organization.
  2. Knowledge of service control policies.
  3. Ensure you have enabled all features in AWS Organizations and SCPs through the AWS Organizations console.
  4. Create sample AWS Backup IAM roles outlined in the next section.

Note: It is important to note that SCPs can potentially block access to IAM users and service roles. If SCPs are used incorrectly, they can impact your production workloads. We recommend testing SCPs in non-production environments before enabling them in production. SCPs don’t affect users or roles in the management account. They affect only the member accounts in your organizations.

Recommended SCPs to secure your AWS Backup data and operations

  1. Restrict administrative operations in AWS Backup

This SCP prevents all principals, except a specified AWS Backup role with service permission, from carrying out administrative operations in AWS Backup. You can define conditions for when the policy is in effect. The administrative operations include the following: create a backup vault, plan, and selection; delete a backup vault, plan, selection; update a backup plan; start a backup job, copy job, and restore job; and stop a backup job.

The following example denies all principals across your member accounts of the specified actions, except any role that starts with the IAM role prefix: AWSBackupRoleWithServicePermissions-*.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAdminServiceOperations",
      "Effect": "Deny",
      "Action": [
				"backup:CreateBackupVault",
				"backup:DeleteBackupVault",
				"backup:CreateBackupSelection",
				"backup:DeleteBackupSelection",
				"backup:CreateBackupPlan",
				"backup:DeleteBackupPlan",
				"backup:UpdateBackupPlan",
				"backup:StartBackupJob",
				"backup:StartCopyJob",
				"backup:StartRestoreJob",
				"backup:StopBackupJob"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:role/AWSBackupRoleWithServicePermissions-*"
          ]
        }
      }
    }
  ]
}
  1. Restrict tampering with AWS Backup vault

Another common use case is to restrict the operations on AWS Backup vault to an IAM role. This ensures that only privileged users can modify the backup vault configurations. The restricted operations include the following API calls: create, update, or delete vault notification settings; create, update, or delete a vault access policy; and delete a backup vault.

 The following example denies all principals across your member accounts of the specified actions, except any role that start with the IAM role prefix:

AWSBackupRoleWithVaultPermissions-*.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyVaultOperations",
      "Effect": "Deny",
      "Action": [
			"backup:PutBackupVaultNotifications",
			"backup:DeleteBackupVaultNotifications",			 
            "backup:PutBackupVaultAccessPolicy",
			"backup:DeleteBackupVaultAccessPolicy",
			"backup:DeleteBackupVault"         
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:role/AWSBackupRoleWithVaultPermissions-*"
          ]
        }
      }
    }
  ]
}
  1. Restrict operations on AWS Backup vault contents

To ensure defense in depth, there could be a use case to restrict the operations performed on the contents of a backup vault to a specific IAM role. This SCP can be used to protect your backups in case of account compromise. This role would be designated to manage the contents of the vault. The restricted operations include the following API calls: copy into a backup vault; delete and disassociate a recovery point; and update a recovery point lifecycle.

The following example denies all principals across your member accounts of the specified actions, except any role that start with the IAM role prefix:

AWSBackupRoleWithVaultContentPermissions-*.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyVaultContentOperations",
      "Effect": "Deny",
      "Action": [
            "backup:CopyIntoBackupVault",
            "backup:DeleteRecoveryPoint",
            "backup:DisassociateRecoveryPoint",
            "backup:UpdateRecoveryPointLifecycle"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:role/AWSBackupRoleWithVaultContentPermissions-*"
          ]
        }
      }
    }
  ]
}
  1. Mitigate data exfiltration from AWS Backup vault

This SCP is a common request from AWS customers. The policy intends to apply restrictions to ensure that only privileged IAM roles are permitted to use the data in the backup vault. The restricted operations include the following API calls: copy from a backup vault; start a copy job; and start a restore job.

The following example denies all principals across your member accounts of the specified actions, except any role that start with the IAM role prefix:

AWSBackupRoleDataPermissions-*.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyVaultContentExfiltrationOperations",
      "Effect": "Deny",
      "Action": [
			"backup:CopyFromBackupVault",
			"backup:StartCopyJob",
			"backup:StartRestoreJob"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:role/AWSBackupRoleWithDataPermissions-*"
          ]
        }
      }
    }
  ]
}
  1. Restrict tag operations on AWS Backup resources

This SCP enforces tag operations on AWS Backup resources. It restricts IAM roles that can assign or remove a set of key-value pairs to a recovery point, backup plan, or backup vault. The following example denies all principals across your member accounts of the specified actions, except any role that start with the IAM role prefix: AWSBackupRoleWithTagPermissions-*.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyTagOperations",
      "Effect": "Deny",
      "Action": [
 			"backup:UntagResource",
    			"backup:TagResource"            
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:role/AWSBackupRoleWithTagPermissions-*"
          ]
        }
      }
    }
  ]
}
  1. Control access to AWS Backup resources using tags

You can use IAM conditions in your AWS Backup SCPs to control access to specific backup resources based on the tags on that resource. This can be done using the global aws:ResourceTag/TAG-KEY condition key. AWS Backup also defines the condition keys that can be used as a condition element of an IAM policy. You can use the keys to refine your SCP policy statements. For more information, see the documentation on actions, resources, and condition keys for AWS Backup. The following example denies all principals across your member accounts from deleting AWS Backup vaults created with the tag key environment, and tag value demo.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyTagBasedOperations",
      "Effect": "Deny",
      "Action": [
        "backup:DeleteBackupVault"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/environment": [
            "demo"
          ]
        }
      }
    }
  ]
}

Implementing SCPs at scale

You can use the AWS Management Console to create and deploy AWS Backup SCPs across your multi-account environment.

Deployment steps

The following steps require you to create and deploy your SCPs using the AWS Organizations console.

  1. Navigate to the AWS Organizations service control policies console, and then select Create policy.

(updated) Figure 2 - Select Create Policy on the Service control policies console

Figure 2: Select Create Policy on the Service control policies console

  1. Enter a Policy name and Policy description that will help you quickly identify the actions in the policy. Assign a tag value and key to your SCP. In this example, we use the following:
    • Policy name: DenyVaultContentOperations
    • Policy Description: Prevent the operations performed on the contents of backup vaults.
    • Tag Key: operations
    • Tag Value: non-production

Figure 3 - Enter your policy metadata (name, description, and tags)

Figure 3: Enter your policy metadata (name, description, and tags)

  1. You are presented with a JSON policy editor. The policy editor provides an empty statement to get you started, and it allows you to specify a list of Actions, Resources, Conditions, and Statement ID as shown in the following Figure 4.
  2. In the right panel: 1) select the Backup service and add the actions you want to restrict; 2) specify the resource type and ARN; 3) specify an optional condition key. Change the Statement ID to a phrase that describes the actions performed by the statement.

JSON policy editor

Figure 4: The policy editor

In this example, we select the following actions from the list to deny all backup vault content operations, and we specify all resource types:

  • backup:CopyIntoBackupVault
  • backup:DeleteRecoveryPoint
  • backup:DisassociateRecoveryPoint
  • backup:UpdateRecoveryPointLifecycle

You can create an exception for your backup service role by specifying its Principal ARN in the condition key, and selecting the appropriate IAM operator. In this example, we exclude any role that begins with AWSBackupRoleWithDataPermissions from the SCP using the following condition:

  • Condition key: aws:PrincipalArn
  • Qualifier: Default
  • Operator: StringNotLike
  • Value: arn:aws:iam::*:role/AWSBackupRoleWithDataPermissions-*
  1. Your policy should look like the following Figure 5. You can add multiple statements to your SCP by selecting Add new statement.

Figure 5 - Sample SCP to deny backup vault content operations

Figure 5: Sample SCP to deny backup vault content operations

For more information, see the documentation on creating, updating, and deleting service control policies.

  1. Select Create policy button to create your SCP. The newly created policy would appear in the list of your SCPs.
  2. On the Service control policies page, choose the name of the policy. On the Action tab, choose Attach policy. Choose the radio button next to the root organizational unit (OU), or select an account or OU that you want to attach the policy to. Finally, select Attach policy

Figure 6 - attach SCP to OU

Figure 6: Attach SCP to OU

You have now successfully created and attached an SCP. For more information, see the documentation on Attaching and detaching service control policies.

Cleaning up

To delete the SCP created in this solution, you must first detach the SCP from all attached entities and Delete the policy from the Service control policies page. If you want to read more about deleting SCPs, see the documentation on creating, updating, and deleting service control policies.

Conclusion

In this blog post, we showed you the necessary SCPs to manage access to your AWS Backup data and operations. We also present how to create and apply a sample SCP from a management account to effectively manage permissions related to AWS Backup in your organization. This mechanism enables you to apply a data protection plan at scale across your cloud backups and mitigate the risk of security events such as inadvertent access and data exfiltration.

To get started on AWS or to learn more about building a well-architected AWS environment, visit the AWS Backup Getting Started page for guidance.

Thank you for reading this blog. If you have any feedback or questions, please leave them in the comments section.

Further Reading

Sabith Venkitachalapathy

Sabith Venkitachalapathy

Sabith Venkitachalapathy is an Enterprise Solutions Architect at AWS, where he helps customers architect and manage regulated multi-account environments on AWS to solve a range of business needs. He specializes in the Financial Services industry. Outside of work, he enjoys cooking, traveling, and spending time with his family.

Ibukun Oyewumi

Ibukun Oyewumi

Ibukun Oyewumi is a Security Assurance Consultant at AWS. He focuses on helping customers architect, build, scale, and optimize security controls, risk management, and compliance.