AWS Storage Blog

Delegated administrator support for AWS Backup

[Update: 12/13/2022 – Under Step 2. Delegate backup policy in AWS Organizations console, the JSON policy paragraph and sample JSON policy were updated.]

Until today, backup administrators had to use the AWS Organizations management account to administer backup policies and monitor cross-account backup activities. However, the AWS Organizations management account should only be used for tasks that require it, as recommended in the best practices for AWS Organizations.

With AWS Backup cross-account management, you can centrally manage backup policies and monitor your backup, restore and copy jobs across the AWS accounts in your AWS Organization. The AWS team is excited to announce that you can now delegate the administration of backup policies and cross-account monitoring to member accounts in your AWS Organization. This means that you won’t need to use your management account to perform daily data protection tasks.

In this blog post, I walk through the process of delegating AWS Backup policy administration and jobs monitoring to a member account and share considerations while configuring this new functionality.

Walkthrough of process to add delegated administrator for backup

The cross-account management feature has two capabilities: the ability to create backup policies across an AWS Organization, and the ability to monitor cross-account backup, restore and copy jobs across all the member accounts to which backup policies have been applied.

Prerequisites

  • To delegate AWS Backup policy administration, you need credentials for the management account of your AWS Organization and the member account numbers you want to delegate administration to.
  • To delegate AWS Backup jobs monitoring, you need to enable cross-account management in AWS Backup. Refer to the documentation for more information.

To delegate both capabilities to a member account, a two-step process is required: first, register the member account in the AWS Backup console; then, delegate permissions to manage backup policies through the AWS Organizations console.

Step 1: Delegate jobs monitoring in AWS Backup console

1. Log in using your management account credentials and go to the AWS Backup console. Under Settings, scroll down to the new section, Delegated administrator.

Figure 1: Register delegated administrator

2. To register a delegated administrator, choose Register delegated administrator. This will display the list of accounts that belong to your organization. Select the account you want to delegate access to and choose Register delegated administrator.

Figure 2: Register delegated administrator

3. In the Settings section, under Delegated administrator you should now see the account that was registered.

Figure 3: Delegated administrator registration summary

Note: Up to 5 member accounts can be registered as delegated administrators.

Step 2. Delegate backup policy in AWS Organizations console

1. In the management account, open the AWS Organizations console, navigate to Settings, and scroll down to the new section called Delegated administrator for AWS Organizations. Select Delegate as shown in Figure 4.

Figure 4: Delegated administrator for AWS Organizations

2. In the JSON editor, define a policy for delegating AWS Backup administration using the same member account ID that was delegated jobs monitoring in AWS Backup in the previous step.

As a reference, use the following sample JSON policy, which provides permissions to fully administer backup policies. Remember to replace AWS-member-account-ID with the account ID you are delegating access to and AWS-management-account-ID with the account ID of your AWS Organizations management account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOrganizationsRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "AWS-member-account-ID"
      },
      "Action": [
        "organizations:Describe*",
        "organizations:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowBackupPoliciesCreation",
      "Effect": "Allow",
      "Principal": {
        "AWS": "AWS-member-account-ID"
      },
      "Action": [
        "organizations:CreatePolicy"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "organizations:PolicyType": "BACKUP_POLICY"
        }
      }
    },
    {
      "Sid": "AllowBackupPoliciesModification",
      "Effect": "Allow",
      "Principal": {
        "AWS": "AWS-member-account-ID"
      },
      "Action": [
        "organizations:DescribePolicy",
        "organizations:UpdatePolicy",
        "organizations:DeletePolicy"
      ],
      "Resource": [
        "arn:aws:organizations::AWS-management-account-ID:policy/*/backup_policy/*"
      ],
      "Condition": {
        "StringEquals": {
          "organizations:PolicyType": "BACKUP_POLICY"
        }
      }
    },
    {
      "Sid": "AllowBackupPoliciesAttachmentAndDetachmentToAllAccountsAndOUs",
      "Effect": "Allow",
      "Principal": {
        "AWS": "AWS-member-account-ID"
      },
      "Action": [
        "organizations:AttachPolicy",
        "organizations:DetachPolicy"
      ],
      "Resource": [
        "arn:aws:organizations::AWS-management-account-ID:root/*",
        "arn:aws:organizations::AWS-management-account-ID:ou/*",
        "arn:aws:organizations::AWS-management-account-ID:account/*",
        "arn:aws:organizations::AWS-management-account-ID:policy/*/backup_policy/*"
      ],
      "Condition": {
        "StringEquals": {
          "organizations:PolicyType": "BACKUP_POLICY"
        }
      }
    }
  ]
}

If you need to delegate permissions to more than one member account, use an array in the Principal section to list multiple account IDs. Here is an example of how that section looks with multiple account IDs.

"Principal": {
  "AWS": [
    "123456789012",
    "555555555555"
  ]
}
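Before pasting a policy like the one above into the AWS Organizations console, it is worth checking it for the mistakes that widen the delegation beyond backup policies. The following linter is an added example, not code from the original post or from AWS; it verifies that every principal is a real 12-digit account ID (single value or array, so the placeholders were replaced), that only the organizations actions granted by the sample policy appear, and that each statement able to create, modify, attach or detach policies carries the organizations:PolicyType = BACKUP_POLICY condition. The sample policy inside it is constructed for the demonstration.

```python
import json
import re
from fnmatch import fnmatch

# Actions the sample delegation policy above grants; anything else is reported.
ALLOWED_ACTIONS = {"organizations:Describe*", "organizations:List*",
                   "organizations:CreatePolicy", "organizations:DescribePolicy",
                   "organizations:UpdatePolicy", "organizations:DeletePolicy",
                   "organizations:AttachPolicy", "organizations:DetachPolicy"}
# Without the BACKUP_POLICY condition these actions would also cover SCPs and tag policies.
SCOPED_ACTIONS = {"organizations:CreatePolicy", "organizations:UpdatePolicy",
                  "organizations:DeletePolicy", "organizations:AttachPolicy",
                  "organizations:DetachPolicy"}
# Bare account ID as used in the post, or its arn:aws:iam::<id>:root form.
ACCOUNT_ID = re.compile(r"^(\d{12}|arn:aws:iam::\d{12}:root)$")

def as_list(value):  # IAM accepts a single string or a list in these fields
    return value if isinstance(value, list) else [value]

def check_delegation_policy(policy_json):
    """Lint a delegation policy document; returns a list of findings (empty = pass)."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):  # e.g. "Principal": "*"
            findings.append(f"{sid}: Principal must name member accounts, not {principal!r}")
            principal = {}
        for acct in as_list(principal.get("AWS", [])):
            if not ACCOUNT_ID.match(str(acct)):
                findings.append(f"{sid}: principal {acct!r} is not a 12-digit account ID")
        actions = as_list(stmt.get("Action", []))
        for action in actions:
            if not any(fnmatch(action, pattern) for pattern in ALLOWED_ACTIONS):
                findings.append(f"{sid}: action {action} is outside the backup-policy allow-list")
        if SCOPED_ACTIONS & set(actions):
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if cond.get("organizations:PolicyType") != "BACKUP_POLICY":
                findings.append(f"{sid}: missing organizations:PolicyType = BACKUP_POLICY condition")
        for res in as_list(stmt.get("Resource", [])):
            if "AWS-management-account-ID" in res:
                findings.append(f"{sid}: placeholder left in Resource {res}")
    return findings

# Constructed sample: statement 1 is fine; statement 2 keeps the placeholder, grants an
# action outside the allow-list and lacks the PolicyType condition.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowOrganizationsRead", "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": ["123456789012", "555555555555"]},
     "Action": ["organizations:Describe*", "organizations:List*"]},
    {"Sid": "AllowBackupPoliciesCreation", "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": "AWS-member-account-ID"},
     "Action": ["organizations:CreatePolicy", "organizations:TagResource"]}]})
```

Running check_delegation_policy(SAMPLE) reports three findings, all on the second statement; a policy built from the sample above with the placeholders replaced returns an empty list.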

Validation

Once the above steps have been completed, you can validate that the required permissions have been delegated. Log in to the account that was registered as delegated administrator, open the AWS Backup console and go to Settings. Under the Delegated administrator section, you should see the member account registered.

Within the AWS Backup console, select Cross-account monitoring from the side menu on the left of the screen, and confirm that you can monitor the status of backup, restore and copy activity across multiple accounts within your AWS Organization. Lastly, verify that you can create, delete and modify backup policies by going to Backup policies on the left of the screen.

Cleaning up

The delegated administrator capability does not incur any additional charges, but if you want to revert the configuration implemented through this blog post, you can de-register the delegated member account in the AWS Backup console and remove the policy in the AWS Organizations delegated administrator section.

Conclusion

In this post, we showed how to configure delegated administration for AWS Backup, delegating administration of backup policies and cross-account monitoring to non-management AWS accounts without requiring access to the AWS Organizations management account. This follows the AWS recommended best practice of restricting access to the management account, since you no longer need to use your management account to perform daily data protection tasks.

To learn more about AWS Backup cross-account management and delegated administration, see the AWS Backup documentation. Please let us know your feedback in the comments section and if you find this new functionality helpful, we would love to hear from you!

Enrique Ramirez

Enrique is a Senior Service Solutions Architect with the AWS Backup team. Based in Dallas, Texas, Enrique enjoys helping customers build their data protection solutions and diving deep into their business requirements to make sure their solutions are a perfect fit. When he’s not working, he loves to spend time with his family and travel around the world.