Profile Applicability:
 • Level 2

Description:

IAM roles for backup operations allow AWS Backup to perform necessary actions on behalf of users or services. These roles provide the necessary permissions to create and manage backups, such as initiating backup jobs, reading resource states, and storing data in backup vaults.

Rationale:

By creating specific IAM roles for backup operations, you ensure that only authorized entities can interact with the backup service and access backup data. These roles help enforce the principle of least privilege, reducing the risk of unauthorized backup-related operations.

Impact:

Pros:

  • Ensures that backup operations are managed by specific IAM roles with the appropriate permissions

  • Helps enforce least privilege by restricting access to only necessary services

  • Enhances auditability and control over backup actions

Cons:

  • Misconfigured roles could prevent backup jobs from running properly

  • Requires careful maintenance and regular review of IAM policies and roles

  • Adding too many permissions may expose sensitive backup data

Default Value:

By default, AWS Backup does not create IAM roles for backup operations. Roles must be explicitly created and assigned.

Pre-requisites:

  • IAM permissions to create and assign IAM roles (e.g., iam:CreateRole, iam:AttachRolePolicy)

  • Defined permissions based on least privilege

  • Backup vault and backup plan in place

  • AWS Backup service enabled

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to IAM > Roles

  3. Check if IAM roles for backup are created and appropriately named

  4. Review the permissions attached to the backup role

  5. Verify that backup roles are assigned to AWS Backup resources and have the necessary permissions

Using AWS CLI:

  1. List roles in the IAM account:

     aws iam list-roles

  2. Describe the backup role to check its configuration and trust policy:

     aws iam get-role --role-name <role-name>

  3. List policies attached to the backup role:

     aws iam list-attached-role-policies --role-name <role-name>

Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to IAM > Roles

  3. Click Create Role

  4. Choose AWS service and select Backup

  5. Assign necessary permissions to the role based on backup needs (e.g., AWSBackupServiceRolePolicyForBackup)

  6. Name the role (e.g., BackupServiceRole)

  7. Attach policies with appropriate permissions to interact with AWS Backup

  8. Complete the role creation process and assign it to the backup service

Using AWS CLI:

  1. Create a policy JSON file named backup-policy.json for the backup role permissions:

     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": [
             "backup:StartBackupJob",
             "backup:ListBackupVaults",
             "backup:CreateBackupPlan",
             "backup:DescribeBackupVault",
             "backup:DeleteBackupJob"
           ],
           "Resource": "*"
         }
       ]
     }

  2. Create the IAM policy:

     aws iam create-policy --policy-name BackupServicePolicy --policy-document file://backup-policy.json

  3. Create the backup role with the appropriate trust policy (trust-policy.json must allow the AWS Backup service to assume the role, matching the "AWS service > Backup" choice in the console steps):

     aws iam create-role --role-name BackupServiceRole --assume-role-policy-document file://trust-policy.json

  4. Attach the policy to the created backup role:

     aws iam attach-role-policy --role-name BackupServiceRole --policy-arn arn:aws:iam::<account-id>:policy/BackupServicePolicy
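The test plan above says to review the backup role's trust policy and attached permissions but leaves the review itself manual. The following is an added example, not part of this benchmark or of AWS tooling, that audits the two things a reviewer checks: that only the AWS Backup service principal (backup.amazonaws.com) can assume the role, and that the attached policy enumerates actions rather than granting wildcards. The sample role and policy are constructed inline in the shape `aws iam get-role` and a policy document take; the account id and the second trust statement are invented to produce findings.

```python
import json

BACKUP_SERVICE_PRINCIPAL = "backup.amazonaws.com"  # the only principal a backup role should trust
# Constructed sample of `aws iam get-role --role-name BackupServiceRole` output, trimmed to the
# fields the audit needs; the second trust statement is deliberately over-broad to show a finding.
SAMPLE_ROLE = json.loads("""{"Role": {"RoleName": "BackupServiceRole",
  "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "backup.amazonaws.com"}, "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "sts:AssumeRole"}
  ]}}}""")

# Constructed sample policy document: the page's backup-policy.json actions plus one wildcard grant.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["backup:StartBackupJob", "backup:ListBackupVaults", "backup:DescribeBackupVault"]},
    {"Effect": "Allow", "Action": "backup:*", "Resource": "*"},
]}


def _as_list(value):
    # IAM accepts either a single string or a list for Service, Action and Resource.
    return value if isinstance(value, list) else [value]


def trust_findings(role):
    """Flag trust statements that let anything other than the AWS Backup service assume the role."""
    findings = []
    for st in role["Role"]["AssumeRolePolicyDocument"]["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        ok = (isinstance(principal, dict) and set(principal) == {"Service"}
              and all(s == BACKUP_SERVICE_PRINCIPAL for s in _as_list(principal["Service"])))
        if not ok:
            findings.append(f"trust: non-Backup principal may assume the role: {principal}")
    return findings


def permission_findings(policy_doc):
    """Flag grants that widen the role beyond the enumerated backup actions."""
    findings = []
    for st in policy_doc["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st or "NotResource" in st:
            findings.append("permissions: NotAction/NotResource grant cannot be bounded")
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"permissions: wildcard action {action}")
    return findings
```

To audit a real role, load the output of `aws iam get-role` into `trust_findings` and each attached policy's default version document into `permission_findings`; an empty list from both is the expected result for a correctly scoped backup role.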

Backout Plan:

Using AWS Console:

  1. Navigate to IAM > Roles

  2. Search for the BackupServiceRole

  3. Detach the policy and delete the role if not needed

  4. Review other IAM policies to ensure backup permissions are removed

Using AWS CLI:

  1. Detach the policy from the role:

     aws iam detach-role-policy --role-name BackupServiceRole --policy-arn arn:aws:iam::<account-id>:policy/BackupServicePolicy

  2. Delete the backup role:

     aws iam delete-role --role-name BackupServiceRole

References: