Introduction
This post covers the points to watch when designing BackupVault access policies for the AWS Backup service.
BackupVault access policy
The AWS Backup service supports a resource-based policy called the BackupVault access policy. Not every action in the AWS Backup service can be written into a BackupVault access policy: there are actions whose resource type is backupVault that still cannot be specified there. This post lists which AWS Backup actions can and cannot be used in a BackupVault access policy.
AWS Backup resource-based policies
BackupVault access policy
A BackupVault access policy lets you control which actions specific principals (IAM users, IAM roles, or other AWS accounts) may perform against the BackupVault. However, some actions cannot be specified in a BackupVault access policy.
If you define a Backup action that the BackupVault access policy does not support, the policy is rejected with the error "Policy Statement action out of service scope", meaning the action in the policy statement is outside the service's scope. This happens because the action is defined as one the BackupVault access policy does not support.
The table below lists which actions can be applied to a BackupVault policy.
List of actions usable in a BackupVault access policy
| Service action | Resource type | Usable in BackupVault policy |
|---|---|---|
| CopyIntoBackupVault | backupVault | ○ |
| DeleteBackupVault | backupVault | ○ |
| DeleteBackupVaultAccessPolicy | backupVault | ○ |
| DeleteBackupVaultLockConfiguration | backupVault | ○ |
| DeleteBackupVaultNotifications | backupVault | ○ |
| DescribeBackupVault | backupVault | ○ |
| GetBackupVaultAccessPolicy | backupVault | ○ |
| GetBackupVaultNotifications | backupVault | ○ |
| ListRecoveryPointsByBackupVault | backupVault | ○ |
| PutBackupVaultAccessPolicy | backupVault | ○ |
| PutBackupVaultLockConfiguration | backupVault | ○ |
| PutBackupVaultNotifications | backupVault | ○ |
| StartBackupJob | backupVault | ○ |
| CreateBackupVault | backupVault | × |
| CreateLogicallyAirGappedBackupVault | backupVault | × |
| DeleteBackupVaultSharingPolicy | backupVault | × |
| GetBackupVaultSharingPolicy | backupVault | × |
| ListProtectedResourcesByBackupVault | backupVault | × |
| PutBackupVaultSharingPolicy | backupVault | × |
| CopyFromBackupVault | recoveryPoint | ○ |
| DeleteRecoveryPoint | recoveryPoint | ○ |
| DescribeRecoveryPoint | recoveryPoint | ○ |
| DisassociateRecoveryPoint | recoveryPoint | ○ |
| DisassociateRecoveryPointFromParent | recoveryPoint | ○ |
| GetRecoveryPointRestoreMetadata | recoveryPoint | ○ |
| StartCopyJob | recoveryPoint | ○ |
| StartRestoreJob | recoveryPoint | ○ |
| UpdateRecoveryPointLifecycle | recoveryPoint | ○ |
| CreateBackupPlan | backupPlan | × |
| CreateBackupSelection | backupPlan | × |
| DeleteBackupPlan | backupPlan | × |
| DeleteBackupSelection | backupPlan | × |
| GetBackupPlan | backupPlan | × |
| GetBackupSelection | backupPlan | × |
| ListBackupPlanVersions | backupPlan | × |
| ListBackupSelections | backupPlan | × |
| UpdateBackupPlan | backupPlan | × |
| CreateFramework | framework | × |
| DeleteFramework | framework | × |
| DescribeFramework | framework | × |
| UpdateFramework | framework | × |
| CancelLegalHold | legalHold | × |
| CreateLegalHold | legalHold | × |
| GetLegalHold | legalHold | × |
| ListRecoveryPointsByLegalHold | legalHold | × |
| DescribeBackupJob | not required | × |
| DescribeCopyJob | not required | × |
| DescribeGlobalSettings | not required | × |
| DescribeProtectedResource | not required | × |
| DescribeRegionSettings | not required | × |
| DescribeReportJob | not required | × |
| DescribeRestoreJob | not required | × |
| ExportBackupPlanTemplate | not required | × |
| GetBackupPlanFromJSON | not required | × |
| GetBackupPlanFromTemplate | not required | × |
| GetSupportedResourceTypes | not required | × |
| ListBackupJobs | not required | × |
| ListBackupPlans | not required | × |
| ListBackupPlanTemplates | not required | × |
| ListBackupVaults | not required | × |
| ListCopyJobs | not required | × |
| ListFrameworks | not required | × |
| ListLegalHolds | not required | × |
| ListProtectedResources | not required | × |
| ListRecoveryPointsByResource | not required | × |
| ListReportJobs | not required | × |
| ListReportPlans | not required | × |
| ListRestoreJobs | not required | × |
| ListTags | not required | × |
| StopBackupJob | not required | × |
| TagResource | not required | × |
| UntagResource | not required | × |
| UpdateGlobalSettings | not required | × |
| UpdateRegionSettings | not required | × |
| CreateReportPlan | reportPlan | × |
| DeleteReportPlan | reportPlan | × |
| DescribeReportPlan | reportPlan | × |
Sample access policy covering every action usable in a BackupVault access policy (this is the policy document itself; in CloudFormation it is the value of the AccessPolicy property of an AWS::Backup::BackupVault resource)

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::[youraccount]:root"
      },
      "Action": [
        "backup:CopyFromBackupVault",
        "backup:CopyIntoBackupVault",
        "backup:DeleteBackupVault",
        "backup:DeleteBackupVaultAccessPolicy",
        "backup:DeleteBackupVaultLockConfiguration",
        "backup:DeleteBackupVaultNotifications",
        "backup:DeleteRecoveryPoint",
        "backup:DescribeBackupVault",
        "backup:DescribeRecoveryPoint",
        "backup:DisassociateRecoveryPoint",
        "backup:DisassociateRecoveryPointFromParent",
        "backup:GetBackupVaultAccessPolicy",
        "backup:GetBackupVaultNotifications",
        "backup:GetRecoveryPointRestoreMetadata",
        "backup:ListRecoveryPointsByBackupVault",
        "backup:PutBackupVaultAccessPolicy",
        "backup:PutBackupVaultLockConfiguration",
        "backup:PutBackupVaultNotifications",
        "backup:StartBackupJob",
        "backup:StartCopyJob",
        "backup:StartRestoreJob",
        "backup:UpdateRecoveryPointLifecycle"
      ],
      "Resource": "*"
    }
  ]
}
```
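The script below is added here as a worked example; it is not code from the original post. It turns the table above into a pre-flight linter: before `PutBackupVaultAccessPolicy` is called, it reports the actions that would be rejected with "Policy Statement action out of service scope", and it separately flags the in-scope actions that can delete recovery points or weaken the vault's own lock and access policy when an Allow statement grants them to a principal outside the owning account. The in-scope action set is transcribed from the table; the "destructive" set, the wildcard handling (patterns are expanded against the table only), the `apply_vault_policy` helper and the fake account IDs in the sample policies are this example's own assumptions.

```python
"""Pre-flight linter for AWS Backup vault access policies (added example)."""
import fnmatch
import json
from typing import List, Union

# Transcribed from the table above: the actions (resource types backupVault and
# recoveryPoint) that a BackupVault access policy accepts. Any other backup:*
# action makes PutBackupVaultAccessPolicy fail with
# "Policy Statement action out of service scope".
VAULT_SCOPE_ACTIONS = frozenset({
    "backup:CopyFromBackupVault", "backup:CopyIntoBackupVault",
    "backup:DeleteBackupVault", "backup:DeleteBackupVaultAccessPolicy",
    "backup:DeleteBackupVaultLockConfiguration", "backup:DeleteBackupVaultNotifications",
    "backup:DeleteRecoveryPoint", "backup:DescribeBackupVault",
    "backup:DescribeRecoveryPoint", "backup:DisassociateRecoveryPoint",
    "backup:DisassociateRecoveryPointFromParent", "backup:GetBackupVaultAccessPolicy",
    "backup:GetBackupVaultNotifications", "backup:GetRecoveryPointRestoreMetadata",
    "backup:ListRecoveryPointsByBackupVault", "backup:PutBackupVaultAccessPolicy",
    "backup:PutBackupVaultLockConfiguration", "backup:PutBackupVaultNotifications",
    "backup:StartBackupJob", "backup:StartCopyJob", "backup:StartRestoreJob",
    "backup:UpdateRecoveryPointLifecycle",
})

# Assumption of this example: in-scope actions that can destroy backups or
# loosen the vault's own protections, worth a second look when granted
# outside the owning account.
DESTRUCTIVE_ACTIONS = frozenset({
    "backup:DeleteBackupVault", "backup:DeleteBackupVaultAccessPolicy",
    "backup:DeleteBackupVaultLockConfiguration", "backup:DeleteRecoveryPoint",
    "backup:PutBackupVaultAccessPolicy", "backup:PutBackupVaultLockConfiguration",
    "backup:UpdateRecoveryPointLifecycle",
})


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def _statements(policy: dict) -> List[dict]:
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def find_out_of_scope(policy: dict) -> List[str]:
    """Actions in the policy that a vault access policy does not support.

    Wildcards are matched against VAULT_SCOPE_ACTIONS only (assumption);
    a pattern that matches nothing in scope is reported as-is.
    """
    bad = set()
    for stmt in _statements(policy):
        if "NotAction" in stmt:
            raise ValueError("NotAction statements are not checked by this linter")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action or "?" in action:
                if not fnmatch.filter(VAULT_SCOPE_ACTIONS, action):
                    bad.add(action)
            elif action not in VAULT_SCOPE_ACTIONS:
                bad.add(action)
    return sorted(bad)


def _principal_accounts(principal) -> List[str]:
    """Account IDs named by a Principal element ('*' for anyone)."""
    if principal == "*":
        return ["*"]
    accounts = []
    for arn in _as_list(principal.get("AWS", [])):
        # arn:aws:iam::123456789012:root|user/x|role/y, or a bare account ID / "*"
        accounts.append(arn.split(":")[4] if arn.startswith("arn:") else arn)
    return accounts


def cross_account_destructive(policy: dict, own_account: str) -> List[str]:
    """Destructive in-scope actions that Allow statements grant outside own_account."""
    flagged = set()
    for stmt in _statements(policy):
        if stmt.get("Effect") != "Allow":
            continue
        if all(a == own_account for a in _principal_accounts(stmt.get("Principal", {}))):
            continue
        for action in _as_list(stmt.get("Action", [])):
            flagged.update(fnmatch.filter(DESTRUCTIVE_ACTIONS, action))
    return sorted(flagged)


def build_vault_policy(account_id: str, actions=VAULT_SCOPE_ACTIONS) -> dict:
    """The policy shape used in the post: one Allow for the account root, Resource '*'."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": sorted(actions),
        "Resource": "*",
    }]}


def apply_vault_policy(backup_client, vault_name: str, policy: dict) -> None:
    """Lint, then set the policy via boto3 (needs a real client; not run here)."""
    bad = find_out_of_scope(policy)
    if bad:
        raise ValueError(f"actions out of vault-policy scope: {bad}")
    backup_client.put_backup_vault_access_policy(
        BackupVaultName=vault_name, Policy=json.dumps(policy))


# Constructed sample inputs with fake account IDs (assumptions of this example).
OWN_ACCOUNT = "111122223333"
GOOD_POLICY = build_vault_policy(OWN_ACCOUNT)
BAD_POLICY = build_vault_policy(
    OWN_ACCOUNT, sorted(VAULT_SCOPE_ACTIONS) + ["backup:ListBackupVaults", "backup:CreateBackupPlan"])
CROSS_ACCOUNT_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
    "Action": ["backup:CopyIntoBackupVault", "backup:DeleteRecoveryPoint"],
    "Resource": "*",
}]}

if __name__ == "__main__":
    print(find_out_of_scope(GOOD_POLICY))   # []
    print(find_out_of_scope(BAD_POLICY))    # ['backup:CreateBackupPlan', 'backup:ListBackupVaults']
    print(cross_account_destructive(CROSS_ACCOUNT_POLICY, OWN_ACCOUNT))  # ['backup:DeleteRecoveryPoint']
```

Run it as a script to see the three checks on the constructed policies; the boto3 call inside `apply_vault_policy` is only reached when you pass a real `backup` client, so the module itself runs offline. The second check is the one the table does not give you: `DeleteRecoveryPoint`, `DeleteBackupVaultLockConfiguration` and `PutBackupVaultAccessPolicy` are all valid in a vault policy, so nothing stops you from granting them to another account, and a compromised principal there could then erase the backups the vault exists to protect.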
