LoginSignup
2
0
@jonhyoku_imuin株式会社セゾンテクノロジー

BackupポリシーとBackupVaultポリシーに適用可能なポリシー

Posted at

はじめに

今回AWS BackupサービスのBackupVaultアクセスポリシーを設計する際の注意点をご紹介したいと思います。

BackupVaultアクセスポリシー

AWS Backupサービスでは、リソースベースポリシーとしてBackupVaultアクセスポリシーが利用できます。AWS Backupサービスの対象ActionでもすべてBackupVaultアクセスポリシーに定義できるわけではありませ。ActionのResource TypeがBackupvault`であっても、BackupVaultアクセスポリシーとして指定できないアクションも存在します。今回はAWS Backupのアクションのうち、BackupVaultアクセスポリシーとして指定可能なアクションと指定不可能なアクションを紹介します。

AWS Backupのリソースベースポリシー

BackupVaultアクセスポリシー

BackupVaultアクセスポリシーを使用することで、特定のユーザーやグループがBackupVaultに対して実行できるアクションを制御できます。ただし、いくつかのアクションはBackupVaultアクセスポリシーとして指定できません。
BackupVaultアクセスポリシーで指定できないBackupのActionを定義すると
"Policy Statement action out of service scope"というポリシーステートメントのアクションはサービス範囲外というエラーが出ます。

02.PNG

これはBackupVaultアクセスポリシーがサポートしないactionとして定義されているからです。
以下はBackupVaultポリシーに適用できるactionをリスト化しました。

BackupVaultのAccess policyに適用可能なAction一覧

Service Action Resource Type BackupVaultポリシーに適用
CopyIntoBackupVault backupVault
DeleteBackupVault backupVault
DeleteBackupVaultAccessPolicy backupVault
DeleteBackupVaultLockConfiguration backupVault
DeleteBackupVaultNotifications backupVault
DescribeBackupVault backupVault
GetBackupVaultAccessPolicy backupVault
GetBackupVaultNotifications backupVault
ListRecoveryPointsByBackupVault backupVault
PutBackupVaultAccessPolicy backupVault
PutBackupVaultLockConfiguration backupVault
PutBackupVaultNotifications backupVault
StartBackupJob backupVault
CreateBackupVault backupVault ×
CreateLogicallyAirGappedBackupVault backupVault ×
DeleteBackupVaultSharingPolicy backupVault ×
GetBackupVaultSharingPolicy backupVault ×
ListProtectedResourcesByBackupVault backupVault ×
PutBackupVaultSharingPolicy backupVault ×
CopyFromBackupVault recoveryPoint
DeleteRecoveryPoint recoveryPoint
DescribeRecoveryPoint recoveryPoint
DisassociateRecoveryPoint recoveryPoint
DisassociateRecoveryPointFromParent recoveryPoint
GetRecoveryPointRestoreMetadata recoveryPoint
StartCopyJob recoveryPoint
StartRestoreJob recoveryPoint
UpdateRecoveryPointLifecycle recoveryPoint
CreateBackupPlan backupPlan ×
CreateBackupSelection backupPlan ×
DeleteBackupPlan backupPlan ×
DeleteBackupSelection backupPlan ×
GetBackupPlan backupPlan ×
GetBackupSelection backupPlan ×
ListBackupPlanVersions backupPlan ×
ListBackupSelections backupPlan ×
UpdateBackupPlan backupPlan ×
CreateFramework framework ×
DeleteFramework framework ×
DescribeFramework framework ×
UpdateFramework framework ×
CancelLegalHold legalHold ×
CreateLegalHold legalHold ×
GetLegalHold legalHold ×
ListRecoveryPointsByLegalHold legalHold ×
DescribeBackupJob not required ×
DescribeCopyJob not required ×
DescribeGlobalSettings not required ×
DescribeProtectedResource not required ×
DescribeRegionSettings not required ×
DescribeReportJob not required ×
DescribeRestoreJob not required ×
ExportBackupPlanTemplate not required ×
GetBackupPlanFromJSON not required ×
GetBackupPlanFromTemplate not required ×
GetSupportedResourceTypes not required ×
ListBackupJobs not required ×
ListBackupPlans not required ×
ListBackupPlanTemplates not required ×
ListBackupVaults not required ×
ListCopyJobs not required ×
ListFrameworks not required ×
ListLegalHolds not required ×
ListProtectedResources not required ×
ListRecoveryPointsByResource not required ×
ListReportJobs not required ×
ListReportPlans not required ×
ListRestoreJobs not required ×
ListTags not required ×
StopBackupJob not required ×
TagResource not required ×
UntagResource not required ×
UpdateGlobalSettings not required ×
UpdateRegionSettings not required ×
CreateReportPlan reportPlan ×
DeleteReportPlan reportPlan ×
DescribeReportPlan reportPlan ×

BackupVaultのAccess policyに適用可能なAction一覧を適用したCFnサンプル

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::[youraccount]:root"
            },
            "Action": [
                "backup:CopyFromBackupVault",
                "backup:CopyIntoBackupVault",
                "backup:DeleteBackupVault",
                "backup:DeleteBackupVaultAccessPolicy",
                "backup:DeleteBackupVaultLockConfiguration",
                "backup:DeleteBackupVaultNotifications",
                "backup:DeleteRecoveryPoint",
                "backup:DescribeBackupVault",
                "backup:DescribeRecoveryPoint",
                "backup:DisassociateRecoveryPoint",
                "backup:DisassociateRecoveryPointFromParent",
                "backup:GetBackupVaultAccessPolicy",
                "backup:GetBackupVaultNotifications",
                "backup:GetRecoveryPointRestoreMetadata",
                "backup:ListRecoveryPointsByBackupVault",
                "backup:PutBackupVaultAccessPolicy",
                "backup:PutBackupVaultLockConfiguration",
                "backup:PutBackupVaultNotifications",
                "backup:StartBackupJob",
                "backup:StartCopyJob",
                "backup:StartRestoreJob",
                "backup:UpdateRecoveryPointLifecycle"
            ],
            "Resource": "*"
        }
    ]
}
2
0
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
Sign upLogin
2
0