Delegated administrator support for Amazon Web Services Backup

by Enrique Ramirez | on

[Update: 12/13/2022 – Under Step 2. Delegate backup policy in Amazon Web Services Organizations console, the JSON policy paragraph and sample JSON policy were updated.]

Until today, backup administrators had to use the Amazon Web Services Organizations management account to administer backup policies and monitor cross-account backup activities. However, the best practices for Amazon Web Services Organizations recommend that the management account be used only for the tasks that require it.

With Amazon Web Services Backup cross-account management, you can centrally manage backup policies and monitor your backup, restore, and copy jobs across Amazon Web Services accounts in an Amazon Web Services Organization. The Amazon Web Services team is excited to announce that you can now delegate the administration of backup policies and cross-account monitoring to member accounts in your Amazon Web Services Organization. This means that you no longer need to use your management account to perform daily data protection tasks.

In this blog post, I walk through the process of delegating Amazon Web Services Backup policy administration and jobs monitoring to a member account and share considerations while configuring this new functionality.

Walkthrough of process to add delegated administrator for backup

The cross-account management feature has two capabilities: first, the ability to create backup policies across an Amazon Web Services Organization, and second, the ability to monitor cross-account backup, restore, and copy jobs across all the member accounts to which backup policies have been applied.

Prerequisites

  • To delegate Amazon Web Services Backup policy administration, you need credentials for the management account of your Amazon Web Services Organization and the member account numbers you want to delegate administration to.
  • To delegate Amazon Web Services Backup jobs monitoring, you need to enable cross-account management in Amazon Web Services Backup. Refer to the documentation for more information.

Delegating both capabilities to a member account is a two-step process: first, register the member account in the Amazon Web Services Backup console; then, delegate permissions to manage backup policies through the Amazon Web Services Organizations console.

Step 1: Delegate jobs monitoring in Amazon Web Services Backup console

1. Log in using your management account credentials and go to the Amazon Web Services Backup console. Under Settings, scroll down to the new section, Delegated administrator.


Figure 1: Register delegated administrator

2. To register a delegated administrator, choose Register delegated administrator. This will display the list of accounts that belong to your organization. Select the account you want to delegate access to and choose Register delegated administrator.


Figure 2: Register delegated administrator

3. In the Settings section, under Delegated administrator you should now see the account that was registered.


Figure 3: Delegated administrator registration summary

Note: Up to 5 member accounts can be registered as delegated administrators.

Step 2. Delegate backup policy in Amazon Web Services Organizations console

1. In the Amazon Web Services Organizations console, signed in with the management account, navigate to Settings and scroll down to the new section called Delegated administrator for Amazon Web Services Organizations. Select Delegate, as shown in Figure 4.


Figure 4: Delegated administrator for Amazon Web Services Organizations

2. In the JSON editor, define a policy for delegating Amazon Web Services Backup administration, using the same member account ID that was delegated jobs monitoring in Amazon Web Services Backup in the previous step.

As a reference, use the following sample JSON policy, which grants the permissions needed to fully administer backup policies. Remember to replace AWS-member-account-ID with the account ID you are delegating access to, and AWS-management-account-ID with the account ID of your Amazon Web Services Organizations management account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOrganizationsRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "AWS-member-account-ID"
      },
      "Action": [
        "organizations:Describe*",
        "organizations:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowBackupPoliciesCreation",
      "Effect": "Allow",
      "Principal": {
        "AWS": "AWS-member-account-ID"
      },
      "Action": [
        "organizations:CreatePolicy"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "organizations:PolicyType": "BACKUP_POLICY"
        }
      }
    },
    {
      "Sid": "AllowBackupPoliciesModification",
      "Effect": "Allow",
      "Principal": {
        "AWS": "AWS-member-account-ID"
      },
      "Action": [
        "organizations:DescribePolicy",
        "organizations:UpdatePolicy",
        "organizations:DeletePolicy"
      ],
      "Resource": [
        "arn:aws:organizations::AWS-management-account-ID:policy/*/backup_policy/*"
      ],
      "Condition": {
        "StringEquals": {
          "organizations:PolicyType": "BACKUP_POLICY"
        }
      }
    },
    {
      "Sid": "AllowBackupPoliciesAttachmentAndDetachmentToAllAccountsAndOUs",
      "Effect": "Allow",
      "Principal": {
        "AWS": "AWS-member-account-ID"
      },
      "Action": [
        "organizations:AttachPolicy",
        "organizations:DetachPolicy"
      ],
      "Resource": [
        "arn:aws:organizations::AWS-management-account-ID:root/*",
        "arn:aws:organizations::AWS-management-account-ID:ou/*",
        "arn:aws:organizations::AWS-management-account-ID:account/*",
        "arn:aws:organizations::AWS-management-account-ID:policy/*/backup_policy/*"
      ],
      "Condition": {
        "StringEquals": {
          "organizations:PolicyType": "BACKUP_POLICY"
        }
      }
    }
  ]
}

If you need to delegate permissions to more than one member account, use an array in the Principal section to list multiple account IDs. Here is an example of how that section looks with multiple account IDs.

"Principal": {
  "AWS": [
    "123456789012",
    "555555555555"
  ]
}
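As an added check (my example, not code from the post or from Amazon Web Services), here is a small offline validator that compares a delegation policy, such as the one you paste into the Organizations console, against the shape of the sample above: principals limited to the intended member account IDs (single value or array), write actions restricted to the named Organizations policy APIs, the BACKUP_POLICY condition present on every write statement, and resources scoped to the management account. The account IDs and the "drifted" statement are constructed sample data.

```python
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
READ_ONLY = {"organizations:Describe*", "organizations:List*"}
BACKUP_COND = {"StringEquals": {"organizations:PolicyType": "BACKUP_POLICY"}}

def as_list(v):
    return v if isinstance(v, list) else [v]

def check_delegation_policy(policy, member_ids, mgmt_id):
    """Return findings for statements that grant more than the BACKUP_POLICY
    delegation in the sample above; an empty list means the policy matches."""
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            findings.append(f"{sid}: unexpected Effect {stmt.get('Effect')!r}")
        for p in as_list(stmt.get("Principal", {}).get("AWS", [])):
            if not ACCOUNT_ID_RE.match(str(p)) or p not in member_ids:
                findings.append(f"{sid}: principal {p!r} is not a delegated member account")
        actions = set(as_list(stmt.get("Action", [])))
        if actions <= READ_ONLY:
            continue  # Describe*/List* on "*" is the intended read-only statement
        for a in sorted(actions):
            if not a.startswith("organizations:") or "*" in a:
                findings.append(f"{sid}: action {a!r} is broader than the sample policy")
        if stmt.get("Condition") != BACKUP_COND:
            findings.append(f"{sid}: missing organizations:PolicyType = BACKUP_POLICY condition")
        for res in as_list(stmt.get("Resource", [])):
            if res == "*":
                if actions != {"organizations:CreatePolicy"}:
                    findings.append(f"{sid}: Resource '*' is only expected for CreatePolicy")
            elif not res.startswith(f"arn:aws:organizations::{mgmt_id}:"):
                findings.append(f"{sid}: resource {res!r} is not scoped to the management account")
    return findings

# Constructed sample inputs: the IDs are placeholders, not real accounts.
MEMBERS = ["123456789012", "555555555555"]
MGMT = "111111111111"
GOOD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowBackupPoliciesModification", "Effect": "Allow",
     "Principal": {"AWS": MEMBERS},
     "Action": ["organizations:DescribePolicy", "organizations:UpdatePolicy",
                "organizations:DeletePolicy"],
     "Resource": [f"arn:aws:organizations::{MGMT}:policy/*/backup_policy/*"],
     "Condition": BACKUP_COND}]}
# Drifted: a principal outside the delegated list, organizations:* and no condition.
DRIFTED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "TooBroad", "Effect": "Allow", "Principal": {"AWS": "222222222222"},
     "Action": "organizations:*", "Resource": "*"}]}
```

Run it against the policy you are about to save; any finding means the policy has drifted from the least-privilege shape the post describes.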

Validation

Once the above steps have been completed, you can validate that the required permissions have been delegated. Sign in to the account that was registered as delegated administrator, open the Amazon Web Services Backup console, and go to Settings. Under the Delegated administrator section, you should see the member account registered.

Within the Amazon Web Services Backup console, select Cross-account monitoring from the side menu on the left of the screen, and confirm that you can monitor the status of backup, restore, and copy activity across multiple accounts within your Amazon Web Services Organization. Lastly, verify that you can create, delete, and modify backup policies by going to Backup policies on the left of the screen.

Cleaning up

The delegated administrator capability does not incur any additional charges, but if you want to revert the configuration implemented through this blog post, you can de-register the delegated member account in the Amazon Web Services Backup console and remove the policy in the Amazon Web Services Organizations delegated administrator section.

Conclusion

In this post, we showed how to configure delegated administration for Amazon Web Services Backup, delegating administration of Amazon Web Services Backup and cross-account management capabilities to non-management Amazon Web Services accounts without requiring access to the Amazon Web Services Organizations management account. This follows the Amazon Web Services recommended best practice of restricting access to the management account since you no longer need to use your management account to perform daily data protection tasks.

To learn more about Amazon Web Services Backup cross-account management and delegated administration, see the Amazon Web Services Backup documentation. Please let us know your feedback in the comments section, and if you find this new functionality helpful, we would love to hear from you!