AWS Managed Policies. A maze of twisty passages all alike. Explore them here. If it looks like a button, it's clickable. Always up to date.
AWSBackupServiceRolePolicyForBackup details (in AWS console)
Policy Name
AWSBackupServiceRolePolicyForBackup
Description
Provides AWS Backup permission to create backups on your behalf across AWS services
ARN
arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
Path
/service-role/
PolicyId
ANPAIOOYZSLZZXWFJJ5N2
AttachmentCount
dynamodb rds storagegateway ec2 backup elasticfilesystem kms tag ssm fsx backup-gateway cloudformation redshift timestream ssm-sap
[
  {
    "Effect": "Allow",
    "Action": [
      "dynamodb:DescribeTable",
      "dynamodb:CreateBackup"
    ],
    "Resource": [
      "arn:aws:dynamodb:*:*:table/*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "dynamodb:DescribeBackup",
      "dynamodb:DeleteBackup"
    ],
    "Resource": [
      "arn:aws:dynamodb:*:*:table/*/backup/*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "rds:AddTagsToResource",
      "rds:ListTagsForResource",
      "rds:DescribeDBSnapshots",
      "rds:CreateDBSnapshot",
      "rds:CopyDBSnapshot",
      "rds:DescribeDBInstances",
      "rds:CreateDBClusterSnapshot",
      "rds:DescribeDBClusters",
      "rds:DescribeDBClusterSnapshots",
      "rds:CopyDBClusterSnapshot",
      "rds:DescribeDBClusterAutomatedBackups"
    ],
    "Resource": [
      "*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "rds:ModifyDBInstance"
    ],
    "Resource": [
      "arn:aws:rds:*:*:db:*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "rds:ModifyDBCluster"
    ],
    "Resource": [
      "arn:aws:rds:*:*:cluster:*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "rds:DeleteDBClusterAutomatedBackup"
    ],
    "Resource": [
      "arn:aws:rds:*:*:cluster-auto-backup:*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "rds:DeleteDBSnapshot",
      "rds:ModifyDBSnapshotAttribute"
    ],
    "Resource": [
      "arn:aws:rds:*:*:snapshot:awsbackup:*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "rds:DeleteDBClusterSnapshot",
      "rds:ModifyDBClusterSnapshotAttribute"
    ],
    "Resource": [
      "arn:aws:rds:*:*:cluster-snapshot:awsbackup:*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "storagegateway:CreateSnapshot",
      "storagegateway:ListTagsForResource"
    ],
    "Resource": [
      "arn:aws:storagegateway:*:*:gateway/*/volume/*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "ec2:CopySnapshot"
    ],
    "Resource": [
      "arn:aws:ec2:*::snapshot/*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "ec2:CopyImage"
    ],
    "Resource": [
      "*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "ec2:CreateTags",
      "ec2:DeleteSnapshot"
    ],
    "Resource": [
      "arn:aws:ec2:*::snapshot/*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "ec2:CreateImage",
      "ec2:DeregisterImage",
      "ec2:DescribeSnapshots",
      "ec2:DescribeTags",
      "ec2:DescribeImages",
      "ec2:DescribeInstances",
      "ec2:DescribeInstanceAttribute",
      "ec2:DescribeInstanceCreditSpecifications",
      "ec2:DescribeNetworkInterfaces",
      "ec2:DescribeElasticGpus",
      "ec2:DescribeSpotInstanceRequests",
      "ec2:DescribeSnapshotTierStatus"
    ],
    "Resource": [
      "*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "ec2:CreateTags"
    ],
    "Resource": [
      "arn:aws:ec2:*:*:image/*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "ec2:ModifySnapshotAttribute",
      "ec2:ModifyImageAttribute"
    ],
    "Resource": [
      "*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "ec2:ModifySnapshotTier"
    ],
    "Resource": [
      "arn:aws:ec2:*::snapshot/*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "backup:DescribeBackupVault",
      "backup:CopyIntoBackupVault"
    ],
    "Resource": [
      "arn:aws:backup:*:*:backup-vault:*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "backup:CopyFromBackupVault"
    ],
    "Resource": [
      "*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "elasticfilesystem:Backup",
      "elasticfilesystem:DescribeTags"
    ],
    "Resource": [
      "arn:aws:elasticfilesystem:*:*:file-system/*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "ec2:CreateSnapshot",
      "ec2:DeleteSnapshot",
      "ec2:DescribeVolumes",
      "ec2:DescribeSnapshots"
    ],
    "Resource": [
      "arn:aws:ec2:*::snapshot/*",
      "arn:aws:ec2:*:*:volume/*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt",
      "kms:GenerateDataKey"
    ],
    "Resource": [
      "*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:DescribeKey"
    ],
    "Resource": [
      "*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:CreateGrant"
    ],
    "Resource": [
      "*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:GenerateDataKeyWithoutPlaintext"
    ],
    "Resource": [
      "arn:aws:kms:*:*:key/*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "tag:GetResources"
    ],
    "Resource": [
      "*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "ssm:CancelCommand",
      "ssm:GetCommandInvocation"
    ],
    "Resource": [
      "*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "ssm:SendCommand"
    ],
    "Resource": [
      "arn:aws:ssm:*:*:document/AWSEC2-CreateVssSnapshot",
      "arn:aws:ec2:*:*:instance/*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "fsx:DescribeBackups"
    ],
    "Resource": [
      "arn:aws:fsx:*:*:backup/*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "fsx:CreateBackup"
    ],
    "Resource": [
      "arn:aws:fsx:*:*:file-system/*",
      "arn:aws:fsx:*:*:backup/*",
      "arn:aws:fsx:*:*:volume/*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "fsx:DescribeFileSystems"
    ],
    "Resource": [
      "arn:aws:fsx:*:*:file-system/*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "fsx:DescribeVolumes"
    ],
    "Resource": [
      "arn:aws:fsx:*:*:volume/*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "fsx:ListTagsForResource"
    ],
    "Resource": [
      "arn:aws:fsx:*:*:file-system/*",
      "arn:aws:fsx:*:*:volume/*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "fsx:DeleteBackup"
    ],
    "Resource": [
      "arn:aws:fsx:*:*:backup/*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "fsx:ListTagsForResource",
      "fsx:ManageBackupPrincipalAssociations",
      "fsx:CopyBackup",
      "fsx:TagResource"
    ],
    "Resource": [
      "arn:aws:fsx:*:*:backup/*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "dynamodb:StartAwsBackupJob",
      "dynamodb:ListTagsOfResource"
    ],
    "Resource": [
      "arn:aws:dynamodb:*:*:table/*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "backup-gateway:Backup",
      "backup-gateway:ListTagsForResource"
    ],
    "Resource": [
      "arn:aws:backup-gateway:*:*:vm/*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "cloudformation:ListStacks",
      "cloudformation:GetTemplate",
      "cloudformation:DescribeStacks",
      "cloudformation:ListStackResources"
    ],
    "Resource": [
      "arn:aws:cloudformation:*:*:stack/*/*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "redshift:CreateClusterSnapshot",
      "redshift:DescribeClusterSnapshots",
      "redshift:DescribeTags"
    ],
    "Resource": [
      "arn:aws:redshift:*:*:snapshot:*/*",
      "arn:aws:redshift:*:*:cluster:*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "redshift:DeleteClusterSnapshot"
    ],
    "Resource": [
      "arn:aws:redshift:*:*:snapshot:*/*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "redshift:DescribeClusters"
    ],
    "Resource": [
      "arn:aws:redshift:*:*:cluster:*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "redshift:CreateTags"
    ],
    "Resource": [
      "arn:aws:redshift:*:*:snapshot:*/*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "timestream:StartAwsBackupJob",
      "timestream:GetAwsBackupStatus",
      "timestream:ListTables",
      "timestream:ListDatabases",
      "timestream:ListTagsForResource",
      "timestream:DescribeTable",
      "timestream:DescribeDatabase"
    ],
    "Resource": [
      "arn:aws:timestream:*:*:database/*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "timestream:DescribeEndpoints"
    ],
    "Resource": [
      "*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "ssm-sap:GetOperation",
      "ssm-sap:ListDatabases"
    ],
    "Resource": [
      "*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "ssm-sap:BackupDatabase",
      "ssm-sap:UpdateHanaBackupSettings",
      "ssm-sap:GetDatabase",
      "ssm-sap:ListTagsForResource"
    ],
    "Resource": [
      "arn:aws:ssm-sap:*:*:*"
    ]
  }
]