AWSBackupServiceRolePolicyForS3Backup details (in AWS console)
Policy Name
AWSBackupServiceRolePolicyForS3Backup
Description
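Policy containing permissions necessary for AWS Backup to back up data in any S3 bucket. This includes read access to all S3 objects and decrypt access for all KMS keys. Note: the statements below are not read-only. They also allow s3:PutBucketNotification and s3:PutInventoryConfiguration on every bucket, and kms:Decrypt is granted on Resource "*" with no condition, so the effective reach depends on each KMS key's own key policy and on which role this policy is attached to.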
ARN
arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForS3Backup
Path
/
PolicyId
ANPAZKAPJZG4CGZAHUZ2D
AttachmentCount
0
[
{
"Effect": "Allow",
"Action": [
"cloudwatch:GetMetricData"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"events:DeleteRule",
"events:PutTargets",
"events:DescribeRule",
"events:EnableRule",
"events:PutRule",
"events:RemoveTargets",
"events:ListTargetsByRule",
"events:DisableRule"
],
"Resource": [
"arn:aws:events:*:*:rule/AwsBackupManagedRule*"
]
},
{
"Effect": "Allow",
"Action": [
"events:ListRules"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:DescribeKey"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetBucketTagging",
"s3:GetInventoryConfiguration",
"s3:ListBucketVersions",
"s3:ListBucket",
"s3:GetBucketVersioning",
"s3:GetBucketLocation",
"s3:GetBucketAcl",
"s3:PutInventoryConfiguration",
"s3:GetBucketNotification",
"s3:PutBucketNotification"
],
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObjectAcl",
"s3:GetObject",
"s3:GetObjectVersionTagging",
"s3:GetObjectVersionAcl",
"s3:GetObjectTagging",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws:s3:::*/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": [
"*"
]
}
]