
How do I create a logically air-gapped vault in AWS Backup with a Multi-party approval team?


To improve the security of my backups, I want to use Multi-party approval for AWS Organizations to create a logically air-gapped vault in AWS Backup.

Resolution

Set up Multi-party approval and create your approval team

Complete the following steps:

  1. Activate an AWS IAM Identity Center instance.
  2. Open the AWS Organizations console.
  3. In the navigation pane, choose Multi-party approval, and then choose Set up multi-party approval.
  4. Choose your IAM Identity Center instance, and then choose Complete setup.
  5. In the Approval teams section of the Multi-party approval page, choose Create team.
  6. For Name, enter your approval team name, and for Description, enter a description for your team.
  7. Choose Add approvers. In the Assign users dialog box, choose the users that you want to assign, and then choose Done.
    Note: Your approval team must have at least three approvers and can have a maximum of 20 approvers.
  8. For Minimum required approvals, enter a minimum of two approvers.
  9. Choose Create team.

Organizations sends email invitations to the users in your approval team. If all your users accept the invitations, then the approval team becomes active. If at least one approver declines an invitation, then the approval team becomes inactive. Invitations expire after 24 hours.

Important: Remind the users on your approval team to accept their invitations. To accept an invitation, a user must sign in to the AWS Management Console as an AWS Identity and Access Management (IAM) user.

Share your Multi-party approval team with your logically air-gapped vault account

Complete the following steps:

  1. Open the AWS Organizations console.
  2. In the navigation pane, choose Multi-party approval.
  3. In the Approval teams section, choose Manage sharing. This opens the AWS Resource Access Manager (AWS RAM) console.
  4. In the Resource shares section, choose Create resource share.
  5. On the Specify resource share details page, in the Resource share name section, for Name, enter a name for your resource share.
  6. In the Resources section, choose Multi-Party Approval Team.
  7. Select the Amazon Resource Name (ARN) for the new team that appears, and then choose Next.
  8. On the Associate managed permissions page, choose the default AWSMultiPartyApprovalDefaultPermission, and then choose Next.
    Note: To create your own permissions, such as list, read, or write, choose Create customer managed permissions.
  9. In the Principals section, for Select principal type, choose the AWS account or organization that's hosting your logically air-gapped vault. Then, enter the account ID or your organization's ID.
  10. Choose Next, and then choose Create resource share.
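As an added example that is not part of this article, the following boto3 script audits a team and its share against the limits above (three to 20 approvers, at least two required approvals, team ACTIVE with no declined or pending invitations, team shared with the vault account or organization). The `mpa` client name and the GetApprovalTeam field names (`Status`, `Approvers[].PrimaryIdentityStatus`, `ApprovalStrategy.MofN.MinApprovalsRequired`) are assumptions; the AWS RAM calls are standard.

```python
"""Added audit script (not from the article): checks an approval team and its
AWS RAM share against the rules above. The GetApprovalTeam field names
(Status, Approvers[].PrimaryIdentityStatus, ApprovalStrategy.MofN) are assumptions."""
MIN_APPROVERS, MAX_APPROVERS, MIN_REQUIRED = 3, 20, 2  # limits stated in the article


def audit_team(team: dict) -> list:
    """Return findings for one team description; an empty list means it is compliant."""
    findings = []
    approvers = team.get("Approvers", [])
    n = len(approvers)
    if not MIN_APPROVERS <= n <= MAX_APPROVERS:
        findings.append(f"{n} approvers; a team needs {MIN_APPROVERS} to {MAX_APPROVERS}")
    required = team.get("ApprovalStrategy", {}).get("MofN", {}).get("MinApprovalsRequired", 0)
    if required < MIN_REQUIRED:
        findings.append(f"MinApprovalsRequired={required}; at least {MIN_REQUIRED} is required")
    if required > n:
        findings.append(f"MinApprovalsRequired={required} exceeds the approver count {n}")
    for a in approvers:  # one decline makes the team inactive; invitations expire after 24 hours
        status = a.get("PrimaryIdentityStatus")
        if status in ("REJECTED", "PENDING"):
            findings.append(f"approver {a.get('PrimaryIdentityId')} invitation {status}")
    if team.get("Status") != "ACTIVE":
        findings.append(f"team status is {team.get('Status')}, not ACTIVE")
    return findings


def audit_share(principal_associations: list, vault_principal: str) -> list:
    """Confirm the team is shared (status ASSOCIATED) with the vault account or org ID."""
    shared = any(a.get("associatedEntity") == vault_principal and a.get("status") == "ASSOCIATED"
                 for a in principal_associations)
    return [] if shared else [f"team is not shared with principal {vault_principal}"]


def audit_live(team_arn: str, vault_principal: str, region: str = "us-east-1") -> list:
    """Fetch live data with boto3 (requires credentials; the mpa client name is assumed)."""
    import boto3
    team = boto3.client("mpa", region_name=region).get_approval_team(Arn=team_arn)
    ram = boto3.client("ram", region_name=region)
    share_arns = [a["resourceShareArn"] for a in ram.get_resource_share_associations(
        associationType="RESOURCE", resourceArn=team_arn)["resourceShareAssociations"]]
    principals = ram.get_resource_share_associations(
        associationType="PRINCIPAL", resourceShareArns=share_arns
    )["resourceShareAssociations"] if share_arns else []
    return audit_team(team) + audit_share(principals, vault_principal)


if __name__ == "__main__":  # constructed sample, not real account data
    sample = {"Status": "ACTIVE", "ApprovalStrategy": {"MofN": {"MinApprovalsRequired": 2}},
              "Approvers": [{"PrimaryIdentityId": f"user-{i}", "PrimaryIdentityStatus": "ACCEPTED"}
                            for i in range(3)]}
    print(audit_team(sample) or "team OK")
```

Run `audit_live` with the team ARN from step 7 and the account or organization ID from step 9 to check a real deployment; the two pure functions can be exercised on constructed data without credentials.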

Related information

AWS Backup adds new Multi-party approval for logically air-gapped vaults

Improve recovery resilience with AWS Backup support for Multi-party approval

Logically air-gapped vault

What is Multi-party approval?