Ensure that an Amazon Backup vault access policy is configured to prevent the deletion (accidentally or intentionally) of AWS backups in the backup vault. A backup vault is a container used to organize AWS backups.
The ability to delete recovery points (i.e., backups) stored within your AWS Backup vaults is determined by the permissions that you grant to your users. You can enforce deletion protection and restrict the deletion of recovery points by configuring the resource-based access policies associated with your vaults.
To determine the configuration of the access policies associated with your Amazon Backup vaults, perform the following actions:
The resource-based access policy associated with an AWS Backup vault allows you to specify who has access to the backups within that vault and what actions they can perform on these backups. To define and implement an access policy that denies all users the ability to delete existing or future backups inside a backup vault, perform the following actions:
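As an added example (not part of the original page), the following Python shows what a deletion-protection vault access policy looks like and a small checker that evaluates a vault policy document for the blanket Deny the text describes. The policy JSON is in the shape accepted by `aws backup put-backup-vault-access-policy --policy file://policy.json`; the four `backup:` actions are real AWS Backup IAM actions. The weak policy, the vault name and the account id are constructed sample values, and the checker's rules (principal `*`, resource `*`, no `Condition`) are this example's own simplification of IAM evaluation.

```python
"""Deletion-protection check for AWS Backup vault access policies (added example)."""
import json

# Actions a deletion-protection Deny should cover so that nobody can delete
# recovery points, shorten their lifecycle, or loosen the vault policy itself.
DELETE_ACTIONS = {
    "backup:DeleteRecoveryPoint",
    "backup:UpdateRecoveryPointLifecycle",
    "backup:PutBackupVaultAccessPolicy",
    "backup:DeleteBackupVaultAccessPolicy",
}

# Hardened vault policy: deny the deletion-related actions to every principal.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyRecoveryPointDeletion",
            "Effect": "Deny",
            "Principal": {"AWS": "*"},
            "Action": sorted(DELETE_ACTIONS),
            "Resource": "*",
        }
    ],
}

# Constructed weak policy: only an Allow for the account root, no Deny at all.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"},  # sample account id
            "Action": "backup:*",
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    """IAM lets most fields be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"}, the forms that bind all callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _action_covers(pattern, wanted):
    """Match an Action entry against a concrete action, honouring IAM's trailing '*'."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return wanted.startswith(pattern[:-1])
    return pattern == wanted


def denies_recovery_point_deletion(policy):
    """Return True if unconditional Deny statements for all principals on every
    resource together cover every action in DELETE_ACTIONS."""
    covered = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if "Condition" in stmt:
            continue  # a conditional Deny is not blanket deletion protection
        if not _principal_is_everyone(stmt.get("Principal", {})):
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue  # simplification: only a wildcard resource is accepted here
        actions = _as_list(stmt.get("Action", []))
        covered |= {w for w in DELETE_ACTIONS if any(_action_covers(a, w) for a in actions)}
    return covered == DELETE_ACTIONS


def policy_document(policy):
    """Serialise a policy for use with the put-backup-vault-access-policy CLI call."""
    return json.dumps(policy, indent=4)


if __name__ == "__main__":
    vault_name = "example-vault"  # constructed sample vault name
    for name, pol in (("hardened", HARDENED_POLICY), ("weak", WEAK_POLICY)):
        status = "protected" if denies_recovery_point_deletion(pol) else "NOT protected"
        print(f"{vault_name} ({name} policy): {status}")
    print(policy_document(HARDENED_POLICY))
```

Run it as-is to see both verdicts and the hardened policy JSON; to check a live vault, feed the output of `aws backup get-backup-vault-access-policy` (its `Policy` field, parsed with `json.loads`) into `denies_recovery_point_deletion`.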