[Organization] Centralized Backup Management from Payer Account


Question

Currently, the Organization is activated under the Payer account to provide services to multiple linked accounts.

I want to centrally manage backups of multiple linked accounts from the Payer account.

I want to grant a specific IAM user in the Payer account only the permissions for ‘cross-account monitoring’ and access and configuration of ‘My Organization’. What IAM Policy should I create? (Minimum privilege required)

Answer

The following IAM Policy guides are available for using only the ‘My Organization’ feature of the AWS Backup service.

  • IAM Policy for using cross-account monitoring: allows listing and viewing details of backup, restore, and copy jobs in the AWS Backup Console. 

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "backup:ListBackupJobs",
                    "backup:ListCopyJobs",
                    "backup:ListRestoreJobs",
                    "backup:DescribeBackupJob",
                    "backup:DescribeCopyJob",
                    "backup:DescribeRestoreJob",
                    "backup:DescribeBackupVault",
                    "backup:GetBackupPlan"
                ],
                "Resource": "*"
            }
        ]
    }
  • IAM Policy for backup policy management (two options): 

  1. AWS Managed Policy 

    • AWSBackupOrganizationAdminAccess

      • Organization administrators have full permissions for AWS Organizations operations including creating/editing/deleting backup policies, assigning backup policies to accounts and organizational units, and monitoring backup jobs within the organization. Organization administrators must define and assign backup policies to protect the organization's accounts according to business and compliance requirements. [1] 

  2. Customer Managed Policy 

    • The following policy also grants users full permissions to manage all aspects of backup policies. [2] 

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "ManageBackupPolicies",
                  "Effect": "Allow",
                  "Action": [
                      "organizations:AttachPolicy",
                      "organizations:CreatePolicy",
                      "organizations:DeletePolicy",
                      "organizations:DescribeAccount",
                      "organizations:DescribeCreateAccountStatus",
                      "organizations:DescribeEffectivePolicy",
                      "organizations:DescribeOrganization",
                      "organizations:DescribeOrganizationalUnit",
                      "organizations:DescribePolicy",
                      "organizations:DetachPolicy",
                      "organizations:DisableAWSServiceAccess",
                      "organizations:DisablePolicyType",
                      "organizations:EnableAWSServiceAccess",
                      "organizations:EnablePolicyType",
                      "organizations:ListAccounts",
                      "organizations:ListAccountsForParent",
                      "organizations:ListAWSServiceAccessForOrganization",
                      "organizations:ListCreateAccountStatus",
                      "organizations:ListOrganizationalUnitsForParent",
                      "organizations:ListParents",
                      "organizations:ListPolicies",
                      "organizations:ListPoliciesForTarget",
                      "organizations:ListRoots",
                      "organizations:ListTargetsForPolicy",
                      "organizations:UpdatePolicy"
                  ],
                  "Resource": "*"
              }
          ]
      }


Currently, the second policy sufficiently allows users to fully manage backup policies without issues, but as new services and API actions are introduced in the future, you will need to manually add 'Action' entries. Note that the first policy, an AWS managed policy, is maintained and updated by AWS.
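As an added illustration of the least-privilege point made in this answer (this is example code, not part of the original answer or of any AWS tooling), the script below loads the two policy documents quoted above as JSON and audits them: it classifies each allowed action as read-only (List*/Describe*/Get*), wildcard, or mutating by a name-prefix heuristic, reports whether a policy is read-only, lists its mutating actions, and flags actions outside the expected service, wildcard actions, and mutating actions granted on `Resource: "*"`. The prefix heuristic and the finding messages are assumptions of this example; a flagged item is something to review, not necessarily an error (for instance, the management policy's `Resource: "*"` is what the answer shows).

```python
"""Least-privilege audit of IAM policy documents (added example, not AWS code)."""
import json

# Constructed sample input: the two policy documents quoted in the answer above,
# embedded inline so the script runs offline.
MONITORING_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
    "Action": ["backup:ListBackupJobs", "backup:ListCopyJobs", "backup:ListRestoreJobs",
               "backup:DescribeBackupJob", "backup:DescribeCopyJob",
               "backup:DescribeRestoreJob", "backup:DescribeBackupVault",
               "backup:GetBackupPlan"]}]
}""")

MANAGEMENT_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "ManageBackupPolicies", "Effect": "Allow", "Resource": "*",
    "Action": ["organizations:AttachPolicy", "organizations:CreatePolicy",
               "organizations:DeletePolicy", "organizations:DescribeAccount",
               "organizations:DescribeCreateAccountStatus",
               "organizations:DescribeEffectivePolicy", "organizations:DescribeOrganization",
               "organizations:DescribeOrganizationalUnit", "organizations:DescribePolicy",
               "organizations:DetachPolicy", "organizations:DisableAWSServiceAccess",
               "organizations:DisablePolicyType", "organizations:EnableAWSServiceAccess",
               "organizations:EnablePolicyType", "organizations:ListAccounts",
               "organizations:ListAccountsForParent",
               "organizations:ListAWSServiceAccessForOrganization",
               "organizations:ListCreateAccountStatus",
               "organizations:ListOrganizationalUnitsForParent", "organizations:ListParents",
               "organizations:ListPolicies", "organizations:ListPoliciesForTarget",
               "organizations:ListRoots", "organizations:ListTargetsForPolicy",
               "organizations:UpdatePolicy"]}]
}""")

# Heuristic (an assumption of this example): these action-name prefixes are read-only.
READ_ONLY_PREFIXES = ("List", "Describe", "Get")


def statements(policy):
    """IAM allows Statement to be one object or a list; normalise to a list."""
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def as_list(value):
    """Action and Resource may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """All actions granted by Allow statements (Deny statements are ignored)."""
    return [a for s in statements(policy) if s.get("Effect") == "Allow"
            for a in as_list(s.get("Action", []))]


def classify(action):
    """Return 'wildcard', 'read' or 'write' for one action string."""
    _, _, name = action.partition(":")
    if "*" in action:
        return "wildcard"
    if name.startswith(READ_ONLY_PREFIXES):
        return "read"
    return "write"


def is_read_only(policy):
    """True when every allowed action is classified as read-only."""
    acts = allowed_actions(policy)
    return bool(acts) and all(classify(a) == "read" for a in acts)


def mutating_actions(policy):
    """Sorted list of allowed actions that are not read-only (wildcards included)."""
    return sorted(a for a in allowed_actions(policy) if classify(a) != "read")


def audit(policy, expected_services):
    """Return human-readable findings worth reviewing; an empty list means none."""
    findings = []
    for s in statements(policy):
        if s.get("Effect") != "Allow":
            continue
        sid = s.get("Sid", "<no Sid>")
        acts = as_list(s.get("Action", []))
        for a in acts:
            if a.partition(":")[0] not in expected_services:
                findings.append(f"{sid}: action outside expected services: {a}")
            if classify(a) == "wildcard":
                findings.append(f"{sid}: wildcard action: {a}")
        if "*" in as_list(s.get("Resource", [])) and any(classify(a) != "read" for a in acts):
            findings.append(f'{sid}: mutating actions granted on Resource "*"')
    return findings


if __name__ == "__main__":
    for name, pol, svcs in (("monitoring", MONITORING_POLICY, {"backup"}),
                            ("management", MANAGEMENT_POLICY, {"organizations"})):
        print(name, "read-only:", is_read_only(pol), "findings:", audit(pol, svcs))
```

Run against the two documents, the monitoring policy comes back read-only with no findings, while the management policy lists its nine mutating `organizations:*Policy*`/`*ServiceAccess`/`*PolicyType` actions and is flagged once for granting them on `Resource: "*"`. Swapping in a new policy file is a matter of `json.load`-ing it in place of the constructed samples.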
