
Commit 8294c3a

Merge pull request #21 from oreillymedia/CL-731
Fix deletion of backup vault access policies that contain a restrictive policy
2 parents 04688f8 + 2d96dc7 commit 8294c3a

1 file changed

+25
-15
lines changed

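--- a/resources/backup-vaults-access-policies.go
+++ b/resources/backup-vaults-access-policies.go
@@ -58,7 +58,7 @@ func ListBackupVaultAccessPolicies(sess *session.Session) ([]Resource, error) {
 }
 
 func (b *BackupVaultAccessPolicy) Remove() error {
-// Set the policy to a policy that allows deletion before removal.
+// Set a policy that allows deletion before removal.
 //
 // This is required to delete the policy for the automagically created vaults
 // such as "aws/efs/automatic-backup-vault" from EFS automatic backups
@@ -87,21 +87,31 @@ func (b *BackupVaultAccessPolicy) Remove() error {
 // ]
 // }
 //
-// While deletion is Denied, you can update the policy with one that
-// doesn't deny and then delete at will.
+// Update the default policy to remove the Deny on Delete* actions
+// and then delete the policy.
+//
+// Why not putting a policy that allows `backup:DeleteBackupVaultAccessPolicy` in the first place?
+// Because that throws an error:
+// ' The specified policy cannot be added to the vault due to cross-account sharing restrictions.
+// Amend the policy or the vault's settings, then retry request'
+//
 allowDeletionPolicy := `{
-"Version": "2012-10-17",
-"Statement": [
-{
-"Effect": "Allow",
-"Principal": {
-"AWS": "*"
-},
-"Action": "backup:DeleteBackupVaultAccessPolicy",
-"Resource": "*"
-}
-]
-}`
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Deny",
+"Principal": {
+"AWS": "*"
+},
+"Action": [
+"backup:StartCopyJob",
+"backup:StartRestoreJob",
+"backup:UpdateRecoveryPointLifecycle"
+],
+"Resource": "*"
+}
+]
+}`
 // Ignore error from if we can't put permissive backup vault policy in for some reason, that's OK.
 _, _ = b.svc.PutBackupVaultAccessPolicy(&backup.PutBackupVaultAccessPolicyInput{
 BackupVaultName: &b.backupVaultName,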
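Review bot: The variable `allowDeletionPolicy` at new line 98 now holds a document whose only statement is a `Deny`, so the name no longer describes its content and the comment at new line 90 ("remove the Deny on Delete* actions") only makes sense if the reader already knows the default vault policy; renaming it to something like `deletablePolicy` and stating in the comment that the Deny on the three non-delete actions is kept so that the cross-account sharing restriction quoted below is not triggered would make the intent self-contained. The surrounding `PutBackupVaultAccessPolicy` call (new line 116, context in this hunk) still discards its error, and with the new policy a rejected Put leaves the original Deny in place, so the later delete will fail with a message that never mentions the real cause — worth at least logging that error rather than `_, _ =`. The body of `Remove` continues past the end of the hunk.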
