You can grant the ZCSPM data collector role access to your AWS Backup service to enable a security policy. ZCSPM requires the following access permissions to collect necessary configuration metadata:

• ListBackupVaults
• DescribeBackupVault
• ListTags

• See additional security policy covered with AWS Backup service access.

  Security Policy Category	Security Policy Title
  AWS - Data Protection	Ensure that Amazon Backup vaults are using AWS CMKs for encryption of backup data

  Close

To grant AWS Backup service access to the ZCSPM data collector role, you must create an AWS IAM policy which grants access to AWS Backup service permissions:

1. Log in to the AWS Console and navigate to the IAM service.
2. In the left pane menu, click Roles under Access management.
3. Select the demo-security-audit role.

See image.

4. In the Permissions tab, click Attach policies.
5. Click Create policy.
6. In the Service drop-down menu, click Choose a service, then select Backup.
7. In the Actions drop-down menu:
   • Select List, then select ListBackupVaults
   • Select Read, then select DescribeBackupVault and ListTags.
8. In the Resources drop-down menu, select All resources.
9. Click Next: Tags.

See image.

10. On the Review policy page, enter the policy name.
11. Click Create policy.

After you create the policy, you must associate the policy to the demo-security-audit role:

1. In the left pane menu, click Roles under Access management.
2. Select the demo-security-audit role.
3. In the Permissions tab, click Attach policies.
4. Select the created policy, then select Attach policy.