AWS Blogs, 16 hours ago
AWS Backup adds new Multi-party approval for logically air-gapped vaults

AWS Backup now offers Multi-party approval integrated with logically air-gapped vaults, keeping backup data secure and recoverable even when the AWS account itself is inaccessible. The capability builds an approval team of trusted members that provides an independent authentication path, so data can still be recovered even if the account has been maliciously accessed. Users create an approval team, associate it with a logically air-gapped vault and, when the account is compromised, obtain access to the backups through the approval workflow, which speeds up recovery and gives more control over recovery time.

🛡️ Create the approval team: the user first creates an approval team in the AWS Organizations management account. The team consists of trusted members who are responsible for approving vault-sharing requests; members receive their invitations through the approval portal.

🤝 Associate the vault: once the approval team exists, it is shared via AWS Resource Access Manager (AWS RAM) with the accounts that own logically air-gapped vaults, so that only requests from authorized accounts can be put to the team for approval.

🔑 Handling account compromise: when an AWS account is compromised, the user requests access to the backups from another account (the recovery account). The request must include the ARN of the logically air-gapped vault, plus an optional vault name and comment.

✅ Multi-party approval workflow: the request is sent to the approval team, whose members review it through the approval portal. When the minimum number of required approvals is reached, the vault is automatically shared with the requesting account. All requests and approval actions are logged in AWS CloudTrail.

🚀 Starting recovery: once access is granted, the user can immediately begin restoring or copying data in the new recovery account, without waiting for the compromised account to be remediated.

Today, we’re announcing the general availability of a new capability that integrates AWS Backup logically air-gapped vaults (https://docs.aws.amazon.com/aws-backup/latest/devguide/logicallyairgappedvault.html) with Multi-party approval (https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html) to provide access to your backups even when your AWS account is inaccessible due to inadvertent or malicious events. AWS Backup is a fully managed service that centralizes and automates data protection across AWS services and hybrid workloads. It provides core data protection features, ransomware recovery capabilities, and compliance insights and analytics for data protection policies and operations.

As a backup administrator, you use AWS Backup logically air-gapped vaults to securely share backups across accounts and organizations, logically isolate your backup storage, and support direct restore to help reduce recovery time following an inadvertent or malicious event. However, if a bad or unintended actor gains root access to your backup account or to the management account of your organization, your backups suddenly become inaccessible to you, even though they are still safely stored in the logically air-gapped vault. While traditional account recovery meant working through support channels, AWS Backup with Multi-party approval gives you immediate access to recovery tools, with faster resolution times and greater control over your recovery timeline.

Multi-party approval for AWS Backup logically air-gapped vaults adds an additional layer of protection so that you can recover your application data even when your AWS account becomes completely inaccessible. Using Multi-party approval, you create approval teams consisting of highly trusted individuals in your organization and associate them with your logically air-gapped vault. If you are locked out of your AWS accounts due to inadvertent or malicious actions, you can ask your own approval team to authorize sharing of your vault with any account, even one outside your AWS Organizations organization (https://aws.amazon.com/organizations/). Once approved, you have authorized access to your backups and can begin your recovery process.

How it works
Multi-party approval for AWS Backup logically air-gapped vaults combines the isolation of logically air-gapped vaults with the governance of Multi-party approval to create a recovery mechanism that works even when your AWS account is compromised. Here’s how it works:

1. Approval team creation
First, you create an approval team in your AWS Organizations management account. If the management account is new, first create an AWS IAM Identity Center instance (https://docs.aws.amazon.com/singlesignon/latest/userguide/identity-center-instances.html) before creating the approval team. The approval team consists of trusted individuals (IAM Identity Center users) who will be authorized to approve vault sharing requests. Each approver receives an invitation to join the approval team through a new Approval portal.

2. Vault association
When your approval team is active, you share it with the accounts that own logically air-gapped vaults using AWS Resource Access Manager (AWS RAM, https://aws.amazon.com/ram/), which safeguards against requests for approval coming from arbitrary accounts. Backup administrators can then associate this approval team with new or existing logically air-gapped vaults.

3. Protection against compromise
If your AWS account becomes compromised or inaccessible, you request access to your backups from a different account (a clean recovery account). The request includes the Amazon Resource Name (ARN) of the logically air-gapped vault (https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-backup-logicallyairgappedbackupvault.html), in the format arn:aws:backup:<region>:<account>:backup-vault:<name>, plus an optional vault name and comment.

4. Multi-party approval
The request is sent to the approval team, who review it through the approval portal. When the minimum required number of approvers authorize the request, the vault is automatically shared with the requesting account. All requests and approvals are logged in AWS CloudTrail (https://aws.amazon.com/cloudtrail/).

5. Recovery process
With access granted, you can immediately start restoring or copying your data in the recovery account, without waiting for your compromised account to be remediated.

This approach provides an entirely separate authentication path for accessing and recovering your backups, independent of your AWS account credentials. Even if the bad actor has root access to your account, they cannot block the approval-team-based recovery process. Note that this path is only as strong as the approvers’ own identities and the threshold you set, so protect the approvers’ IAM Identity Center users as carefully as the vault itself.
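The following Python is an added example, not code from the AWS post or from the AWS Backup service. It models the five steps above and the recovery drill the post recommends later on: it validates the vault ARN format the post gives, insists that the request originates from a different (clean) account rather than the vault owner, refuses approvals from people who are not active team members, counts a repeated approval by the same person once, and performs the team health check (enough active approvers to meet the threshold). The regex character classes for partition and vault name are simplifications, and the boto3 method, parameter and response field names in `main()` (`create_restore_access_backup_vault`, `SourceBackupVaultArn`, `RequesterComment`, `BackupVaultName`, `RestoreAccessBackupVaultArn`) are my assumptions about the AWS Backup API; verify them against the API reference before relying on them. All sample data is constructed.

```python
"""Recovery-drill helper for Multi-party approval on AWS Backup logically air-gapped vaults.

Added example; not code from the AWS post or the AWS Backup service.
Everything above main() is pure Python over constructed data and runs offline.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Format quoted in the post: arn:aws:backup:<region>:<account>:backup-vault:<name>
# Partition list and vault-name character class are simplifications (assumed).
VAULT_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):backup:"
    r"(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d):"
    r"(?P<account>\d{12}):backup-vault:(?P<name>[A-Za-z0-9._-]{2,50})$"
)


@dataclass(frozen=True)
class VaultArn:
    partition: str
    region: str
    account: str
    name: str


def parse_vault_arn(arn: str) -> VaultArn:
    """Parse a backup vault ARN; raise ValueError for anything that is not one."""
    match = VAULT_ARN_RE.match(arn)
    if match is None:
        raise ValueError(f"not a backup vault ARN: {arn!r}")
    return VaultArn(**match.groupdict())


def build_restore_access_request(source_vault_arn: str, requester_account: str,
                                 comment: str, vault_name: str | None = None) -> dict:
    """Parameters for a vault-sharing request made from a clean recovery account.

    The post: the request carries the vault ARN plus an optional vault name and
    comment, and comes from a *different* account. Key names follow the
    CreateRestoreAccessBackupVault API as I understand it (assumed).
    """
    src = parse_vault_arn(source_vault_arn)
    if requester_account == src.account:
        raise ValueError("request comes from the vault's own (possibly compromised) account")
    if not comment.strip():
        raise ValueError("give the approvers a comment explaining why access is needed")
    params = {"SourceBackupVaultArn": source_vault_arn, "RequesterComment": comment}
    if vault_name:
        params["BackupVaultName"] = vault_name
    return params


@dataclass
class ApprovalTeam:
    """Minimal model of an approval team: members with an active flag, plus the threshold."""
    name: str
    threshold: int
    members: dict[str, bool] = field(default_factory=dict)

    def active_members(self) -> set[str]:
        return {m for m, active in self.members.items() if active}

    def can_reach_threshold(self) -> bool:
        """Health check the post recommends: enough active approvers to meet the threshold."""
        return self.threshold >= 1 and len(self.active_members()) >= self.threshold


class ApprovalRequest:
    """Collects approvals for one request and reports when the quorum is met."""

    def __init__(self, team: ApprovalTeam, params: dict):
        self.team, self.params = team, params
        self._approvers: set[str] = set()

    @property
    def approved(self) -> bool:
        return len(self._approvers) >= self.team.threshold

    def approve(self, approver: str) -> bool:
        """Record one approval; non-members and inactive members are rejected, repeats count once."""
        if approver not in self.team.active_members():
            raise PermissionError(f"{approver} is not an active member of team {self.team.name}")
        self._approvers.add(approver)
        return self.approved


def run_drill() -> bool:
    """Walk the post's recovery drill on constructed data; True once the request is approved."""
    team = ApprovalTeam("backup-recovery", threshold=2,
                        members={"alice": True, "bob": True, "carol": False})
    if not team.can_reach_threshold():
        raise RuntimeError("team cannot reach its threshold; fix that before an emergency")
    params = build_restore_access_request(
        "arn:aws:backup:us-east-1:111122223333:backup-vault:prod-lagv",   # constructed
        requester_account="444455556666", comment="quarterly recovery drill")
    req = ApprovalRequest(team, params)
    req.approve("alice")
    req.approve("alice")          # same person again: still one distinct approval
    return req.approve("bob")     # second distinct approver meets threshold=2


def main() -> None:
    # Live path, run from the clean recovery account. Method, parameter and response
    # field names are assumptions about the AWS Backup API; check the API reference.
    import boto3
    me = boto3.client("sts").get_caller_identity()["Account"]
    params = build_restore_access_request(
        "arn:aws:backup:us-east-1:111122223333:backup-vault:prod-lagv",
        requester_account=me, comment="recovery drill", vault_name="drill-restore")
    resp = boto3.client("backup").create_restore_access_backup_vault(**params)
    print("submitted, awaiting approval team:", resp.get("RestoreAccessBackupVaultArn"))


if __name__ == "__main__":
    print("drill approved:", run_drill())
```

Run `run_drill()` offline first; the checks it performs (different account, active approvers only, distinct approvals, threshold reachable) are exactly the things that go wrong in a real emergency, and `main()` then submits the same request for the approval team to act on in the Approval portal.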
Assigning an approval team to a vault in the console
1. Create a new logically air-gapped vault
To create a new logically air-gapped vault, provide a name, tags (optional), and vault lock properties.

2. Assign an approval team
When the vault has been created, choose Assign approval team to assign it to an existing approval team.

Choose an existing approval team from the drop-down menu, then select Submit to finalize the assignment.

Your approval team is now assigned to your logically air-gapped vault.

Good to know
It’s essential to test your recovery process before an actual emergency:

1. From a different AWS account, use the AWS Backup console or API to request sharing of your logically air-gapped vault by providing the vault ID and ARN.
2. Ask the approval team to approve your request.
3. Once approved, verify that you can access and restore backups from the vault in your testing account.

As a best practice, monitor the health of your approval team regularly using AWS Backup Audit Manager (https://docs.aws.amazon.com/aws-backup/latest/devguide/aws-backup-audit-manager.html) to ensure it has enough active participants to meet your approval threshold; a team that has lost members below the threshold cannot approve anything when you need it most.

Multi-party approval for enhanced cloud governance
Today, we’re also announcing the general availability of a new capability that AWS account administrators can use to add Multi-party approval (https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html) to their product offerings. As highlighted in this post, AWS Backup is the first service to integrate this capability.
With Multi-party approval, administrators can let application owners guard sensitive service operations with a distributed review process.

Good to know
Multi-party approval provides several significant security advantages:

- Distributed decision-making, eliminating single points of failure
- Full auditability through AWS CloudTrail integration
- Protection against compromised credentials
- Formal governance for compliance-sensitive operations
- Consistent approval experience across integrated services

Now available
Multi-party approval is available today in all AWS Regions (https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies-supported-regions.html) where AWS Organizations (https://aws.amazon.com/organizations/) is available. Multi-party approval for AWS Backup logically air-gapped vaults is available in all AWS Regions where AWS Backup (https://aws.amazon.com/backup/) is available.

– Veliswa (https://linkedin.com/veliswa-boya)

Related tags

AWS Backup, Multi-party approval, Data security, Backup and recovery