{"id":"backup-encrypted-restore-needs-kms-permissions","text":"Restoring encrypted AWS Backup recovery points requires either KMS key policy allowlisting or explicit KMS permissions (`KMSDescribePermissions`, `KMSPermissions`, `KMSCreateGrantPermissions`) on the restore role.","truth_value":"IN","source":"entries/2026/03/12/aws-backup-latest-devguide-security-iam-awsmanpolhtml.md","source_url":"","source_hash":"1d526fa19beb8a5b","justifications":[],"dependents":[],"metadata":{},"explanation":{"steps":[{"node":"backup-encrypted-restore-needs-kms-permissions","truth_value":"IN","reason":"premise"}]}}