Permissions and configuration issues with S3 backup using AWS Backup

0

Hi,

I’m trying to set up a monthly backup of my S3 bucket using AWS Backup, but I’m encountering several issues related to permissions and IAM role configuration.

Here’s the situation:

When I attempt to use the default role for AWS Backup, I receive the following error: "IAM Role does not have sufficient permissions to execute the backup."

I then opted to use a custom IAM role, but when I try to initiate an on-demand backup, I get this error: "Unable to perform s3 on 'bucket'. The backup job failed due to missing permissions on role arn:aws:iam::394296656435 /s3-backup-role."

The current permissions attached to my custom IAM role are:

AWSBackupServiceRolePolicyForBackup AWSBackupServiceRolePolicyForRestores AWSBackupServiceRolePolicyForS3Backup AWSBackupServiceRolePolicyForS3Restore Upon further investigation, I was advised to enable Amazon EventBridge on my S3 bucket. However, when I try to enable it, I receive the following error: "Unable to validate the following destination configurations."

I’m running out of ideas on how to resolve these issues and successfully set up a simple monthly backup of my S3 bucket. Do you have any suggestions or additional steps I need to follow to make this work?

Thank you in advance for your assistance!

2 Risposte
0

Is your bucket and/or objects within it set to use SSE-KMS encryption? If so, the KMS key policy must permit the kms:Decrypt and kms:DescribeKey actions either to the IAM role that is used to create backups or the entire AWS account (the ":root" principal of the account) that contains the IAM role. If the KMS key policy allows access to the account's ":root" principal or if the KMS key is in a different AWS account from the IAM role, the same permissions must additionally be permitted in one of the policies attached to the IAM role.

The policy statement can look like this, as it's expressed in the identity-based policy attached to the default backup role:

{
  "Sid": "KmsPermissionsForBackup",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::000000000000:role/s3-backup-role"
  },
  "Action": ["kms:Decrypt", "kms:DescribeKey"],
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "kms:ViaService": "s3.*.amazonaws.com"
    }
  }
}

and for restoring backups:

{
  "Sid": "KmsPermissionsForRestore",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::000000000000:role/s3-backup-role"
  },
  "Action": ["kms:DescribeKey","kms:GenerateDataKey","kms:Decrypt"],
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "kms:ViaService": "s3.*.amazonaws.com"
    }
  }
}

If SSE-KMS encryption isn't used, then I suggest you first check that versioning is in the "enabled" state (not disabled or suspended) for the bucket and check if any "Deny" statements exist in the bucket policy that apply to the IAM role making the backups.

ESPERTO
con risposta 2 mesi fa
0

You mentioned in an earlier comment that SSE-KMS had been set for the bucket. When you change the bucket-level default encryption setting, it doesn't affect how the objects already in the bucket have been encrypted. All the objects previously placed there are probably encrypted with SSE-KMS, which you can verify by opening an individual object's properties in the console and checking what is says about the object's encryption characteristics, and in the absence of the necessary permissions in the KMS key policy, AWS Backup won't be able to decrypt the objects to back them up.

ESPERTO
con risposta 2 mesi fa

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande