
Permissions and configuration issues with S3 backup using AWS Backup


Hi,

I’m trying to set up a monthly backup of my S3 bucket using AWS Backup, but I’m encountering several issues related to permissions and IAM role configuration.

Here’s the situation:

When I attempt to use the default role for AWS Backup, I receive the following error: "IAM Role does not have sufficient permissions to execute the backup."

I then opted to use a custom IAM role, but when I try to initiate an on-demand backup, I get this error: "Unable to perform s3 on 'bucket'. The backup job failed due to missing permissions on role arn:aws:iam::394296656435 /s3-backup-role."

The current permissions attached to my custom IAM role are:

AWSBackupServiceRolePolicyForBackup
AWSBackupServiceRolePolicyForRestores
AWSBackupServiceRolePolicyForS3Backup
AWSBackupServiceRolePolicyForS3Restore

Upon further investigation, I was advised to enable Amazon EventBridge on my S3 bucket. However, when I try to enable it, I receive the following error: "Unable to validate the following destination configurations."

I’m running out of ideas on how to resolve these issues and successfully set up a simple monthly backup of my S3 bucket. Do you have any suggestions or additional steps I need to follow to make this work?

Thank you in advance for your assistance!

2 answers

Is your bucket and/or objects within it set to use SSE-KMS encryption? If so, the KMS key policy must permit the kms:Decrypt and kms:DescribeKey actions either to the IAM role that is used to create backups or the entire AWS account (the ":root" principal of the account) that contains the IAM role. If the KMS key policy allows access to the account's ":root" principal or if the KMS key is in a different AWS account from the IAM role, the same permissions must additionally be permitted in one of the policies attached to the IAM role.

The policy statement can look like this, as it's expressed in the identity-based policy attached to the default backup role:

{
  "Sid": "KmsPermissionsForBackup",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::000000000000:role/s3-backup-role"
  },
  "Action": ["kms:Decrypt", "kms:DescribeKey"],
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "kms:ViaService": "s3.*.amazonaws.com"
    }
  }
}

and for restoring backups:

{
  "Sid": "KmsPermissionsForRestore",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::000000000000:role/s3-backup-role"
  },
  "Action": ["kms:DescribeKey","kms:GenerateDataKey","kms:Decrypt"],
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "kms:ViaService": "s3.*.amazonaws.com"
    }
  }
}

If SSE-KMS encryption isn't used, then I suggest you first check that versioning is in the "enabled" state (not disabled or suspended) for the bucket and check if any "Deny" statements exist in the bucket policy that apply to the IAM role making the backups.

Expert
Answered 2 months ago

You mentioned in an earlier comment that SSE-KMS had been set for the bucket. When you change the bucket-level default encryption setting, it doesn't affect how the objects already in the bucket have been encrypted. All the objects previously placed there are probably encrypted with SSE-KMS, which you can verify by opening an individual object's properties in the console and checking what it says about the object's encryption characteristics, and in the absence of the necessary permissions in the KMS key policy, AWS Backup won't be able to decrypt the objects to back them up.

Expert
Answered 2 months ago
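The two answers above list the conditions AWS Backup needs before it can read an SSE-KMS bucket: a KMS key policy that grants kms:Decrypt and kms:DescribeKey to the backup role directly, or to the account root with the same actions in the role's own policy; bucket versioning in the "Enabled" state; no bucket-policy Deny that catches the role; and awareness that objects keep the encryption they were written with even after the bucket default changes. The script below is an added example, not code from the thread or from AWS, that checks those conditions offline against documents you have already pulled down (for example with `aws kms get-key-policy`, `aws s3api get-bucket-policy`, `aws s3api get-bucket-versioning` and `aws s3api head-object`). The account ID, key ARN, role name, policies and HeadObject responses are all constructed placeholders; it does not evaluate IAM conditions, so conditional statements are counted as Allows and surfaced for manual review.

```python
"""Offline pre-flight check for backing up an S3 bucket with AWS Backup.

Added example, not code from the original thread or from AWS. All inputs are
constructed sample data; account ID, key ARN and role name are placeholders.
"""
import fnmatch
import json

ROLE_ARN = "arn:aws:iam::000000000000:role/s3-backup-role"  # placeholder
ACCOUNT_ROOT = "arn:aws:iam::000000000000:root"             # placeholder
BACKUP_ACTIONS = frozenset({"kms:Decrypt", "kms:DescribeKey"})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten a statement's Principal into a set of ARNs ('*' means anyone)."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return {"*"}
    return {arn for vals in principal.values() for arn in _as_list(vals)}


def _matches(patterns, action):
    # IAM action names are case-insensitive and may contain '*' / '?' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def allowed_actions(policy, actions=BACKUP_ACTIONS, principals=None):
    """Subset of `actions` that Allow statements in `policy` grant.

    For a resource-based (KMS key) policy pass the principal ARNs you are asking
    about; a statement counts if it names one of them or '*'. For an
    identity-based policy pass principals=None, since its statements carry no
    Principal. Conditions are NOT evaluated: a conditional Allow still counts,
    so review kms:ViaService and similar conditions by hand.
    """
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if principals is not None and not (_principals(stmt) & (set(principals) | {"*"})):
            continue
        granted |= {a for a in actions if _matches(stmt.get("Action", []), a)}
    return granted


def deny_statements_to_review(bucket_policy, role_arn, account_root):
    """Sids of bucket-policy Deny statements whose Principal could cover the role."""
    return [stmt.get("Sid", "<no Sid>") for stmt in bucket_policy.get("Statement", [])
            if stmt.get("Effect") == "Deny"
            and _principals(stmt) & {"*", role_arn, account_root}]


def kms_keys_in_use(head_responses):
    """Count objects per SSE-KMS key from HeadObject responses ('none' = not SSE-KMS).

    This is what shows that objects written before a default-encryption change
    still carry their original key, and which key policies therefore matter.
    """
    counts = {}
    for meta in head_responses:
        key = meta.get("SSEKMSKeyId") if meta.get("ServerSideEncryption") == "aws:kms" else "none"
        counts[key] = counts.get(key, 0) + 1
    return counts


def preflight(key_policy, identity_policy, bucket_policy, versioning_status,
              head_responses, role_arn=ROLE_ARN, account_root=ACCOUNT_ROOT):
    """One report; kms_ok follows the answer's rule: the key policy grants the role
    directly, or it grants the account root and the role's own policy grants the
    same actions."""
    via_role = allowed_actions(key_policy, principals={role_arn})
    via_root = allowed_actions(key_policy, principals={account_root})
    via_identity = allowed_actions(identity_policy)
    kms_ok = via_role == set(BACKUP_ACTIONS) or (
        via_root == set(BACKUP_ACTIONS) and via_identity == set(BACKUP_ACTIONS))
    return {
        "kms_ok": kms_ok,
        "key_policy_to_role": sorted(via_role),
        "key_policy_to_root": sorted(via_root),
        "identity_policy": sorted(via_identity),
        "versioning_ok": versioning_status == "Enabled",
        "deny_sids_to_review": deny_statements_to_review(bucket_policy, role_arn, account_root),
        "objects_per_kms_key": kms_keys_in_use(head_responses),
    }


# --- constructed sample inputs (placeholders, not real resources) ---
SAMPLE_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
     "Principal": {"AWS": ACCOUNT_ROOT}, "Action": "kms:*", "Resource": "*"}]}
SAMPLE_IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "KMSBackupPermissions", "Effect": "Allow",
     "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*",
     "Condition": {"StringLike": {"kms:ViaService": "s3.*.amazonaws.com"}}}]}
SAMPLE_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
SAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:000000000000:key/00000000-0000-0000-0000-000000000000"
SAMPLE_HEAD_RESPONSES = [  # trimmed shape of boto3 head_object() results
    {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": SAMPLE_KEY_ARN},
    {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": SAMPLE_KEY_ARN},
    {"ServerSideEncryption": "AES256"},
]

if __name__ == "__main__":
    print(json.dumps(preflight(SAMPLE_KEY_POLICY, SAMPLE_IDENTITY_POLICY, SAMPLE_BUCKET_POLICY,
                               "Enabled", SAMPLE_HEAD_RESPONSES), indent=2))
```

With the sample data the key policy grants nothing to the role directly but grants the root principal kms:*, and the role's identity policy supplies the two actions, so kms_ok is true; the Deny on aws:SecureTransport is reported for review rather than judged, because the script deliberately does not evaluate conditions. Replace the sample dictionaries with the JSON your own get-key-policy, get-bucket-policy and head-object calls return.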
