How do I resolve "insufficient privileges" and "access denied" errors when I use AWS Backup to perform an Amazon EFS restore?

2 minute read

I get an error when I use AWS Backup to perform an Amazon Elastic File System (Amazon EFS) restore. The error is "Insufficient privileges to perform this action" or "access denied."

Resolution

Confirm that your IAM identity has the required permissions

Check the policy of the AWS Identity and Access Management (IAM) role that creates the restore job to confirm that it has the backup:StartRestoreJob action.

If you turned on encryption, then make sure that your IAM policy or AWS Key Management Service (AWS KMS) key policy has the following actions:

"kms:DescribeKey"
"kms:GenerateDataKeyWithoutPlaintext"
"kms:CreateGrant"

Confirm that you included the required Amazon EFS actions

The IAM policy that's attached to the IAM role that's in the restore request must include the following Amazon EFS actions:

"elasticfilesystem:Restore"
"elasticfilesystem:CreateFilesystem"
"elasticfilesystem:DescribeFilesystems"
"elasticfilesystem:DeleteFilesystem"

Remove Deny statements

Remove Deny statements for the backup:StartRestoreJob action in the vault access policy. For example, the following access policy for the default Amazon EFS aws/efs/automatic-backup-vault vault denies the backup:StartRestoreJob action:

{  
    "Version": "2012-10-17",  
    "Statement": [{  
        "Effect": "Deny",  
        "Principal": {  
            "AWS": "*"  
        },  
        "Action": [  
            "backup:DeleteBackupVault",  
            "backup:DeleteBackupVaultAccessPolicy",  
            "backup:DeleteRecoveryPoint",  
            "backup:StartCopyJob",  
            "backup:StartRestoreJob",  
            "backup:UpdateRecoveryPointLifecycle"  
        ],  
        "Resource": "*"  
    }]  
}

Also, remove Deny statements from your IAM policies and AWS Organizations service control policies (SCPs) that deny required actions for the following services:

AWS Backup
Amazon EFS
AWS KMS

Topics: Storage
Tags: AWS Backup
Language: English

AWS OFFICIALUpdated a month ago

1 Comment

This problem can be resolved by editing the vault policy. By default, it contains an explicit deny, so you need to remove backup:StartRestoreJob and then save the policy. After that, you can proceed with restoring your backup.

James Nharayakoma

replied 2 months ago

Relevant content

Unable to restore EFS
Qadeer
asked a year ago
Can I programatically retrieve the location an EFS backup was restored to?
frederik-field
asked 3 years ago
Creating EC2 backup and getting "Access denied: Insufficient privileges..." error
Joseph
asked 2 years ago
Restoring EFS using boto3 client does not work if EFS has already been restored once
Accepted Answer
rePost-User-3928851
asked 3 years ago
AWS Backup EFS restore jobs stuck in PENDING status for 4+ hours
Roi
asked 22 days ago
How can I check the progress of an AWS Backup restore job for Amazon EFS?
AWS OFFICIALUpdated 2 years ago
How do I restore an Amazon EFS file system from an AWS Backup recovery point using the AWS CLI?
AWS OFFICIALUpdated a year ago
How can I turn off automatic backups in Amazon EFS and remove the stored backup data?
AWS OFFICIALUpdated a year ago
How do I resolve errors that might occur when I use native backup and restore for my Amazon RDS for SQL Server DB instance?
AWS OFFICIALUpdated 3 months ago
Customizing the Network Settings When Using AWS Backup to Restore VMware-Based Instances to Amazon EC2
EXPERT
Darren Roback
published 5 months ago