How do I troubleshoot a backup policy that doesn't create any jobs in my member accounts in an organization?


My AWS Backup policy for AWS Organizations is attached to my member accounts, but I don't see any backup jobs created.

Short description

To resolve this issue, verify the following configurations:

  • The role path and vault names are correctly entered in the backup policy.
    Note: AWS Backup doesn't validate whether the role path and vault are correctly entered in the backup policy.
  • The role and vault names exist in each member account that your backup policy is attached to.
    Note: AWS Backup doesn't validate whether the role and vault are created in your member accounts.
  • Service opt-in is turned on in the AWS management account.
  • The backup policy is attached at the appropriate level.

Resolution

Verify that the role and vault names are correctly entered in the backup policy

Complete the following steps:

  1. Sign in to the organization's management account.
  2. Open the AWS Backup console.
  3. In the navigation pane, under My organization, choose Backup policies.
  4. Select the name of the policy.
  5. Expand the backup policy content. Review the target_backup_vault_name and iam_role_arn values that are used in the policy.
  6. If either value doesn't match the custom vault, default vault, custom role, or default role that you use, then choose Edit to modify the policy.

Create vaults and specify roles

Custom vault creation

For a custom backup vault, you must create the backup vault in your member accounts.

Default vault creation

For a default backup vault, you must sign in to the AWS Backup console in each member account and AWS Region at least once. When you first sign in to the AWS Backup console, a default vault is created in the Region.

Custom role specification

If you use a custom role that you created, then you must specify it as CustomRoleName in the visual editor. The custom role appears in the backup policy JSON in the following example format:

arn:aws:iam::$account:role/CustomRoleName

Important: Don't modify the $account portion of the ARN.

To create a custom AWS Identity and Access Management (IAM) role that AWS Backup can assume, see Create an IAM role.

Default role specification

If you use the service-created default role, then you must specify it as service-role/AWSBackupDefaultServiceRole in the visual editor. The default role appears in the backup policy JSON in the following example format:

arn:aws:iam::$account:role/service-role/AWSBackupDefaultServiceRole

Important: Don't modify the $account portion of the ARN.

To create a default role, see Creating the default service role in the console.
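The two checks above (the ARN keeps its $account placeholder, and the vault and role exist in each member account) can be scripted. The following is an added example, not code from the article or from AWS: it parses a policy document constructed here in the backup policy JSON syntax, rejects role ARNs where $account was edited, and reports what is missing in a member account. The existence lookups are passed in as functions so it runs offline; in a real run you would wrap boto3's backup describe_backup_vault and iam get_role calls.

```python
import json
import re

# A role ARN in a backup policy must keep the literal $account placeholder;
# AWS Backup substitutes each member account ID when it applies the policy.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\$account:role/(?:[^/]+/)*(?P<name>[^/]+)$")

# Constructed policy document in the backup policy JSON syntax (not from the article).
POLICY_JSON = json.dumps({"plans": {"PII_Backup_Plan": {
    "rules": {"Daily": {
        "schedule_expression": {"@@assign": "cron(0 5 ? * * *)"},
        "target_backup_vault_name": {"@@assign": "FortKnox"}}},
    "selections": {"tags": {"datatype": {
        "iam_role_arn": {"@@assign":
            "arn:aws:iam::$account:role/service-role/AWSBackupDefaultServiceRole"},
        "tag_key": {"@@assign": "dataType"},
        "tag_value": {"@@assign": ["PII"]}}}}}}})


def extract_targets(policy_json):
    """Return (vault names, role ARNs) referenced by every plan in the policy."""
    policy = json.loads(policy_json)
    vaults, roles = set(), set()
    for plan in policy.get("plans", {}).values():
        for rule in plan.get("rules", {}).values():
            vaults.add(rule["target_backup_vault_name"]["@@assign"])
        for selection in plan.get("selections", {}).get("tags", {}).values():
            roles.add(selection["iam_role_arn"]["@@assign"])
    return vaults, roles


def role_name_from_arn(arn):
    """Reject ARNs whose $account was edited or whose shape is wrong; return the
    role name with the path stripped, which is what iam:GetRole takes as RoleName."""
    match = ROLE_ARN_RE.match(arn)
    if not match:
        raise ValueError(f"expected arn:aws:iam::$account:role/<path>/<name>, got {arn}")
    return match.group("name")


def missing_in_account(policy_json, vault_exists, role_exists):
    """Findings for one member account and Region. vault_exists(name) and
    role_exists(name) are injected lookups; in a real run wrap boto3's
    backup.describe_backup_vault and iam.get_role (catch the not-found errors)."""
    vaults, roles = extract_targets(policy_json)
    findings = [f"vault {v} not found" for v in sorted(vaults) if not vault_exists(v)]
    findings += [f"role {arn} not found" for arn in sorted(roles)
                 if not role_exists(role_name_from_arn(arn))]
    return findings
```

Run missing_in_account once per member account and Region that the policy targets; an empty list means the names in the policy resolve there.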

Verify that service opt-in is turned on in the management account

To make sure that the services in your backup plan are activated, you must opt in to use AWS Backup to protect supported resource types. Because AWS Organizations backup policies inherit resource opt-in settings from the management account, turn on service opt-in in the management account.

For backup plans that Organizations manages, the resource opt-in settings in the management account override the settings in a member account. When you use a delegated administrator account, the resource opt-in setting of the management account is inherited and the delegated administrator account opt-in setting isn't. For more information, see Resource opt-in rules.

Verify that the backup policy is attached at the appropriate level

Verify that the backup policy is attached at the appropriate hierarchical level: the account, organizational unit (OU), or organization root that you want to create backups for.

Turn on cross-account monitoring

To view jobs that are created in your member account from the management account, turn on cross-account monitoring in your management account.

Related information

Backup policy syntax and examples

Policy updates for AWS Backup

AWS OFFICIAL. Updated 6 months ago.