How can I troubleshoot a backup policy that's not creating any jobs in my member accounts in an organization?

My AWS Backup policy for my AWS Organizations is attached to my member accounts, but I don't see any backup jobs created.

Short Description

To resolve this issue, verify the following:

  • The role path and vault names are correctly entered in the backup policy.
    Note: AWS Backup doesn't validate whether the role path and vault are correctly entered in the backup policy.
  • The role and vault names exist in each member account that your backup policy is attached to.
    Note: AWS Backup doesn't validate whether the role and vault are created in your member accounts.
  • Service opt-in is turned on in the AWS management account because AWS Organizations Backup policies inherit resource opt-in settings from the management account.
  • The backup policy is attached at the proper hierarchical level to an account, organizational unit (OU), or organization root.

Resolution

Creation of role and vault in a member account

To verify that the role and vault names are correctly entered in the backup policy, complete the following steps:

  1. Sign in to the organization’s management account.
  2. Open the AWS Backup console.
  3. In the navigation pane, under My organization, choose Backup policies.
  4. Choose the name of the affected policy.
  5. Expand the Backup Policy content. Note the target_backup_vault_name and iam_role_arn that's used in the policy.
  6. If you're using a custom vault, default vault, custom role, or default role, then choose Edit to modify the policy.

Custom vault

If you're using a custom backup vault, then you must create the vault in your member accounts. For instructions on creating a backup vault, see Creating a backup vault.

Default vault

If you're using a default backup vault, then you must visit the AWS Backup console in each member account and AWS Region at least once. When you first sign in to the AWS Backup console, a default vault is created in the Region.

Custom role

If you're using a custom role that you created, then you must specify it as CustomRoleName in the visual editor. The custom role appears in the backup policy JSON with the following example format:

arn:aws:iam::$account:role/CustomRoleName

Important: Don't modify the $account portion of these ARNs.

To create a custom IAM role that AWS Backup can assume, see Create an IAM role.

Default role

If you're using the service-created default role, then you must specify it as service-role/AWSBackupDefaultServiceRole in the visual editor. The default role appears in the backup policy JSON with the following example format:

arn:aws:iam::$account:role/service-role/AWSBackupDefaultServiceRole

Important: Don't modify the $account portion of these ARNs.

To create a default role, see Creating the default service role.
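
Because AWS Backup doesn't validate the role path or vault name in a backup policy, the following Python lints the policy JSON for the mistakes described above and lists what must exist in a given member account. It is an added example, not AWS code. Assumptions: the sample policy, vault name, account IDs, and function names are constructed for illustration.

```python
import json
import re

# Constructed sample in the Organizations backup policy syntax (not from the page).
SAMPLE_POLICY = json.loads("""
{"plans": {"DailyPlan": {
  "rules": {"Daily": {
    "schedule_expression": {"@@assign": "cron(0 5 ? * * *)"},
    "target_backup_vault_name": {"@@assign": "OrgBackupVault"}}},
  "selections": {"tags": {
    "Good": {"iam_role_arn": {"@@assign": "arn:aws:iam::$account:role/service-role/AWSBackupDefaultServiceRole"},
             "tag_key": {"@@assign": "backup"}, "tag_value": {"@@assign": ["daily"]}},
    "Bad": {"iam_role_arn": {"@@assign": "arn:aws:iam::111122223333:role/CustomRoleName"},
            "tag_key": {"@@assign": "backup"}, "tag_value": {"@@assign": ["weekly"]}}}}}}}
""")

# Role ARN template as shown on the page: literal $account, optional path, role name.
ROLE_ARN = re.compile(r"^arn:aws:iam::\$account:role/((?:[\w+=,.@-]+/)*)([\w+=,.@-]+)$")

def _value(node):
    """Unwrap the {"@@assign": ...} operator used by Organizations policies."""
    return node.get("@@assign") if isinstance(node, dict) else node

def policy_dependencies(policy):
    """Return (vault names, role ARN templates) that the policy refers to."""
    vaults, roles = set(), set()
    for plan in policy.get("plans", {}).values():
        for rule in plan.get("rules", {}).values():
            vaults.add(_value(rule.get("target_backup_vault_name")))
        for selection_kind in plan.get("selections", {}).values():
            for selection in selection_kind.values():
                roles.add(_value(selection.get("iam_role_arn")))
    return sorted(vaults - {None}), sorted(roles - {None})

def lint_role_arn(arn):
    """Return a description of the problem, or None if the ARN template looks right."""
    match = ROLE_ARN.match(arn)
    if not match:
        return "expected arn:aws:iam::$account:role/[path/]RoleName"
    path, name = match.groups()
    if name == "AWSBackupDefaultServiceRole" and path != "service-role/":
        return "default role must be given as service-role/AWSBackupDefaultServiceRole"
    return None

def member_account_checklist(policy, account_id):
    """List what must exist in one member account, plus ARN templates that fail lint."""
    vaults, roles = policy_dependencies(policy)
    problems = [f"{arn}: {msg}" for arn in roles if (msg := lint_role_arn(arn))]
    good = [arn.replace("$account", account_id) for arn in roles if not lint_role_arn(arn)]
    return {"vaults": vaults, "roles": good, "problems": problems}
```
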

Additional troubleshooting

Service opt-in

To make sure that the services in your backup plan are activated, you must opt in to use AWS Backup to protect all supported resource types.

You must turn on service opt-in in the management account. For backup plans that Organizations manages, the resource opt-in settings in the management account override the settings in a member account. When you use a delegated administrator account, the resource opt-in setting of the management account is inherited and the delegated administrator account's opt-in setting isn't. For more information, see Resource opt-in rules.

Backup policy attached to an OU or single account

Verify that the backup policy is attached to the OU or the account that you're intending to create backups for.

Cross-account monitoring

To view jobs that are created in your member account from the management account, turn on cross-account monitoring in your management account. You can also turn on cross-account monitoring in your delegated administrator accounts to view jobs created in member accounts.

Related Information

Backup policy syntax and examples

Policy updates for AWS Backup

AWS OFFICIAL
Updated a year ago