My AWS Backup policy for my organization in AWS Organizations is attached to my member accounts, but it isn't creating backup jobs.
Short description
To resolve this issue, verify the following configurations:
- You correctly entered the role path and vault names in the backup policy.
Note: AWS Backup doesn't validate whether you correctly entered the role path and vault in the backup policy.
- The role and vault names exist in each member account that your backup policy is attached to.
Note: AWS Backup doesn't validate whether you created the role and vault in your member accounts.
- You turned on the service opt-in setting in the AWS management account.
- You attached the backup policy at the appropriate level.
- There are no conflicting backup rules that overlap.
Resolution
Verify that you correctly entered the role and vault names in the backup policy
Complete the following steps:
- Sign in to the organization's management account.
- Open the AWS Backup console.
- In the navigation pane, under My organization, choose Backup policies.
- Select the name of the policy.
- Expand the backup policy content, and then review the target_backup_vault_name and iam_role_arn that are used in the policy.
- If you use a custom vault, default vault, custom role, or default role, then choose Edit to modify the policy.
Create vaults and specify roles
Custom vault creation
For a custom backup vault, you must create the backup vault in your member accounts.
Default vault creation
For a default backup vault, you must sign in to the AWS Backup console in each member account and AWS Region at least once. When you first sign in to the AWS Backup console, AWS Backup creates a default vault in the Region.
Custom role specification
If you use a custom AWS Identity and Access Management (IAM) role, then you must specify the role in the visual editor. The custom role appears in the backup policy JSON in the following example format:
arn:aws:iam::$account:role/CustomRoleName
Note: Replace CustomRoleName with the name of your custom role, and don't modify the $account portion of the ARN.
Default role specification
If you use the default service role, then you must specify it as service-role/AWSBackupDefaultServiceRole in the visual editor. The default role appears in the backup policy JSON in the following example format:
arn:aws:iam::$account:role/service-role/AWSBackupDefaultServiceRole
Important: Don't modify the $account portion of the ARN.
To create a default role, see Creating the default service role in the console.
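Because AWS Backup doesn't validate the role path or the vault name, a local check before you attach the policy catches the mistakes described above. The following Python lint is an added example, not code from AWS or this article: it reads a policy document in the Organizations backup-policy syntax (with @@assign operators) and flags a modified $account, a default role without its service-role/ path, and a rule that targets the Default vault. The sample policy is constructed, and the vault-name pattern is assumed to be the one documented for the AWS Backup API.

```python
import re

# Constructed sample in Organizations backup-policy syntax (not from the article); it deliberately
# uses the Default vault, a hard-coded account ID, and a default role missing its service-role/ path.
SAMPLE_POLICY = {
    "plans": {
        "OrgDailyPlan": {
            "rules": {"Daily": {
                "schedule_expression": {"@@assign": "cron(0 5 ? * * *)"},
                "target_backup_vault_name": {"@@assign": "Default"},
            }},
            "selections": {"tags": {
                "hardcoded": {"iam_role_arn": {"@@assign":
                    "arn:aws:iam::111122223333:role/service-role/AWSBackupDefaultServiceRole"}},
                "nopath": {"iam_role_arn": {"@@assign":
                    "arn:aws:iam::$account:role/AWSBackupDefaultServiceRole"}},
            }},
        }
    }
}

DEFAULT_ROLE = "AWSBackupDefaultServiceRole"
# $account must stay literal; AWS Backup substitutes each member account ID itself.
ROLE_ARN = re.compile(r"^arn:aws:iam::\$account:role/(?P<path>(?:[\w+=,.@-]+/)*)(?P<name>[\w+=,.@-]+)$")
VAULT_NAME = re.compile(r"^[a-zA-Z0-9\-_]{2,50}$")  # assumed: documented BackupVaultName pattern


def _val(node):
    """Unwrap the policy-language '@@assign' operator; pass plain values through."""
    return node["@@assign"] if isinstance(node, dict) and "@@assign" in node else node


def lint_backup_policy(policy: dict) -> list[str]:
    """Return one finding per problem; an empty list means nothing was flagged."""
    findings = []
    for plan_name, plan in policy.get("plans", {}).items():
        for rule_name, rule in plan.get("rules", {}).items():
            vault = _val(rule.get("target_backup_vault_name"))
            if not vault or not VAULT_NAME.match(vault):
                findings.append(f"{plan_name}/{rule_name}: missing or invalid target_backup_vault_name {vault!r}")
            elif vault == "Default":
                findings.append(f"{plan_name}/{rule_name}: Default vault exists only after the console was opened once in each member account and Region")
        for sel_name, sel in plan.get("selections", {}).get("tags", {}).items():
            arn = _val(sel.get("iam_role_arn")) or ""
            m = ROLE_ARN.match(arn)
            if not m:
                findings.append(f"{plan_name}/{sel_name}: iam_role_arn {arn!r} must keep the literal $account: arn:aws:iam::$account:role/<path>Name")
            elif m["name"] == DEFAULT_ROLE and m["path"] != "service-role/":
                findings.append(f"{plan_name}/{sel_name}: default role must be given as service-role/{DEFAULT_ROLE}")
    return findings
```

Run the lint against the effective policy as well, because the names that reach member accounts are the ones that must exist there.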
Verify that you turned on the service opt-in setting in the management account
To make sure that the services in your backup plan are activated, you must opt in to use AWS Backup to protect supported resource types. Because AWS Organizations backup policies inherit the resource opt-in setting from the management account, turn on service opt-in in the management account.
For backup plans that Organizations manages, the resource opt-in setting in the management account overrides the setting in a member account. When you use a delegated administrator account, the backup policy inherits the resource opt-in setting of the management account, not the delegated administrator account. For more information, see Resource opt-in rules.
Verify that you attached the backup policy at the appropriate level
Verify that you attached the backup policy to the appropriate hierarchical level of an account, organizational unit (OU), or organization root that you want to back up.
Turn on cross-account monitoring
To view jobs that you create in your member account from the management account, turn on cross-account monitoring in your management account.
Verify that there aren't conflicting backup rules that overlap
When a backup plan includes multiple backup rules with overlapping start windows, AWS Backup retains the backup under the rule with the longer retention period. For more information, see Overlapping backup rules.
Related information
Backup policy syntax and examples
Policy updates for AWS Backup