My AWS Backup policy for my AWS Organizations is attached to my member accounts, but I don't see any backup jobs created.
Short description
To resolve this issue, verify the following configurations:
- The role path and vault names are correctly entered in the backup policy.
Note: AWS Backup doesn't validate whether the role path and vault are correctly entered in the backup policy.
- The role and vault names exist in each member account that your backup policy is attached to.
Note: AWS Backup doesn't validate whether the role and vault are created in your member accounts.
- Service opt-in is turned on in the AWS management account.
- The backup policy is attached at the appropriate level.
Resolution
Verify that the role and vault names are correctly entered in the backup policy
Complete the following steps:
- Sign in to the organization's management account.
- Open the AWS Backup console.
- In the navigation pane, under My organization, choose Backup policies.
- Select the name of the policy.
- Expand the backup policy content. Review the target_backup_vault_name and iam_role_arn that are used in the policy.
- If you use a custom vault, default vault, custom role, or default role, then choose Edit to modify the policy.
Create vaults and specify roles
Custom vault creation
For a custom backup vault, you must create the backup vault in your member accounts.
Default vault creation
For a default backup vault, you must sign in to the AWS Backup console in each member account and AWS Region at least once. When you first sign in to the AWS Backup console, a default vault is created in the Region.
Custom role specification
If you use a custom role that you created, then you must specify it as CustomRoleName in the visual editor. The custom role appears in the backup policy JSON in the following example format:
arn:aws:iam::$account:role/CustomRoleName
Important: Don't modify the $account portion of the ARN.
To create a custom AWS Identity and Access Management (IAM) role that AWS Backup can assume, see Create an IAM role.
Default role specification
If you use the service-created default role, then you must specify it as service-role/AWSBackupDefaultServiceRole in the visual editor. The default role appears in the backup policy JSON in the following example format:
arn:aws:iam::$account:role/service-role/AWSBackupDefaultServiceRole
Important: Don't modify the $account portion of the ARN.
To create a default role, see Creating the default service role in the console.
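An offline pre-flight check for the role and vault settings above, as an added example that is not AWS code or part of the original article: it lints a backup policy document against a per-account inventory of role paths and vault names. The sample policy, account IDs, inventory, and function names are constructed assumptions; in practice you would build the inventory from each member account's own role and vault listings.

```python
import json
import re

# Constructed sample policy: the default role is missing its service-role/ path.
SAMPLE_POLICY = json.loads("""
{"plans": {"DailyPlan": {
  "regions": {"@@assign": ["us-east-1"]},
  "rules": {"Daily": {
    "schedule_expression": {"@@assign": "cron(0 5 ? * * *)"},
    "target_backup_vault_name": {"@@assign": "OrgVault"}}},
  "selections": {"tags": {"ByTag": {
    "iam_role_arn": {"@@assign": "arn:aws:iam::$account:role/AWSBackupDefaultServiceRole"},
    "tag_key": {"@@assign": "backup"}, "tag_value": {"@@assign": ["daily"]}}}}}}}
""")

# Constructed inventory: role paths and vault names present in each member account.
SAMPLE_INVENTORY = {
    "111111111111": {"roles": {"service-role/AWSBackupDefaultServiceRole"}, "vaults": {"OrgVault", "Default"}},
    "222222222222": {"roles": {"service-role/AWSBackupDefaultServiceRole"}, "vaults": {"Default"}},
}

ROLE_ARN = re.compile(r"^arn:aws:iam::(?P<acct>[^:]+):role/(?P<role>.+)$")

def find_assigned(node, key):
    """Yield every value assigned to `key` anywhere in the policy tree."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key and isinstance(v, dict) and "@@assign" in v:
                yield v["@@assign"]
            else:
                yield from find_assigned(v, key)

def lint_policy(policy, inventory):
    """Return sorted findings for role and vault references that member accounts lack."""
    findings = []
    for arn in find_assigned(policy, "iam_role_arn"):
        m = ROLE_ARN.match(arn)
        if not m:
            findings.append(f"malformed iam_role_arn: {arn}")
            continue
        if m["acct"] != "$account":  # the placeholder must stay literal
            findings.append(f"$account placeholder modified: {arn}")
        findings += [f"{a}: role {m['role']} not found" for a, inv in inventory.items() if m["role"] not in inv["roles"]]
    for vault in find_assigned(policy, "target_backup_vault_name"):
        findings += [f"{a}: vault {vault} not found" for a, inv in inventory.items() if vault not in inv["vaults"]]
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(lint_policy(SAMPLE_POLICY, SAMPLE_INVENTORY)))
```

Because AWS Backup doesn't validate these fields, each finding corresponds to an account where the policy attaches cleanly but no backup job is created.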
Verify that service opt-in is turned on in the management account
To make sure that the services in your backup plan are activated, you must opt in to use AWS Backup to protect supported resource types. Because AWS Organizations backup policies inherit resource opt-in settings from the management account, turn on service opt-in in the management account.
For backup plans that Organizations manages, the resource opt-in settings in the management account override the settings in a member account. When you use a delegated administrator account, the resource opt-in setting of the management account is inherited and the delegated administrator account opt-in setting isn't. For more information, see Resource opt-in rules.
Verify that the backup policy is attached at the appropriate level
Verify that the backup policy is attached at the appropriate hierarchical level: the account, organizational unit (OU), or organization root that you want to create backups for.
Turn on cross-account monitoring
To view jobs that are created in your member account from the management account, turn on cross-account monitoring in your management account.
Related information
Backup policy syntax and examples
Policy updates for AWS Backup