My AWS Backup policy for my AWS Organizations is attached to my member accounts, but I don't see any backup jobs created.
Short Description
To resolve this issue, verify the following:
- The role path and vault names are correctly entered in the backup policy.
Note: AWS Backup doesn't validate whether the role path and vault are correctly entered in the backup policy.
- The role and vault names exist in each member account that your backup policy is attached to.
Note: AWS Backup doesn't validate whether the role and vault are created in your member accounts.
- Service opt-in is turned on in the AWS management account because AWS Organizations Backup policies inherit resource opt-in settings from the management account.
- The backup policy is attached at the proper hierarchical level to an account, organizational unit (OU), or organization root.
Resolution
Creation of role and vault in a member account
To verify that the role and vault names are correctly entered in the backup policy, complete the following steps:
- Sign in to the organization’s management account.
- Open the AWS Backup console.
- In the navigation pane, under My organization, choose Backup policies.
- Choose the name of the affected policy.
- Expand the Backup Policy content. Note the target_backup_vault_name and iam_role_arn that's used in the policy.
- If you're using a custom vault, default vault, custom role, or default role, then choose Edit to modify the policy.
Custom vault
If you're using a custom backup vault, then you must create the vault in your member accounts. For instructions on creating a backup vault, see Creating a backup vault.
Default vault
If you're using a default backup vault, then you must visit the AWS Backup console in each member account and AWS Region at least once. When you first sign in to the AWS Backup console, a default vault is created in the Region.
Custom role
If you're using a custom role that you created, then you must specify it as CustomRoleName in the visual editor. The custom role appears in the backup policy JSON with the following example format:
arn:aws:iam::$account:role/CustomRoleName
Important: Don't modify the $account portion of these ARNs.
To create a custom IAM role that AWS Backup can assume, see Create an IAM role.
Default role
If you're using the service-created default role, then you must specify it as service-role/AWSBackupDefaultServiceRole in the visual editor. The default role appears in the backup policy JSON with the following example format:
arn:aws:iam::$account:role/service-role/AWSBackupDefaultServiceRole
Important: Don't modify the $account portion of these ARNs.
To create a default role, see Creating the default service role.
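Because AWS Backup doesn't validate the role path or vault name, you can cross-check the policy against each member account before you rely on it. The following script is an added example, not AWS code: the policy and the inventory are constructed samples, and it assumes that you collected each account's role paths and vault names separately (for example, with aws iam list-roles and aws backup list-backup-vaults in every Region that the plan targets).

```python
import re

# Constructed sample policy (Organizations backup policy syntax, "@@assign" operator).
POLICY = {"plans": {"DailyPlan": {
    "regions": {"@@assign": ["us-east-1", "eu-west-1"]},
    "rules": {"Daily": {"target_backup_vault_name": {"@@assign": "OrgVault"}}},
    "selections": {"tags": {"ByTag": {"iam_role_arn": {"@@assign":
        "arn:aws:iam::$account:role/service-role/AWSBackupDefaultServiceRole"}}}},
}}}

# Constructed inventory (assumption): role path/name and vaults per Region, per account.
INVENTORY = {
    "111111111111": {"roles": {"service-role/AWSBackupDefaultServiceRole"},
                     "vaults": {"us-east-1": {"OrgVault"}, "eu-west-1": {"OrgVault"}}},
    "222222222222": {"roles": {"AWSBackupDefaultServiceRole"},  # role exists, wrong path
                     "vaults": {"us-east-1": {"OrgVault"}, "eu-west-1": {"Default"}}},
}

ROLE_ARN = re.compile(r"^arn:aws:iam::\$account:role/(.+)$")

def val(node):
    """Unwrap the {"@@assign": value} form that backup policies use."""
    return node["@@assign"] if isinstance(node, dict) and "@@assign" in node else node

def find_gaps(policy, inventory):
    """Return (plan, account or 'policy', problem) for every missing role or vault."""
    gaps = []
    for plan_name, plan in policy["plans"].items():
        regions = val(plan["regions"])
        vaults = {val(r["target_backup_vault_name"]) for r in plan["rules"].values()}
        roles = set()
        for sel in plan.get("selections", {}).get("tags", {}).values():
            arn = val(sel["iam_role_arn"])
            m = ROLE_ARN.match(arn)
            if m:
                roles.add(m.group(1))  # path plus name, for example service-role/Name
            else:
                gaps.append((plan_name, "policy", f"role ARN must keep $account: {arn}"))
        for account, inv in sorted(inventory.items()):
            for role in sorted(roles - inv["roles"]):
                gaps.append((plan_name, account, f"missing role {role}"))
            for region in regions:
                for vault in sorted(vaults - inv["vaults"].get(region, set())):
                    gaps.append((plan_name, account, f"missing vault {vault} in {region}"))
    return gaps

if __name__ == "__main__":
    for gap in find_gaps(POLICY, INVENTORY):
        print(*gap, sep=" | ")
```

Any account that the script reports is one where the policy is attached but backup jobs can't be created until the role or vault exists under exactly the name and path that the policy uses.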
Additional troubleshooting
Service opt-in
To make sure that the services in your backup plan are activated, you must opt in to use AWS Backup to protect all supported resource types.
You must turn on service opt-in in the management account. For backup plans that Organizations manages, the resource opt-in settings in the management account override the settings in a member account. When you use a delegated administrator account, the resource opt-in setting of the management account is inherited and the delegated administrator account opt-in setting isn't. For more information, see Resource opt-in rules.
Backup policy attached to an OU or single account
Verify that the backup policy is attached to the OU or the account that you're intending to create backups for.
Cross-account monitoring
To view jobs that are created in your member account from the management account, turn on cross-account monitoring in your management account. You can also turn on cross-account monitoring in your delegated administrator accounts to view jobs created in member accounts.
Related Information
Backup policy syntax and examples
Policy updates for AWS Backup