I want to resolve the "Access Denied trying to call AWS Backup service" error that I get when I try to create a copy across AWS accounts in AWS Backup.
Resolution
Add the backup:CopyIntoBackupVault action to your policies
The Access Denied error can occur when you don't have permission to copy backups from a source AWS account.
To resolve this issue, add the backup:CopyIntoBackupVault action to your AWS Identity and Access Management (IAM) identity-based policy and destination vault access policy. For more information, see Setting up cross-account backup.
To allow your IAM role to copy the backup, include the following statement in the identity-based policy that's attached to your IAM role:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "backup:CopyIntoBackupVault",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
To allow AWS Backup access from the source account, include the following statement in your destination vault access policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::SourceAccountID:root"
            },
            "Action": "backup:CopyIntoBackupVault",
            "Resource": "*"
        }
    ]
}
Note: Replace the SourceAccountID with your source account ID.
Allow access to an organization in Organizations or OU
The destination vault access policy can also allow access to an organization in AWS Organizations or an organizational unit (OU). If you're using the policy for an organization or OU, then specify the organization ID or OU ID in the vault access policy. If you don't specify the organization ID or OU ID, then the cross-account copies fail.
The following is an example of a destination vault access policy that allows the entire organization (the Resource and Principal values must be "*", not empty strings; the aws:PrincipalOrgID condition is what limits the grant to the organization):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "backup:CopyIntoBackupVault",
            "Resource": "*",
            "Principal": "*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": [
                        "o-xxxxxxxx11"
                    ]
                }
            }
        }
    ]
}
The following is an example of a destination vault access policy that allows the OU (again with Resource and Principal set to "*", and the aws:PrincipalOrgPaths condition limiting the grant to the OU):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "backup:CopyIntoBackupVault",
            "Resource": "*",
            "Principal": "*",
            "Condition": {
                "ForAnyValue:StringLike": {
                    "aws:PrincipalOrgPaths": [
                        "o-xxxxxxxx11/r-xxxx/ou-[OU]/*"
                    ]
                }
            }
        }
    ]
}
Note: Make sure to correctly enter the aws:PrincipalOrgPaths condition key. For more information, see Use IAM to share your AWS resources with groups of AWS accounts in AWS Organizations.
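The following is an added example, not AWS code and not an AWS API: an offline checker that takes a destination vault access policy of the shapes shown above and reports whether a given source principal would be allowed backup:CopyIntoBackupVault, and which of the misconfigurations behind the Access Denied error it finds (an empty Principal or Resource, an organization or OU condition with no ID, or no matching Allow). It implements a simplified subset of IAM evaluation (account-root principals, StringEquals on aws:PrincipalOrgID, ForAnyValue:StringLike on aws:PrincipalOrgPaths, explicit Deny), so it is a pre-deployment sanity check, not a replacement for the IAM policy simulator or a real copy job. The account, organization and OU IDs in it are constructed placeholders.

```python
import re

ACTION = "backup:CopyIntoBackupVault"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _like(value, pattern):
    # IAM StringLike wildcards: '*' matches any run of characters, '?' exactly one
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _principal_matches(principal, account_id):
    # Accepts "*", {"AWS": "*"}, the account root ARN or the bare account ID.
    # An empty string never matches, which is why an empty Principal causes Access Denied.
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    root_arn = f"arn:aws:iam::{account_id}:root"
    return any(p in ("*", root_arn, account_id) for p in _as_list(principal.get("AWS", [])))


def _condition_matches(condition, ctx):
    # Simplified StringEquals / StringLike, optionally prefixed with
    # ForAnyValue / ForAllValues for multi-valued keys such as aws:PrincipalOrgPaths
    for operator, keys in condition.items():
        set_op, _, base_op = operator.rpartition(":")
        compare = {"StringEquals": str.__eq__, "StringLike": _like}.get(base_op)
        if compare is None:
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in keys.items():
            expected, actual = _as_list(expected), _as_list(ctx.get(key, []))
            if not actual:
                return False  # key absent from the request context
            hits = [any(compare(a, e) for e in expected) for a in actual]
            if not (all(hits) if set_op == "ForAllValues" else any(hits)):
                return False
    return True


def check_vault_policy(policy, source_account_id, org_id=None, org_paths=()):
    """Return (allowed, findings) for a source principal copying into the vault.

    findings lists what would produce Access Denied: empty Principal or Resource,
    an organization condition with no ID, an explicit Deny, or no matching Allow.
    """
    ctx = {}
    if org_id:
        ctx["aws:PrincipalOrgID"] = org_id
    if org_paths:
        ctx["aws:PrincipalOrgPaths"] = list(org_paths)

    findings, allowed, denied = [], False, False
    for n, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if not any(_like(ACTION, a) for a in _as_list(stmt.get("Action", []))):
            continue  # statement does not cover the copy action
        for field in ("Principal", "Resource"):
            if stmt.get(field) in ("", [], None):
                findings.append(f'statement {n}: {field} is empty; use "*" or an explicit value')
        for ops in stmt.get("Condition", {}).values():
            for key, vals in ops.items():
                if key.startswith("aws:PrincipalOrg") and not [v for v in _as_list(vals) if v]:
                    findings.append(f"statement {n}: {key} has no ID, so cross-account copies fail")
        if (_principal_matches(stmt.get("Principal"), source_account_id)
                and stmt.get("Resource") not in ("", [], None)
                and _condition_matches(stmt.get("Condition", {}), ctx)):
            if stmt.get("Effect") == "Deny":
                denied = True
            elif stmt.get("Effect") == "Allow":
                allowed = True
    if denied:
        findings.append("an explicit Deny statement matches the source principal")
    elif not allowed:
        findings.append(f"no Allow statement grants {ACTION} to account {source_account_id}")
    return allowed and not denied, findings


# Constructed sample inputs: these are not real account, organization or OU IDs
SOURCE_ACCOUNT = "111122223333"
ORG_ID = "o-a1b2c3d4e5"
OU_PATH = f"{ORG_ID}/r-ab12/ou-ab12-11111111/"

ACCOUNT_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{SOURCE_ACCOUNT}:root"},
    "Action": ACTION, "Resource": "*"}]}

OU_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ACTION, "Resource": "*", "Principal": "*",
    "Condition": {"ForAnyValue:StringLike": {
        "aws:PrincipalOrgPaths": [f"{ORG_ID}/r-ab12/ou-ab12-11111111/*"]}}}]}

# A misconfigured shape: empty Resource and Principal match nothing
BROKEN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ACTION, "Resource": "", "Principal": "",
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": [ORG_ID]}}}]}

if __name__ == "__main__":
    cases = (("account", ACCOUNT_POLICY, {}),
             ("ou", OU_POLICY, {"org_id": ORG_ID, "org_paths": [OU_PATH]}),
             ("broken", BROKEN_POLICY, {"org_id": ORG_ID}))
    for name, policy, kwargs in cases:
        ok, why = check_vault_policy(policy, SOURCE_ACCOUNT, **kwargs)
        print(f"{name:8s} allowed={ok} {why}")
```

Feed it the JSON you are about to apply with put-backup-vault-access-policy together with the source account ID and, for organization or OU policies, that account's organization ID and its aws:PrincipalOrgPaths value; an empty findings list and allowed=True is what a working cross-account copy requires. The checker deliberately treats a missing organization ID or OU path as a failure, matching the article's note that copies fail when the ID is not specified.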
Related information
Creating backup copies across AWS accounts