I want to resolve an Access Denied error that I get when I try to create an AWS Backup vault.
Short description
To create a backup vault using AWS Backup, you must have the following permissions in place:
- backup:CreateBackupVault
- backup-storage:MountCapsule
- kms:CreateGrant
- kms:DescribeKey
- kms:RetireGrant
- kms:Decrypt
- kms:GenerateDataKey
To troubleshoot the Access Denied error, verify that these permissions are configured correctly.
Resolution
Check that you have the required IAM permissions in place
Check that you have the AWS Identity and Access Management (IAM) policies required to create a backup vault.
If you're signed in to the AWS Backup console, then verify the permissions of the signed-in user or role. If you're using the AWS Command Line Interface (AWS CLI) or an SDK, then check the permissions attached to the IAM entity whose credentials the AWS CLI or SDK is configured to use.
The following example policy grants the necessary permissions in AWS Backup and AWS Key Management Service (AWS KMS) to create a vault. The AWS KMS key in the first statement is the vault's encryption key; AWS Backup encrypts backups of some resource types with this key and backups of other resource types with the source resource's own key. Replace the example key ARN, account ID, and Region with your own.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleStmt1",
      "Effect": "Allow",
      "Action": [
        "kms:CreateGrant",
        "kms:DescribeKey",
        "kms:RetireGrant",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "arn:aws:kms:us-west-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    {
      "Sid": "ExampleStmt2",
      "Effect": "Allow",
      "Action": [
        "backup:CreateBackupVault"
      ],
      "Resource": "arn:aws:backup:us-west-2:444455556666:backup-vault:*"
    },
    {
      "Sid": "ExampleStmt3",
      "Effect": "Allow",
      "Action": [
        "backup-storage:MountCapsule"
      ],
      "Resource": "*"
    }
  ]
}
Check if you have an IAM permissions boundary in place
Review the IAM permissions boundary that is set on the IAM entity that you're using to create a backup vault. A permissions boundary never grants access by itself: for each action, both the boundary and the identity-based policy must allow it. If there's a permissions boundary in place, confirm that it allows all of the actions needed to create a vault.
Check your AWS Organizations service control policy
If you're using AWS Organizations, then review your organization's service control policies (SCPs).
AWS Organizations attaches an AWS managed SCP named FullAWSAccess to every root and OU when it's created. This policy allows all services and actions. Review the SCPs attached to your account and to every OU and root above it in the organization, because all of them apply to the account. Verify that no SCP denies any of the actions required to create the backup vault. If FullAWSAccess was detached anywhere in that chain, also verify that an attached SCP still allows those actions, because an action that no SCP allows is denied.
Check the AWS KMS key policy
When you create an AWS KMS key in the AWS KMS console, the key policy begins with a default statement that grants kms:* on the key to the account's root principal (for example, arn:aws:iam::444455556666:root for the account used in the policy above). This statement allows access to the AWS account and activates IAM policies for the key. The default key policy statement is critical. Without it, IAM policies that allow access to the key are ineffective, but IAM policies that deny access to the key are still effective.
Make sure that the key policy still contains this statement and that no key policy statement denies the IAM entity that you're using to create the vault.
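The four checks above amount to one evaluation: an explicit Deny in any layer wins; otherwise the SCPs, the permissions boundary, and the identity policy must each allow the action, and the kms: actions additionally need a key policy statement that either names the principal or activates IAM policies through the account root. The following Python script is an added example written for this article; it is not AWS code or the IAM policy simulator. It implements that simplified decision logic (no Condition, NotAction, NotResource, or cross-account cases) and runs it over constructed sample policies: the article's identity policy, a hypothetical permissions boundary that omits kms:CreateGrant, the FullAWSAccess SCP, and the console's default key policy statement. The role name BackupAdmin and the vault name example-vault are assumptions.

```python
"""Offline model of this article's four checks (identity policy, permissions boundary,
SCPs, KMS key policy). Simplified logic written for this example; not boto3 or IAM."""
import fnmatch

# Actions the article lists as required to create a backup vault.
REQUIRED_ACTIONS = [
    "backup:CreateBackupVault", "backup-storage:MountCapsule", "kms:CreateGrant",
    "kms:DescribeKey", "kms:RetireGrant", "kms:Decrypt", "kms:GenerateDataKey",
]
ACCOUNT = "444455556666"  # the article's example account ID
KEY_ARN = f"arn:aws:kms:us-west-2:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
VAULT_ARN = f"arn:aws:backup:us-west-2:{ACCOUNT}:backup-vault:example-vault"  # hypothetical
PRINCIPAL = f"arn:aws:iam::{ACCOUNT}:role/BackupAdmin"  # hypothetical role

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, value):
    # IAM treats '*' and '?' as wildcards and matches action names case-insensitively.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def _stmt_applies(stmt, action, resource):
    return (any(_glob(a, action) for a in _as_list(stmt.get("Action", [])))
            and any(_glob(r, resource) for r in _as_list(stmt.get("Resource", "*"))))

def policy_decision(policy, action, resource):
    """'Deny' if any matching statement denies, 'Allow' if one allows, else None."""
    decision = None
    for stmt in _as_list(policy.get("Statement", [])):
        if _stmt_applies(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def iam_decision(action, resource, identity_policies, boundary=None, scps=None):
    """(allowed, reason): a Deny in any layer wins; else every present layer must Allow."""
    layers = [("SCP", list(scps or []), bool(scps)),
              ("permissions boundary", [boundary] if boundary else [], bool(boundary)),
              ("identity policy", list(identity_policies), True)]
    for name, policies, must_allow in layers:
        decisions = [policy_decision(p, action, resource) for p in policies]
        if "Deny" in decisions:
            return False, f"explicit Deny in {name}"
        if must_allow and "Allow" not in decisions:
            return False, f"no Allow in {name}"
    return True, "allowed"

def kms_decision(action, key_arn, key_policy, principal_arn, account_id, iam_result):
    """KMS also consults the key policy: a Deny there wins; a statement naming the IAM
    principal allows directly; the default root statement only makes the IAM result count."""
    root = f"arn:aws:iam::{account_id}:root"
    direct = enables_iam = False
    for stmt in _as_list(key_policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if not _stmt_applies(stmt, action, key_arn) or not any(
                p in ("*", principal_arn, root, account_id) for p in principals):
            continue
        if stmt["Effect"] == "Deny":
            return False, "explicit Deny in key policy"
        direct = direct or principal_arn in principals
        enables_iam = enables_iam or any(p in ("*", root, account_id) for p in principals)
    allowed, reason = iam_result
    if reason.startswith("explicit Deny"):  # an IAM-side Deny stays effective
        return False, reason
    if direct:
        return True, "allowed directly by key policy"
    if not enables_iam:
        return False, "key policy does not enable IAM policies for this account"
    return allowed, reason

def check_create_vault(identity_policies, key_policy, boundary=None, scps=None,
                       principal_arn=PRINCIPAL, account_id=ACCOUNT):
    """Map every required action to (allowed, reason) so the failing layer is visible."""
    results = {}
    for action in REQUIRED_ACTIONS:
        resource = (KEY_ARN if action.startswith("kms:")
                    else VAULT_ARN if action == "backup:CreateBackupVault" else "*")
        result = iam_decision(action, resource, identity_policies, boundary, scps)
        if action.startswith("kms:"):
            result = kms_decision(action, KEY_ARN, key_policy, principal_arn, account_id, result)
        results[action] = result
    return results

# Constructed sample inputs: the article's identity policy, a boundary that omits
# kms:CreateGrant, the FullAWSAccess SCP and the console's default key policy statement.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": KEY_ARN, "Action": ["kms:CreateGrant", "kms:DescribeKey",
     "kms:RetireGrant", "kms:Decrypt", "kms:GenerateDataKey"]},
    {"Effect": "Allow", "Action": "backup:CreateBackupVault",
     "Resource": f"arn:aws:backup:us-west-2:{ACCOUNT}:backup-vault:*"},
    {"Effect": "Allow", "Action": "backup-storage:MountCapsule", "Resource": "*"}]}
BOUNDARY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["backup:*", "backup-storage:*", "kms:DescribeKey", "kms:RetireGrant",
               "kms:Decrypt", "kms:GenerateDataKey"]}]}
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DEFAULT_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow", "Action": "kms:*",
     "Resource": "*", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}}]}
```

Calling check_create_vault([IDENTITY_POLICY], DEFAULT_KEY_POLICY, boundary=BOUNDARY, scps=[FULL_AWS_ACCESS]) reports kms:CreateGrant as denied with the reason "no Allow in permissions boundary" and the other six actions as allowed, which is the per-action answer the AccessDenied message itself does not give you. Dropping the key policy's root statement flips every kms: action to "key policy does not enable IAM policies for this account" while the backup: actions stay allowed, and adding a Deny statement to the identity policy is still reported as a Deny even with the root statement present, which is the behaviour the key policy section describes. Against a live account, aws iam simulate-principal-policy evaluates the real policies attached to the principal; this script is only a model of the decision logic.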
Related information
API permissions: actions, resources, and conditions reference
Creating a backup vault