Cannot create S3 Backup using AWS Backup

0

I am trying to make an S3 Backup using AWS Backup.

The error message I'm getting is (I have deliberately changed the bucket name and account number)

Unable to perform s3:PutBucketNotification on my-bucket-name-123 The backup job failed to create a recovery point for your resource arn:aws:s3:::my-bucket-name-123 due to missing permissions on role arn:aws:iam::123456789000:role/service-role/AWSBackupDefaultServiceRole.

I have attached the inline policies described in the documentation to AWSBackupDefaultServiceRole

(note: the role also contains the AWS managed policy AWSBackupServiceRolePolicyForBackup as well as the following)

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"S3BucketBackupPermissions",
      "Action":[
        "s3:GetInventoryConfiguration",
        "s3:PutInventoryConfiguration",
        "s3:ListBucketVersions",
        "s3:ListBucket",
        "s3:GetBucketVersioning",
        "s3:GetBucketNotification",
        "s3:PutBucketNotification",
        "s3:GetBucketLocation",
        "s3:GetBucketTagging"
      ],
      "Effect":"Allow",
      "Resource":[
        "arn:aws:s3:::*"
      ]
    },
    {
      "Sid":"S3ObjectBackupPermissions",
      "Action":[
        "s3:GetObjectAcl",
        "s3:GetObject",
        "s3:GetObjectVersionTagging",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectTagging",
        "s3:GetObjectVersion"
      ],
      "Effect":"Allow",
      "Resource":[
        "arn:aws:s3:::*/*"
      ]
    },
    {
      "Sid":"S3GlobalPermissions",
      "Action":[
        "s3:ListAllMyBuckets"
      ],
      "Effect":"Allow",
      "Resource":[
        "*"
      ]
    },
    {
      "Sid":"KMSBackupPermissions",
      "Action":[
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Effect":"Allow",
      "Resource":"*",
      "Condition":{
        "StringLike":{
          "kms:ViaService":"s3.*.amazonaws.com"
        }
      }
    },
    {
      "Sid":"EventsPermissions",
      "Action":[
        "events:DescribeRule",
        "events:EnableRule",
        "events:PutRule",
        "events:DeleteRule",
        "events:PutTargets",
        "events:RemoveTargets",
        "events:ListTargetsByRule",
        "events:DisableRule"
      ],
      "Effect":"Allow",
      "Resource":"arn:aws:events:*:*:rule/AwsBackupManagedRule*"
    },
    {
      "Sid":"EventsMetricsGlobalPermissions",
      "Action":[
        "cloudwatch:GetMetricData",
        "events:ListRules"
      ],
      "Effect":"Allow",
      "Resource":"*"
    }
  ]
}

This, to me, looks correct, and it should not be giving that error.

Is there a bug? Or is there a step which is not described in the documentation? I would really appreciate some help.

Many thanks

asked 3 years ago · 2.1K views
1 Answer
0

Hi there, I understand you want to create an S3 backup using AWS Backup but you are unable to. Please correct me if I misunderstood.

The error mentioned in the notes occurs if the S3 bucket you are trying to back up has a faulty S3 event notification.

You can use the Amazon S3 Event Notifications feature to receive notifications when certain events happen in your S3 bucket. S3 offers the APIs in links [1] and [2], which allow you to interact with the S3 event notification feature.

I recommend you check:

- Ensure that all the current S3 event notification destinations still exist.
- Check that all the current S3 event notification destinations have a valid resource-based policy.
- Ensure that the KMS key policy is valid for KMS-encrypted topics and queues. For the necessary permissions in the policies, please use this link [3].
- Add s3:PutBucketNotification to the policy arn:aws:iam::123456789000:role/service-role/AWSBackupDefaultServiceRole.
- Lastly, ensure that the bucket resource policy is not restrictive.

I hope this was helpful.

Reference

[1] https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketNotificationConfiguration.html

[2] https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketNotificationConfiguration.html

[3] https://docs.aws.amazon.com/AmazonS3/latest/userguide/grant-destinations-permissions-to-s3.html#key-policy-sns-sqs

[4] https://docs.aws.amazon.com/AmazonS3/latest/userguide/grant-destinations-permissions-to-s3.html#sns-topic-policy

[5] https://docs.aws.amazon.com/AmazonS3/latest/userguide/grant-destinations-permissions-to-s3.html#sqs-queue-policy

answered 2 years ago
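
The first two checks in the answer above can be run over saved output, as an added example that is not part of the original post or any AWS code: `config` is the JSON returned by GetBucketNotificationConfiguration [1], and `dest_policies` is a hypothetical mapping you build from each destination ARN to its resource policy (an ARN missing from the mapping is treated as a deleted destination). The function names and sample values are assumptions, and only Allow statements are read, so Deny, NotAction and NotPrincipal are not evaluated.

```python
from fnmatch import fnmatchcase

# Notification config sections: (ARN field, action S3 needs on that destination type)
DESTINATIONS = {
    "TopicConfigurations": ("TopicArn", "sns:Publish"),
    "QueueConfigurations": ("QueueArn", "sqs:SendMessage"),
    "LambdaFunctionConfigurations": ("LambdaFunctionArn", "lambda:InvokeFunction"),
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def allows_s3(policy, action, bucket_arn):
    """True if an Allow statement lets s3.amazonaws.com use `action` for this bucket."""
    wanted = {action.lower(), action.split(":")[0].lower() + ":*", "*"}
    for st in as_list(policy.get("Statement", [])):
        principal = st.get("Principal", {})
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = {a.lower() for a in as_list(st.get("Action", []))}
        # aws:SourceArn patterns under any condition operator (ArnLike, ArnEquals, ...)
        sources = [p for op in st.get("Condition", {}).values() for k, v in op.items()
                   if k.lower() == "aws:sourcearn" for p in as_list(v)]
        if (st.get("Effect") == "Allow" and actions & wanted
                and (principal == "*" or "s3.amazonaws.com" in services)
                and (not sources or any(fnmatchcase(bucket_arn, p) for p in sources))):
            return True
    return False

def check_notifications(config, bucket_arn, dest_policies):
    """List (arn, problem) for destinations that are missing or do not admit S3."""
    problems = []
    for section, (arn_field, action) in DESTINATIONS.items():
        for entry in config.get(section, []):
            arn = entry[arn_field]
            if arn not in dest_policies:
                problems.append((arn, "destination not found"))
            elif not allows_s3(dest_policies[arn], action, bucket_arn):
                problems.append((arn, "policy does not allow S3 " + action))
    return problems

# Constructed sample (made-up region and names): a deleted topic, a queue scoped to another bucket.
BUCKET = "arn:aws:s3:::my-bucket-name-123"
GONE = "arn:aws:sns:eu-west-1:123456789000:deleted-topic"
QUEUE = "arn:aws:sqs:eu-west-1:123456789000:events-queue"
CONFIG = {"TopicConfigurations": [{"TopicArn": GONE, "Events": ["s3:ObjectCreated:*"]}],
          "QueueConfigurations": [{"QueueArn": QUEUE, "Events": ["s3:ObjectRemoved:*"]}]}
POLICIES = {QUEUE: {"Statement": [{
    "Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"}, "Action": "sqs:SendMessage",
    "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:s3:::other-bucket"}}}]}}
```

`check_notifications(CONFIG, BUCKET, POLICIES)` returns both sample destinations, each paired with its problem; an empty list means every configured destination was found and admits S3 for this bucket.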
