Backup policy copy_action to multiple location error
Hi all
I created a Backup account and send EBS and RDS backup from other accounts in my organization. In the Backup account, I want to use multi-region so I created two central vaults in two regions, one in each region. I.e., I'm doing the cross-region and cross-account vault-copy.
I used cloud formation template and added the followings:
"copy_actions":
{
"CENTRAL_VAULT_ARN": {
"target_backup_vault_arn": {
"@@assign": "CENTRAL_VAULT_ARN"
},
"lifecycle": {
"move_to_cold_storage_after_days": {
"@@assign": "30"
},
"delete_after_days": {
"@@assign": "365"
}
}
},
"CENTRAL_VAULT_WEST_ARN": {
"target_backup_vault_arn": {
"@@assign": "CENTRAL_VAULT_WEST_ARN"
},
"lifecycle": {
"move_to_cold_storage_after_days": {
"@@assign": "30"
},
"delete_after_days": {
"@@assign": "365"
}
}
}
}
But I encountered the following error.
Exception: An error occurred (MalformedPolicyDocumentException) when calling the CreatePolicy operation: The provided policy document does not meet the requirements of the specified policy type
I modified the cloud formation template provided in https://aws.amazon.com/blogs/storage/automate-centralized-backup-at-scale-across-aws-services-using-aws-backup/ to create the centralized backup policy.
- Topics
- Storage
- Tags
- AWS Backup
- Language
- English
- Newest
- Most votes
- Most comments
When setting up cross-region and cross-account backup copies using AWS Backup policies, there are some specific requirements for the ARN format that need to be followed.
The issue with your configuration is likely related to how you're specifying the target backup vault ARNs. In your template, you're using placeholder values "CENTRAL_VAULT_ARN" and "CENTRAL_VAULT_WEST_ARN" which need to be replaced with actual ARNs that follow the required format.
For cross-account backup copies, you need to specify the complete ARN of the destination backup vault, which should look like:
arn:aws:backup:region:account-id:backup-vault:vault-name
For example: arn:aws:backup:us-east-1:123456789012:backup-vault:CentralBackupVault
When copying to a different region in the same account, you can use the $account variable which automatically gets replaced with the account ID in which the backup policy is running. For example:
arn:aws:backup:us-west-2:$account:backup-vault:WestRegionVault
Additionally, it's important to note that there are limitations when trying to perform both cross-account and cross-region copies for certain services like RDS. You can do one or the other, but not both simultaneously for RDS resources. For such scenarios, you would need to create separate backup plans - one for RDS resources that only does cross-account (same region) copies, and another for non-RDS resources that can do both cross-account and cross-region copies.
Make sure your backup vaults in the destination account have the appropriate permissions policy to allow the source account to copy backups into them.
Sources
Best practices for using backup policies - AWS Organizations
Creating backup copies across AWS accounts - AWS Backup
CopyAction - AWS Backup
Using AWS Backup to backup cross-account to multiple regions | AWS re:Post
Hello.
Looking at the example backup policy, there doesn't seem to be any syntax issues.
What kind of error are you currently getting?
Can you share the error message you're getting?
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup_syntax.html#backup-policy-examples
"copy_actions": {
"arn:aws:backup:us-east-1:123456789012:backup-vault:secondary_vault": {
"target_backup_vault_arn": {
"@@assign": "arn:aws:backup:us-east-1:123456789012:backup-vault:secondary_vault"
},
"lifecycle": {
"move_to_cold_storage_after_days": {
"@@assign": "30"
},
"delete_after_days": {
"@@assign": "120"
},
"opt_in_to_archive_for_supported_resources": {
"@@assign": "false"
}
}
},
"arn:aws:backup:us-west-1:123456789012:backup-vault:tertiary_vault": {
"target_backup_vault_arn": {
"@@assign": "arn:aws:backup:us-west-1:123456789012:backup-vault:tertiary_vault"
},
"lifecycle": {
"move_to_cold_storage_after_days": {
"@@assign": "30"
},
"delete_after_days": {
"@@assign": "120"
},
"opt_in_to_archive_for_supported_resources": {
"@@assign": "false"
}
}
}
}
Relevant content
asked 5 years ago- asked 2 years ago
- asked 9 months ago
- AWS OFFICIALUpdated 21 days ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 18 days ago
@Riku_Kobayashi Thanks for your answer. I added error message in the question. Seems like the problems is "there are limitations when trying to perform both cross-account and cross-region copies for certain services like RDS. You can do one or the other, but not both simultaneously" as the AI agent commented, since both cross-account only and cross-region only worked. Only the cross-account and cross-region vault copy did not work.