Unable to perform cloudwatch:GetMetricData job fails when backing up S3 with AWS Backup

0

We're getting the error below when trying to backup S3 resources using AWS Backup. The service role used to run the job has had multiple AWS managed policies applied with the same issue, including the 'AWSBackupFullAccess' and the AWSBackupServiceRolePolicyForBackup' policies assigned. The S3 bucket is using an CMK with permissions shared to the role. The role can successfully backup any other supported resource to any vault but fails on any S3 bucket. The "cloudwatch:GetMetricData on *" permission stated in the error is included in the above policies.

Backup Job Error: "Unable to perform cloudwatch:GetMetricData on * The backup job failed to create a recovery point for your resource arn:aws:s3:::<s3-bucket-name> due to missing permissions on role arn:aws:iam::<account-number:role/<iam-service-role>."

Has anyone seen this error before when backing up S3?

asked 10 months ago516 views
2 Answers
1

Hi, it seems that you didn't apply the right policy: it should be AWSBackupServiceRolePolicyForS3Backup (with S3 in the name) instead of AWSBackupServiceRolePolicyForBackup'.

Can you try it ? Its definition is the following and contains the auth mentioned by the error message:


 {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "cloudwatch:GetMetricData",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "events:DeleteRule",
                "events:PutTargets",
                "events:DescribeRule",
                "events:EnableRule",
                "events:PutRule",
                "events:RemoveTargets",
                "events:ListTargetsByRule",
                "events:DisableRule"
            ],
            "Resource": [
                "arn:aws:events:*:*:rule/AwsBackupManagedRule*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "events:ListRules",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "kms:ViaService": "s3.*.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketTagging",
                "s3:GetInventoryConfiguration",
                "s3:ListBucketVersions",
                "s3:ListBucket",
                "s3:GetBucketVersioning",
                "s3:GetBucketLocation",
                "s3:GetBucketAcl",
                "s3:PutInventoryConfiguration",
                "s3:GetBucketNotification",
                "s3:PutBucketNotification"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:GetObjectVersionTagging",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectTagging",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::*/*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        }
    ]
}

Hope it helps!

Didier

profile pictureAWS
EXPERT
answered 10 months ago
  • My typepo on the original post. I already have both the AWSBackupServiceRolePolicyForS3Backup & AWSBackupServiceRolePolicyForS3Restore policies assigned to my role with the same error.

0

Hello, it looks like both of those policies you attached are missing the permissions to access CloudWatch metrics which AWS Backup needs in order to perform a backup on an S3 bucket. As per here, I would recommend adding both of the following managed policies.

AWSBackupServiceRolePolicyForS3Backup
AWSBackupServiceRolePolicyForS3Restore

AWSBackupServiceRolePolicyForS3Backup has the necessary permissions to get cloud watch metrics.

AWS
answered 10 months ago
  • My typepo on the original post. I already have both the AWSBackupServiceRolePolicyForS3Backup & AWSBackupServiceRolePolicyForS3Restore policies assigned to my role with the same error.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions