We're using centrally managed backup policies in our AWS Organization to backup our data via AWS Backup. This works flawlessly for all resources except for s3 buckets.
When I create the same backup plan in one of the member accounts and specify, that the resource type is s3, it works.
I've checked our CloudTrail log and somehow AWS Backup does not include s3 when searching for resources with the specified tag.
Here is the GetResources
event when the job is run by the backup plan of the organization:
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "XXXXXXXYYYYYYYZZZZZZ:AWSBackup-AWSServiceRoleForBackup",
"arn": "arn:aws:sts::123456789012:assumed-role/AWSServiceRoleForBackup/AWSBackup-AWSServiceRoleForBackup",
"accountId": "123456789012",
"accessKeyId": "ASIA4ROB5DISLEP4KV7D",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "XXXXXXXYYYYYYYZZZZZZ",
"arn": "arn:aws:iam::123456789012:role/aws-service-role/backup.amazonaws.com/AWSServiceRoleForBackup",
"accountId": "123456789012",
"userName": "AWSServiceRoleForBackup"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2022-08-17T10:41:44Z",
"mfaAuthenticated": "false"
}
},
"invokedBy": "backup.amazonaws.com"
},
"eventTime": "2022-08-17T10:41:44Z",
"eventSource": "tagging.amazonaws.com",
"eventName": "GetResources",
"awsRegion": "eu-central-1",
"sourceIPAddress": "backup.amazonaws.com",
"userAgent": "backup.amazonaws.com",
"requestParameters": {
"paginationToken": "",
"tagFilters": [
{
"key": "BackupPlan",
"values": [
"OrganizationDailyBackupPlan"
]
}
],
"resourcesPerPage": 100,
"resourceTypeFilters": [
"dynamodb:table",
"ec2:volume",
"rds:db",
"storagegateway:gateway",
"elasticfilesystem:file-system",
"rds:cluster",
"ec2:instance",
"fsx:file-system",
"fsx:volume"
]
},
"responseElements": null,
"requestID": "e37c2f72-f088-42ab-b1c7-0bc4d8e07dc1",
"eventID": "72f91800-6225-49e6-8a34-5ac56581f936",
"readOnly": true,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management"
}
And here is the GetResources
event when the job is run by the backup plan that was created inside the member account:
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "XXXXXXXYYYYYYYZZZZZZ:AWSBackup-AWSServiceRoleForBackup",
"arn": "arn:aws:sts::123456789012:assumed-role/AWSServiceRoleForBackup/AWSBackup-AWSServiceRoleForBackup",
"accountId": "123456789012",
"accessKeyId": "ASIA4ROB5DISPULAFFWS",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "XXXXXXXYYYYYYYZZZZZZ",
"arn": "arn:aws:iam::123456789012:role/aws-service-role/backup.amazonaws.com/AWSServiceRoleForBackup",
"accountId": "123456789012",
"userName": "AWSServiceRoleForBackup"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2022-08-17T10:27:06Z",
"mfaAuthenticated": "false"
}
},
"invokedBy": "backup.amazonaws.com"
},
"eventTime": "2022-08-17T10:27:06Z",
"eventSource": "tagging.amazonaws.com",
"eventName": "GetResources",
"awsRegion": "eu-central-1",
"sourceIPAddress": "backup.amazonaws.com",
"userAgent": "backup.amazonaws.com",
"requestParameters": {
"paginationToken": "",
"tagFilters": [
{
"key": "BackupPlan",
"values": [
"OrganizationDailyBackupPlan"
]
}
],
"resourcesPerPage": 100,
"resourceTypeFilters": [
"s3"
]
},
"responseElements": null,
"requestID": "78798635-8a5a-4012-acbb-2bcda6e910c8",
"eventID": "90bc2e81-2423-44e6-b041-f561c98dd086",
"readOnly": true,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management"
}
So the only difference is resourceTypeFilters
.
So, why does the backup plan generated by the organizations backup policy exclude S3?
EDIT: The backup selection of the backup plan that was generated from the organizations backup policy does not specify any resources at all:
{
"BackupSelection": {
"SelectionName": "tf-organization-daily-backup-selection",
"IamRoleArn": "arn:aws:iam::123456789012:role/tf-backup-role",
"Resources": [],
"ListOfTags": [
{
"ConditionType": "STRINGEQUALS",
"ConditionKey": "BackupPlan",
"ConditionValue": "OrganizationDailyBackupPlan"
}
],
"NotResources": [],
"Conditions": {
"StringEquals": [],
"StringNotEquals": [],
"StringLike": [],
"StringNotLike": []
}
},
"SelectionId": "ee883d39-7528-313b-8b72-54de063d5cf0",
"BackupPlanId": "orgs/d67a7e29-20b5-3e2b-98a7-24a42ca1a2aa",
"CreationDate": "2022-08-17T14:56:07.810000+02:00"
}
While the selection for the test plan does specify, that all s3 arns are allowed.
{
"BackupSelection": {
"SelectionName": "test",
"IamRoleArn": "arn:aws:iam::123456789012:role/tf-backup-role",
"Resources": [
"arn:aws:s3:::*"
],
"ListOfTags": [],
"NotResources": [],
"Conditions": {
"StringEquals": [
{
"ConditionKey": "aws:ResourceTag/BackupPlan",
"ConditionValue": "OrganizationDailyBackupPlan"
}
],
"StringNotEquals": [],
"StringLike": [],
"StringNotLike": []
}
},
"SelectionId": "ffa87c07-e463-42a1-9086-f45109fec02f",
"BackupPlanId": "2e3367c9-9d9a-446e-9feb-3a4c1ba0b7d3",
"CreationDate": "2022-08-17T12:18:01.314000+02:00",
"CreatorRequestId": "26592555-4a3c-4fc2-a73f-25b3a4473519"
}
Sri, what did your policy look like to specify the resources? I can't see to find an example anywhere. Here's our policy's plan rule section: "rules": { "run_daily0200est_keep15": { "lifecycle": { "delete_after_days": { "@@assign": "15" } }, "complete_backup_window_minutes": { "@@assign": "180" }, "target_backup_vault_name": { "@@assign": "VaultABC123" }, "start_backup_window_minutes": { "@@assign": "60" }, "recovery_point_tags": { "Creator": { "tag_value": { "@@assign": "cdk" }, "tag_key": { "@@assign": "Creator" } } }, "schedule_expression": { "@@assign": "cron(0 5 ? * * *)" } } }