Cannot create S3 Backup using AWS Backup

0

I am trying to make an S3 Backup using AWS Backup.

The error message I'm getting is (I have deliberately changed the bucket name and account number)

Unable to perform s3:PutBucketNotification on my-bucket-name-123 The backup job failed to create a recovery point for your resource arn:aws:s3:::my-bucket-name-123 due to missing permissions on role arn:aws:iam::123456789000:role/service-role/AWSBackupDefaultServiceRole.

I have attached the inline policies described in the documentation to AWSBackupDefaultServiceRole

(note: the role also contains the AWS managed policy AWSBackupServiceRolePolicyForBackup as well as the following)

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"S3BucketBackupPermissions",
      "Action":[
        "s3:GetInventoryConfiguration",
        "s3:PutInventoryConfiguration",
        "s3:ListBucketVersions",
        "s3:ListBucket",
        "s3:GetBucketVersioning",
        "s3:GetBucketNotification",
        "s3:PutBucketNotification",
        "s3:GetBucketLocation",
        "s3:GetBucketTagging"
      ],
      "Effect":"Allow",
      "Resource":[
        "arn:aws:s3:::*"
      ]
    },
    {
      "Sid":"S3ObjectBackupPermissions",
      "Action":[
        "s3:GetObjectAcl",
        "s3:GetObject",
        "s3:GetObjectVersionTagging",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectTagging",
        "s3:GetObjectVersion"
      ],
      "Effect":"Allow",
      "Resource":[
        "arn:aws:s3:::*/*"
      ]
    },
    {
      "Sid":"S3GlobalPermissions",
      "Action":[
        "s3:ListAllMyBuckets"
      ],
      "Effect":"Allow",
      "Resource":[
        "*"
      ]
    },
    {
      "Sid":"KMSBackupPermissions",
      "Action":[
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Effect":"Allow",
      "Resource":"*",
      "Condition":{
        "StringLike":{
          "kms:ViaService":"s3.*.amazonaws.com"
        }
      }
    },
    {
      "Sid":"EventsPermissions",
      "Action":[
        "events:DescribeRule",
        "events:EnableRule",
        "events:PutRule",
        "events:DeleteRule",
        "events:PutTargets",
        "events:RemoveTargets",
        "events:ListTargetsByRule",
        "events:DisableRule"
      ],
      "Effect":"Allow",
      "Resource":"arn:aws:events:*:*:rule/AwsBackupManagedRule*"
    },
    {
      "Sid":"EventsMetricsGlobalPermissions",
      "Action":[
        "cloudwatch:GetMetricData",
        "events:ListRules"
      ],
      "Effect":"Allow",
      "Resource":"*"
    }
  ]
}

This, to me, looks correct and it should not be giving that error.

Is there a bug? Or is there a step which is not described in the documentation? I would really appreciate some help.

Many thanks

asked 2 years ago, 1835 views
1 answer
0

Hi there, I understand you want to create an S3 backup using AWS Backup but you are unable to. Please correct me if I misunderstood.

The error mentioned in the notes occurs if the S3 bucket you are trying to back up has a faulty S3 event notification.

You can use the Amazon S3 Event Notifications feature to receive notifications when certain events happen in your S3 bucket. S3 offers the APIs at links [1] and [2], which allow you to interact with the S3 event notification feature.

I recommend you check:

- Ensure that all the current S3 event notification destinations still exist.
- Check that all the current S3 event notification destinations have a valid resource-based policy.
- Ensure that the KMS key policy is valid for KMS-encrypted topics and queues. For the policies with the necessary permissions, please use link [3].
- Add s3:PutBucketNotification to the policy of arn:aws:iam::123456789000:role/service-role/AWSBackupDefaultServiceRole.
- Lastly, ensure that the bucket resource policy is not restrictive.

I hope this was helpful.

Reference

[1] https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketNotificationConfiguration.html

[2] https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketNotificationConfiguration.html

[3] https://docs.aws.amazon.com/AmazonS3/latest/userguide/grant-destinations-permissions-to-s3.html#key-policy-sns-sqs

[4] https://docs.aws.amazon.com/AmazonS3/latest/userguide/grant-destinations-permissions-to-s3.html#sns-topic-policy

[5] https://docs.aws.amazon.com/AmazonS3/latest/userguide/grant-destinations-permissions-to-s3.html#sqs-queue-policy

Karabo
answered 2 years ago
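An added example, not part of either post, that checks offline the last two items in the answer: whether the role's identity policy grants s3:PutBucketNotification on the bucket named in the error, and whether a restrictive bucket policy would explicitly deny it to the backup role. It is a simplified model of IAM evaluation (same account only; Condition blocks, SCPs and permission boundaries are not modelled); the bucket policy and the AdminRole ARN are constructed for the demonstration.

```python
import fnmatch
# Values from the question (the bucket name and account number are the author's own placeholders).
ROLE_ARN = "arn:aws:iam::123456789000:role/service-role/AWSBackupDefaultServiceRole"
BUCKET_ARN = "arn:aws:s3:::my-bucket-name-123"

# Constructed sample: the bucket-level S3 statement of the inline policy in the question.
ROLE_POLICY = {"Statement": [{"Sid": "S3BucketBackupPermissions", "Effect": "Allow", "Resource": ["arn:aws:s3:::*"],
    "Action": ["s3:GetBucketNotification", "s3:PutBucketNotification"]}]}

# Constructed sample: a restrictive bucket policy that denies every principal except one (hypothetical) admin role.
BUCKET_POLICY = {"Statement": [{"Sid": "OnlyAdminRole", "Effect": "Deny", "Action": "s3:*",
    "NotPrincipal": {"AWS": "arn:aws:iam::123456789000:role/AdminRole"}, "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(statement, action, resource):
    # IAM wildcards are '*' and '?'; fnmatchcase handles both (ARNs never contain '[').
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement.get("Action", [])))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(statement.get("Resource", []))))

def _principals(principal):
    return ["*"] if principal == "*" else _as_list(principal.get("AWS", []))

def _applies_to(statement, principal_arn):
    if "Principal" in statement:
        return any(p in ("*", principal_arn) for p in _principals(statement["Principal"]))
    if "NotPrincipal" in statement:
        return principal_arn not in _principals(statement["NotPrincipal"])
    return True  # identity-policy statements apply to the principal they are attached to

def is_allowed(principal_arn, action, resource, identity_policy, bucket_policy=None):
    """Simplified same-account decision: explicit Deny wins, then any matching Allow grants; Conditions are ignored."""
    allowed = False
    for policy in (identity_policy, bucket_policy or {"Statement": []}):
        for st in _as_list(policy["Statement"]):
            if _matches(st, action, resource) and _applies_to(st, principal_arn):
                if st["Effect"] == "Deny":
                    return False  # explicit deny always wins
                allowed = True
    return allowed

def diagnose(bucket_policy=None, action="s3:PutBucketNotification"):
    """Explain why the action from the error message would be refused, or return None if it is allowed."""
    if not is_allowed(ROLE_ARN, action, BUCKET_ARN, ROLE_POLICY):
        return f"role policy does not allow {action} on {BUCKET_ARN}"
    if not is_allowed(ROLE_ARN, action, BUCKET_ARN, ROLE_POLICY, bucket_policy):
        return f"bucket policy explicitly denies {action} for {ROLE_ARN}"
    return None
```

With the question's policy alone `diagnose()` returns None, which is the point the asker makes: the identity policy is not what is missing, so the remaining suspects are the bucket policy and the notification destinations.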
