Unable to perform cloudwatch:GetMetricData job fails when backing up S3 with AWS Backup

0

We're getting the error below when trying to back up S3 resources using AWS Backup. The service role used to run the job has had multiple AWS managed policies applied with the same issue, including the 'AWSBackupFullAccess' and 'AWSBackupServiceRolePolicyForBackup' policies. The S3 bucket is using a CMK with permissions shared with the role. The role can successfully back up any other supported resource to any vault but fails on any S3 bucket. The "cloudwatch:GetMetricData on *" permission stated in the error is included in the above policies.

Backup Job Error: "Unable to perform cloudwatch:GetMetricData on * The backup job failed to create a recovery point for your resource arn:aws:s3:::<s3-bucket-name> due to missing permissions on role arn:aws:iam::<account-number:role/<iam-service-role>."

Has anyone seen this error before when backing up S3?

asked 10 months ago, 502 views
2 answers
1

Hi, it seems that you didn't apply the right policy: it should be AWSBackupServiceRolePolicyForS3Backup (with S3 in the name) instead of AWSBackupServiceRolePolicyForBackup.

Can you try it? Its definition is the following and contains the auth mentioned by the error message:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "cloudwatch:GetMetricData",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "events:DeleteRule",
                "events:PutTargets",
                "events:DescribeRule",
                "events:EnableRule",
                "events:PutRule",
                "events:RemoveTargets",
                "events:ListTargetsByRule",
                "events:DisableRule"
            ],
            "Resource": [
                "arn:aws:events:*:*:rule/AwsBackupManagedRule*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "events:ListRules",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "kms:ViaService": "s3.*.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketTagging",
                "s3:GetInventoryConfiguration",
                "s3:ListBucketVersions",
                "s3:ListBucket",
                "s3:GetBucketVersioning",
                "s3:GetBucketLocation",
                "s3:GetBucketAcl",
                "s3:PutInventoryConfiguration",
                "s3:GetBucketNotification",
                "s3:PutBucketNotification"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:GetObjectVersionTagging",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectTagging",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::*/*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        }
    ]
}

Hope it helps!

Didier

AWS
EXPERT
answered 10 months ago
  • My typo on the original post. I already have both the AWSBackupServiceRolePolicyForS3Backup & AWSBackupServiceRolePolicyForS3Restore policies assigned to my role with the same error.

0

Hello, it looks like both of those policies you attached are missing the permissions to access CloudWatch metrics which AWS Backup needs in order to perform a backup on an S3 bucket. As per here, I would recommend adding both of the following managed policies.

AWSBackupServiceRolePolicyForS3Backup
AWSBackupServiceRolePolicyForS3Restore

AWSBackupServiceRolePolicyForS3Backup has the necessary permissions to get CloudWatch metrics.

AWS
answered 10 months ago
  • My typo on the original post. I already have both the AWSBackupServiceRolePolicyForS3Backup & AWSBackupServiceRolePolicyForS3Restore policies assigned to my role with the same error.
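The original poster reports the job still failing with the S3 backup policy attached. As an added example (not from the thread or from AWS), the script below runs a simplified, offline IAM evaluation over an excerpt of the policy quoted in the first answer: it shows that an explicit Deny from any other policy in the evaluation chain (a constructed permissions boundary here) overrides the managed policy's Allow on cloudwatch:GetMetricData, and that the kms:Decrypt statement only applies when the kms:ViaService context key is present. The thread itself does not establish which of these applies to the poster's role; the policy names are taken from the thread, the boundary and ARNs are constructed.

```python
import fnmatch

# Excerpt of the AWSBackupServiceRolePolicyForS3Backup document quoted in the answer above.
BACKUP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "cloudwatch:GetMetricData", "Resource": "*"},
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*",
     "Condition": {"StringLike": {"kms:ViaService": "s3.*.amazonaws.com"}}},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketVersioning"],
     "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:GetObjectVersion"],
     "Resource": "arn:aws:s3:::*/*"},
]}

# Constructed example of a second policy in the evaluation chain (for instance a
# permissions boundary on the role) carrying an explicit Deny on CloudWatch actions.
BOUNDARY_WITH_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "cloudwatch:*", "Resource": "*"},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _any_match(patterns, value, fold_case):
    # IAM action names are case-insensitive; ARNs and StringLike values are not.
    patterns = _as_list(patterns)
    if fold_case:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_ok(cond, context):
    # Only StringLike is modelled (all the quoted policy uses); any other operator is
    # treated as unmet so the simplification never over-allows.
    if set(cond) - {"StringLike"}:
        return False
    for key, patterns in cond.get("StringLike", {}).items():
        if key not in context or not _any_match(patterns, context[key], False):
            return False
    return True

def evaluate(policies, action, resource, context=None):
    """Simplified IAM decision: explicit Deny beats Allow; no match is an implicit deny.
    NotAction/NotResource and non-StringLike conditions are not modelled."""
    decision = "implicitDeny"
    for policy in policies:
        for st in policy["Statement"]:
            if not _any_match(st.get("Action", []), action, True):
                continue
            if not _any_match(st.get("Resource", []), resource, False):
                continue
            if not _condition_ok(st.get("Condition", {}), context or {}):
                continue
            if st["Effect"] == "Deny":
                return "explicitDeny"
            decision = "allow"
    return decision
```

Against a real role, the equivalent check is the IAM policy simulator, which also accounts for permissions boundaries attached to the role.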
