Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

Correct permissions to Restore an Aurora Backup from AWS Backup with KMS

0

Hello, here is the situation, we have AWS Backup configured to backup Aurora Clusters, the Aurora Cluster is encrypted with a CMK of KMS. Now, that we want to restore a backup using the AWS Backup Console, the process says it finished successfully but the restored Aurora Cluster has 0 instances. So I think there is an issue of permissions to use the KMS key, but I have tried different permissions to no avail. Is there a document that specifies the correct permissions for this to work ?

Thanks in advanced. Kind Regards,

Themen
Sicherheit, Identität & KonformitätSpeicherAnalysenDatenbank
Tags
AWS-SchlüsselverwaltungsserviceSicherung & WiederherstellungAWS DatensicherungAmazon Aurora
Sprache
English
profile picture
Higher
gefragt vor 2 Jahren454 Aufrufe
2 Antworten
1
Akzeptierte Antwort

I feel just that in case of Aurora Cluster restored from restore point only restore the Aurora cluster. You need to manually attach the instances with the cluster. Second would be if you can see the KMS used for encryption of source Aurora has permission's granted to the account you are trying to perform the restore.

AWS
SSaxena
beantwortet vor 10 Monaten
profile picture
EXPERTE
Giovanni Lauria
überprüft vor einem Monat
  • Higher
    vor 10 Monaten

    I will make some tests and update. I think the restore from AWS Backup should create at least one instance, doesn't make sense to restore to cluster with 0 instances, in that case as I do now, I prefer to restore from Snapshot from the RDS Consosole.

  • Higher
    vor 8 Monaten

    Update: exactly as @SSaxena said, the Aurora Cluster is created without Instance, you havce to manually add a new Instance, I think I will stick to the restore from the RDS Console for now

0

You can look at CloudTrail event history around the time when you run the restore to see if any CreateDBInstance call is failing/giving an error. The error code would tell the missing permission.

Please also look at any other API calls around that timestamp to note any additional API calls which gave an error.

AWS
Shivam_G
beantwortet vor 2 Jahren
profile picture
EXPERTE
Giovanni Lauria
überprüft vor einem Monat
  • Higher
    vor 2 Jahren

    Hello Shivam, I did and I got no errors, I see the following actions: StartRestoreJob, RestoreDBClusterFromSnapshot, CreateGrant, RestoreStarted

    I could not find any error in CloudTrail, the Bakcup Restore Job shows as Completed, the RDS Cluster is there with status of Available but with 0 instances.

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt