Unable to perform cloudwatch:GetMetricData job fails when backing up S3 with AWS Backup

0

We're getting the error below when trying to back up S3 resources using AWS Backup. The service role used to run the job has had multiple AWS managed policies applied with the same issue, including the 'AWSBackupFullAccess' and 'AWSBackupServiceRolePolicyForBackup' policies assigned. The S3 bucket is using a CMK with permissions shared to the role. The role can successfully back up any other supported resource to any vault but fails on any S3 bucket. The "cloudwatch:GetMetricData on *" permission stated in the error is included in the above policies.

Backup Job Error: "Unable to perform cloudwatch:GetMetricData on * The backup job failed to create a recovery point for your resource arn:aws:s3:::<s3-bucket-name> due to missing permissions on role arn:aws:iam::<account-number:role/<iam-service-role>."

Has anyone seen this error before when backing up S3?

asked 10 months ago, 501 views
2 Answers
1

Hi, it seems that you didn't apply the right policy: it should be AWSBackupServiceRolePolicyForS3Backup (with S3 in the name) instead of AWSBackupServiceRolePolicyForBackup.

Can you try it? Its definition is the following and contains the auth mentioned by the error message:


 {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "cloudwatch:GetMetricData",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "events:DeleteRule",
                "events:PutTargets",
                "events:DescribeRule",
                "events:EnableRule",
                "events:PutRule",
                "events:RemoveTargets",
                "events:ListTargetsByRule",
                "events:DisableRule"
            ],
            "Resource": [
                "arn:aws:events:*:*:rule/AwsBackupManagedRule*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "events:ListRules",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "kms:ViaService": "s3.*.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketTagging",
                "s3:GetInventoryConfiguration",
                "s3:ListBucketVersions",
                "s3:ListBucket",
                "s3:GetBucketVersioning",
                "s3:GetBucketLocation",
                "s3:GetBucketAcl",
                "s3:PutInventoryConfiguration",
                "s3:GetBucketNotification",
                "s3:PutBucketNotification"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:GetObjectVersionTagging",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectTagging",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::*/*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        }
    ]
}

Hope it helps!

Didier

AWS EXPERT
answered 10 months ago
  • My typo on the original post. I already have both the AWSBackupServiceRolePolicyForS3Backup & AWSBackupServiceRolePolicyForS3Restore policies assigned to my role with the same error.
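
Since the question reports the same error even with the S3 backup policy attached, one thing worth checking is whether another policy in the role's evaluation chain (a permissions boundary or an SCP) carries an explicit Deny that overrides the Allow shown in the answer. The evaluator below is added here as an example and is not part of the answer or of AWS's tooling; it applies the Deny-beats-Allow rule offline to a constructed copy of the answer's policy statements plus a hypothetical boundary policy.

```python
import fnmatch
# Constructed copy of the answer's policy statements that the error touches
# (cloudwatch, kms-via-S3, s3 list); typed here for the example, not fetched from IAM.
S3_BACKUP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "cloudwatch:GetMetricData", "Resource": "*"},
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*",
     "Condition": {"StringLike": {"kms:ViaService": "s3.*.amazonaws.com"}}},
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"}]}
# Hypothetical permissions boundary: one explicit Deny keeps the job failing
# regardless of which managed Allow policies are attached to the role.
DENY_CLOUDWATCH_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "cloudwatch:*", "Resource": "*"}]}

def _listify(v):
    return v if isinstance(v, list) else [v]

def _condition_holds(cond, context):
    # Only StringEquals and StringLike are modelled; other operators count as unmet.
    for operator, pairs in cond.items():
        for key, patterns in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                ok = actual in _listify(patterns)
            elif operator == "StringLike" and actual is not None:
                ok = any(fnmatch.fnmatchcase(actual, p) for p in _listify(patterns))
            else:
                ok = False
            if not ok:
                return False
    return True

def evaluate(policies, action, resource, context=None):
    """Return 'allowed', 'explicitDeny' or 'implicitDeny' for one call; a matching
    Deny in any policy beats every Allow, as in IAM (NotAction/NotResource skipped)."""
    context, allowed = context or {}, False
    for policy in policies:
        for stmt in _listify(policy["Statement"]):
            if "NotAction" in stmt or "NotResource" in stmt:
                continue
            acts = [a.lower() for a in _listify(stmt.get("Action", []))]  # case-insensitive
            if not any(fnmatch.fnmatchcase(action.lower(), a) for a in acts):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in _listify(stmt.get("Resource", []))):
                continue  # resource ARNs match case-sensitively
            if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"
            allowed = True
    return "allowed" if allowed else "implicitDeny"
```

IAM's own simulator (iam:SimulatePrincipalPolicy) remains the authoritative check for a real role; this block only illustrates why an attached Allow can still lose to a Deny elsewhere.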

0

Hello, it looks like both of those policies you attached are missing the permissions to access CloudWatch metrics which AWS Backup needs in order to perform a backup on an S3 bucket. As per here, I would recommend adding both of the following managed policies.

AWSBackupServiceRolePolicyForS3Backup
AWSBackupServiceRolePolicyForS3Restore

AWSBackupServiceRolePolicyForS3Backup has the necessary permissions to get CloudWatch metrics.

AWS
answered 10 months ago
  • My typo on the original post. I already have both the AWSBackupServiceRolePolicyForS3Backup & AWSBackupServiceRolePolicyForS3Restore policies assigned to my role with the same error.
