When I try to create a copy of a backup across AWS accounts in AWS Backup, I get "Access denied" errors.
Resolution
"Call to AWS Backup service" error
If the destination vault's access policy doesn't grant the source account the backup:CopyIntoBackupVault permission, then you receive the following error message:
"Access denied when trying to call AWS Backup service"
This error also occurs if the backup vault name is incorrect or if the vault doesn't exist in the destination account.
To resolve this error, complete the following steps:
- To allow your AWS Identity and Access Management (IAM) role to copy the backup, add the following statement to the permissions policy of the IAM role that the copy job uses:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "backup:CopyIntoBackupVault",
        "Resource": "*",
        "Effect": "Allow"
      }
    ]
  }
- To allow the source account to copy backups into the destination vault, include the following statement in the destination vault's access policy:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::SourceAccountID:root"
        },
        "Action": "backup:CopyIntoBackupVault",
        "Resource": "*"
      }
    ]
  }
  Note: Replace SourceAccountID with the 12-digit ID of your source account. Don't use "*" as the Principal: that would allow any AWS account to copy backups into the vault.
- Verify that the IAM role that the copy job uses has a trust relationship (trust policy) that allows the backup.amazonaws.com service to assume the role. Example trust policy:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Service": "backup.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
- Verify that you have the correct destination backup vault name. Backup vault names are case-sensitive. For example, ProdVault and prodvault are two different vaults.
- Make sure that the vault exists in the destination account before you attempt to copy backups into the vault.
For more information, see Setting up cross-account backup.
"Insufficient privileges" error
If the IAM entity (user or role) that starts the copy job doesn't have the backup:StartCopyJob permission, then you receive the following error message:
"Access denied Insufficient privileges to perform this action. Please consult with the account administrator for necessary permissions."
To resolve this error, grant the backup:StartCopyJob permission to the IAM entity that starts the copy job. For example, add the following statement to that entity's permissions policy:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "backup:StartCopyJob",
        "Resource": "*",
        "Effect": "Allow"
      }
    ]
  }
Then, verify that your vault access policy doesn't explicitly deny the backup:StartCopyJob action. An explicit Deny in the vault access policy overrides an Allow in the entity's permissions policy.
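The two sections above describe four separate grants that all have to line up (the destination vault access policy, the copy role's permissions, the copy role's trust policy, and the caller's backup:StartCopyJob permission). The following script is an added example, not code from the AWS article: it evaluates each of those policy documents with a small subset of IAM semantics (explicit Deny wins, then any matching Allow; Resource, Condition and NotAction are ignored) and maps each missing grant to the error text the article quotes. It also flags a vault policy whose Principal is "*". The account IDs and policies are constructed for the example; the names diagnose_copy_job, allows and destination_vault_policy are this example's own.

```python
import fnmatch
import json
import re

# Added example (not from the AWS article). Evaluates the policy documents the article
# says to check and maps each missing grant to the error text the article quotes.
# Deliberate subset of IAM semantics: explicit Deny wins, otherwise any matching Allow;
# Action patterns support '*' and '?'; Principal matches an account root ARN, a service
# name, or '*'. Resource, Condition and NotAction elements are ignored.

BACKUP_SERVICE = "backup.amazonaws.com"
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
CALL_TO_BACKUP_SERVICE = "Access denied when trying to call AWS Backup service"
INSUFFICIENT_PRIVILEGES = "Access denied Insufficient privileges to perform this action."


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, wanted):
    """True if a statement's Principal covers `wanted` (an account root ARN or a service name)."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    return any(entry in ("*", wanted)
               for key in ("AWS", "Service") for entry in _as_list(principal.get(key)))


def _is_wildcard(principal):
    return principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))


def allows(policy, action, principal=None):
    """Return 'allow', 'deny' or 'implicit_deny' for one action.

    principal=None means an identity policy attached to the caller (no Principal element);
    resource-based policies (vault access policy, trust policy) pass the principal to admit.
    """
    decision = "implicit_deny"
    for stmt in _as_list(policy.get("Statement")):
        if principal is not None and not _principal_matches(stmt.get("Principal"), principal):
            continue
        if not any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt.get("Action"))):
            continue
        if stmt.get("Effect") == "Deny":
            return "deny"  # an explicit Deny beats every Allow
        if stmt.get("Effect") == "Allow":
            decision = "allow"
    return decision


def destination_vault_policy(source_account_id):
    """The destination vault access policy from the article, with the source account filled in."""
    if not ACCOUNT_ID_RE.match(source_account_id):
        raise ValueError("AWS account IDs are exactly 12 digits")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{source_account_id}:root"},
        "Action": "backup:CopyIntoBackupVault",
        "Resource": "*"}]}


def wildcard_principals(policy):
    """Allow statements that admit any AWS account; in a vault policy these accept copies from anyone."""
    return [s for s in _as_list(policy.get("Statement"))
            if s.get("Effect") == "Allow" and _is_wildcard(s.get("Principal"))]


def diagnose_copy_job(starter_policy, role_policy, role_trust_policy, dest_vault_policy, source_account_id):
    """Return (check, article_error) for each grant that is missing."""
    source_root = f"arn:aws:iam::{source_account_id}:root"
    checks = [
        ("destination vault admits source account for backup:CopyIntoBackupVault",
         allows(dest_vault_policy, "backup:CopyIntoBackupVault", source_root), CALL_TO_BACKUP_SERVICE),
        ("copy role is allowed backup:CopyIntoBackupVault",
         allows(role_policy, "backup:CopyIntoBackupVault"), CALL_TO_BACKUP_SERVICE),
        ("copy role trusts backup.amazonaws.com",
         allows(role_trust_policy, "sts:AssumeRole", BACKUP_SERVICE), CALL_TO_BACKUP_SERVICE),
        ("caller is allowed backup:StartCopyJob",
         allows(starter_policy, "backup:StartCopyJob"), INSUFFICIENT_PRIVILEGES),
    ]
    return [(name, error) for name, decision, error in checks if decision != "allow"]


# Constructed sample inputs (not real accounts or policies).
SOURCE_ACCOUNT = "111122223333"
ROLE_POLICY = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": "backup:*", "Resource": "*"}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": BACKUP_SERVICE}, "Action": "sts:AssumeRole"}]}
WRONG_ACCOUNT_VAULT_POLICY = destination_vault_policy("444455556666")  # pasted with the wrong account ID

if __name__ == "__main__":
    print(json.dumps(destination_vault_policy(SOURCE_ACCOUNT), indent=2))
    for check, err in diagnose_copy_job(ROLE_POLICY, ROLE_POLICY, TRUST_POLICY,
                                        WRONG_ACCOUNT_VAULT_POLICY, SOURCE_ACCOUNT):
        print(f"FAIL {check}: {err}")
```

Feed the script the documents you pull from the accounts (the vault access policy with get-backup-vault-access-policy, the role's trust and permissions policies with get-role and get-role-policy): every check it reports as failing corresponds to one of the steps above.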
"Source and destination account" error
If the source and destination accounts aren't members of the same organization in AWS Organizations, then you receive the following error message:
"Copy job failed. Both source and destination account must be a member of the same organization."
To resolve this issue, move either the source or the destination account into the same organization as the other account.
"Region to Region initiation error" error
If the requested copy isn't supported for the resource type, then you receive the following error message:
"Copy job from us-west-2 to us-east-1 cannot be initiated for RDS resources. Feature is not supported for provided resource type."
You also receive this error if the resource type doesn't support a copy that is both cross-account and cross-Region in a single copy job. For example, Amazon Relational Database Service (Amazon RDS) doesn't support a combined cross-Region and cross-account copy, so you can't use that combined operation for Amazon RDS resources.
To resolve this issue, verify that the resource type supports both cross-account and cross-Region backups. To see what features each AWS service supports in AWS Backup, check the feature availability by resource. To view feature availability across different Regions, check the feature availability by AWS Region.
"Given key ID" or "source snapshot KMS key does not exist" error
If the destination account doesn't have permission to use the encryption key, then you receive one of the following error messages:
- "Given key ID is not accessible"
- "The source snapshot KMS key does not exist, is not enabled or you do not have permissions to access it"
To resolve these errors, complete the following tasks:
- Make sure that the source account's AWS Key Management Service (AWS KMS) key policy grants the destination account's root principal (arn:aws:iam::DestinationAccountID:root). Administrators in the destination account can then delegate the required permissions to its IAM users and roles.
- Update your key policies based on whether your resources have full AWS Backup management support or don't have full AWS Backup management support.
For example, Amazon Simple Storage Service (Amazon S3) and Amazon Elastic File System (Amazon EFS) resources have full support. For such resources, keep the following in mind:
- The vault's encryption key serves as the source AWS KMS key.
- The vault key can be either a customer managed key or an AWS managed key.
- If the vault key is a customer managed key, then you must update its key policy to include the destination account.
For more information, see How AWS Backup works with supported AWS services.
Key policies work differently for resources that don't have full support, such as Amazon Elastic Compute Cloud (Amazon EC2) and Amazon RDS. For such resources, keep the following in mind:
- The original resource's encryption key serves as the source AWS KMS key.
- The key must be a customer managed key.
- You must modify the key policy to include the destination account.
Important: For these resources, you can't use an AWS managed key as the source AWS KMS key for the following reasons:
- You can't modify the key policy of an AWS managed key.
- You can't share an AWS managed key with a destination account.
For more information, see How can I resolve the "Given key ID not accessible" error when performing a cross-account copy in AWS Backup?
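The key-policy rules above depend on two things: which key is the source key (the vault's key for resources with full AWS Backup management, the original resource's key otherwise) and whether that key is AWS managed or customer managed. The following script is an added example, not code from the AWS article: it encodes those rules so that, given the key metadata and key policy, it reports which key must grant the destination account and why the copy would fail. The key descriptions follow the shape of kms:DescribeKey (KeyManager is "AWS" or "CUSTOMER"); the key IDs, policies and account IDs are constructed for the example, the set of fully managed resource types is limited to the two the article names, and the actions in the sample policies are illustrative only.

```python
# Added example (not from the AWS article). Encodes the article's rule for which KMS key
# has to grant the destination account on a cross-account copy: fully managed resources
# use the vault's key; EC2 and RDS use the original resource's key, which must be a
# customer managed key whose policy names the destination account.

# From the article; other resource types come from the feature-availability table (assumption).
FULL_BACKUP_MANAGEMENT = {"S3", "EFS"}


def source_key_for(resource_type, vault_key, resource_key):
    """Return the key that serves as the source AWS KMS key for this resource type."""
    return vault_key if resource_type in FULL_BACKUP_MANAGEMENT else resource_key


def key_policy_names_account(key_policy, account_id):
    """True if an Allow statement names the account root, as a root ARN or a bare account ID."""
    accepted = {f"arn:aws:iam::{account_id}:root", account_id}
    for stmt in key_policy.get("Statement", []):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        aws = principal.get("AWS", [])
        if accepted.intersection(aws if isinstance(aws, list) else [aws]):
            return True
    return False


def diagnose_key(resource_type, vault_key, resource_key, destination_account_id):
    """Explain whether the destination account can use the source key, and what to change."""
    key = source_key_for(resource_type, vault_key, resource_key)
    result = {"key_id": key["KeyId"], "ok": False}
    if key["KeyManager"] == "AWS":
        if resource_type in FULL_BACKUP_MANAGEMENT:
            # Article: a fully managed resource may sit in a vault with an AWS managed key,
            # and an AWS managed key has no policy for you to edit.
            return {**result, "ok": True, "note": "vault key is AWS managed; no key policy to update"}
        return {**result, "reason": "AWS managed key: its policy can't be modified and it can't be "
                                    "shared with the destination account; a customer managed key is required"}
    if not key_policy_names_account(key["Policy"], destination_account_id):
        return {**result, "reason": "key policy doesn't grant the destination account",
                "add_principal": f"arn:aws:iam::{destination_account_id}:root"}
    return {**result, "ok": True}


# Constructed sample data (fake key IDs, accounts and policies; the actions are illustrative).
SOURCE_ACCOUNT = "111122223333"
DEST_ACCOUNT = "444455556666"
_OWNER_STMT = {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{SOURCE_ACCOUNT}:root"},
               "Action": "kms:*", "Resource": "*"}
CUSTOMER_KEY_SHARED = {"KeyId": "11111111-aaaa-4bbb-8ccc-000000000001", "KeyManager": "CUSTOMER",
                       "Policy": {"Version": "2012-10-17", "Statement": [_OWNER_STMT, {
                           "Effect": "Allow", "Principal": {"AWS": [f"arn:aws:iam::{DEST_ACCOUNT}:root"]},
                           "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]}}
CUSTOMER_KEY_UNSHARED = {"KeyId": "22222222-aaaa-4bbb-8ccc-000000000002", "KeyManager": "CUSTOMER",
                         "Policy": {"Version": "2012-10-17", "Statement": [_OWNER_STMT]}}
AWS_MANAGED_KEY = {"KeyId": "33333333-aaaa-4bbb-8ccc-000000000003", "KeyManager": "AWS",
                   "Policy": {"Version": "2012-10-17", "Statement": [_OWNER_STMT]}}

if __name__ == "__main__":
    for rtype, vault_key, resource_key in [("RDS", CUSTOMER_KEY_SHARED, AWS_MANAGED_KEY),
                                           ("EC2", CUSTOMER_KEY_SHARED, CUSTOMER_KEY_UNSHARED),
                                           ("EFS", AWS_MANAGED_KEY, CUSTOMER_KEY_UNSHARED)]:
        print(rtype, diagnose_key(rtype, vault_key, resource_key, DEST_ACCOUNT))
```

The first case in the driver is the "Given key ID is not accessible" situation from the article (an RDS snapshot encrypted with an AWS managed key), and the second is the customer managed key that merely hasn't been shared yet, where the output tells you exactly which principal the key policy is missing.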
Related information
Creating backup copies across AWS accounts
Encryption for backups in AWS Backup
How are my backups and copies encrypted in AWS Backup?