I get an "Insufficient privileges to perform this action" or "Access Denied" error when I try to perform an Amazon Elastic File System (Amazon EFS) restore using AWS Backup.
To restore an Amazon EFS recovery point using AWS Backup, you must have the following permissions:
- The AWS Identity and Access Management (IAM) identity that creates the restore job must have the backup:StartRestoreJob permission.
- The IAM role that's used to restore must have EFS permissions.
- You might be restoring EFS to a new file system with encryption turned on. In this case, the IAM role that is passed in the restore request must have AWS Key Management Service (AWS KMS) permissions.
To troubleshoot the "Insufficient privileges to perform this action" or "Access Denied" error, follow these steps:
1. Confirm that the IAM identity that creates the restore job has the backup:StartRestoreJob AWS Backup action. This permission must be allowed through an attached IAM policy.
2. Confirm that the IAM role that was passed in the restore request has the following EFS actions allowed through the attached IAM policy.
3. If you're restoring to a new file system with encryption turned on, then confirm that the IAM role also has the following AWS KMS permissions . These permissions must be allowed in the AWS KMS key policy or allowed through the attached IAM policy.
AWS KMS actions:
4. Verify that there's no explicit deny for backup:StartRestoreJob action in the vault access policy. For example, the default EFS vault aws/efs/automatic-backup-vault receives the following access policy upon creation, which denies the backup:StartRestoreJob action.
"backup:StartRestoreJob", <--- This action restricts restore
5. Verify that there are no deny statements in the IAM policies and AWS Organisation SCPs that are denying the required Backup, EFS and AWS KMS actions.
- You can restore EFS to either a new file system or an existing file system. You can perform a Full restore, which restores the entire file system. Or, you can perform an Item-level restore, which restores specific files and directories. Either way, AWS Backup restores the recovery point to the restore directory aws-backup-restore_timestamp-of-restore.
- When the restore is finished, you can see the restore directory at the root of the file system. If the restore fails to finish, then you can see the directory aws-backup-failed-restore_timestamp-of-restore.
- The data fragments that can't be restored to the restore directory are placed in the aws-backup-lost+found directory. If modifications are made to the file system while the backup is occurring, then fragments might be moved to this directory.
- When performing an Item-level restore, you must specify the relative path related to the mount point. For example, if the file system is mounted to /user/home/myname/efs and the file path is user/home/myname/efs/file1, then you enter /file1. Paths are case sensitive and can't contain special characters, wildcard characters, or regular expression (regex) strings.