How can I resolve the "Access Denied trying to call AWS Backup service" error when trying to create a cross-account copy in AWS Backup?


I want to resolve the "Access Denied trying to call AWS Backup service" error in AWS Backup.

Resolution

This Access Denied error can occur when the destination backup vault doesn't have a vault access policy that allows copies from a source account. To resolve this error, you must allow the backup:CopyIntoBackupVault action on your destination backup vault access policy. For more information, see Setting up cross-account backup.

The following is an example policy for a destination vault access policy:

Note: Replace the SourceAccountID with your source account ID.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::SourceAccountID:root"
            },
            "Action": "backup:CopyIntoBackupVault",
            "Resource": "*"
        }
    ]
}

Additional troubleshooting

The destination vault access policy can also allow access to an entire organization or an organizational unit (OU). If you're using the policy for an organization or OU, then verify that the organization ID or OU ID is specified on the vault access policy. If the organization ID or OU ID isn't specified, then the cross-account copies fail.

The following is an example of a destination vault access policy that allows the entire organization:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "backup:CopyIntoBackupVault",
        "Resource": "*",
        "Principal": "*",
        "Condition": {
            "StringEquals": {
                "aws:PrincipalOrgID": [
                    "o-xxxxxxxx11"
                ]
            }
        }
    }]
}

The following is an example of a destination vault access policy that allows the OU:

Note: Be sure to correctly enter the aws:PrincipalOrgPaths condition key. For more information, see Use IAM to share your AWS resources with groups of AWS accounts in AWS Organizations.

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "backup:CopyIntoBackupVault",
        "Resource": "*",
        "Principal": "*",
        "Condition": {
            "ForAnyValue:StringLike": {
                "aws:PrincipalOrgPaths": [
                    "o-xxxxxxxx11/r-xxxx/ou-[OU]/*"
                ]
            }
        }
    }]
}
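To check which of the three grants above (source account, whole organization, or OU) a destination vault's policy actually provides before retrying the copy, here is an added Python example; it is not part of the AWS article and is not an AWS SDK function. It evaluates the policy JSON, in the form returned by `aws backup get-backup-vault-access-policy`, for one source account, and reports the failure case the article describes: an organization or OU condition whose ID was left blank. The account IDs and organization identifiers in `sample_policy` are constructed values.

```python
import json
from fnmatch import fnmatchcase

COPY_ACTION = "backup:CopyIntoBackupVault"


def _as_list(value):
    # IAM accepts a scalar or a list for Action, Principal.AWS and condition values
    return value if isinstance(value, list) else [value]


def copy_allowed_from(policy_json, source_account_id, org_id=None, org_path=None):
    """Evaluate a destination vault access policy (the JSON string returned by
    `aws backup get-backup-vault-access-policy`) against one source account.
    org_id / org_path describe that account's organization membership, e.g.
    'o-a1b2c3d4e5' and 'o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/'. Returns (allowed, reason)."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not any(a in (COPY_ACTION, "backup:*", "*") for a in actions):
            continue  # statement does not grant the copy action
        principal, cond = stmt.get("Principal"), stmt.get("Condition", {})
        if isinstance(principal, dict):
            # Case 1: explicit grant to the source account root (first policy above)
            if f"arn:aws:iam::{source_account_id}:root" in _as_list(principal.get("AWS", [])):
                return True, "account principal"
        elif principal == "*":
            # Case 2: Principal "*" narrowed by organization / OU condition keys
            equals, like = cond.get("StringEquals", {}), cond.get("ForAnyValue:StringLike", {})
            org_ids = _as_list(equals.get("aws:PrincipalOrgID", []))
            paths = _as_list(like.get("aws:PrincipalOrgPaths", []))
            if ("aws:PrincipalOrgID" in equals or "aws:PrincipalOrgPaths" in like) and not any(org_ids + paths):
                return False, "org/OU condition present but no organization or OU ID specified"
            if org_id and org_id in org_ids:
                return True, f"organization {org_id}"
            # StringLike is case-sensitive and '*' spans '/', which fnmatchcase reproduces
            if org_path and any(fnmatchcase(org_path, p) for p in paths):
                return True, "organizational unit path"
    return False, f"no Allow statement grants {COPY_ACTION} to account {source_account_id}"


def sample_policy(principal, condition=None):
    """Constructed vault access policy in the shape of the examples above (not a real vault)."""
    stmt = {"Effect": "Allow", "Action": COPY_ACTION, "Resource": "*", "Principal": principal}
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})
```

Feed the `Policy` string from the real vault to `copy_allowed_from` with the source account's ID and, for organization policies, its `o-`/`ou-` path from AWS Organizations; a `False` result with the "no organization or OU ID specified" reason is the misconfiguration described under Additional troubleshooting.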

Related information

Creating backup copies across AWS accounts

AWS OFFICIAL
Updated 10 months ago