Short description
To troubleshoot why your copy job fails across AWS accounts, check the following configurations:
- Confirm that your source and destination accounts belong to the same organization in AWS Organizations.
- Make sure that the resource type supports cross-account copy in the specified AWS Regions.
- Review the encryption criteria for your source account backup.
- Confirm that the source AWS Key Management Service (AWS KMS) key policy allows the destination account.
- Verify that the destination vault access policy allows the source account.
- Make sure that you correctly configured the organization's tag policy.
Resolution
Important: When you copy a backup to a new Region or across accounts for the first time, AWS Backup copies the backup in full. If a service supports incremental backups, then subsequent copies of the backup in the same Region or account are incremental. AWS Backup encrypts your copy with the customer managed key of your destination vault. Cross-account copy requires appropriate authorization and permissions between the source and destination accounts.
For more information, see Encryption for copies of a backup to a different account or AWS Region.
Check your organization's member accounts
If your source and destination accounts aren't in the same organization, then you receive the following error message: "Copy job failed. Both source and destination account must be a member of the same organization".
To resolve this issue, migrate one of your accounts to the same organization as the other account.
Check whether the resource type supports the copy action
Make sure that the AWS service for your resources supports cross-account and cross-Region backups. For a list of the features that the AWS services support for AWS Backup, see Feature availability by resource. For a list of features that are available by Region, see Feature availability by AWS Region.
If your resource doesn't support a copy action that performs both cross-account and cross-Region copy backups, then you might receive the following error message:
"Copy job from us-west-2 to us-east-1 cannot be initiated for RDS resources. Feature is not supported for provided resource type."
The following services don't support the copy action to perform both cross-account and cross-Region backups:
- Amazon Relational Database Service (Amazon RDS)
- Amazon Aurora
- Amazon DocumentDB (with MongoDB compatibility)
- Amazon Neptune
For the preceding services, a single copy job can be either cross-account or cross-Region, but not both. For Amazon DynamoDB, you must turn on AWS Backup advanced features for DynamoDB before you can perform cross-account backups.
Review the encryption criteria
If your cross-account backup job fails because of encryption issues, then you might receive one of the following error messages:
"Copy job failed because the destination Backup vault is encrypted with the default Backup service managed key. The contents of this vault cannot be copied. Only the contents of a Backup vault encrypted by a customer master key (CMK) may be copied".
"Snapshots encrypted with the AWS Managed CMK can't be shared. Specify another snapshot. (Service: AmazonEC2; Status Code: 400; Error Code: InvalidParameter; Request ID: ; Proxy: null)".
To resolve the error, complete the following steps:
- Create a new backup of the resource.
- Restore the resource, and then select an AWS KMS customer managed key.
- Create a new backup of the restored resource.
- Perform the cross-account copy.
For resources that AWS Backup doesn't fully manage, the backups use the same AWS KMS key as the source resource. For fully managed resources, the backups use the backup vault's encryption key.
For more information, see Encryption for backups in AWS Backup.
Note: Cross-account copy of a backup that's encrypted with an AWS managed key is supported only for resources that AWS Backup fully manages (because the recovery point is encrypted with the vault's key instead). For other resource types, the source resource must be encrypted with a customer managed key.
Check the source AWS KMS key policy
If the source account's AWS KMS key policy doesn't allow the destination account, then you might receive one of the following error messages:
"The source snapshot KMS key does not exist, is not enabled or you do not have permissions to access it".
"AMI snapshot copy failed with error: Given key ID is not accessible. You must have DescribeKey permissions on the default CMK".
To resolve the error, add permissions for the destination account to the source AWS KMS key policy.
Use the following example policy:
{
  "Version": "2012-10-17",
  "Id": "cab-kms-key",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::SourceAccountID:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::SourceAccountID:root",
          "arn:aws:iam::DestinationAccountID:root"
        ]
      },
      "Action": [
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::SourceAccountID:root",
          "arn:aws:iam::DestinationAccountID:root"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}
Note: Replace SourceAccountID with your source account ID, and DestinationAccountID with your destination account ID. The ARNs must contain no spaces. Granting the destination account's root principal delegates use of the key to any principal in that account that its own IAM policies allow; if you want a narrower grant, replace the :root ARN with the ARN of the IAM role that the destination account uses for the copy job.
Check the destination vault access policy
If you don't share the destination AWS Backup vault with the source account, then you might receive the following error message: "Access Denied trying to call AWS Backup service".
To resolve the error, add permissions for your source account to the destination vault access policy.
Use the following example policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::SourceAccountID:root"
      },
      "Action": "backup:CopyIntoBackupVault",
      "Resource": "*"
    }
  ]
}
Note: Replace SourceAccountID with your source account ID.
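The two policies above (the source account's key policy and the destination account's vault access policy) are the usual places where a cross-account copy breaks, and a mistyped account ID or a missing action is easy to overlook in a long policy. The following script is an added example, not AWS code or AWS output: it loads the two policies as Python dictionaries (constructed here in the shape shown above, with made-up account IDs 111111111111 and 222222222222) and reports which of the required actions the other account is not granted. The list of required KMS actions, the helper names and the deliberately mistyped vault policy are assumptions made for the example.

```python
"""Offline first-pass check of the two policies a cross-account AWS Backup copy
depends on. Added example; the policies and account IDs below are constructed."""
import fnmatch

SOURCE_ACCOUNT = "111111111111"  # constructed, not a real account
DEST_ACCOUNT = "222222222222"    # constructed, not a real account

# Actions the destination account needs on the source key. The article's
# policy grants ReEncrypt* and CreateGrant; they're expanded to concrete names
# here so each one is checked. (Assumed list for the example.)
REQUIRED_KMS_ACTIONS = [
    "kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom",
    "kms:ReEncryptTo", "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext", "kms:CreateGrant",
]
REQUIRED_VAULT_ACTIONS = ["backup:CopyIntoBackupVault"]

# Source-account KMS key policy in the shape the article shows (constructed).
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{SOURCE_ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": [f"arn:aws:iam::{SOURCE_ACCOUNT}:root",
                               f"arn:aws:iam::{DEST_ACCOUNT}:root"]},
         "Action": ["kms:DescribeKey", "kms:Encrypt", "kms:Decrypt",
                    "kms:ReEncrypt*", "kms:GenerateDataKey",
                    "kms:GenerateDataKeyWithoutPlaintext"],
         "Resource": "*"},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": {"AWS": [f"arn:aws:iam::{SOURCE_ACCOUNT}:root",
                               f"arn:aws:iam::{DEST_ACCOUNT}:root"]},
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
         "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ],
}

# Destination-account vault access policy (constructed), plus a copy with a
# mistyped source account ID, a common cause of "Access Denied trying to call
# AWS Backup service".
VAULT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": f"arn:aws:iam::{SOURCE_ACCOUNT}:root"},
                   "Action": "backup:CopyIntoBackupVault", "Resource": "*"}],
}
VAULT_POLICY_TYPO = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111111111112:root"},
                   "Action": "backup:CopyIntoBackupVault", "Resource": "*"}],
}


def _as_list(value):
    """IAM allows a string or a list in Principal.AWS and Action."""
    return value if isinstance(value, list) else [value]


def _principal_covers(principal, account_id):
    """True if the statement's AWS principal includes account_id (or everyone)."""
    if principal == "*":
        return True
    entries = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
    for entry in entries:
        if entry in ("*", account_id):
            return True
        # arn:aws:iam::<account>:root or :role/... -> account is field 4
        if entry.startswith("arn:aws:iam::") and entry.split(":")[4] == account_id:
            return True
    return False


def missing_actions(policy, account_id, required):
    """Required actions that no Allow statement grants account_id, or that a
    Deny statement removes. Action names are matched case-insensitively with
    IAM wildcards. Statement Conditions are not evaluated, so this is a
    first-pass check, not a full IAM policy simulation."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        if not _principal_covers(stmt.get("Principal", {}), account_id):
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for action in required:
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                bucket.add(action)
    return [a for a in required if a not in allowed or a in denied]


def check_copy_policies(key_policy, vault_policy, source_account, dest_account):
    """Return a list of findings; an empty list means both policies allow the copy."""
    findings = []
    missing = missing_actions(key_policy, dest_account, REQUIRED_KMS_ACTIONS)
    if missing:
        findings.append(f"source key policy does not grant {dest_account}: {', '.join(missing)}")
    missing = missing_actions(vault_policy, source_account, REQUIRED_VAULT_ACTIONS)
    if missing:
        findings.append(f"destination vault policy does not grant {source_account}: {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    for label, vault in (("correct vault policy", VAULT_POLICY), ("mistyped vault policy", VAULT_POLICY_TYPO)):
        print(label, "->", check_copy_policies(KEY_POLICY, vault, SOURCE_ACCOUNT, DEST_ACCOUNT) or "OK")
```

To run it against your own policies, replace the constructed dictionaries with the output of `aws kms get-key-policy --key-id <key-id> --policy-name default` (run in the source account; the policy document is the JSON string in the `Policy` field) and `aws backup get-backup-vault-access-policy --backup-vault-name <vault>` (run in the destination account). The check deliberately ignores `Condition` blocks, so a policy that passes here can still be blocked by a condition such as `kms:GrantIsForAWSResource`; the check is meant to catch missing principals and missing actions quickly, not to replace the IAM policy simulator.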
Check your organization's tag policy
AWS Backup copies tags from resources to recovery points. For example, if you back up an Amazon Elastic Block Store (Amazon EBS) volume, then AWS Backup copies the tags to the snapshot. For more information, see Copy tags during a restore.
If your cross-account backup job fails because of an incorrect tag policy, then you might receive one of the following error messages:
"We are unable to copy resource tags to your backup because of the Internal Failure".
"The tag policy does not allow the specified value for the following tag key: 'xyz'".
To resolve the error, confirm that your tags follow the tagging best practices. Then, compare the tag keys and values on the source resource with the tag policy that's attached to the account or organizational unit: the second error message names the non-compliant tag key, and the value on the resource must be one that the tag policy allows for that key.