
Backup policy copy_action to multiple location error

0

Hi all

I created a Backup account and send EBS and RDS backups from other accounts in my organization. In the Backup account, I want to use multi-region, so I created two central vaults, one in each region. I.e., I'm doing the cross-region and cross-account vault copy.

I used a CloudFormation template and added the following:

"copy_actions": {
  "CENTRAL_VAULT_ARN": {
    "target_backup_vault_arn": {
      "@@assign": "CENTRAL_VAULT_ARN"
    },
    "lifecycle": {
      "move_to_cold_storage_after_days": {
        "@@assign": "30"
      },
      "delete_after_days": {
        "@@assign": "365"
      }
    }
  },
  "CENTRAL_VAULT_WEST_ARN": {
    "target_backup_vault_arn": {
      "@@assign": "CENTRAL_VAULT_WEST_ARN"
    },
    "lifecycle": {
      "move_to_cold_storage_after_days": {
        "@@assign": "30"
      },
      "delete_after_days": {
        "@@assign": "365"
      }
    }
  }
}

But I encountered the following error.

Exception: An error occurred (MalformedPolicyDocumentException) when calling the CreatePolicy operation: The provided policy document does not meet the requirements of the specified policy type

I modified the CloudFormation template provided in https://aws.amazon.com/blogs/storage/automate-centralized-backup-at-scale-across-aws-services-using-aws-backup/ to create the centralized backup policy.

Asked 3 months ago, 64 views
2 answers
0
Accepted answer

When setting up cross-region and cross-account backup copies using AWS Backup policies, there are some specific requirements for the ARN format that need to be followed.

The issue with your configuration is likely related to how you're specifying the target backup vault ARNs. In your template, you're using placeholder values "CENTRAL_VAULT_ARN" and "CENTRAL_VAULT_WEST_ARN" which need to be replaced with actual ARNs that follow the required format.

For cross-account backup copies, you need to specify the complete ARN of the destination backup vault, which should look like: arn:aws:backup:region:account-id:backup-vault:vault-name

For example: arn:aws:backup:us-east-1:123456789012:backup-vault:CentralBackupVault

When copying to a different region in the same account, you can use the $account variable which automatically gets replaced with the account ID in which the backup policy is running. For example: arn:aws:backup:us-west-2:$account:backup-vault:WestRegionVault

Additionally, it's important to note that there are limitations when trying to perform both cross-account and cross-region copies for certain services like RDS. You can do one or the other, but not both simultaneously for RDS resources. For such scenarios, you would need to create separate backup plans - one for RDS resources that only does cross-account (same region) copies, and another for non-RDS resources that can do both cross-account and cross-region copies.

Make sure your backup vaults in the destination account have the appropriate permissions policy to allow the source account to copy backups into them.
Sources
Best practices for using backup policies - AWS Organizations
Creating backup copies across AWS accounts - AWS Backup
CopyAction - AWS Backup
Using AWS Backup to backup cross-account to multiple regions | AWS re:Post

Answered 3 months ago
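The accepted answer gives two rules that can be checked before the policy is ever submitted: every `copy_actions` target must be a complete vault ARN of the form `arn:aws:backup:region:account-id:backup-vault:vault-name` (or use `$account`), and a plan that covers RDS resources must not have a copy action that is both cross-account and cross-region. The script below is an added example written for this post, not code from the question, the answer or AWS; it assumes the `plans -> rules -> copy_actions` layout from the Organizations backup policy syntax page linked in the second answer, and the account IDs, region names and vault names it uses are constructed placeholders.

```python
"""Static pre-flight checks for copy_actions in an AWS Organizations backup policy (added example)."""
import json
import re

# Destination vault ARN format from the accepted answer:
#   arn:aws:backup:<region>:<account-id>:backup-vault:<vault-name>
# "$account" is the variable AWS Backup replaces with the ID of the account the policy runs in.
VAULT_ARN_RE = re.compile(
    r"^arn:aws:backup:(?P<region>[a-z]{2}(?:-[a-z]+)+-\d):"
    r"(?P<account>\d{12}|\$account):backup-vault:(?P<name>[A-Za-z0-9._-]+)$"
)


def parse_vault_arn(arn):
    """Return (region, account, vault_name), or None if the ARN is malformed (e.g. a placeholder)."""
    m = VAULT_ARN_RE.match(arn)
    if m is None:
        return None
    return m.group("region"), m.group("account"), m.group("name")


def make_copy_action(target_arn, cold_days="30", delete_days="365"):
    """Build one copy_actions entry in the @@assign syntax used by Organizations backup policies."""
    return {
        target_arn: {
            "target_backup_vault_arn": {"@@assign": target_arn},
            "lifecycle": {
                "move_to_cold_storage_after_days": {"@@assign": cold_days},
                "delete_after_days": {"@@assign": delete_days},
            },
        }
    }


def build_policy(copy_targets, plan_name="org_plan", rule_name="daily"):
    """Minimal policy skeleton (constructed) holding one rule with the given copy targets."""
    actions = {}
    for target in copy_targets:
        actions.update(make_copy_action(target))
    return {"plans": {plan_name: {"rules": {rule_name: {"copy_actions": actions}}}}}


def check_copy_actions(policy, source_account, source_region, includes_rds):
    """Return a list of (plan, target, problem) tuples for every questionable copy action.

    source_account / source_region: the member account and region the plan runs in.
    includes_rds: True when the plan's selection can pick up RDS resources, which the
    accepted answer says cannot be copied cross-account and cross-region in one action.
    """
    problems = []
    for plan_name, plan in policy.get("plans", {}).items():
        for rule in plan.get("rules", {}).values():
            for key, action in rule.get("copy_actions", {}).items():
                target = action.get("target_backup_vault_arn", {}).get("@@assign", "")
                if key != target:
                    problems.append((plan_name, key, "key does not match target_backup_vault_arn"))
                parsed = parse_vault_arn(target)
                if parsed is None:
                    # This is the case in the question: an unreplaced placeholder such as CENTRAL_VAULT_ARN.
                    problems.append((plan_name, target, "not a valid backup vault ARN (placeholder left in?)"))
                    continue
                region, account, _ = parsed
                cross_account = account not in ("$account", source_account)
                cross_region = region != source_region
                if includes_rds and cross_account and cross_region:
                    problems.append((plan_name, target, "RDS cannot be copied cross-account and cross-region in one action"))
    return problems


if __name__ == "__main__":
    # Constructed values: 222222222222 is the member (source) account, 111111111111 the central Backup account.
    SOURCE_ACCOUNT, SOURCE_REGION = "222222222222", "us-east-1"
    CENTRAL = "arn:aws:backup:us-east-1:111111111111:backup-vault:central"
    CENTRAL_WEST = "arn:aws:backup:us-west-2:111111111111:backup-vault:central-west"

    # 1. The question's template, with placeholders still in place.
    for p in check_copy_actions(build_policy(["CENTRAL_VAULT_ARN"]), SOURCE_ACCOUNT, SOURCE_REGION, True):
        print("placeholder policy:", p)
    # 2. Real ARNs, non-RDS plan: both copies are fine.
    print("non-RDS plan:", check_copy_actions(build_policy([CENTRAL, CENTRAL_WEST]), SOURCE_ACCOUNT, SOURCE_REGION, False))
    # 3. Real ARNs, plan that includes RDS: the west copy is flagged.
    for p in check_copy_actions(build_policy([CENTRAL, CENTRAL_WEST]), SOURCE_ACCOUNT, SOURCE_REGION, True):
        print("RDS plan:", p)
    print(json.dumps(make_copy_action(CENTRAL), indent=2))
```

The check deliberately treats `$account` as same-account, so a cross-region copy that uses the variable is never counted as cross-account; if you split RDS into its own plan as the answer suggests, run the check once per plan with the matching `includes_rds` flag.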
0

Hello.

Looking at the example backup policy, there don't seem to be any syntax issues.
What kind of error are you currently getting?
Can you share the error message you're getting?
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup_syntax.html#backup-policy-examples

"copy_actions": {
    "arn:aws:backup:us-east-1:123456789012:backup-vault:secondary_vault": {
        "target_backup_vault_arn": {
            "@@assign": "arn:aws:backup:us-east-1:123456789012:backup-vault:secondary_vault"
        },
        "lifecycle": {
            "move_to_cold_storage_after_days": {
                "@@assign": "30"
            },
            "delete_after_days": {
                "@@assign": "120"
            },
            "opt_in_to_archive_for_supported_resources": {
                "@@assign": "false"
            }
        }
    },
    "arn:aws:backup:us-west-1:123456789012:backup-vault:tertiary_vault": {
        "target_backup_vault_arn": {
            "@@assign": "arn:aws:backup:us-west-1:123456789012:backup-vault:tertiary_vault"
        },
        "lifecycle": {
            "move_to_cold_storage_after_days": {
                "@@assign": "30"
            },
            "delete_after_days": {
                "@@assign": "120"
            },
            "opt_in_to_archive_for_supported_resources": {
                "@@assign": "false"
            }
        }
    }
}
Expert
Answered 3 months ago
  • @Riku_Kobayashi Thanks for your answer. I added the error message to the question. Seems like the problem is "there are limitations when trying to perform both cross-account and cross-region copies for certain services like RDS. You can do one or the other, but not both simultaneously" as the AI agent commented, since both cross-account only and cross-region only worked. Only the cross-account and cross-region vault copy did not work.
