Unable to perform cloudwatch:GetMetricData: job fails when backing up S3 with AWS Backup

0

We're getting the error below when trying to back up S3 resources using AWS Backup. The service role used to run the job has had multiple AWS managed policies applied with the same issue, including the 'AWSBackupFullAccess' and 'AWSBackupServiceRolePolicyForBackup' policies. The S3 bucket is using a CMK with permissions shared to the role. The role can successfully back up any other supported resource to any vault but fails on any S3 bucket. The "cloudwatch:GetMetricData on *" permission stated in the error is included in the above policies.

Backup Job Error: "Unable to perform cloudwatch:GetMetricData on * The backup job failed to create a recovery point for your resource arn:aws:s3:::<s3-bucket-name> due to missing permissions on role arn:aws:iam::<account-number:role/<iam-service-role>."

Has anyone seen this error before when backing up S3?

Asked 10 months ago · 502 views
2 answers
1

Hi, it seems that you didn't apply the right policy: it should be AWSBackupServiceRolePolicyForS3Backup (with S3 in the name) instead of AWSBackupServiceRolePolicyForBackup.

Can you try it? Its definition is the following and contains the auth mentioned by the error message:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "cloudwatch:GetMetricData",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "events:DeleteRule",
                "events:PutTargets",
                "events:DescribeRule",
                "events:EnableRule",
                "events:PutRule",
                "events:RemoveTargets",
                "events:ListTargetsByRule",
                "events:DisableRule"
            ],
            "Resource": [
                "arn:aws:events:*:*:rule/AwsBackupManagedRule*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "events:ListRules",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "kms:ViaService": "s3.*.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketTagging",
                "s3:GetInventoryConfiguration",
                "s3:ListBucketVersions",
                "s3:ListBucket",
                "s3:GetBucketVersioning",
                "s3:GetBucketLocation",
                "s3:GetBucketAcl",
                "s3:PutInventoryConfiguration",
                "s3:GetBucketNotification",
                "s3:PutBucketNotification"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:GetObjectVersionTagging",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectTagging",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::*/*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        }
    ]
}

Hope it helps!

Didier

AWS
Expert
answered 10 months ago
  • My typo on the original post. I already have both the AWSBackupServiceRolePolicyForS3Backup & AWSBackupServiceRolePolicyForS3Restore policies assigned to my role with the same error.
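An added, offline way to check the calls that the error message and the policy above turn on (example code written for this thread, not AWS's or the answerer's): a minimal IAM identity-policy evaluator that models Action/Resource wildcards, explicit Deny precedence and the StringLike kms:ViaService condition, then reports which of the calls AWS Backup needs are not allowed. The policy excerpt, bucket name, key ARN and region are constructed placeholders; the authoritative check of a role's real effective permissions is IAM's own simulator (aws iam simulate-principal-policy).

```python
import json
import re
# Constructed excerpt of the AWSBackupServiceRolePolicyForS3Backup statements quoted above (not the full policy).
POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "cloudwatch:GetMetricData", "Resource": "*"},
  {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*",
   "Condition": {"StringLike": {"kms:ViaService": "s3.*.amazonaws.com"}}},
  {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketVersioning"],
   "Resource": "arn:aws:s3:::*"}]}""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _match(value, pattern, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _condition_holds(cond, ctx):
    # Only StringLike is modelled (the operator the quoted policy uses); others fail closed.
    for op, kv in cond.items():
        for key, patterns in kv.items():
            value = ctx.get(key)
            if op != "StringLike" or value is None or \
                    not any(_match(value, p) for p in _as_list(patterns)):
                return False
    return True

def is_allowed(policies, action, resource, context=None):
    """Identity-policy evaluation only: an explicit Deny wins, else any matching Allow."""
    ctx, allowed = context or {}, False
    for st in (s for pol in policies for s in pol["Statement"]):
        if (any(_match(action, a, True) for a in _as_list(st.get("Action", [])))
                and any(_match(resource, r) for r in _as_list(st.get("Resource", [])))
                and _condition_holds(st.get("Condition", {}), ctx)):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

# Calls AWS Backup makes for a CMK-encrypted bucket; bucket, account and key ARN are placeholders.
BACKUP_CHECKS = [
    ("cloudwatch:GetMetricData", "*", {}),
    ("s3:ListBucket", "arn:aws:s3:::example-bucket", {}),
    ("kms:Decrypt", "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
     {"kms:ViaService": "s3.us-east-1.amazonaws.com"}),
]
def missing_permissions(policies, checks=BACKUP_CHECKS):
    # Return the (action, resource) pairs the attached policies do not allow.
    return [(a, r) for a, r, ctx in checks if not is_allowed(policies, a, r, ctx)]
```

If the role's attached policies come back with an empty list here but the job still fails, the Allow is present and the cause lies outside the identity policies (an explicit Deny, a permissions boundary or SCP, the key policy, or a different role than expected).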

0

Hello, it looks like both of those policies you attached are missing the permissions to access CloudWatch metrics which AWS Backup needs in order to perform a backup on an S3 bucket. As per here, I would recommend adding both of the following managed policies.

AWSBackupServiceRolePolicyForS3Backup
AWSBackupServiceRolePolicyForS3Restore

AWSBackupServiceRolePolicyForS3Backup has the necessary permissions to get CloudWatch metrics.

AWS
answered 10 months ago
  • My typo on the original post. I already have both the AWSBackupServiceRolePolicyForS3Backup & AWSBackupServiceRolePolicyForS3Restore policies assigned to my role with the same error.
