AWS Backup - S3 failed: access denied

1

We have an S3 bucket with a policy enabled to permit access to a specific IAM user only. Then we created a backup plan to run a daily backup job for this S3 resource. I added the following statement to our existing bucket policy to also allow the AWS default backup role that was set up in the backup plan's resource selection:

    {
      "Sid": "Stmt1663835336196",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::<BucketName>",
        "arn:aws:s3:::<BucketName>/*"
      ],
      "Principal": {
        "AWS": [
          "arn:aws:iam::<AccountNumber>:role/service-role/AWSBackupDefaultServiceRole"
        ]
      }
    }

However, we are getting a failed (access denied) backup job.

Hope someone can guide me to verify this concern.

TIA

User-HN
Asked 2 years ago, 1545 views
6 answers
1

We are using the AWSBackupDefaultServiceRole with the following attached AWS managed policies:

  • AWSBackupServiceRolePolicyForBackup
  • AWSBackupServiceRolePolicyForRestores
  • AWSBackupServiceRolePolicyForS3Backup
  • AWSBackupServiceRolePolicyForS3Restore

However, we are still getting a failed backup job with an access denied error.

User-HN
Answered 2 years ago
0

I upload my backups to my S3 bucket regularly and it works just fine. I think you need the s3:PutObject permission. I also have other ones, like s3:PutObjectAcl, but I'm not sure you need that. You might want s3:GetObject permissions, too, if you want to download it or read it. Let me know how it goes.

Answered 2 years ago
  • If this answer helped you, please accept my answer or upvote it. It will help others know it worked that way.

  • Hi, thank you for your reply. We don't have an issue reading and writing files/objects to S3 from our application. The problem is, we intend to create a regular backup job for that particular bucket using the AWS Backup service; however, the AWS Backup job fails with access denied due to the S3 bucket policy. We tried to follow this documentation and add the RoleID of the default backup role, but to no avail: https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/

0

Did you follow this document for creating the roles? https://docs.aws.amazon.com/aws-backup/latest/devguide/iam-service-roles.html

Answered 2 years ago
  • Thanks for your reply, Sir. I believe the AWSBackupDefaultServiceRole is automatically created when we make a backup plan and choose the default role.

0

If my answer helped you, please accept the answer or upvote it. It will help others that way, too. Thanks.

Answered 2 years ago
0

There is a way to generate a policy based on CloudTrail logs. That might help you. See this article. Hope it helps. https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html

Answered 2 years ago
0

My posted concern here is now resolved. I updated the bucket policy and added a statement with the following condition:

    Condition: ArnLike
    Key: aws:SourceArn
    Value: arn:aws:iam::<AccountNumber>:role/service-role/AWSBackupDefaultServiceRole

Our backup job is now running.

User-HN
Answered 2 years ago
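Why an Allow statement for the backup role is not enough when the same bucket policy also carries a lock-down Deny, as an added offline illustration (not code from this thread or from AWS): a small evaluator that applies IAM's explicit-Deny-wins rule to a constructed bucket policy and shows the job being denied until the role is added to the Deny statement's exemption. It assumes the lock-down is a Deny with an ArnNotLike condition on aws:PrincipalArn; the account id, bucket and principal names are placeholders, and only that one condition key is modelled.

```python
import copy
import fnmatch
# Constructed sample: placeholder account id, bucket and principals (not from the thread).
BACKUP_ROLE = "arn:aws:iam::111122223333:role/service-role/AWSBackupDefaultServiceRole"
APP_USER = "arn:aws:iam::111122223333:user/app-user"
BUCKET = "arn:aws:s3:::example-bucket"

POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowBackupRole", "Effect": "Allow", "Principal": {"AWS": [BACKUP_ROLE]},
     "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]},
    # Lock-down statement: explicit Deny for every principal not in the exemption list.
    {"Sid": "DenyAllButAppUser", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"ArnNotLike": {"aws:PrincipalArn": [APP_USER]}}},
]}

def _match(patterns, value):  # IAM-style '*' / '?' wildcard match
    pats = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def _principal_ok(stmt, arn):
    p = stmt.get("Principal", {})
    return p == "*" or _match(p.get("AWS", []), arn)

def _condition_ok(stmt, arn):
    # Only aws:PrincipalArn with ArnLike / ArnNotLike is modelled here (assumption).
    for op, kv in stmt.get("Condition", {}).items():
        if "aws:PrincipalArn" not in kv:
            continue
        hit = _match(kv["aws:PrincipalArn"], arn)
        if (op == "ArnLike" and not hit) or (op == "ArnNotLike" and hit):
            return False
    return True

def evaluate(policy, arn, action, resource):
    """Bucket-policy decision for one request: an explicit Deny beats any Allow."""
    decision = ("ImplicitDeny", None)
    for s in policy["Statement"]:
        if not (_match(s["Action"], action) and _match(s["Resource"], resource)
                and _principal_ok(s, arn) and _condition_ok(s, arn)):
            continue
        if s["Effect"] == "Deny":
            return "Deny", s.get("Sid")
        decision = ("Allow", s.get("Sid"))
    return decision

def exempt_from_deny(policy, sid, arn):
    """Copy of `policy` with `arn` added to the Deny statement's exemption list."""
    fixed = copy.deepcopy(policy)
    for s in fixed["Statement"]:
        if s.get("Sid") == sid:
            s["Condition"]["ArnNotLike"]["aws:PrincipalArn"].append(arn)
    return fixed
```

Before the exemption, `evaluate(POLICY, BACKUP_ROLE, "s3:GetObject", BUCKET + "/data/file.txt")` returns the Deny from the lock-down statement despite the Allow; after `exempt_from_deny(...)` the same request resolves to the Allow.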
