Hello.
If you check the CloudTrail event history, you may be able to find a more detailed error message.
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/tutorial-event-history.html
Please check not only the IAM Identity Center user policy but also whether the action is being denied by SCPs, etc.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
This error suggests you're facing a permissions issue when trying to create a backup policy in your AWS Backup delegated admin account. Even though you have AdministrativeAccess for the Backup account through AWS Identity Center, there might be specific permissions missing.
When you back up and restore resources with AWS Backup, you need both permission to use AWS Backup itself and permission to access the resources you want to protect. The easiest way to ensure proper permissions is to choose the "Default role" when assigning resources to a backup plan.
For your specific issue, there are a few potential causes:
- The IAM role you're using might not have sufficient permissions to create backup policies. Even with AdministrativeAccess, there could be specific AWS Backup policy-related permissions missing.
- If you're trying to create an organization-level backup policy, you might need additional permissions in AWS Organizations.
- There might be a resource-based policy restricting access to the backup vault or other AWS Backup resources.
To troubleshoot this issue:
- Verify that your IAM role has the necessary permissions for AWS Backup operations, particularly for creating backup policies.
- Check if there are any explicit deny statements in any policies attached to your role or user.
- If you're working with AWS Organizations, ensure you have the proper permissions to manage organization policies.
- You can use AWS CloudTrail to view detailed error messages or logs that might provide more specific information about the permission issue.
If the issue persists, you might need to attach specific AWS Backup service role policies to your IAM role, such as those that grant permissions for backup and restore operations for the specific resource types you're working with.
Sources
- Troubleshooting AWS Backup - AWS Backup
- An error when attempting a backup | AWS re:Post
- Access control - AWS Backup
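Both answers point at CloudTrail event history as the place where the real reason for the denial shows up. The following is an added example, not code from the question or either answer: a small Python filter over the JSON that `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventSource,AttributeValue=backup.amazonaws.com` returns, picking out `AccessDenied` calls and reporting the IAM action and which policy layer (SCP, permissions boundary, resource policy or identity policy) the error message names. The sample events are constructed, and the layer detection relies on the wording AWS uses in its access-denied messages, so treat a result of "unknown" as "read the message yourself".

```python
import json
import re

# Constructed sample shaped like `aws cloudtrail lookup-events` output; all values made up.
# CloudTrail returns the full record as a JSON string in "CloudTrailEvent".
def _record(**fields):
    return json.dumps(fields)

SAMPLE_LOOKUP_OUTPUT = {"Events": [
    {"EventName": "CreateBackupPlan", "EventSource": "backup.amazonaws.com",
     "CloudTrailEvent": _record(
         eventTime="2024-05-01T10:00:00Z", errorCode="AccessDenied",
         errorMessage="User: arn:aws:sts::111122223333:assumed-role/ExampleRole/user "
                      "is not authorized to perform: backup:CreateBackupPlan on resource: * "
                      "with an explicit deny in a service control policy")},
    {"EventName": "CreatePolicy", "EventSource": "organizations.amazonaws.com",
     "CloudTrailEvent": _record(
         eventTime="2024-05-01T10:05:00Z", errorCode="AccessDenied",
         errorMessage="User: arn:aws:sts::111122223333:assumed-role/ExampleRole/user "
                      "is not authorized to perform: organizations:CreatePolicy on resource: * "
                      "because no identity-based policy allows the organizations:CreatePolicy action")},
    {"EventName": "ListBackupPlans", "EventSource": "backup.amazonaws.com",
     "CloudTrailEvent": _record(eventTime="2024-05-01T10:06:00Z")},  # succeeded: no errorCode
]}

# Phrases AWS access-denied messages use to name the policy layer that denied the call
# (assumed wording; anything else is reported as "unknown").
_DENY_LAYERS = [("service control policy", "SCP"), ("permissions boundary", "permissions boundary"),
                ("resource-based policy", "resource policy"), ("identity-based policy", "identity policy")]

def classify_denial(error_message: str) -> str:
    """Return the policy layer named in an access-denied message, or 'unknown'."""
    for phrase, label in _DENY_LAYERS:
        if phrase in error_message:
            return label
    return "unknown"

def find_access_denied(lookup_output: dict) -> list:
    """List denied API calls with the IAM action and the denying policy layer."""
    findings = []
    for event in lookup_output.get("Events", []):
        detail = json.loads(event["CloudTrailEvent"])
        if detail.get("errorCode") != "AccessDenied":
            continue
        message = detail.get("errorMessage", "")
        action = re.search(r"perform: (\S+)", message)  # the IAM action that was refused
        findings.append({"time": detail.get("eventTime", ""), "event": event["EventName"],
                         "action": action.group(1) if action else "?",
                         "denied_by": classify_denial(message)})
    return findings
```

Run it against the real command output (the org-level backup policy call lands under `organizations.amazonaws.com`, so query that event source too) and the `denied_by` column tells you whether to look at the Control Tower SCPs or at the permission set.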
@Riku_Kobayashi There are no records in the CloudTrail history, and the only SCPs in place are those created by AWS Control Tower. I came across a blog post that provides an example of using a centralized backup account: https://aws.amazon.com/blogs/storage/automate-centralized-backup-at-scale-across-aws-services-using-aws-backup/. I will review whether any additional configurations are required beyond the delegated administrator.