AWS Backup API responds with AccessDeniedException instead of ResourceNotFoundException

0

Attempting to describe an AWS Backup vault with AWS CLI results in an AccessDeniedException rather than a ResourceNotFoundException error if the vault does not exist:

$ aws backup describe-backup-vault --region eu-west-2 --backup-vault-name non-existent

An error occurred (AccessDeniedException) when calling the DescribeBackupVault operation: Insufficient privileges to perform this action.

This happens despite the credentials being used having full access to AWS Backup.


Similarly, when making authenticated DescribeBackupVault requests for a non-existent vault using curl:

curl -vvv \
     --aws-sigv4 "aws:amz:<region>:backup" \
     --user "<access-key-id>:<secret-access-key>" \
     https://backup.eu-west-2.amazonaws.com/backup-vaults/non-existent?backupVaultAccountId=<account-id>

The response indicates an AccessDeniedException error rather than a ResourceNotFoundException:

...
* Request completely sent off
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/2 403
< date: Tue, 27 Aug 2024 21:27:58 GMT
< content-type: application/json
< content-length: 61
< x-amzn-requestid: <omitted>
< x-amzn-errortype: AccessDeniedException
<
* Connection #0 to host backup.eu-west-2.amazonaws.com left intact
{"Message":"Insufficient privileges to perform this action."}

Is this behaviour intentional or should the correct response error be ResourceNotFoundException when the backup vault does not exist? This also impacts external tools such as the AWS Provider for Terraform, which appears to treat both an AccessDeniedException and ResourceNotFoundException as simply a ResourceNotFoundException (see internal/service/backup/find.go), leading to scenarios where Terraform will attempt to create a backup vault when one already exists (e.g. if the Terraform state file already contains metadata for a backup vault previously created, but the credentials being used to generate a new Terraform plan are legitimately denied the DescribeBackupVault action, then Terraform will assume the resource does not exist and attempt to create it rather than reporting a permissions issue).

profile picture
asked 2 months ago99 views
2 Answers
1
  1. When you receive an AccessDeniedException, AWS is indicating that the credentials used do not have the necessary permissions to perform the requested operation (DescribeBackupVault in this case).

    AWS often prefers to return AccessDeniedException instead of ResourceNotFoundException when there are permission issues. This is a security measure to prevent unauthorized users from probing the existence of resources in an AWS account. If an unauthorized user were to receive a ResourceNotFoundException, it would confirm the non-existence of the resource, which can be considered sensitive information.

  2. This behavior is by design to ensure that users without proper permissions do not get hints about the existence or non-existence of resources. This way, AWS protects against potential information disclosure through error messages.

  3. Tools like Terraform might interpret AccessDeniedException as ResourceNotFoundException, leading to unintended behavior, such as trying to create a resource that already exists but cannot be accessed due to insufficient permissions.

To avoid this, it's essential to ensure that the IAM policies associated with the credentials used by such tools are appropriately configured to have the necessary permissions for the operations being performed.

  1. Review IAM Permissions:

    Ensure that the IAM policy associated with the credentials has the necessary permissions for the DescribeBackupVault action. For example:

    {
      "Effect": "Allow",
      "Action": "backup:DescribeBackupVault",
      "Resource": "*"
    }
    
    

    Ensure the credentials have the necessary permissions to list and describe backup vaults.

  2. Handle Errors Appropriately:

    When integrating with external tools like Terraform, handle AccessDeniedException errors separately from ResourceNotFoundException to ensure that you can differentiate between genuine permission issues and non-existent resources.

  3. Custom Error Handling in Automation:

    In your scripts or automation workflows, explicitly check for permission issues (AccessDeniedException) and handle them appropriately, such as logging a permissions issue rather than assuming the resource doesn't exist.

profile pictureAWS
EXPERT
Deeksha
answered 2 months ago
  • Thank you for the detailed response. I understand the good points you make about not intentionally leaking information about the presence of a resource when not authorised, and the general usage of the AccessDeniedException error, however the credentials being used have full administrative access (equivalent to an allow rule for backup:* actions). The same credentials can successfully describe the Default Backup vault, but if the request includes the name a non-existent vault in the target account then the error response is AccessDeniedException when I would expect to receive a ResourceNotFoundException error. Using valid credentials, I can't seem to generate a ResourceNotFoundException under any conditions using the DescribeBackupVault API request, despite this being a documented error response in the Backup API documentation.

1

Hi,

Given the fact that you have full access to AWS Backup resources, I would tend to agree with you re. the expectation of ResourceNotFoundException rather than AccessDeniedException.

So, I'd suggest you to open a ticket via the console of your AWS account: service teams do not monitor re:Post as a community site to surface and handle such issues.

Best,

Didier

profile pictureAWS
EXPERT
answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions