I am having issues setting up the required IAM access for cross-account backups. As I understand the requirements, there are four places to configure IAM access:
Source Account (management account) Backup Vault
Source Account (management account) Resource Assignment
Target Account Backup Vault
Target Account IAM access role
From the AWS Backup Developer Guide, p. 162, I understand that the IAM roles in the Source and Target accounts, Backup Vaults, and the Backup Vault permissions need to match.
I have the following configured:
Source Account Backup Vault Access – “Allow Access to Backup Vault from Organisation”
Source Account Resource Assignment – Role with default policy called “AWSBackupOrganizationAdminAccess”
Target Account Backup Vault Access – “Allow Access to Backup Vault from Organisation”
Target Account IAM access role – Role with default policy called “AWSBackupOrganizationAdminAccess”
I have followed the setup guide to enable cross-account backups for my AWS organization.
When I run a backup job for an EC2 server in the target account, I get the following error:
Your backup job failed as AWS Backup does not have permission to describe resource <aws ec2 arn>
I assume that somewhere I do not have the IAM access configured correctly. As there are four places where I can configure IAM access, how do I track down where the issue is?