Expired s3 Backup Recovery Point

I configured AWS Backup in CDK to enable continuous backups for S3 buckets with this configuration:

Later I deleted the stack in CDK and, as expected, all the resources were deleted except for the vault, which was orphaned. The problem happens when trying to delete the recovery points inside the vault: I get back the status Expired with the message Insufficient permission to delete recovery point.

  • I am logged in as a user with AdministratorAccess
  • I changed the access policy of the vault to allow anyone to delete the vault / recovery point
  • Even when logged in as the root of the account, I still get the same message.

  • For reference, this is the AWS managed policy attached to my user: AdministratorAccess. It allows 325 of 325 services, obviously including AWS Backup.
  • Here's the vault access policy that I set:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "backup:DeleteBackupVault",
                "backup:DeleteBackupVaultAccessPolicy",
                "backup:DeleteRecoveryPoint",
                "backup:StartCopyJob",
                "backup:StartRestoreJob",
                "backup:UpdateRecoveryPointLifecycle"
            ],
            "Resource": "*"
        }
    ]
}

Any ideas what I'm missing here?

**Update**:

  • A full week after creating the backup recovery point, and still unable to delete it.
  • I tried deleting it from the AWS CLI but no luck.
  • I tried suspending versioning for the bucket in question and tried again, but no luck either.
  • I have a similar issue:

    1. First I created a plan manually for continuous S3 backup just to test how it works. It was using the Default vault.
    2. Then, after the test was successful, I deleted the plan together with its resource assignment, rule, and also an automatically created IAM role (AWSBackupDefaultServiceRole). Simply to remove all test artifacts.
    3. Then I created a new backup plan via CDK. It targets another (newly created) vault. And uses another (newly created) IAM role.
    4. Unfortunately, it fails to create a recovery point: the status is Expired with a message saying that this S3 bucket is already configured for continuous backup in another vault.
    5. So, I tried to remove the recovery point created earlier by the manually created backup plan, and it fails with the same error as you have described. I've tried multiple things to overcome the problem, but none of them helped:
    • adding an explicit policy to the vault to allow recovery points deletion
    • adding AWSBackupFullAccess policy to my IAM user
    • "restoring" the default AWSBackupDefaultServiceRole IAM role that I removed at step 2, and also extending it with the AWSBackupFullAccess permission.

    This is now a showstopper for me, because the manually created backup plan has already been deleted, but the new one has not yet started to work properly.

  • Was a solution for this ever found? What happens after "delete after" date is reached/passed?

Anis
asked 7 months ago · 134 views
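As an added diagnostic (not code from the question, the commenters, or AWS), the script below separates the two things the troubleshooting above kept mixing: a delete that is actually denied to the caller, versus a recovery point the service has already marked EXPIRED with its own StatusMessage. It assumes a boto3 `backup` client is passed in; the stub client, vault policy and ARNs are constructed for offline use.

```python
import json

# Constructed sample inputs: a vault policy shaped like the one posted, and a stub
# standing in for boto3.client("backup") so the triage runs offline.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["backup:DeleteRecoveryPoint"], "Resource": "*"}]})

class StubBackupClient:
    """Mimics the three AWS Backup API calls the triage uses (constructed data)."""
    def get_backup_vault_access_policy(self, BackupVaultName):
        return {"Policy": SAMPLE_POLICY}

    def list_recovery_points_by_backup_vault(self, BackupVaultName):
        return {"RecoveryPoints": [
            {"RecoveryPointArn": "arn:aws:backup:eu-west-1:111122223333:recovery-point:rp-expired",
             "Status": "EXPIRED", "StatusMessage": "Insufficient permission to delete recovery point"},
            {"RecoveryPointArn": "arn:aws:backup:eu-west-1:111122223333:recovery-point:rp-ok",
             "Status": "COMPLETED"}]}

    def delete_recovery_point(self, BackupVaultName, RecoveryPointArn):
        return {}

def vault_policy_allows_delete(policy_json):
    """True if an Allow statement grants backup:DeleteRecoveryPoint (or a wildcard)."""
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Allow" and any(
                a in ("backup:DeleteRecoveryPoint", "backup:*", "*") for a in actions):
            return True
    return False

def triage_vault(backup, vault_name):
    """Separate caller-side denials from recovery points the service itself marked EXPIRED."""
    out = {"policy_allows_delete": False, "deleted": [], "expired": [], "denied": []}
    policy = backup.get_backup_vault_access_policy(BackupVaultName=vault_name)["Policy"]
    out["policy_allows_delete"] = vault_policy_allows_delete(policy)
    # One page shown; follow NextToken for vaults holding many recovery points.
    for rp in backup.list_recovery_points_by_backup_vault(BackupVaultName=vault_name)["RecoveryPoints"]:
        arn = rp["RecoveryPointArn"]
        if rp.get("Status") == "EXPIRED":
            # Status/StatusMessage come from the service, so widening the caller's permissions
            # (vault policy, AdministratorAccess) does not change them; report instead of retrying.
            out["expired"].append((arn, rp.get("StatusMessage", "")))
            continue
        try:
            backup.delete_recovery_point(BackupVaultName=vault_name, RecoveryPointArn=arn)
            out["deleted"].append(arn)
        except Exception as exc:  # botocore ClientError, e.g. AccessDeniedException
            out["denied"].append((arn, str(exc)))
    return out
```

Against a real account, pass `boto3.client("backup")` instead of the stub; anything landing in `expired` is a case for checking the IAM role the backup job itself ran under rather than the deleting user's permissions.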
No Answers
