AWS Backup Audit Manager - S3 Permissions

Question

Issue  
When attempting to create an on-demand backup using AWS Backup Audit Manager Reports, I receive the following error, regardless of how permissive I make the permissions on the bucket and the bucket policy.  
  
Can't access the S3 bucket backup-report-temporary for job 984C78DC-E74E-AFF9-77AA-4AD9CDF933CB. Make sure bucket exists and bucket policy is valid and try again.  
  
Steps taken to troubleshoot  
1. Copied and pasted the recommended configuration from the 'Create report plan' workflow in AWS Backup to the target S3 bucket  
2. Created multiple buckets in multiple regions  
3. Created multiple report plans in multiple regions  
4. Modified the recommended configuration from the 'Create report plan' workflow to be more permissive. (Resource wildcards, action wildcards, removing StringEquals condition check)  
5. Enabled CloudTrail object level logging and did not see PutObject attempts to the bucket under observation  
  
I had this working previously, but it appears that the behavior of the user interface changed in the past few days as well. Previously, when I would enter a bucket prefix, the suggested bucket policy would change to account for the prefix. It is no longer doing that. There may have been a deployment that broke this feature.

Answer

A new feature was added to the front end of the AWS Backup 'Create/Edit Report' workflow that prompts the user with the correct security principal to allow via the S3 Bucket Policy. I expect that the security principal used was updated but the prompt was not when the new security principal was originally implemented. The backups are now working correctly.

Answer

I'm having the same error with a brand new report using the copy/pasted policy for the bucket.

AWS Backup Audit Manager - S3 Permissions

Relevant content