Questions tagged with AWS Backup

This is causing CloudTrail to log many access denied attempts, triggering an alarm: ```json { "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "xxxxxxxxxxxxxxxxxxx:StorageDescribeFrameworkUUID", "arn": "arn:aws:sts::xxxxxxxxxxxxxxxxxxx:assumed-role/AWSServiceRoleForBackupReports/StorageDescribeFrameworkUUID", "accountId": "xxxxxxxxxxxxxxxxxxx", "accessKeyId": "xxxxxxxxxxxxxxxxxxx", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "xxxxxxxxxxxxxxxxxxx", "arn": "arn:aws:iam::xxxxxxxxxxxxxxxxxxx:role/aws-service-role/reports.backup.amazonaws.com/AWSServiceRoleForBackupReports", "accountId": "xxxxxxxxxxxxxxxxxxx", "userName": "AWSServiceRoleForBackupReports" }, "webIdFederationData": {}, "attributes": { "creationDate": "2022-09-28T08:56:37Z", "mfaAuthenticated": "false" } }, "invokedBy": "reports.backup.amazonaws.com" }, "eventTime": "2022-09-28T08:56:37Z", "eventSource": "backup.amazonaws.com", "eventName": "DescribeFrameworkByUUID", "awsRegion": "ca-central-1", "sourceIPAddress": "reports.backup.amazonaws.com", "userAgent": "reports.backup.amazonaws.com", "errorCode": "AccessDenied", "requestParameters": null, "responseElements": null, "requestID": "xxxxxxxxxxxxxxxxxxx", "eventID": xxxxxxxxxxxxxxxxxxx", "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "xxxxxxxxxxxxxxxxxxx", "eventCategory": "Management" } ``` It is impossible to delete the role: ``` Errors during deleting roles. Role AWSServiceRoleForBackupReports not deleted. There are resources that rely on this role. ``` And it is not possible to add custom permissions to the service-linked role. It does not seem to be possible to configure a custom role for the backup reports either. What can I do ?lg...

I'm trying to set up AWS Backup for EC2 instance with Windows Server 2022 and MS SQL Server, following this instruction https://docs.aws.amazon.com/aws-backup/latest/devguide/windows-backups.html I've done all the steps, but the on-demand backup job finishes with the message: > "Windows VSS Backup attempt failed because of timeout on VSS enabled snapshot creation" The file "C:\Program Files\Amazon\AwsVssComponents\vsserr.log" is empty, "C:\Program Files\Amazon\AwsVssComponents\vssout.log" contains information about Shadow copies of devices and ends with the message "Snapshot creation done." There are several messages related to VSS in Windows Log, for example: ``` Volume Shadow Copy Service error: A critical component required by the Volume Shadow Copy service is not registered. This might happened if an error occurred during Windows setup or during installation of a Shadow Copy provider. The error returned from CoCreateInstance on class with CLSID {4baeabae-7018-43e6-8bfb-fb15aaa3a675} and Name SW_PROV is [0x80040154, Class not registered ]. Operation: Obtain a callable interface for this provider List interfaces for all providers supporting this context Check If Volume Is Supported by Provider Add a Volume to a Shadow Copy Set Context: Provider ID: {4aaed461-b7bb-4125-a906-31c79791b47d} Class ID: {4baeabae-7018-43e6-8bfb-fb15aaa3a675} Snapshot Context: 2 Snapshot Context: 2 Execution Context: Coordinator Provider ID: {00000000-0000-0000-0000-000000000000} ``` What else can be checked and how to fix the timeout error?lg...

we've a S3 bucket with policy enabled to permit access to specific IAM user only. then we create a backup plan to run a daily backup job for this S3 resource. i added the following statement in our existing bucket policy to allow also the **AWS default backup role** that was setup in the backup plan's resource selection "Sid": "Stmt1663835336196", "Action": "s3:*", "Effect": "Allow", "Resource": [ "arn:aws:s3:::<BucketName>", "arn:aws:s3:::<Bucketname>/*" ], "Principal": { "AWS": [ "arn:aws:iam::<AccountNumber>:role/service-role/AWSBackupDefaultServiceRole" ] However, we are getting a failed (access denied) backup job. hope someone can guide me to verify concern TIAlg...

Hi, When I open my account today I saw that Amazon deleted my ec2 instance but everything else like my security groups, elastic ip addresses and keys etc, all of the configurations were there. When I ask my lost ec2 instance to online support, the explanation by the support team was "resources can be deleted by amazon during suspension period". My 1 month age account was put on hold since 9 September 2022 because of wrong address information. I was asked for documents related to account owner, and payment method so I provided all. The verification process took 7 days and I could verify myself at the and and I got my account reactivated today. Well, I'm not aiming to blame anyone but I just want my instance back. I know somewhere underground there must be backup images of the whole systems that's normally inaccessible visually but only some allowed tech specialists may access. Is there anyone authorized to do this or to assist me on finding the correct person in charge? Thanks in advance.lg...

I created user with full admin access and then i used that user creds to run terraform code to create backup vault/plan and create role to run it . However , if i create backup using the new role created from terraform backup fails with above error. However , if i create backup of same server using role i created manually in GUI seems to work. both roles have correct perms as following: arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestoreslg...

How to set up RDS(mysql) Continuous backups to cross region using aws backup service or RDS service itself. - Able to create continuous snapshot in same region, but in other region only snapshot is getting created which is not continuous in nature to achieve point in time restore. - RDS deployment is created without Multi AZ and standby instance in our case. attached screenshot for ref Enter image description here](/media/postImages/original/IMelsAxLSvQWS_rzoWpJy-CQ) Enter image description here](/media/postImages/original/IMwPBcTN2yRUqIMcXLRFtMbQ)lg...

I am new to AWS, and I am in the process of closing the account, but before that I need to download all the code that previous developers did for me. How can I download a copy of all the info in my PC?lg...

Let's say I have an existing DynamoDB table and the data is deleted for some reason. I have a backup of the table in AWS Backups as well as an export of the table data in S3 in DynamoDB JSON or Amazon ION format. How can I import this data to the existing DynamoDB table? And what is the easiest and cheapest solution to this? Thanks! PD: I am new to AWS and I have looked at [bulk upload data options](https://aws.amazon.com/premiumsupport/knowledge-center/dynamodb-bulk-upload/) provided by the knowledge center and an [AWS blog](https://aws.amazon.com/blogs/compute/creating-a-scalable-serverless-import-process-for-amazon-dynamodb/) for importing data via Lambda. They both require to load a json or csv to s3, but what if I want to use the existing AWS Backup or the DynamoDB JSON to re-populate this existing table? Thanks! Maybe I am complicating myself a bitlg...

Hi, I got a virus attack on my server. I didn't set up any backup. Its attacked on 18th August. Now I would like to restore my server on 17th august, so I can get back my files. Is there any way to achive this?lg...

Hi, I have EC2 mail server and AWS backup is used to backup my entire AWS EC2. Do I still need to use software level backup?lg...

Does the AWS Backup service support deduplication and compression of data backups in a backup vault?lg...

We're using centrally managed backup policies in our AWS Organization to backup our data via AWS Backup. This works flawlessly for all resources except for s3 buckets. When I create the same backup plan in one of the member accounts and specify, that the resource type is s3, it works. I've checked our CloudTrail log and somehow AWS Backup does not include s3 when searching for resources with the specified tag. Here is the `GetResources` event when the job is run by the backup plan of the organization: ```json { "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "XXXXXXXYYYYYYYZZZZZZ:AWSBackup-AWSServiceRoleForBackup", "arn": "arn:aws:sts::123456789012:assumed-role/AWSServiceRoleForBackup/AWSBackup-AWSServiceRoleForBackup", "accountId": "123456789012", "accessKeyId": "ASIA4ROB5DISLEP4KV7D", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "XXXXXXXYYYYYYYZZZZZZ", "arn": "arn:aws:iam::123456789012:role/aws-service-role/backup.amazonaws.com/AWSServiceRoleForBackup", "accountId": "123456789012", "userName": "AWSServiceRoleForBackup" }, "webIdFederationData": {}, "attributes": { "creationDate": "2022-08-17T10:41:44Z", "mfaAuthenticated": "false" } }, "invokedBy": "backup.amazonaws.com" }, "eventTime": "2022-08-17T10:41:44Z", "eventSource": "tagging.amazonaws.com", "eventName": "GetResources", "awsRegion": "eu-central-1", "sourceIPAddress": "backup.amazonaws.com", "userAgent": "backup.amazonaws.com", "requestParameters": { "paginationToken": "", "tagFilters": [ { "key": "BackupPlan", "values": [ "OrganizationDailyBackupPlan" ] } ], "resourcesPerPage": 100, "resourceTypeFilters": [ "dynamodb:table", "ec2:volume", "rds:db", "storagegateway:gateway", "elasticfilesystem:file-system", "rds:cluster", "ec2:instance", "fsx:file-system", "fsx:volume" ] }, "responseElements": null, "requestID": "e37c2f72-f088-42ab-b1c7-0bc4d8e07dc1", "eventID": "72f91800-6225-49e6-8a34-5ac56581f936", "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "123456789012", "eventCategory": "Management" } ``` And here is the `GetResources` event when the job is run by the backup plan that was created inside the member account: ```json { "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "XXXXXXXYYYYYYYZZZZZZ:AWSBackup-AWSServiceRoleForBackup", "arn": "arn:aws:sts::123456789012:assumed-role/AWSServiceRoleForBackup/AWSBackup-AWSServiceRoleForBackup", "accountId": "123456789012", "accessKeyId": "ASIA4ROB5DISPULAFFWS", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "XXXXXXXYYYYYYYZZZZZZ", "arn": "arn:aws:iam::123456789012:role/aws-service-role/backup.amazonaws.com/AWSServiceRoleForBackup", "accountId": "123456789012", "userName": "AWSServiceRoleForBackup" }, "webIdFederationData": {}, "attributes": { "creationDate": "2022-08-17T10:27:06Z", "mfaAuthenticated": "false" } }, "invokedBy": "backup.amazonaws.com" }, "eventTime": "2022-08-17T10:27:06Z", "eventSource": "tagging.amazonaws.com", "eventName": "GetResources", "awsRegion": "eu-central-1", "sourceIPAddress": "backup.amazonaws.com", "userAgent": "backup.amazonaws.com", "requestParameters": { "paginationToken": "", "tagFilters": [ { "key": "BackupPlan", "values": [ "OrganizationDailyBackupPlan" ] } ], "resourcesPerPage": 100, "resourceTypeFilters": [ "s3" ] }, "responseElements": null, "requestID": "78798635-8a5a-4012-acbb-2bcda6e910c8", "eventID": "90bc2e81-2423-44e6-b041-f561c98dd086", "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "123456789012", "eventCategory": "Management" } ``` So the only difference is `resourceTypeFilters`. **So, why does the backup plan generated by the organizations backup policy exclude S3?** **EDIT:** The backup selection of the backup plan that was generated from the organizations backup policy does not specify any resources at all: ```json { "BackupSelection": { "SelectionName": "tf-organization-daily-backup-selection", "IamRoleArn": "arn:aws:iam::123456789012:role/tf-backup-role", "Resources": [], "ListOfTags": [ { "ConditionType": "STRINGEQUALS", "ConditionKey": "BackupPlan", "ConditionValue": "OrganizationDailyBackupPlan" } ], "NotResources": [], "Conditions": { "StringEquals": [], "StringNotEquals": [], "StringLike": [], "StringNotLike": [] } }, "SelectionId": "ee883d39-7528-313b-8b72-54de063d5cf0", "BackupPlanId": "orgs/d67a7e29-20b5-3e2b-98a7-24a42ca1a2aa", "CreationDate": "2022-08-17T14:56:07.810000+02:00" } ``` While the selection for the test plan does specify, that all s3 arns are allowed. ```json { "BackupSelection": { "SelectionName": "test", "IamRoleArn": "arn:aws:iam::123456789012:role/tf-backup-role", "Resources": [ "arn:aws:s3:::*" ], "ListOfTags": [], "NotResources": [], "Conditions": { "StringEquals": [ { "ConditionKey": "aws:ResourceTag/BackupPlan", "ConditionValue": "OrganizationDailyBackupPlan" } ], "StringNotEquals": [], "StringLike": [], "StringNotLike": [] } }, "SelectionId": "ffa87c07-e463-42a1-9086-f45109fec02f", "BackupPlanId": "2e3367c9-9d9a-446e-9feb-3a4c1ba0b7d3", "CreationDate": "2022-08-17T12:18:01.314000+02:00", "CreatorRequestId": "26592555-4a3c-4fc2-a73f-25b3a4473519" } ```lg...