Questions tagged with AWS Backup

DescribeFrameworkByUUID permission missing on service-linked role AWSServiceRoleForBackupReports

This is causing CloudTrail to log many access denied attempts, triggering an alarm:

```json
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "xxxxxxxxxxxxxxxxxxx:StorageDescribeFrameworkUUID",
    "arn": "arn:aws:sts::xxxxxxxxxxxxxxxxxxx:assumed-role/AWSServiceRoleForBackupReports/StorageDescribeFrameworkUUID",
    "accountId": "xxxxxxxxxxxxxxxxxxx",
    "accessKeyId": "xxxxxxxxxxxxxxxxxxx",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "xxxxxxxxxxxxxxxxxxx",
        "arn": "arn:aws:iam::xxxxxxxxxxxxxxxxxxx:role/aws-service-role/reports.backup.amazonaws.com/AWSServiceRoleForBackupReports",
        "accountId": "xxxxxxxxxxxxxxxxxxx",
        "userName": "AWSServiceRoleForBackupReports"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2022-09-28T08:56:37Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "reports.backup.amazonaws.com"
  },
  "eventTime": "2022-09-28T08:56:37Z",
  "eventSource": "backup.amazonaws.com",
  "eventName": "DescribeFrameworkByUUID",
  "awsRegion": "ca-central-1",
  "sourceIPAddress": "reports.backup.amazonaws.com",
  "userAgent": "reports.backup.amazonaws.com",
  "errorCode": "AccessDenied",
  "requestParameters": null,
  "responseElements": null,
  "requestID": "xxxxxxxxxxxxxxxxxxx",
  "eventID": "xxxxxxxxxxxxxxxxxxx",
  "readOnly": true,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "xxxxxxxxxxxxxxxxxxx",
  "eventCategory": "Management"
}
```

It is impossible to delete the role:

```
Errors during deleting roles. Role AWSServiceRoleForBackupReports not deleted. There are resources that rely on this role.
```

And it is not possible to add custom permissions to the service-linked role. It does not seem to be possible to configure a custom role for the backup reports either. What can I do?

0 answers, 0 votes, 20 views, asked 6 days ago

AWS Backup VSS timeout

I'm trying to set up AWS Backup for an EC2 instance with Windows Server 2022 and MS SQL Server, following these instructions: https://docs.aws.amazon.com/aws-backup/latest/devguide/windows-backups.html

I've done all the steps, but the on-demand backup job finishes with the message:

> "Windows VSS Backup attempt failed because of timeout on VSS enabled snapshot creation"

The file "C:\Program Files\Amazon\AwsVssComponents\vsserr.log" is empty, and "C:\Program Files\Amazon\AwsVssComponents\vssout.log" contains information about shadow copies of devices and ends with the message "Snapshot creation done."

There are several messages related to VSS in the Windows log, for example:

```
Volume Shadow Copy Service error: A critical component required by the Volume Shadow Copy service is not registered. This might happened if an error occurred during Windows setup or during installation of a Shadow Copy provider. The error returned from CoCreateInstance on class with CLSID {4baeabae-7018-43e6-8bfb-fb15aaa3a675} and Name SW_PROV is [0x80040154, Class not registered ].

Operation:
   Obtain a callable interface for this provider
   List interfaces for all providers supporting this context
   Check If Volume Is Supported by Provider
   Add a Volume to a Shadow Copy Set

Context:
   Provider ID: {4aaed461-b7bb-4125-a906-31c79791b47d}
   Class ID: {4baeabae-7018-43e6-8bfb-fb15aaa3a675}
   Snapshot Context: 2
   Snapshot Context: 2
   Execution Context: Coordinator
   Provider ID: {00000000-0000-0000-0000-000000000000}
```

What else can be checked and how to fix the timeout error?

0 answers, 0 votes, 5 views, asked 6 days ago

Backup plan created from organizations backup policy does not include s3 buckets

We're using centrally managed backup policies in our AWS Organization to back up our data via AWS Backup. This works flawlessly for all resources except for s3 buckets. When I create the same backup plan in one of the member accounts and specify that the resource type is s3, it works.

I've checked our CloudTrail log and somehow AWS Backup does not include s3 when searching for resources with the specified tag. Here is the `GetResources` event when the job is run by the backup plan of the organization:

```json
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "XXXXXXXYYYYYYYZZZZZZ:AWSBackup-AWSServiceRoleForBackup",
    "arn": "arn:aws:sts::123456789012:assumed-role/AWSServiceRoleForBackup/AWSBackup-AWSServiceRoleForBackup",
    "accountId": "123456789012",
    "accessKeyId": "ASIA4ROB5DISLEP4KV7D",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "XXXXXXXYYYYYYYZZZZZZ",
        "arn": "arn:aws:iam::123456789012:role/aws-service-role/backup.amazonaws.com/AWSServiceRoleForBackup",
        "accountId": "123456789012",
        "userName": "AWSServiceRoleForBackup"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2022-08-17T10:41:44Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "backup.amazonaws.com"
  },
  "eventTime": "2022-08-17T10:41:44Z",
  "eventSource": "tagging.amazonaws.com",
  "eventName": "GetResources",
  "awsRegion": "eu-central-1",
  "sourceIPAddress": "backup.amazonaws.com",
  "userAgent": "backup.amazonaws.com",
  "requestParameters": {
    "paginationToken": "",
    "tagFilters": [
      {
        "key": "BackupPlan",
        "values": [
          "OrganizationDailyBackupPlan"
        ]
      }
    ],
    "resourcesPerPage": 100,
    "resourceTypeFilters": [
      "dynamodb:table",
      "ec2:volume",
      "rds:db",
      "storagegateway:gateway",
      "elasticfilesystem:file-system",
      "rds:cluster",
      "ec2:instance",
      "fsx:file-system",
      "fsx:volume"
    ]
  },
  "responseElements": null,
  "requestID": "e37c2f72-f088-42ab-b1c7-0bc4d8e07dc1",
  "eventID": "72f91800-6225-49e6-8a34-5ac56581f936",
  "readOnly": true,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management"
}
```

And here is the `GetResources` event when the job is run by the backup plan that was created inside the member account:

```json
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "XXXXXXXYYYYYYYZZZZZZ:AWSBackup-AWSServiceRoleForBackup",
    "arn": "arn:aws:sts::123456789012:assumed-role/AWSServiceRoleForBackup/AWSBackup-AWSServiceRoleForBackup",
    "accountId": "123456789012",
    "accessKeyId": "ASIA4ROB5DISPULAFFWS",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "XXXXXXXYYYYYYYZZZZZZ",
        "arn": "arn:aws:iam::123456789012:role/aws-service-role/backup.amazonaws.com/AWSServiceRoleForBackup",
        "accountId": "123456789012",
        "userName": "AWSServiceRoleForBackup"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2022-08-17T10:27:06Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "backup.amazonaws.com"
  },
  "eventTime": "2022-08-17T10:27:06Z",
  "eventSource": "tagging.amazonaws.com",
  "eventName": "GetResources",
  "awsRegion": "eu-central-1",
  "sourceIPAddress": "backup.amazonaws.com",
  "userAgent": "backup.amazonaws.com",
  "requestParameters": {
    "paginationToken": "",
    "tagFilters": [
      {
        "key": "BackupPlan",
        "values": [
          "OrganizationDailyBackupPlan"
        ]
      }
    ],
    "resourcesPerPage": 100,
    "resourceTypeFilters": [
      "s3"
    ]
  },
  "responseElements": null,
  "requestID": "78798635-8a5a-4012-acbb-2bcda6e910c8",
  "eventID": "90bc2e81-2423-44e6-b041-f561c98dd086",
  "readOnly": true,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management"
}
```

So the only difference is `resourceTypeFilters`.

**So, why does the backup plan generated by the organizations backup policy exclude S3?**

**EDIT:** The backup selection of the backup plan that was generated from the organizations backup policy does not specify any resources at all:

```json
{
  "BackupSelection": {
    "SelectionName": "tf-organization-daily-backup-selection",
    "IamRoleArn": "arn:aws:iam::123456789012:role/tf-backup-role",
    "Resources": [],
    "ListOfTags": [
      {
        "ConditionType": "STRINGEQUALS",
        "ConditionKey": "BackupPlan",
        "ConditionValue": "OrganizationDailyBackupPlan"
      }
    ],
    "NotResources": [],
    "Conditions": {
      "StringEquals": [],
      "StringNotEquals": [],
      "StringLike": [],
      "StringNotLike": []
    }
  },
  "SelectionId": "ee883d39-7528-313b-8b72-54de063d5cf0",
  "BackupPlanId": "orgs/d67a7e29-20b5-3e2b-98a7-24a42ca1a2aa",
  "CreationDate": "2022-08-17T14:56:07.810000+02:00"
}
```

While the selection for the test plan does specify that all s3 ARNs are allowed.

```json
{
  "BackupSelection": {
    "SelectionName": "test",
    "IamRoleArn": "arn:aws:iam::123456789012:role/tf-backup-role",
    "Resources": [
      "arn:aws:s3:::*"
    ],
    "ListOfTags": [],
    "NotResources": [],
    "Conditions": {
      "StringEquals": [
        {
          "ConditionKey": "aws:ResourceTag/BackupPlan",
          "ConditionValue": "OrganizationDailyBackupPlan"
        }
      ],
      "StringNotEquals": [],
      "StringLike": [],
      "StringNotLike": []
    }
  },
  "SelectionId": "ffa87c07-e463-42a1-9086-f45109fec02f",
  "BackupPlanId": "2e3367c9-9d9a-446e-9feb-3a4c1ba0b7d3",
  "CreationDate": "2022-08-17T12:18:01.314000+02:00",
  "CreatorRequestId": "26592555-4a3c-4fc2-a73f-25b3a4473519"
}
```

1 answers, 0 votes, 25 views, asked 2 months ago