
Unanswered Questions tagged with AWS Backup


Expired s3 Backup Recovery Point

I configured AWS Backup in CDK to enable continuous backups for S3 buckets with this configuration:

- backup rule: with `enableContinuousBackup: true` and `deleteAfter 35 days`
- backup selection: with the `resources` array having the ARN of the bucket directly set, and roles set up following the AWS docs: https://docs.aws.amazon.com/aws-backup/latest/devguide/s3-backups.html

Later I deleted the stack in CDK and, as expected, all the resources were deleted except for the vault, which was orphaned. The problem happens when trying to delete the recovery points inside the vault: I get back the status as `Expired` with the message `Insufficient permission to delete recovery point`.

- I am logged in as a user with AdministratorAccess
- I changed the access policy of the vault to allow anyone to delete the vault / recovery point
- even when logged in as the root of the account, I still get the same message.

---

- For reference, this is the AWS managed policy attached to my user: `AdministratorAccess`; it Allows (325 of 325 services), including AWS Backup obviously.
- Here's the vault access policy that I set:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "backup:DeleteBackupVault",
        "backup:DeleteBackupVaultAccessPolicy",
        "backup:DeleteRecoveryPoint",
        "backup:StartCopyJob",
        "backup:StartRestoreJob",
        "backup:UpdateRecoveryPointLifecycle"
      ],
      "Resource": "*"
    }
  ]
}
```

Any ideas what I'm missing here?

**Update**:

- A full week after creating the backup recovery point, and still unable to delete it.
- I tried deleting it from the AWS CLI but no luck.
- I tried suspending the versioning for the bucket in question and tried again, but no luck either.
0 answers | 2 votes | 117 views | asked 5 months ago

CloudFormation - Importing existing AWS Backup

Hi, I have an existing AWS Backup setup for Aurora, which I created via the console UI. I have now put together a CloudFormation template for that which I'd like to import. I'm following through the "import with existing resources" wizard, but hitting an error I'm unable to understand.

After selecting the new template I am asked to enter on the UI:

- AWS::Backup::BackupVault - BackupVaultName
- AWS::Backup::BackupPlan - BackupPlanId
- AWS::Backup::BackupSelection - Id

On entering these values and then hitting next a few times to get to the final screen, it will load for a few moments calculating the change set and then say "Backup Plan ID and Selection ID must be provided", although I do enter those values during the wizard.

Any suggestions? Thanks

Template below. This works all as expected if the Backup Plan does not currently exist:

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: >-
  Create RDS Backup
Parameters:
  OnlyCreateVault:
    Description: This is for the DR region. Only other required parameters are Environment and CostAllocation
    Type: String
    Default: false
    AllowedValues: [true, false]
  DestinationBackupVaultArn:
    Type: String
  ResourceSelectionIamRoleArn:
    Type: String
  ResourceSelectionArn:
    Description: Comma separated list of resource ARNs
    Type: String
  CostAllocation:
    Type: String
    AllowedValues:
      - 'Dev'
      - 'Demo'
      - 'Test'
      - 'Live'
  Environment:
    Type: String
    AllowedValues:
      - 'develop'
      - 'testing'
      - 'testenv'
      - 'demo'
      - 'live'
      - 'dr'
Conditions:
  CreateAllResources: !Equals [!Ref OnlyCreateVault, false]
Resources:
  Vault:
    Type: AWS::Backup::BackupVault
    DeletionPolicy: Delete
    Properties:
      BackupVaultName: !Sub backup-vault-${Environment}-rds-1
      BackupVaultTags:
        CostAllocation: !Ref CostAllocation
  Plan:
    Condition: CreateAllResources
    Type: AWS::Backup::BackupPlan
    DeletionPolicy: Delete
    Properties:
      BackupPlan:
        BackupPlanName: !Sub backup-plan-${Environment}-rds-1
        BackupPlanRule:
          - RuleName: !Sub backup-rule-${Environment}-daily-1
            CompletionWindowMinutes: 720
            CopyActions:
              - DestinationBackupVaultArn: !Ref DestinationBackupVaultArn
                Lifecycle:
                  DeleteAfterDays: 7
            EnableContinuousBackup: true
            Lifecycle:
              DeleteAfterDays: 35
            StartWindowMinutes: 120
            ScheduleExpression: cron(0 1 ? * * *)
            TargetBackupVault: !Sub backup-vault-${Environment}-rds-1
          - RuleName: !Sub backup-rule-${Environment}-weekly-1
            CompletionWindowMinutes: 720
            CopyActions:
              - DestinationBackupVaultArn: !Ref DestinationBackupVaultArn
                Lifecycle:
                  DeleteAfterDays: 35
            EnableContinuousBackup: false
            Lifecycle:
              DeleteAfterDays: 42
            StartWindowMinutes: 120
            ScheduleExpression: cron(0 1 ? * * *)
            TargetBackupVault: !Sub backup-vault-${Environment}-rds-1
          - RuleName: !Sub backup-rule-${Environment}-monthly-1
            CompletionWindowMinutes: 720
            CopyActions:
              - DestinationBackupVaultArn: !Ref DestinationBackupVaultArn
                Lifecycle:
                  MoveToColdStorageAfterDays: 365
            EnableContinuousBackup: false
            Lifecycle:
              DeleteAfterDays: 365
            StartWindowMinutes: 120
            ScheduleExpression: cron(0 1 ? * * *)
            TargetBackupVault: !Sub backup-vault-${Environment}-rds-1
        BackupPlanTags:
          CostAllocation:
            Ref: CostAllocation
  ResourceSelection:
    Condition: CreateAllResources
    Type: AWS::Backup::BackupSelection
    DeletionPolicy: Delete
    Properties:
      BackupPlanId: !Ref Plan
      BackupSelection:
        IamRoleArn: !Ref ResourceSelectionIamRoleArn
        Resources: !Split [",", !Ref ResourceSelectionArn]
        SelectionName: !Sub backup-resource-${Environment}-rds-1
```
0 answers | 0 votes | 34 views | asked 6 months ago

How to build a mechanism to govern multiple AWS data locking features?

**Background**

There is an identified need to govern multiple data locking features that AWS provides, in the context of a multi-account environment with independent teams. If there is no governance, data locking might be enabled in various AWS accounts (in various regions), causing a potential compliance nightmare and related challenges to roll back if data is accidentally locked for multiple years. It seems the only way to exit from compliance mode data locking is to fully close the related AWS account (data seems then to be deleted after 90 days, even when locked).

Optimally the use of AWS locking features would be allowed only by exception (after human review of each use-case). Governance mode could be by default allowed for all accounts/resources, but it should be possible to prevent the use of compliance mode (in any AWS service that provides data locking) with SCPs in AWS Organizations.

At least these three operations have been identified as related to data locking:

* backup:PutBackupVaultLockConfiguration
* glacier:CompleteVaultLock
* s3:PutBucketObjectLockConfiguration

**Questions**

1. To deny all AWS data locking features, what IAM actions need to be denied with SCP, in addition to the ones above?
2. Is the only way to exit the Backup Vault lock to close the related AWS account (with a 90-day grace period)?
3. How can one confirm the deletion of data related to the question above? The assumption is that data remains until the grace period has passed (90 days). Does AWS emit some logs (when an account is being closed) that prove that data has actually been wiped?
4. How can one list what various data locks are currently in use? Is CloudTrail the only option?
5. Are there any other best practices to share to centrally govern the various AWS data locking features?
0 answers | 0 votes | 78 views | asked 6 months ago
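As an added illustration of the "allowed only by exception" governance the question above describes (this is example policy text written for this page, not part of the question and not an AWS-provided policy), the SCP below denies the three lock-configuration actions the question lists for every principal except an approved exception role. The role name `DataLockExceptionRole` is an assumed placeholder. The second statement goes beyond the question's list: it blocks per-object COMPLIANCE retention through `s3:PutObjectRetention` using the `s3:object-lock-mode` condition key, while leaving GOVERNANCE retention untouched.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLockConfigurationExceptApprovedRole",
      "Effect": "Deny",
      "Action": [
        "backup:PutBackupVaultLockConfiguration",
        "glacier:CompleteVaultLock",
        "s3:PutBucketObjectLockConfiguration"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/DataLockExceptionRole"
        }
      }
    },
    {
      "Sid": "DenyComplianceModeObjectRetention",
      "Effect": "Deny",
      "Action": [
        "s3:PutObjectRetention"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "s3:object-lock-mode": "COMPLIANCE"
        }
      }
    }
  ]
}
```

Two caveats apply when using this shape. The first statement blocks both governance and compliance configuration for the three listed actions, because none of them exposes a condition key that distinguishes the two modes; the mode-aware distinction the question wants is only expressible for per-object retention via the second statement. SCPs also never apply to the management account of the organization, so the exception role should live in a member account and be the only path that humans review.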