How do I troubleshoot common errors for Amazon S3 backups that are failing in AWS Backup?
I receive an error when I back up an Amazon Simple Storage Service (Amazon S3) bucket in AWS Backup.
Resolution
Prerequisites
To avoid configuration issues, check that you meet the prerequisites to create an Amazon S3 backup.
The IAM role is missing permissions
You see the following example error message:
"Your backup job failed as AWS Backup does not have permission to describe resource arn:aws:s3:::test-bucket. Please review your IAM policies to ensure AWS Backup can protect your resources."
The preceding error occurs because the backup AWS Identity and Access Management (IAM) role is missing permissions to take a backup of an S3 bucket. This applies to the default backup service role, AWSBackupDefaultServiceRole, or a custom IAM role.
To resolve this error, attach the following AWS managed policies for S3 backup and restore:
For more information, see Permissions and policies for Amazon S3 backup and restore.
Note:
- If the IAM role that you use is only for backup operations, then only the AWSBackupServiceRolePolicyForS3Backup policy is required.
- The default role that you create for AWS Backup doesn't include these AWS managed policies. You must attach these policies to the role.
S3 bucket versioning isn't turned on
You see the following example error message:
"Versioning is not enabled on test-bucket. The backup job failed to create a recovery point for your resource arn:aws:s3:::test-bucket due to missing permissions on role arn:aws:iam::1111111111:role/service-role/AWSBackupDefaultServiceRole."
The preceding error occurs because you didn't turn on versioning for your Amazon S3 bucket. To resolve this error, you must turn on versioning for your Amazon S3 bucket before you take a backup.
Continuous and periodic backups are configured in two different vaults
You see the following example error message:
"Bucket testing-s3-backup already has continuous backup enabled for another vault The backup job failed to create a recovery point for your resource arn:aws:s3:::test-bucket due to missing permissions on role arn:aws:iam::111111111111:role/service-role/AWSBackupDefaultServiceRole."
The preceding error occurs because the S3 backup for continuous and periodic backups are in different vaults. To resolve this error, you must use the same vault to write Amazon S3 recovery points for both continuous and periodic backups.
The s3:PutBucketNotification action is denied or incorrect
AWS Backup uses event notifications for S3 backup. At the time of the backup, AWS Backup calls the s3:PutBucketNotification action on the bucket. You see the following example error message:
"Unable to perform s3:PutBucketNotification on test-bucket The backup job failed to create a recovery point for your resource arn:aws:s3:::test-bucket due to missing permissions on role arn:aws:iam::111111111111:role/service-role/AWSBackupDefaultServiceRole."
The preceding error occurs in the following situations:
- The event notification is incorrectly configured on the S3 bucket. For example, the event notification destination isn't correct or valid.
- The S3 bucket policy or service control policies (SCPs) deny the s3:PutBucketNotification action.
To resolve these errors, check the following configurations:
- Make sure that all S3 event notification destinations on the S3 bucket are valid and correct.
- Verify that Amazon EventBridge is activated on the bucket.
- Check the permissions policies for any deny actions for the s3:PutBucketNotification permission. If the backup role is missing the S3:PutBucketNotification permission, then the job fails. For more information, see PutBucketNotificationConfiguration.
Permissions are missing for object-level Amazon SNS notifications
When you back up an object in Amazon S3, some of the objects might not back up because of permissions issues. Turn on Amazon Simple Notification Service (Amazon SNS) event notifications to receive notice when an object fails to back up or restore.
You might see the following example status messages:
"Completed with issues"
-or-
"One or more objects failed to be backed up from the source bucket testing-s3-backup. You can enable vault based SNS notifications for S3 events S3_BACKUP_OBJECT_FAILED and S3_RESTORE_OBJECT_FAILED to receive SNS notifications whenever a object fails to backup or restore."
To resolve these messages, attach the following AWS managed policies for S3 backup and restore:
Then, make sure that you add the account root or AWS Backup role to the AWS Key Management Service (AWS KMS) key policy.
Related information
相关内容
- 已提问 5 个月前lg...
- AWS 官方已更新 2 年前
- AWS 官方已更新 3 年前
- AWS 官方已更新 1 年前
- AWS 官方已更新 1 年前