使用 AWS re:Post 即表示您同意 AWS re:Post 使用條款
AWS re:Postre:Post

Unable to perform cloudwatch:GetMetricData job fails when backing up S3 with AWS Backup

0

We're getting the error below when trying to backup S3 resources using AWS Backup. The service role used to run the job has had multiple AWS managed policies applied with the same issue, including the 'AWSBackupFullAccess' and the AWSBackupServiceRolePolicyForBackup' policies assigned. The S3 bucket is using an CMK with permissions shared to the role. The role can successfully backup any other supported resource to any vault but fails on any S3 bucket. The "cloudwatch:GetMetricData on *" permission stated in the error is included in the above policies.

Backup Job Error: "Unable to perform cloudwatch:GetMetricData on * The backup job failed to create a recovery point for your resource arn:aws:s3:::<s3-bucket-name> due to missing permissions on role arn:aws:iam::<account-number:role/<iam-service-role>."

Has anyone seen this error before when backing up S3?

主題
儲存空間安全性、身分識別與合規
標籤
AWS BackupIAM 政策
語言
English
rePost-User-0529671
已提問 10 個月前檢視次數 502 次
2 個答案
1

Hi, it seems that you didn't apply the right policy: it should be AWSBackupServiceRolePolicyForS3Backup (with S3 in the name) instead of AWSBackupServiceRolePolicyForBackup'.

Can you try it ? Its definition is the following and contains the auth mentioned by the error message:


 {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "cloudwatch:GetMetricData",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "events:DeleteRule",
                "events:PutTargets",
                "events:DescribeRule",
                "events:EnableRule",
                "events:PutRule",
                "events:RemoveTargets",
                "events:ListTargetsByRule",
                "events:DisableRule"
            ],
            "Resource": [
                "arn:aws:events:*:*:rule/AwsBackupManagedRule*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "events:ListRules",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "kms:ViaService": "s3.*.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketTagging",
                "s3:GetInventoryConfiguration",
                "s3:ListBucketVersions",
                "s3:ListBucket",
                "s3:GetBucketVersioning",
                "s3:GetBucketLocation",
                "s3:GetBucketAcl",
                "s3:PutInventoryConfiguration",
                "s3:GetBucketNotification",
                "s3:PutBucketNotification"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:GetObjectVersionTagging",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectTagging",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::*/*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        }
    ]
}

Hope it helps!

Didier

profile pictureAWS
專家
Didier_Durand
已回答 10 個月前
  • rePost-User-0529671
    10 個月前

    My typepo on the original post. I already have both the AWSBackupServiceRolePolicyForS3Backup & AWSBackupServiceRolePolicyForS3Restore policies assigned to my role with the same error.

0

Hello, it looks like both of those policies you attached are missing the permissions to access CloudWatch metrics which AWS Backup needs in order to perform a backup on an S3 bucket. As per here, I would recommend adding both of the following managed policies.

AWSBackupServiceRolePolicyForS3Backup
AWSBackupServiceRolePolicyForS3Restore

AWSBackupServiceRolePolicyForS3Backup has the necessary permissions to get cloud watch metrics.

AWS
Andrew Langford
已回答 10 個月前
  • rePost-User-0529671
    10 個月前

    My typepo on the original post. I already have both the AWSBackupServiceRolePolicyForS3Backup & AWSBackupServiceRolePolicyForS3Restore policies assigned to my role with the same error.

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南

相關內容