AWS Backup Job failed with unknow reason
I am a beginner in AWS
I created a new role to perform backup only for EC2 instances by Tag with AWS Backup. The only policy I make to attach to this role is as below:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:CreateSnapshot",
"ec2:CopySnapshot",
"ec2:DeleteSnapshot",
"ec2:DescribeSnapshots",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:DescribeInstances",
"ec2:DescribeVolumes",
"ec2:DescribeImages",
"ec2:CopyImage",
"ec2:DeregisterImage",
"ec2:CreateVolume",
"ec2:AttachVolume",
"ec2:DetachVolume",
"ec2:DeleteVolume"
],
"Resource": "*"
}
]
}
Then I went to create a backup plan with backup rule and assign the EC2 resource as the following backup plan resource assignment
However when the backup job the job failed, the error message is: "You are not authorized to perform this operation" backup job failed
When I edit the above policy to:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:*"
],
"Resource": "*"
}
]
}
meaning the EC2FullAccess, the backup job executed successfully. But the EC2FullAccess is not a security way grant permission to a role so I think there are something missing in the first policy.
Can I ask you for any advices?
Thank you very much.
I'm not sure exactly which permissions are required for backups, but if you have CloudTrail enabled, you could use AWS Access Analyzer to generate a least privilege policy for you. Go to your role in the console and scroll down to "Generate policy based on CloudTrail events":
AWS can also create a new role for you with the correct permissions for backup if you select "Default role" when creating the backup.
- AWS CLI Create Default VPC
- Email address is not verified (AWS SES)
- RDS Proxy: PENDING_PROXY_CAPACITY and "DBProxy Target unavailable due to an internal error"
- mTLS on AWS ALBs across multiple regions
- How to debug a aws lambda function?
- AWS SAM retrieve secret value from Secret Manager with dynamic referencing
- Cloudfront redirect when signed cookies not present
- Is there a wildcard character in AWS EventBridge rules?
- Laravel file upload s3 Multipart
- Increase EC2 disk storage without losing any data
- AWS Lambda triggers SES in VPC
- Setting HTTP Headers with Lambda@Edge
- How to find an Amazon EC2 AMI if I only have the id?
- AWS Lambda - Can't set memory larger than 3008 MB
- Which one is the cheapest to use AWS RDS or my own database?
- AWS Glue Please verify role's TrustPolicy
- How to create event bus events with source 'aws.'?
- Terraform and AWS: No Configuration Files Found Error
- How to transfer the packets through NAT gateway instead of public IP?
- Is Aws well architected framework supports API's?
- Can't delete AWS internet Gateway
- Unable to Trigger Lambda function in AWS using Python code from my local setup
- How to login with AWS CLI using credentials profiles
- How to retrieve multiple endpoints using data "aws_vpc_endpoint" resource?
- When pushing to ECS, Docker image errors out with module not found error
- Is there a way to drop file extensions when using AWS CLI with --recursive?
- On-demand self-hosted AWS EC2 runner for GitHub Actions
- How to manage dev and prod environments in a SAM project with CloudFormation Stacks, API Gateway, Lambda, and other AWS services?
- EC2 Instance error telling me multiple IAM Roles are attached when I try to change it...?
- (NoSuchVersion) when calling the GetObject operation: The specified version does not exist