amazon-web-services, amazon-ec2, aws-backup

AWS Backup Job failed with unknown reason


I am a beginner in AWS

I created a new role to perform backups only for EC2 instances, selected by tag, with AWS Backup. The only policy I attached to this role is as below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSnapshot",
                "ec2:CopySnapshot",
                "ec2:DeleteSnapshot",
                "ec2:DescribeSnapshots",
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "ec2:DescribeInstances",
                "ec2:DescribeVolumes",
                "ec2:DescribeImages",
                "ec2:CopyImage",
                "ec2:DeregisterImage",
                "ec2:CreateVolume",
                "ec2:AttachVolume",
                "ec2:DetachVolume",
                "ec2:DeleteVolume"
            ],
            "Resource": "*"
        }
    ]
}

Then I went to create a backup plan with a backup rule and assigned the EC2 resource as in the following backup plan resource assignment.

However, when the backup job ran, it failed with the error message: "You are not authorized to perform this operation".

When I edit the above policy to:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:*"
            ],
            "Resource": "*"
        }
    ]
}

meaning EC2FullAccess, the backup job executed successfully. But EC2FullAccess is not a secure way to grant permissions to a role, so I think something is missing in the first policy.

Can I ask you for any advice?

Thank you very much.


Solution

  • I'm not sure exactly which permissions are required for backups, but if you have CloudTrail enabled, you could use AWS Access Analyzer to generate a least privilege policy for you. Go to your role in the console and scroll down to "Generate policy based on CloudTrail events".

    AWS can also create a new role for you with the correct permissions for backup if you select "Default role" when creating the backup.
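The CloudTrail-based approach in the answer can also be done by hand: take the calls CloudTrail recorded for the backup role and list the ones the policy from the question does not cover. The script below is an added example, not part of the question or answer; the CloudTrail records in it are constructed to show the record shape (`eventSource`, `eventName`, `errorCode`) and do not claim which permission AWS Backup actually needs.

```python
import fnmatch

# The inline policy from the question, with the same action list.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ec2:CreateSnapshot", "ec2:CopySnapshot", "ec2:DeleteSnapshot",
            "ec2:DescribeSnapshots", "ec2:CreateTags", "ec2:DeleteTags",
            "ec2:DescribeInstances", "ec2:DescribeVolumes", "ec2:DescribeImages",
            "ec2:CopyImage", "ec2:DeregisterImage", "ec2:CreateVolume",
            "ec2:AttachVolume", "ec2:DetachVolume", "ec2:DeleteVolume",
        ],
        "Resource": "*",
    }],
}

# Constructed CloudTrail records (not real logs), trimmed to the fields a
# "Records" entry of a CloudTrail export has that this check needs.
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateSnapshot"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateImage",
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateTags"},
]

def allowed_patterns(policy):
    """Actions (wildcards included, e.g. ec2:*) from the Allow statements."""
    patterns = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            acts = stmt.get("Action", [])
            patterns.update([acts] if isinstance(acts, str) else acts)
    return patterns

def event_action(event):
    """Map a CloudTrail record to an IAM action, e.g. ec2:CreateImage."""
    return event["eventSource"].split(".")[0] + ":" + event["eventName"]

def uncovered_actions(policy, events):
    """Actions the role called that no Allow pattern matches, keyed to the
    errorCode CloudTrail recorded ('' if the call succeeded anyway)."""
    # IAM matches action names case-insensitively; '*' is a wildcard.
    patterns = [p.lower() for p in allowed_patterns(policy)]
    missing = {}
    for ev in events:
        act = event_action(ev)
        if not any(fnmatch.fnmatchcase(act.lower(), p) for p in patterns):
            missing[act] = ev.get("errorCode", "")
    return dict(sorted(missing.items()))
```

Run `uncovered_actions(QUESTION_POLICY, SAMPLE_EVENTS)` against the role's real CloudTrail records to get the actions to add; with the `ec2:*` policy from the question the result is empty, which is why that version "works".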