Tags: java, amazon-web-services, amazon-dynamodb, backup, aws-backup

AWS cross-account backup copy and restoration failing due to insufficient privileges


I am creating backups of my DynamoDB tables using AWS Backup in my source account A and storing the recovery point ARNs in a vault named X in source account A.

I need to copy and restore the backup in another account named B. I am following the steps below, but my process is failing with the error:

software.amazon.awssdk.services.backup.model.BackupException: Insufficient privileges to perform this action. (Service: Backup, Status Code: 403)

Steps to recreate:

  1. Create the backup and store it in vault X in account A.
  2. Give target account B permission to perform the action "CopyFromBackupVault" using the vault access policy for vault X in the source account:
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Principal": {
             "AWS": "arn:aws:iam::account_B_id:root"
           },
           "Action": "backup:CopyFromBackupVault",
           "Resource": "*"
         }
       ]
     }
  3. Give source account A permission to perform the action "CopyIntoBackupVault" using the vault access policy for vault Y in the target account:
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Principal": {
             "AWS": ["arn:aws:iam::account_A_id:root",
                     "arn:aws:iam::account_B_id:root"]
           },
           "Action": "backup:CopyIntoBackupVault",
           "Resource": "*"
         }
       ]
     }
  4. After these steps, from target account B I initiate the copy job, but it fails with the error:
     software.amazon.awssdk.services.backup.model.BackupException: Insufficient privileges to perform this action. (Service: Backup, Status Code: 403)
  5. Restore the backup (not able to reach this step).

Please note, the role I am using has all the permissions required to perform backup actions. I reckon the issue lies in the vault access policies. Please help. Thank you!

I have tried every step mentioned in the AWS documentation that I could find. I have checked with ChatGPT but nothing resolved my issue.

I am expecting my backup to be copied and then restored without any issue.


Solution

  • Creating a cross-account copy of a recovery point from AWS Backup requires the correct access policies on both the source and destination vaults, a correct IAM role with policies that allow creating a copy job, and cross-account backup to be enabled within the Organization's management account.

    From the details provided in the comments, you seem to have everything except cross-account backup enabled within the AWS Organization. This can be done from the management account, within the AWS Backup console under My account and Settings.

    Lastly, two final points to check: the destination vault cannot be the default vault of the account, and the copy job must be started from the source account.
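The following is an added example, not code from the question or the answer above: a local preflight check that walks through the answer's checklist (both vault access policies, non-default destination vault, job started from the source account, cross-account backup enabled in the Organization) before anyone calls StartCopyJob, plus a helper that builds the boto3 `start_copy_job` arguments. The account IDs, vault names, region, role ARN and recovery point ARN are assumed placeholders; the two vault policies are the ones posted in the question with those placeholders substituted. The policy check is a sanity check only: it does not evaluate Deny statements or Condition blocks.

```python
# Added example (not from the original post): preflight checks for an
# AWS Backup cross-account copy job. All IDs, names and ARNs are assumed
# placeholders.

ACCOUNT_A = "111111111111"  # source account A (assumed placeholder)
ACCOUNT_B = "222222222222"  # target account B (assumed placeholder)

# Vault X (in account A): lets account B copy recovery points out of it.
SOURCE_VAULT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:root"},
        "Action": "backup:CopyFromBackupVault",
        "Resource": "*",
    }],
}

# Vault Y (in account B): lets account A copy recovery points into it.
DEST_VAULT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT_A}:root",
                              f"arn:aws:iam::{ACCOUNT_B}:root"]},
        "Action": "backup:CopyIntoBackupVault",
        "Resource": "*",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy, account_id, action):
    """True if some Allow statement grants `action` to the root of
    `account_id` (or to everyone via "*"). Deny statements and Condition
    blocks are ignored: this is a sanity check, not a policy simulator."""
    root_arn = f"arn:aws:iam::{account_id}:root"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            principal_ok = True
        else:
            principal_ok = any(p in ("*", root_arn)
                               for p in _as_list(principal.get("AWS", [])))
        action_ok = any(a in ("*", "backup:*", action)
                        for a in _as_list(stmt.get("Action", [])))
        if principal_ok and action_ok:
            return True
    return False


def preflight(source_policy, dest_policy, source_account, dest_account,
              dest_vault_name, caller_account, cross_account_enabled):
    """Return the checklist items that are not satisfied; an empty list
    means every item from the answer's checklist passed."""
    problems = []
    if not policy_allows(source_policy, dest_account, "backup:CopyFromBackupVault"):
        problems.append("source vault policy does not grant the target account "
                        "backup:CopyFromBackupVault")
    if not policy_allows(dest_policy, source_account, "backup:CopyIntoBackupVault"):
        problems.append("destination vault policy does not grant the source account "
                        "backup:CopyIntoBackupVault")
    if dest_vault_name == "Default":
        problems.append("destination vault is the account's default vault")
    if caller_account != source_account:
        problems.append("copy job must be started from the source account")
    if not cross_account_enabled:
        problems.append("cross-account backup is not enabled in the Organization "
                        "management account")
    return problems


def copy_job_request(recovery_point_arn, source_vault_name, region,
                     dest_account, dest_vault_name, role_arn):
    """Keyword arguments for boto3's backup.start_copy_job(); call it with
    credentials from the source account once preflight() returns []."""
    return {
        "RecoveryPointArn": recovery_point_arn,
        "SourceBackupVaultName": source_vault_name,
        "DestinationBackupVaultArn":
            f"arn:aws:backup:{region}:{dest_account}:backup-vault:{dest_vault_name}",
        "IamRoleArn": role_arn,
    }


if __name__ == "__main__":
    # The situation in the question: job started from B, org setting not enabled.
    for problem in preflight(SOURCE_VAULT_POLICY, DEST_VAULT_POLICY, ACCOUNT_A, ACCOUNT_B,
                             dest_vault_name="Y", caller_account=ACCOUNT_B,
                             cross_account_enabled=False):
        print("FAIL:", problem)
    # boto3.client("backup").start_copy_job(**copy_job_request(...)) from account A
    print(copy_job_request("arn:aws:backup:us-east-1:111111111111:recovery-point:EXAMPLE",
                           "X", "us-east-1", ACCOUNT_B, "Y",
                           f"arn:aws:iam::{ACCOUNT_A}:role/BackupCopyRole"))
```

Running it with the question's setup reports two failures (job started from account B, cross-account backup not enabled), which is the same pair of points the answer lands on; with the job issued from account A and the Organization setting turned on, the checklist comes back empty.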