17

I am trying to set up a simple on-demand backup of an S3 bucket in AWS and whatever I try I always get an access denied. See screenshot:

AWS Backup

I have tried creating a new bucket which is completely public, I've tried setting the access policy on the Vault, I've tried in different regions, all have the same result. Access Denied!

The messaging doesn't advise anything other than Access Denied, really helpful!

Can anyone give me some insight into what this message is referring to and, moreover, how I can resolve this issue?

Benzine
  • 472
  • 1
  • 5
  • 19

2 Answers

33

For AWS Backup, you need to set up a service role. Traditionally you need 2 policies attached:

AWSBackupServiceRolePolicyForBackup
AWSBackupServiceRolePolicyForRestore

For S3, it seems there is a separate policy that you need to attach to your service role:

AWSBackupServiceRolePolicyForS3Backup
AWSBackupServiceRolePolicyForS3Restore

Screenshot of Service Role

Daniel Gartmann
  • 11,678
  • 12
  • 45
  • 60
M.m.j.S
  • 346
  • 3
  • 3
  • 4
    Thank you so much for this response, this did the trick! Interestingly, AWS advises that the Default Role would be created with the correct permissions when choosing it, but obviously it did not add the S3 policies, do you know why this is the case? – Benzine Jun 10 '22 at 03:10
  • 2
    Initially, aws-backup didn't provide s3, so my guess is that for every additional feature we'll have to add additional policies because changing the original policy might otherwise break security for many others. – M.m.j.S Jun 10 '22 at 09:09
  • 2
    Yes, now reading about this online it looks like that is the case. They should update their messaging though, as this is misleading. – Benzine Jun 12 '22 at 21:09
  • Just for info: the copy service is now also available for S3. – user3420561 Aug 02 '22 at 11:30
  • 1
    You still have to do this! So odd that AWS doesn't add these roles by default – Kyle Hotchkiss Jan 10 '23 at 21:56
  • Odd that the documentation also does not mention it. Thank you for the answer. – CarlR Jul 08 '23 at 08:21
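A quick way to confirm the cause before touching the console: list the managed policies attached to the backup service role and compare them with the names the answer gives. The script below is an added example, not code from the answer or from AWS; it matches on policy names as returned by IAM, reads the real list through boto3's `list_attached_role_policies` paginator only when you ask it to, and otherwise runs on a constructed sample that mirrors the question's situation (the default role carrying only the two generic policies). Note that the actual managed policy for restores is named `AWSBackupServiceRolePolicyForRestores`; the role name used in the sample is assumed.

```python
from typing import Dict, Iterable, List

# AWS-managed policy names from the answer above. The restore policy's
# real name ends in "Restores"; the S3 pair is named as on the page.
BASE_REQUIRED = ("AWSBackupServiceRolePolicyForBackup",
                 "AWSBackupServiceRolePolicyForRestores")
S3_REQUIRED = ("AWSBackupServiceRolePolicyForS3Backup",
               "AWSBackupServiceRolePolicyForS3Restore")


def missing_backup_policies(attached: Iterable[Dict[str, str]],
                            resource_types: Iterable[str]) -> List[str]:
    """Return the required managed-policy names that are not attached.

    `attached` has the shape of the AttachedPolicies list that IAM returns
    (each entry carries PolicyName and PolicyArn). `resource_types` are the
    resource types the backup plan selects; the S3 policies are only
    required when "S3" is among them.
    """
    names = {p["PolicyName"] for p in attached}
    required = list(BASE_REQUIRED)
    if "S3" in {r.upper() for r in resource_types}:
        required += S3_REQUIRED
    return [name for name in required if name not in names]


def diagnose(role_name: str, attached, resource_types) -> str:
    missing = missing_backup_policies(attached, resource_types)
    if not missing:
        return f"{role_name}: all required AWS Backup managed policies attached"
    return f"{role_name}: missing {', '.join(missing)}"


def attached_policies_live(role_name: str) -> List[Dict[str, str]]:
    """Fetch the real list (needs boto3 and IAM read credentials)."""
    import boto3  # imported here so the sample run stays offline
    paginator = boto3.client("iam").get_paginator("list_attached_role_policies")
    return [p for page in paginator.paginate(RoleName=role_name)
            for p in page["AttachedPolicies"]]


# Constructed sample: the two generic policies are attached, the S3 pair is not.
SAMPLE_ATTACHED = [
    {"PolicyName": n, "PolicyArn": f"arn:aws:iam::aws:policy/service-role/{n}"}
    for n in BASE_REQUIRED
]

if __name__ == "__main__":
    # Role name is an assumption for the sample run.
    print(diagnose("AWSBackupDefaultServiceRole", SAMPLE_ATTACHED, ["S3"]))
```

Run it against a live role with `diagnose(name, attached_policies_live(name), ["S3"])`; an empty "missing" list means the Access Denied has another cause (bucket policy, KMS key, or vault policy).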
0

Just putting this here for those who will be looking for this answer.

To solve this problem for AWS CDK (javascript/typescript) you can use the following examples:

https://github.com/SimonJang/blog-aws-backup-s3/blob/68a05f8cb443411a23f02aa0c188adfe15bab0ff/infrastructure/lib/infrastructure-stack.ts#L63-L200

or this:

https://github.com/finnishtransportagency/hassu/blob/8adc0bea3193ff016a9aaa6abe0411292714bbb8/deployment/lib/hassu-database.ts#L230-L312

Danil Valov
  • 605
  • 1
  • 7
  • 16