
I am a beginner in AWS.

I created a new role to perform backups only for EC2 instances by tag with AWS Backup. The only policy I attached to this role is as below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSnapshot",
                "ec2:CopySnapshot",
                "ec2:DeleteSnapshot",
                "ec2:DescribeSnapshots",
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "ec2:DescribeInstances",
                "ec2:DescribeVolumes",
                "ec2:DescribeImages",
                "ec2:CopyImage",
                "ec2:DeregisterImage",
                "ec2:CreateVolume",
                "ec2:AttachVolume",
                "ec2:DetachVolume",
                "ec2:DeleteVolume"
            ],
            "Resource": "*"
        }
    ]
}

Then I went to create a backup plan with a backup rule and assigned the EC2 resource as follows:

[screenshot: backup plan resource assignment]

However, when the backup job ran, it failed with the error message: "You are not authorized to perform this operation"

[screenshot: backup job failed]

When I edited the above policy to:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:*"
            ],
            "Resource": "*"
        }
    ]
}

meaning EC2FullAccess, the backup job executed successfully. But EC2FullAccess is not a secure way to grant permissions to a role, so I think something is missing in the first policy.

Can I ask you for any advice?

Thank you very much.

2 Answers


  1. I’m not sure exactly which permissions are required for backups, but if you have CloudTrail enabled, you could use AWS Access Analyzer to generate a least privilege policy for you. Go to your role in the console and scroll down to "Generate policy based on CloudTrail events":

    [screenshot: Generate policy based on CloudTrail events]

    AWS can also create a new role for you with the correct permissions for backup if you select "Default role" when creating the backup.

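The first answer's suggestion, deriving a least-privilege policy from what the role actually called, can be checked offline before touching the console. The script below is an added example, not code from the original post or from AWS; it takes the question's first policy plus a handful of constructed CloudTrail-style events (not real log data, and only the fields the script reads), reports which observed actions the policy does not cover and which granted actions were never used, and emits a policy containing only the observed actions, roughly what "Generate policy based on CloudTrail events" does. The function names (`audit`, `generate_policy`, `action_allowed`), the placeholder action `ExampleDeniedAction`, and the `Client.UnauthorizedOperation` error code on the denied sample event are all assumptions of this example.

```python
import fnmatch
import json

# The question's first policy, copied from the post above.
POSTED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateSnapshot", "ec2:CopySnapshot", "ec2:DeleteSnapshot",
        "ec2:DescribeSnapshots", "ec2:CreateTags", "ec2:DeleteTags",
        "ec2:DescribeInstances", "ec2:DescribeVolumes", "ec2:DescribeImages",
        "ec2:CopyImage", "ec2:DeregisterImage", "ec2:CreateVolume",
        "ec2:AttachVolume", "ec2:DetachVolume", "ec2:DeleteVolume"
      ],
      "Resource": "*"
    }
  ]
}
""")

# The question's second policy (ec2:*), kept for comparison.
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"}],
}

# Constructed CloudTrail-style events, NOT real log data; only the fields this
# script reads are present. "ExampleDeniedAction" is a placeholder name, and
# "Client.UnauthorizedOperation" is the errorCode we assume EC2 records for a
# call that fails with "You are not authorized to perform this operation".
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateSnapshot"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeVolumes"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "ExampleDeniedAction",
     "errorCode": "Client.UnauthorizedOperation"},
]


def event_to_action(event):
    """Map a CloudTrail event to an IAM action string, e.g. ec2:CreateSnapshot."""
    service = event["eventSource"].split(".", 1)[0]  # "ec2.amazonaws.com" -> "ec2"
    return f"{service}:{event['eventName']}"


def allow_patterns(policy):
    """Collect the Action patterns of every Allow statement (Deny statements ignored)."""
    patterns = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns


def action_allowed(action, patterns):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def audit(policy, events):
    """Compare what the role actually called against what the policy allows."""
    patterns = allow_patterns(policy)
    used = sorted({event_to_action(e) for e in events}, key=str.lower)
    used_lower = {a.lower() for a in used}
    return {
        "used": used,
        # Observed calls that no Allow pattern covers: candidates for the missing grant.
        "not_in_policy": [a for a in used if not action_allowed(a, patterns)],
        # Calls CloudTrail recorded as failed (any errorCode present).
        "denied_in_trail": sorted({event_to_action(e) for e in events if "errorCode" in e}),
        # Granted literal actions never seen in the trail: candidates for removal.
        # Wildcard patterns are skipped because they cannot be matched one-to-one.
        "unused_in_policy": [p for p in patterns if "*" not in p and p.lower() not in used_lower],
    }


def generate_policy(events):
    """Build a policy that grants only the actions observed in the trail.
    Resource stays "*" here; scoping it to specific ARNs is a separate step."""
    actions = sorted({event_to_action(e) for e in events}, key=str.lower)
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}],
    }


if __name__ == "__main__":
    print(json.dumps(audit(POSTED_POLICY, SAMPLE_EVENTS), indent=2))
    print(json.dumps(audit(FULL_ACCESS_POLICY, SAMPLE_EVENTS), indent=2))
    print(json.dumps(generate_policy(SAMPLE_EVENTS), indent=2))
```

Against the posted policy the audit lists the denied placeholder call under `not_in_policy` and the never-used grants (such as `ec2:DeleteVolume`) under `unused_in_policy`; against `ec2:*` nothing is missing, which is exactly why the second policy "works" while granting far more than the job needs. To use it on a real role, replace `SAMPLE_EVENTS` with the events CloudTrail recorded for that role's sessions.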
  2. I've found it much easier and more cost-effective to use Clumio for AWS backups, but as the other answer says, check CloudTrail and AA to look at policies and events.

    CloudTrail will give you an event feed and AA will help you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles.
