AWS EFS Backup and Restore: Step-by-Step Guide & Best Practices

DevOpsofworld

Scenario: We encountered an issue while attempting to restore an EFS backup using AWS Backup.

User: arn:aws:sts::123456789012:assumed-role/devops/dummy.com is not authorized to perform: backup:StartRestoreJob on resource: arn:aws:backup:ap-south-1:123456789012:recovery-point:f73af96d-5b4b-4f3c-b01d-24f0036c56ec with an explicit deny in a resource-based policy

Explanation: By default, when an Elastic File System (EFS) is created, automatic backups are enabled. As part of this process, AWS Backup automatically generates a backup plan and creates a backup vault for those backups. That vault carries a resource-based policy with an explicit deny statement, and an explicit deny in a resource-based policy overrides any identity-based allow, which is why the restore fails even though the role is otherwise permitted to use AWS Backup. Below is an example of the default deny policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "backup:DeleteBackupVault",
        "backup:DeleteBackupVaultAccessPolicy",
        "backup:DeleteRecoveryPoint",
        "backup:StartCopyJob",
        "backup:StartRestoreJob",
        "backup:UpdateRecoveryPointLifecycle"
      ],
      "Resource": "*"
    }
  ]
}

Resolution Steps: To restore a backup successfully, you need to modify the resource-based policy associated with the backup vault and remove the explicit deny for the backup:StartRestoreJob action. Follow the steps below:

  1. Identify the Backup Vault:

    • Navigate to the AWS Backup Console.

    • Locate the backup vault associated with the recovery point mentioned in the error.

  2. Modify the Policy:

    • Open the backup vault’s resource-based policy.

    • Remove the backup:StartRestoreJob action from the "Action" array in the deny statement.

Example modified policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Principal": {
            "AWS": "*"
          },
          "Action": [
            "backup:DeleteBackupVault",
            "backup:DeleteBackupVaultAccessPolicy",
            "backup:DeleteRecoveryPoint",
            "backup:StartCopyJob",
            "backup:UpdateRecoveryPointLifecycle"
          ],
          "Resource": "*"
        }
      ]
    }

  3. Save and Apply Changes:

    • Save the updated policy.

    • Ensure the changes are applied to the backup vault.

  4. Restore the Backup:

    • Retry the restore operation using the AWS Backup Console or CLI.
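The policy edit in steps 2 and 3 can be done without hand-editing JSON in the console. The following Python is an added example, not code from the original post: it takes the vault's current policy document, removes only backup:StartRestoreJob from the Deny statement while keeping every other denied action, and re-checks the result before the restore is retried. The sample policy is the same default deny policy shown above, embedded here as a constructed input; put_vault_policy uses boto3's real put_backup_vault_access_policy call and the vault name is a placeholder, since the post does not name its vault.

```python
import copy
import json
from typing import Any

# Constructed sample: the default deny policy the post shows on the backup vault.
DEFAULT_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {"AWS": "*"},
            "Action": [
                "backup:DeleteBackupVault",
                "backup:DeleteBackupVaultAccessPolicy",
                "backup:DeleteRecoveryPoint",
                "backup:StartCopyJob",
                "backup:StartRestoreJob",
                "backup:UpdateRecoveryPointLifecycle",
            ],
            "Resource": "*",
        }
    ],
}


def _as_list(value: Any) -> list:
    """IAM allows "Action" to be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def remove_action_from_deny(policy: dict, action: str) -> dict:
    """Return a copy of `policy` with `action` dropped from every Deny statement.

    Allow statements are untouched, all other denied actions are kept, and a
    Deny statement whose Action list would become empty is dropped entirely
    (an empty "Action" array is not a valid policy).
    """
    result = copy.deepcopy(policy)
    kept = []
    for stmt in result.get("Statement", []):
        if stmt.get("Effect") == "Deny":
            actions = [a for a in _as_list(stmt.get("Action")) if a != action]
            if not actions:
                continue
            stmt["Action"] = actions
        kept.append(stmt)
    result["Statement"] = kept
    return result


def is_explicitly_denied(policy: dict, action: str) -> bool:
    """Check whether any Deny statement in the policy still blocks `action`.

    Exact matches and trailing-wildcard forms ("*", "backup:*") are modelled;
    that is enough to verify the vault policy before retrying the restore.
    """
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        for denied in _as_list(stmt.get("Action")):
            if denied == "*" or denied == action:
                return True
            if denied.endswith("*") and action.startswith(denied[:-1]):
                return True
    return False


def put_vault_policy(vault_name: str, policy: dict) -> None:
    """Apply the policy to the vault with boto3 (needs AWS credentials).

    boto3 is imported lazily so the policy functions above run without it.
    """
    import boto3

    boto3.client("backup").put_backup_vault_access_policy(
        BackupVaultName=vault_name, Policy=json.dumps(policy)
    )


if __name__ == "__main__":
    fixed = remove_action_from_deny(DEFAULT_DENY_POLICY, "backup:StartRestoreJob")
    print(json.dumps(fixed, indent=2))
    print("restore still denied:", is_explicitly_denied(fixed, "backup:StartRestoreJob"))
    # put_vault_policy("<vault-name>", fixed)  # placeholder vault name; apply when ready
```

The same round trip with the CLI is `aws backup get-backup-vault-access-policy --backup-vault-name <vault-name>` to fetch the document and `aws backup put-backup-vault-access-policy --backup-vault-name <vault-name> --policy file://policy.json` to write it back. Because the Deny applies to the `*` principal, removing backup:StartRestoreJob from it means any principal whose identity-based policy allows that action can now restore from the vault, so keep the IAM allow for restores scoped to the role that actually needs it.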

Reference Documentation: For more details on restoring EFS file systems, refer to the official AWS documentation:

[1] Restore an Amazon EFS File System
