
I swear, I've read all the docs I can find, and have tried everything including the AWS policy generator UI and manually editing policy JSON, but no matter what I try, when I try to delete any of these resources, I just get the big red header with Access denied Insufficient privileges to perform this action. Please consult with the account administrator for necessary permissions.

It seems like all I should need to do is to explicitly list the ARNs in the policy without using wildcards, for example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "backup:DeleteBackupPlan",
            "Resource": "arn:aws:backup:<and the rest of the actual arn here>"
        }
    ]
}

but no luck.

Can anyone point me to docs or describe how to actually delete AWS backup vault, recovery point, and backup plan resources? Am I missing some required permissions, or just doing it wrong?

-- UPDATE --

After plenty of trial and error, deleting backup restore points worked.
I had to go to the containing backup vault and edit the resource policy. It was this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "backup:DeleteBackupVault",
                "backup:DeleteBackupVaultAccessPolicy",
                "backup:DeleteRecoveryPoint",
                "backup:StartCopyJob",
                "backup:StartRestoreJob",
                "backup:UpdateRecoveryPointLifecycle"
            ],
            "Resource": "*"
        }
    ]
}

... and I changed "Deny" to "Allow".
Then, along with the permissions I had set for the IAM user, I was able to delete each of the restore points.

Still zero progress on deleting vaults and backup plans. Policy editor keeps providing this nonsensical message: Resource vendor must be fully qualified and cannot contain regexes.

Tom Wilson
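The behaviour described in the question (an IAM policy that names the exact ARN, yet "Access denied") follows from how AWS combines an identity policy with a resource-based policy such as the vault access policy: an explicit Deny in any applicable policy overrides every Allow, so editing the IAM policy alone can never succeed while the vault policy carries that Deny. The following Python model, added here as an illustration and not taken from the post or from AWS, reproduces that rule on the policies quoted above. The ARNs are constructed placeholders, and the evaluator is deliberately simplified (no Condition, permission boundaries or SCPs). It also shows that removing only the one action from the Deny list restores the delete while keeping the remaining guard rails, whereas flipping the whole statement to Allow with Principal "*" grants those actions to a principal that has no IAM grant at all.

```python
"""Minimal model of AWS policy evaluation: identity policy + resource policy.

Added example for the vault-access-policy problem above.  Not AWS code; the
model covers only the explicit-deny rule for same-account principals.
"""
from fnmatch import fnmatchcase

# Constructed placeholder ARNs (not real resources).
VAULT_ARN = "arn:aws:backup:us-east-1:111122223333:backup-vault:example-vault"
RECOVERY_POINT_ARN = (
    "arn:aws:backup:us-east-1:111122223333:recovery-point:EXAMPLE-RP-ID")
USER_ARN = "arn:aws:iam::111122223333:user/backup-admin"

GUARDED_ACTIONS = [
    "backup:DeleteBackupVault",
    "backup:DeleteBackupVaultAccessPolicy",
    "backup:DeleteRecoveryPoint",
    "backup:StartCopyJob",
    "backup:StartRestoreJob",
    "backup:UpdateRecoveryPointLifecycle",
]

# The IAM user's identity policy: exact ARNs, as the question tried.
IAM_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["backup:DeleteRecoveryPoint", "backup:DeleteBackupVault"],
    "Resource": [RECOVERY_POINT_ARN, VAULT_ARN],
}]}
EMPTY_IAM_POLICY = {"Version": "2012-10-17", "Statement": []}


def vault_policy(effect, actions):
    """Build a vault access policy with one statement for every principal."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": effect, "Principal": {"AWS": "*"},
        "Action": list(actions), "Resource": "*",
    }]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    return any(fnmatchcase(value, p) for p in _as_list(pattern))


def _principal_matches(stmt, principal_arn):
    # Identity policies have no Principal element; resource policies do.
    if "Principal" not in stmt:
        return True
    principal = stmt["Principal"]
    if principal == "*":
        return True
    return _matches(principal.get("AWS", []), principal_arn)


def evaluate(identity_policy, resource_policy, principal_arn, action, arn):
    """Return 'Allow' or 'Deny': explicit Deny wins, then any Allow, else Deny."""
    statements = identity_policy["Statement"] + resource_policy["Statement"]
    applicable = [s for s in statements
                  if _principal_matches(s, principal_arn)
                  and _matches(s["Action"], action)
                  and _matches(s["Resource"], arn)]
    if any(s["Effect"] == "Deny" for s in applicable):
        return "Deny"
    if any(s["Effect"] == "Allow" for s in applicable):
        return "Allow"
    return "Deny"  # implicit deny


def delete_recovery_point_as_found():
    """Vault policy exactly as the question found it: Deny overrides IAM Allow."""
    return evaluate(IAM_POLICY, vault_policy("Deny", GUARDED_ACTIONS),
                    USER_ARN, "backup:DeleteRecoveryPoint", RECOVERY_POINT_ARN)


def delete_recovery_point_scoped_fix():
    """Drop only DeleteRecoveryPoint from the Deny list; the IAM Allow now counts."""
    kept = [a for a in GUARDED_ACTIONS if a != "backup:DeleteRecoveryPoint"]
    return evaluate(IAM_POLICY, vault_policy("Deny", kept),
                    USER_ARN, "backup:DeleteRecoveryPoint", RECOVERY_POINT_ARN)


def delete_vault_scoped_fix():
    """The remaining Deny still protects the vault itself."""
    kept = [a for a in GUARDED_ACTIONS if a != "backup:DeleteRecoveryPoint"]
    return evaluate(IAM_POLICY, vault_policy("Deny", kept),
                    USER_ARN, "backup:DeleteBackupVault", VAULT_ARN)


def flipped_to_allow_grants_unprivileged_user():
    """Deny flipped to Allow for Principal '*': a user with no IAM grant is allowed."""
    return evaluate(EMPTY_IAM_POLICY, vault_policy("Allow", GUARDED_ACTIONS),
                    "arn:aws:iam::111122223333:user/someone-else",
                    "backup:DeleteRecoveryPoint", RECOVERY_POINT_ARN)


if __name__ == "__main__":
    print("as found:", delete_recovery_point_as_found())
    print("scoped fix, delete recovery point:", delete_recovery_point_scoped_fix())
    print("scoped fix, delete vault:", delete_vault_scoped_fix())
    print("flipped to Allow, other user:", flipped_to_allow_grants_unprivileged_user())
```

Running it prints Deny, Allow, Deny, Allow for the four cases, which is the observed sequence in the question: the explicit Deny blocked every delete regardless of the IAM policy, and changing it unblocked the recovery points. The scoped variant reaches the same result for recovery points without opening the other five actions to every principal.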
  • It's probably not this, but check your Service Control Policies if you have them. Of course IAM policy need to be checked, again probably not that. I only created an AWS backup vault once as a quick test, it deleted fine. In the resource policy try granting wildcard (ie * ). Not that helpful sorry, but maybe it'll give you an idea that might help. – Tim Dec 30 '20 at 19:56

1 Answer


In case anyone else comes across this post, as I did, here is the probable solution. AWS EFS, and presumably other services, create an automatic backup using AWS Backup and set it to Enabled by default. This backup plan and vault cannot be deleted. Instead you need to go to the service, e.g. EFS, and disable the Automatic Backup.

Here are two links that describe the actions required fully:

https://docs.aws.amazon.com/efs/latest/ug/awsbackup.html#automatic-backups
https://aws.amazon.com/premiumsupport/knowledge-center/efs-disable-automatic-backups/