2

I am currently logged in as the root user. I am trying to delete the following EFS backup vault:

aws/efs/automatic-backup-vault

When I do I receive the following error:

Insufficient privileges to perform this action. Please consult with the account administrator for necessary permissions.

When I go to the policies to give myself the ability to do this, I enter the following policy:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "*",
        "Resource": "*"
    }]
}

The JSON I enter gives the following error:

This policy JSON contains 3 errors that require attention starting on line 7 See the individual validation errors in the JSON editor for more information.

Additionally, I used AWS-Nuke to try and clear everything out, and this little bit of configuration remained. Previously I was getting:

The specified policy cannot be added to the vault due to cross-account sharing restrictions. Amend the policy or the vault's settings, then retry request.

I am unsure of what to do next or if the second error is still relevant here as the JSON is being denied. I also was having an error around Thanks!

2 Answers

5

You need to fix the policy in the backup vault in two steps.

1 - Change the AWS Principal: "*" to "arn:aws:iam::[AWSAccountID]:root"
2 - After that, you can change the policy: Deny to Allow.

This is necessary because you can't change the effect with single account actions with a principal "*".


2 Comments

does this work for someone?
yes, this works.
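
The two-step edit from the answer above, as an added example that is not part of the original answer: step 1 scopes the wildcard principal to the account root while leaving the effect alone, and step 2 flips Deny to Allow, refusing if a wildcard principal is still present. The sample policy, its actions and the account ID 111122223333 are constructed, and the function names are hypothetical.

```python
import copy
import json

# Constructed sample policy (wildcard-principal Deny); a real vault's policy may differ.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": ["backup:DeleteBackupVault", "backup:DeleteRecoveryPoint"],
        "Resource": "*",
    }],
}

def is_wildcard(principal):
    """True for the forms a wildcard principal can take in policy JSON."""
    return principal in ("*", {"AWS": "*"}, {"AWS": ["*"]})

def normalized(policy):
    """Deep-copy the policy and make Statement a list (a single object is legal)."""
    out = copy.deepcopy(policy)
    if isinstance(out.get("Statement"), dict):
        out["Statement"] = [out["Statement"]]
    return out

def step1_scope_principal(policy, account_id):
    """Step 1: replace Principal "*" with the account root ARN; Effect is untouched."""
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError("account_id must be a 12-digit AWS account ID")
    out = normalized(policy)
    for stmt in out["Statement"]:
        if is_wildcard(stmt.get("Principal")):
            stmt["Principal"] = {"AWS": f"arn:aws:iam::{account_id}:root"}
    return out

def step2_flip_effect(policy):
    """Step 2: change Deny to Allow, refusing while any wildcard principal remains."""
    out = normalized(policy)
    for stmt in out["Statement"]:
        if is_wildcard(stmt.get("Principal")):
            raise ValueError("wildcard principal still present; apply step 1 first")
        if stmt.get("Effect") == "Deny":
            stmt["Effect"] = "Allow"
    return out

if __name__ == "__main__":
    scoped = step1_scope_principal(SAMPLE_POLICY, "111122223333")  # constructed ID
    print(json.dumps(scoped, indent=4))
    print(json.dumps(step2_flip_effect(scoped), indent=4))
```

Each step's output is meant to be saved to the vault as its own policy update, in that order.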
1

I also struggled with deleting this vault; AWS would not let me change the backup vault access policy according to this answer.

Note that aws/efs/automatic-backup-vault is an AWS-managed backup vault that gets created automatically when you toggle Automatic backups: Enabled on a given EFS file system.

To disable these backups themselves, take a look at the recovery points present in this vault to determine which EFS file systems are targeted (it should be all EFS file systems with the aws:elasticfilesystem:default-backup: enabled tag) and modify those EFS file systems to disable Automatic backup.

3 Comments

FYI, I can change the access policy but still cannot delete the vault.
@milan Do you have any EFS file systems with the aws:elasticfilesystem:default-backup: enabled tag, or that are otherwise configured to automatically back up? Are you getting any particular errors?
Nope, zero EFS instances atm. I had them some years ago and AWS probably created these vaults then. Now I can't remove them.
