By using AWS re:Post, you agree to the AWS re:Post Terms of Use

How can I get notifications for AWS Backup jobs that fail?

4 minute read
3

I want to set up email notifications to notify me when my AWS Backup job fails.

Resolution

The following resolution uses Amazon Simple Notification Service (Amazon SNS) to deliver vault-based notifications for supported events in AWS Backup. The solution notifies you when AWS Backup jobs in a single vault fail. For more information, see How can I configure Amazon EventBridge notifications for failed AWS Backup Jobs?

To receive notifications for other events, see Amazon SNS and AWS Backup events.

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you use the most recent AWS CLI version.

Create an SNS topic to send AWS Backup notifications

  1. Open the Amazon SNS console.
  2. From the navigation pane, choose Topics.
  3. Under Details, for Type, choose Standard.
  4. Choose Create topic.
  5. For Name, enter a name for the topic.
  6. Choose Create topic.
  7. Under Details, copy the value for ARN.
  8. Choose Edit, and then expand Access policy.
  9. In the JSON editor, enter the following permissions into the policy:
    {
        "Sid": "My-statement-id",
        "Effect": "Allow",
        "Principal": {
            "Service": "backup.amazonaws.com"
        },
        "Action": "SNS:Publish",
        "Resource": "arn:aws:sns:eu-west-1:111111111111:exampletopic"
    }
    Note: Replace the value for Resource with the Amazon Resource Name (ARN). You can configure your Amazon SNS topic as unencrypted, or you can use encryption at rest. If you use the default AWS Key Management Service (AWS KMS) for the encryption, then AWS Backup can't publish messages to the SNS topic. Because Amazon manages the default AWS KMS key, you can't edit the policy. Instead, you must use a customer managed key. The customer managed key must grant decrypt and generateDataKey permissions to backup.amazonaws.com.
  10. Choose Save changes.

After you save your changes, the updated Access Policy appears and is similar to the following example:

{
    "Version": "2008-10-17",
    "Id": "__default_policy_ID",
    "Statement": [{
        "Sid": "__default_statement_ID",
        "Effect": "Allow",
        "Principal": {
            "AWS": "*"
        },
        "Action": ["SNS:Publish", "SNS:RemovePermission", "SNS:SetTopicAttributes", "SNS:DeleteTopic", "SNS:ListSubscriptionsByTopic", "SNS:GetTopicAttributes", "SNS:Receive", "SNS:AddPermission", "SNS:Subscribe"],
        "Resource": "arn:aws:sns:eu-west-1:111111111111:exampletopic",
        "Condition": {
            "StringEquals": {
                "AWS:SourceOwner": "111111111111"
            }
        }
    }, {
        "Sid": "My-statement-id",
        "Effect": "Allow",
        "Principal": {
            "Service": "backup.amazonaws.com"
        },
        "Action": "SNS:Publish",
        "Resource": "arn:aws:sns:eu-west-1:111111111111:exampletopic"
    }]
}

Create an Amazon SNS subscription to receive notifications for a failed backup job

  1. Open the Amazon SNS console.
  2. From the navigation pane, choose Subscriptions.
  3. Choose Create subscription.
  4. For Topic ARN, select your SNS topic from the ARN that you created.
  5. For Protocol, choose Email-JSON.
  6. For Endpoint, enter the email address where you want to receive notifications.
  7. Choose Create subscription. Amazon SNS sends you a subscription confirmation email.
  8. Confirm the subscription.

Configure your backup vault to send notifications to the SNS topic

To send notifications to the SNS topic, complete the following steps:

  1. To turn on notifications for a backup vault, run the AWS CLI put-backup-vault-notifications command:
    aws backup put-backup-vault-notifications --backup-vault-name examplevault  --sns-topic-arn arn:aws:sns:eu-west-1:111111111111:exampletopic --backup-vault-events "BACKUP_JOB_FAILED"
    Note: Set --backup-vault-events to BACKUP_JOB_FAILED.
  2. To confirm that notifications are configured, run the AWS CLI get-backup-vault-notifications command:
    aws backup get-backup-vault-notifications --backup-vault-name examplevault

The command returns the following example output:

{
    "BackupVaultName": "examplevault",
    "BackupVaultArn": "arn:aws:backup:eu-west-1:111111111111:backup-vault:examplevault",
    "SNSTopicArn": "arn:aws:sns:eu-west-1:111111111111:exampletopic",
    "BackupVaultEvents": ["BACKUP_JOB_FAILED"]
}

Monitor emails for notifications

When your vault has an unsuccessful backup job, you receive a message similar to the following email notification:

"An AWS Backup job was stopped. Resource ARN : arn:aws:ec2:eu-west-1:111111111111:volume/vol-example56d7w92d4b. BackupJob ID : example4-3dd5-5678-b52d-90bd749355a5"

To test notifications, create two on-demand backups. Then, stop one of the backups. You get an email notification only for the stopped backup.

Related information

Troubleshooting AWS Backup

AWS OFFICIAL
AWS OFFICIALUpdated 7 months ago
5 Comments

This article needs help. It assumes a level of understanding of the tool that shouldn't be expected and is unclear as a result.

For anyone looking for more clear cut documentation, look here: https://cloudsbaba.com/how-can-i-get-notifications-for-aws-backup-jobs-that-completed-and-failed/

More helpful AWS docs also here: https://docs.aws.amazon.com/aws-backup/latest/devguide/sns-notifications.html

replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied 2 years ago

Hello, I followed the documentation, but there are several issues with this:

  1. SNS filter policy must be "Message body" which is not mentioned in the article, and it is not the default selection.
  2. The filter policy is referencing the "State" but when I checked the CloudTrail message that was sent to the topic the state is all lowercase "state", which cost me a lot of time to figure this out.

For others facing a similar issue, this is the message filter that worked for me:

{
  "state": [
    {
      "anything-but": [
        "COMPLETED"
      ]
    }
  ]
}

And this is a sample CloudTrail event with FAILED status for testing:

{
    "completionDate": {
        "seconds": 1700078469,
        "nanos": 519000000
    },
    "state": "FAILED",
    "percentDone": 100,
    "restoreJobId": "XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX",
    "backupVaultName": "daily",
    "backupVaultArn": "arn:aws:backup:eu-central-1:000000000000:backup-vault:daily",
    "recoveryPointArn": "arn:aws:backup:eu-central-1:000000000000:recovery-point:XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX",
    "resourceArn": "arn:aws:dynamodb:eu-central-1:000000000000:table/mytable",
    "creationDate": {
        "seconds": 1700078313,
        "nanos": 329000000
    },
    "backupSizeInBytes": 847,
    "iamRoleArn": "arn:aws:iam::000000000000:role/backup_role",
    "resourceType": "DynamoDB"
}

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied a year ago

The above doesn't work without a few modifications for the failed backup job.

With the below CLI command, you need to replace BACKUP_JOB_COMPLETED with BACKUP_JOB_FAILED if you are just looking for failed notification events and don't need any filter policy on subscription.

aws backup put-backup-vault-notifications  --backup-vault-name examplevault --sns-topic-arn arn:aws:sns:eu-west-1:111111111111:exampletopic --backup-vault-events 
BACKUP_JOB_COMPLETED
aws backup put-backup-vault-notifications  --backup-vault-name examplevault --sns-topic-arn arn:aws:sns:eu-west-1:111111111111:exampletopic --backup-vault-events BACKUP_JOB_FAILED BACKUP_JOB_EXPIRED

You can look for events for backup jobs in this doc. https://docs.aws.amazon.com/aws-backup/latest/devguide/API_GetBackupVaultNotifications.html

replied 10 months ago