How do I get notifications for AWS Backup jobs that fail?


I want to set up email notifications to notify me when my AWS Backup job fails.

Resolution

Create an SNS topic to send AWS Backup notifications

Use the Amazon Simple Notification Service (Amazon SNS) console to create an SNS topic. Expand the Access policy section. In the JSON editor, add the following permissions to your policy:

{
    "Sid": "My-statement-id",
    "Effect": "Allow",
    "Principal": {
        "Service": "backup.amazonaws.com"
    },
    "Action": "SNS:Publish",
    "Resource": "arn:aws:sns:eu-west-1:111111111111:exampletopic"
}

Note: Replace the value for Resource with your topic's Amazon Resource Name (ARN).

You can configure your SNS topic as unencrypted, or you can use encryption at rest. If you use the default AWS Key Management Service (AWS KMS) key for the encryption, then AWS Backup can't publish messages to the SNS topic. Because AWS manages the default AWS KMS key, you can't edit its policy. Instead, you must use a customer managed key. The customer managed key must grant Decrypt and GenerateDataKey permissions to backup.amazonaws.com.

Example of an updated access policy:

{
    "Version": "2008-10-17",
    "Id": "__default_policy_ID",
    "Statement": [{
        "Sid": "__default_statement_ID",
        "Effect": "Allow",
        "Principal": {
            "AWS": "*"
        },
        "Action": ["SNS:Publish", "SNS:RemovePermission", "SNS:SetTopicAttributes", "SNS:DeleteTopic", "SNS:ListSubscriptionsByTopic", "SNS:GetTopicAttributes", "SNS:Receive", "SNS:AddPermission", "SNS:Subscribe"],
        "Resource": "arn:aws:sns:eu-west-1:111111111111:exampletopic",
        "Condition": {
            "StringEquals": {
                "AWS:SourceOwner": "111111111111"
            }
        }
    }, {
        "Sid": "My-statement-id",
        "Effect": "Allow",
        "Principal": {
            "Service": "backup.amazonaws.com"
        },
        "Action": "SNS:Publish",
        "Resource": "arn:aws:sns:eu-west-1:111111111111:exampletopic"
    }]
}
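
The following offline check is an added example, not part of the original article or of any AWS tool. It verifies that a topic access policy and a customer managed key policy grant backup.amazonaws.com the actions named above. The function names and the two key policies are constructed for illustration.

```python
import fnmatch

def _as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def missing_actions(policy, required, service="backup.amazonaws.com"):
    """Return the required actions that no Allow statement grants to `service`.

    Simplified check: only statements that name the service principal
    explicitly are counted, and Deny statements and Condition blocks are
    ignored, so an empty result is necessary but not sufficient.
    """
    patterns = []
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") == "Allow" and service in services:
            patterns += [a.lower() for a in _as_list(stmt.get("Action"))]
    # Action names are case-insensitive and may contain * wildcards.
    return [r for r in required
            if not any(fnmatch.fnmatchcase(r.lower(), p) for p in patterns)]

TOPIC_REQUIRED = ["SNS:Publish"]
KEY_REQUIRED = ["kms:Decrypt", "kms:GenerateDataKey"]

def backup_statement(actions, resource):
    """Build a statement shaped like the article's My-statement-id."""
    return {"Sid": "My-statement-id", "Effect": "Allow",
            "Principal": {"Service": "backup.amazonaws.com"},
            "Action": actions, "Resource": resource}

# The article's topic policy statement.
TOPIC_POLICY = {"Statement": [backup_statement(
    "SNS:Publish", "arn:aws:sns:eu-west-1:111111111111:exampletopic")]}
# Constructed key policies (Backup statement only): one forgets
# GenerateDataKey, one grants both required actions.
KEY_POLICY_INCOMPLETE = {"Statement": [backup_statement("kms:Decrypt", "*")]}
KEY_POLICY_OK = {"Statement": [backup_statement(
    ["kms:Decrypt", "kms:GenerateDataKey*"], "*")]}

if __name__ == "__main__":
    print("topic:", missing_actions(TOPIC_POLICY, TOPIC_REQUIRED))
    print("incomplete key:", missing_actions(KEY_POLICY_INCOMPLETE, KEY_REQUIRED))
    print("complete key:", missing_actions(KEY_POLICY_OK, KEY_REQUIRED))
```

To check a real policy, load the JSON you exported from the console into a dict and pass it to missing_actions.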

Create an SNS subscription to receive notifications for a failed backup job

Complete the following steps:

  1. Open the Amazon SNS console.

  2. In the navigation pane, choose Subscriptions.

  3. Choose Create subscription.

  4. For Topic ARN, select your SNS topic's ARN.

  5. For Protocol, choose Email-JSON.

  6. For Endpoint, enter the email address where you want to get notifications.

  7. Expand Subscription filter policy.

  8. In the JSON editor, choose Message attributes, and then enter the following information:

    {
      "State": [
        {
          "anything-but": "COMPLETED"
        }
      ]
    }

  9. Choose Create subscription.

The email address that you entered for the endpoint receives a subscription confirmation email.
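
The following local model of the subscription filter is an added example, not SNS code and not part of the original article. It evaluates the step 8 policy under both scopes the SNS console offers (Message attributes and Message body) against constructed messages, and shows that key names are matched case-sensitively. It assumes string values and handles only exact-match and anything-but rules.

```python
import json

def _rule_matches(rule, value):
    """One rule against one value: exact string, or {"anything-but": ...}."""
    if isinstance(rule, dict) and "anything-but" in rule:
        excluded = rule["anything-but"]
        return value not in (excluded if isinstance(excluded, list) else [excluded])
    return rule == value

def delivered(policy, scope, msg):
    """Would a subscription with this filter policy and scope get `msg`?

    Simplified model: string values, exact and anything-but rules only.
    Keys are case-sensitive; a key missing from the message rejects it.
    """
    if scope == "MessageAttributes":
        fields = {k: v["Value"] for k, v in msg["MessageAttributes"].items()}
    else:  # "MessageBody": the body must parse as a JSON object
        try:
            fields = json.loads(msg["Message"])
        except ValueError:
            return False
        if not isinstance(fields, dict):
            return False
    return all(k in fields and any(_rule_matches(r, fields[k]) for r in rules)
               for k, rules in policy.items())

ATTR_POLICY = {"State": [{"anything-but": "COMPLETED"}]}    # from step 8
BODY_POLICY = {"state": [{"anything-but": ["COMPLETED"]}]}  # lowercase key variant

def attr_msg(state):
    """Constructed notification carrying a State message attribute."""
    return {"Message": "Constructed AWS Backup notification text.",
            "MessageAttributes": {"State": {"Type": "String", "Value": state}}}

# Constructed notification whose state appears only in a JSON body.
BODY_MSG = {"Message": json.dumps({"state": "FAILED", "backupVaultName": "daily"}),
            "MessageAttributes": {}}

if __name__ == "__main__":
    for state in ("COMPLETED", "FAILED", "ABORTED", "EXPIRED"):
        print(state, delivered(ATTR_POLICY, "MessageAttributes", attr_msg(state)))
    print("attribute filter vs body-only message:",
          delivered(ATTR_POLICY, "MessageAttributes", BODY_MSG))
    print("body filter vs body-only message:",
          delivered(BODY_POLICY, "MessageBody", BODY_MSG))
    print("body filter, wrong key case:",
          delivered(ATTR_POLICY, "MessageBody", BODY_MSG))
```

If no email arrives for a job that did not complete, compare a captured notification with the filter's scope and key spelling before changing anything else.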

Configure your backup vault to send notifications to the SNS topic

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

To turn on notifications for a backup vault, run the put-backup-vault-notifications AWS CLI command:

aws backup put-backup-vault-notifications --backup-vault-name examplevault --sns-topic-arn arn:aws:sns:eu-west-1:111111111111:exampletopic --backup-vault-events "BACKUP_JOB_COMPLETED"

Note: Replace examplevault with your backup vault's name and the example ARN with your topic's ARN.

To confirm that you turned on notifications, run the get-backup-vault-notifications command:

aws backup get-backup-vault-notifications --backup-vault-name examplevault

Note: Replace examplevault with your backup vault's name.

Example output:

{
    "BackupVaultName": "examplevault",
    "BackupVaultArn": "arn:aws:backup:eu-west-1:111111111111:backup-vault:examplevault",
    "SNSTopicArn": "arn:aws:sns:eu-west-1:111111111111:exampletopic",
    "BackupVaultEvents": ["BACKUP_JOB_COMPLETED"]
}

Monitor emails for notifications

When your vault has an unsuccessful backup job, you receive an email notification that's similar to the following one:

"An AWS Backup job was stopped. Resource ARN : arn:aws:ec2:eu-west-1:111111111111:volume/vol-example56d7w92d4b. BackupJob ID : example4-3dd5-5678-b52d-90bd749355a5"

To test notifications, create two on-demand backups. Then, stop one of the backups. You get an email notification only for the stopped backup.

Related information

How can I configure Amazon EventBridge notifications for failed AWS Backup Jobs?

Amazon SNS and AWS Backup events

Troubleshooting AWS Backup

Amazon SNS example filter policies

AWS OFFICIAL Updated 2 months ago
5 Comments

This article needs help. It assumes a level of understanding of the tool that shouldn't be expected and is unclear as a result.

For anyone looking for more clear cut documentation, look here: https://cloudsbaba.com/how-can-i-get-notifications-for-aws-backup-jobs-that-completed-and-failed/

More helpful AWS docs also here: https://docs.aws.amazon.com/aws-backup/latest/devguide/sns-notifications.html

replied 3 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 3 years ago

Hello, I followed the documentation, but there are several issues with this:

  1. SNS filter policy must be "Message body", which is not mentioned in the article, and it is not the default selection.
  2. The filter policy is referencing the "State", but when I checked the CloudTrail message that was sent to the topic, the state is all lowercase "state", which cost me a lot of time to figure out.

For others facing a similar issue, this is the message filter that worked for me:

{
  "state": [
    {
      "anything-but": [
        "COMPLETED"
      ]
    }
  ]
}

And this is a sample CloudTrail event with FAILED status for testing:

{
    "completionDate": {
        "seconds": 1700078469,
        "nanos": 519000000
    },
    "state": "FAILED",
    "percentDone": 100,
    "restoreJobId": "XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX",
    "backupVaultName": "daily",
    "backupVaultArn": "arn:aws:backup:eu-central-1:000000000000:backup-vault:daily",
    "recoveryPointArn": "arn:aws:backup:eu-central-1:000000000000:recovery-point:XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX",
    "resourceArn": "arn:aws:dynamodb:eu-central-1:000000000000:table/mytable",
    "creationDate": {
        "seconds": 1700078313,
        "nanos": 329000000
    },
    "backupSizeInBytes": 847,
    "iamRoleArn": "arn:aws:iam::000000000000:role/backup_role",
    "resourceType": "DynamoDB"
}

replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 2 years ago

The above doesn't work without a few modifications for the failed backup job.

With the below CLI command, you need to replace BACKUP_JOB_COMPLETED with BACKUP_JOB_FAILED if you are just looking for failed notification events and don't need any filter policy on subscription.

aws backup put-backup-vault-notifications --backup-vault-name examplevault --sns-topic-arn arn:aws:sns:eu-west-1:111111111111:exampletopic --backup-vault-events BACKUP_JOB_COMPLETED
aws backup put-backup-vault-notifications --backup-vault-name examplevault --sns-topic-arn arn:aws:sns:eu-west-1:111111111111:exampletopic --backup-vault-events BACKUP_JOB_FAILED BACKUP_JOB_EXPIRED

You can look for events for backup jobs in this doc. https://docs.aws.amazon.com/aws-backup/latest/devguide/API_GetBackupVaultNotifications.html

replied 2 years ago