How do I resolve the error "This image is managed by AWS Backup and cannot be deleted via EC2 APIs. To delete this image, please use the AWS Backup APIs, CLI, or console." when I try to delete an Amazon EC2 backup?


I want to delete an AWS Backup created Amazon Machine Image (AMI) but I receive an error.

Short description

When you deregister an AMI created by AWS Backup directly from the Amazon Elastic Compute Cloud (Amazon EC2) console, you receive an error similar to the following message:

"Failed to deregister the AMI ami-01234sample. API error: "This image is managed by AWS Backup and cannot be deleted via EC2 APIs. To delete this image, please use the AWS Backup APIs, CLI, or console.""

AWS Backup created AMIs have the tag key aws:backup:source-resource. You can view this tag on the AMI using the Amazon EC2 console. Any AMIs with the tag key aws:backup:source-resource can't be deleted using the Amazon EC2 console or Amazon EC2 APIs. You must delete AWS Backup created AMIs using the AWS Backup console or AWS Backup APIs.

Resolution

To delete an AMI created by AWS Backup, you must delete the recovery point in the vault.

You can delete the recovery point using the AWS Backup console or AWS Command Line Interface (AWS CLI). Deleting the recovery point deregisters the AMI and automatically deletes the Amazon Elastic Block Store (Amazon EBS) snapshots associated with the AMI.

Deleting an Amazon EC2 recovery point using the AWS Backup console

To manually delete a recovery point using the console, complete the following steps:

  1. Open the AWS Backup console.
  2. In the navigation pane, choose Backup vaults.
  3. Select the backup vault that contains the Amazon EC2 backups. Then, choose the AMI you want to delete.
  4. Choose Actions, and then choose Delete.

Delete expired recovery points using the AWS CLI

Note: When running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent AWS CLI version.

To manually delete a single recovery point in your vault using the AWS CLI, run the following example command:

aws backup delete-recovery-point --backup-vault-name <value> --recovery-point-arn <value>

To manually delete multiple recovery points in your vault using the AWS CLI, first run the list-recovery-points-by-backup-vault command to list the expired recovery points:

$ aws backup list-recovery-points-by-backup-vault  --backup-vault-name VAULT_NAME --region REGION_ID --output json --query 'RecoveryPoints[?Status == `EXPIRED`].[RecoveryPointArn]' | jq -r '.[] | "--recovery-point-arn '\\\"'" + .[0] + "'\\\"'" + .[1]'

Then, run the following concatenated command (which includes delete-recovery-point) to delete the recovery points:

$ aws backup list-recovery-points-by-backup-vault  --backup-vault-name VAULT_NAME --region REGION_ID --output json --query 'RecoveryPoints[?Status == `EXPIRED`].[RecoveryPointArn]' | jq -r '.[] | "--recovery-point-arn '\\\"'" + .[0] + "'\\\"'" + .[1]' |  xargs --verbose -L1 aws backup delete-recovery-point --backup-vault-name VAULT_NAME --region REGION_ID
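
As a review step before running the concatenated delete command above, the following added example (not part of the original article and not an AWS tool) reads saved JSON output of list-recovery-points-by-backup-vault and builds the delete-recovery-point commands without calling AWS. It goes beyond the article's filter by also requiring the ResourceType field to be EC2; the sample listing and the plan_deletions function name are constructed for illustration.

```python
import json
import shlex

# Constructed sample shaped like the JSON printed by
# `aws backup list-recovery-points-by-backup-vault --output json`.
SAMPLE_LISTING = """
{"RecoveryPoints": [
  {"RecoveryPointArn": "arn:aws:ec2:us-east-1::image/ami-0aaaaaaaaaaaaaaa1",
   "ResourceType": "EC2", "Status": "EXPIRED"},
  {"RecoveryPointArn": "arn:aws:ec2:us-east-1::image/ami-0bbbbbbbbbbbbbbb2",
   "ResourceType": "EC2", "Status": "COMPLETED"},
  {"RecoveryPointArn": "arn:aws:ec2:us-east-1::snapshot/snap-0ccccccccccccccc3",
   "ResourceType": "EBS", "Status": "EXPIRED"}
]}
"""


def plan_deletions(listing_json, vault_name, region):
    """Split a listing into delete commands and skipped recovery points.

    Only EXPIRED recovery points of resource type EC2 are planned; every
    other entry is returned with the reason it was left alone.
    """
    plan, skipped = [], []
    for point in json.loads(listing_json).get("RecoveryPoints", []):
        arn = point.get("RecoveryPointArn", "")
        if point.get("Status") != "EXPIRED":
            skipped.append((arn, "status is %s" % point.get("Status")))
        elif point.get("ResourceType") != "EC2":
            skipped.append((arn, "resource type is %s" % point.get("ResourceType")))
        else:
            plan.append(shlex.join([
                "aws", "backup", "delete-recovery-point",
                "--backup-vault-name", vault_name,
                "--region", region,
                "--recovery-point-arn", arn,
            ]))
    return plan, skipped


if __name__ == "__main__":
    # VAULT_NAME and REGION_ID are the article's placeholders.
    commands, skipped = plan_deletions(SAMPLE_LISTING, "VAULT_NAME", "REGION_ID")
    for command in commands:
        print(command)
    for arn, reason in skipped:
        print("# skipped %s (%s)" % (arn, reason))
```

Compare the printed commands and the skipped entries against the vault contents before you run the bulk delete.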
AWS OFFICIAL
Updated 10 months ago