I see empty or partial restores for my Amazon Simple Storage Service (Amazon S3) bucket when I restore objects in AWS Backup.
Short description
The following are the most common reasons why an Amazon S3 restore job has empty or partial object restores:
- The latest version of the object exists in the destination bucket.
- The object restores as a delete marker.
- The object isn't in the backup.
- You have Block Public Access settings turned on for the bucket that you restore to.
Resolution
The latest version of the object exists in the destination bucket
AWS Backup creates a backup of all your Amazon S3 object versions, but restores only the latest version from the version stack. If you restore specific objects, then AWS Backup restores the current version of each object. If you restore to a bucket that already contains the latest version of an object, then AWS Backup doesn't restore that object. Instead, restore the backup to a new bucket or to another existing bucket so that the latest version isn't already in the destination bucket.
The object restores as a delete marker
When you back up an Amazon S3 bucket, the latest version of an object might be a delete marker. The latest version is a delete marker when one of the following situations is true:
- You delete an object without specifying the version ID.
- You configure a lifecycle rule in a versioning-activated bucket.
If the latest version of the object is a delete marker, then AWS Backup restores the delete marker of the object. To check whether objects are restored as delete markers, list the object versions in the versioning-activated bucket. For more information on backing up Amazon S3 resources, see Considerations for AWS Backup for Amazon S3.
The object isn't in the backup
The following are the most common reasons why an object isn't in the backup:
The object isn't in the bucket when the backup initiates
To verify whether the object is in the source bucket, compare the creation date of the object's latest version against the backup job's creation date. To see whether a previous version of the object was present when the backup job initiated, list the object versions in the versioning-activated bucket. The list shows the previous versions of the object and their corresponding creation dates. If the creation timestamp of the version that you want to restore is after the backup job's creation timestamp, then that version isn't in the backup. To resolve this issue, use a recovery point or point-in-time recovery (PITR) of a later date. Also, make sure that the object version in the backup is the latest version.
Note: AWS Backup restores the object version that's present as the latest version in the S3 bucket at the time when you create the backup.
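The two checks described above (objects whose latest version is a delete marker, and object versions that postdate the backup job) can be run over the output of `aws s3api list-object-versions`. The following is an added example, not code from the AWS article; LISTING is a constructed sample in the shape that the CLI returns, and the backup start time is assumed.

```python
"""Classify objects in a versioned S3 bucket against an AWS Backup job start time,
using `aws s3api list-object-versions` output. Added example, not from the AWS
article; LISTING is constructed sample output in the CLI's JSON shape."""
import json
from datetime import datetime

# Constructed sample (what `aws s3api list-object-versions --bucket B` returns).
LISTING = json.loads("""{
 "Versions": [
  {"Key": "reports/q1.csv", "VersionId": "v2", "IsLatest": true,  "LastModified": "2024-03-10T09:00:00Z"},
  {"Key": "reports/q1.csv", "VersionId": "v1", "IsLatest": false, "LastModified": "2024-03-01T08:00:00Z"},
  {"Key": "logs/app.log",   "VersionId": "v1", "IsLatest": false, "LastModified": "2024-02-20T12:00:00Z"},
  {"Key": "config.yaml",    "VersionId": "v1", "IsLatest": true,  "LastModified": "2024-02-15T10:00:00Z"},
  {"Key": "new/file.txt",   "VersionId": "v1", "IsLatest": true,  "LastModified": "2024-03-08T11:00:00Z"}
 ],
 "DeleteMarkers": [
  {"Key": "logs/app.log",   "VersionId": "dm1", "IsLatest": true, "LastModified": "2024-03-02T07:00:00Z"}
 ]}""")

def parse_ts(s):
    # The CLI emits ISO 8601; normalise a trailing "Z" so fromisoformat accepts it.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def diagnose(listing, backup_started_at):
    """Return {key: (status, version_id)} where status is one of:
    ok            - the version AWS Backup captured is still the bucket's latest
    older_version - the backup holds an older version; the current latest postdates the job
    delete_marker - the latest version at backup time was a delete marker, so that restores
    not_in_backup - every version of the key postdates the backup job"""
    started = parse_ts(backup_started_at)
    entries = [(v["Key"], parse_ts(v["LastModified"]), v["VersionId"], v["IsLatest"], False)
               for v in listing.get("Versions", [])]
    entries += [(d["Key"], parse_ts(d["LastModified"]), d["VersionId"], d["IsLatest"], True)
                for d in listing.get("DeleteMarkers", [])]
    captured, current = {}, {}
    for key, ts, vid, is_latest, is_dm in entries:
        if is_latest:
            current[key] = vid
        # What AWS Backup took: the newest version or marker that existed when the job started.
        if ts <= started and (key not in captured or ts > captured[key][0]):
            captured[key] = (ts, vid, is_dm)
    report = {}
    for key in sorted(current):
        if key not in captured:
            report[key] = ("not_in_backup", None)
        elif captured[key][2]:
            report[key] = ("delete_marker", captured[key][1])
        elif captured[key][1] == current[key]:
            report[key] = ("ok", captured[key][1])
        else:
            report[key] = ("older_version", captured[key][1])
    return report
```

On a real bucket, load the CLI's JSON output instead of LISTING and pass the backup job's creation time from the AWS Backup console; keys reported as `older_version` or `not_in_backup` need a later recovery point, and `delete_marker` keys restore as delete markers.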
AWS Backup can't access the object or restore the object because of missing or incorrect permissions
When objects can't be copied because of permission issues, AWS Backup for Amazon S3 doesn't fail the backup job. Make sure that your Amazon S3 restore policy for AWS Backup has the required permissions to complete a restore. For a complete list of permissions, see Customer managed policies.
Note: If you configured backup notifications, then you can choose to receive an event notification for any object that isn't backed up or restored.
Also, make sure that there isn't an explicit or implicit deny for the required permissions to back up S3 objects in the following policies:
- Amazon S3 bucket policy
- AWS Identity and Access Management (IAM) policy
- AWS Organizations policies
- AWS KMS key policy: To allow IAM policies in your key policy, add the default key policy statement. For more information, see Allows access to the AWS account and enables IAM policies.
- Policies with permissions boundaries
The object is in an archival storage class of Amazon S3
AWS Backup doesn't support the archival storage classes of Amazon S3. If your object is in one of the following storage classes, then the object isn't backed up:
- Amazon S3 Glacier
- Amazon S3 Glacier Flexible Retrieval
- Amazon S3 Glacier Deep Archive
- Any archival tier of Amazon S3 Intelligent-Tiering storage class
S3 backups can back up only objects that are stored in the following storage classes:
- Amazon S3 Standard
- Amazon S3 Standard-Infrequent Access (S3 Standard-IA)
- Amazon S3 Intelligent-Tiering
- Amazon S3 One Zone-IA
- Amazon S3 Glacier Instant Retrieval
The object was uploaded by a different AWS account
To resolve this issue, complete one of the following:
- Ask the uploader account to change the object access control list (ACL) of the uploaded object and grant the bucket owner full control. For more information, see put-object-acl.
- Ask the uploader account to upload the object again and specify the canned ACL that grants the bucket owner full control. To upload the object again, the uploader account runs a cp or put-object command and also specifies the --acl flag as bucket-owner-full-control.
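To find which objects a different account uploaded before asking that account to fix their ACLs, compare each object's owner with the bucket owner's canonical ID. The following is an added example, not code from the AWS article; LISTING is a constructed sample in the shape of `aws s3api list-objects-v2 --fetch-owner` output, and the canonical IDs are placeholders.

```python
"""Identify objects a different AWS account uploaded and build the put-object-acl
commands the uploader account must run (first option in the article). Added
example, not from the AWS article; LISTING and the IDs are constructed."""
import json
import shlex

# Constructed placeholder canonical IDs (real ones are 64-character hex strings).
BUCKET_OWNER_ID = "CONSTRUCTED-BUCKET-OWNER-CANONICAL-ID"
UPLOADER_ID = "CONSTRUCTED-UPLOADER-CANONICAL-ID"

# Constructed sample of `aws s3api list-objects-v2 --bucket B --fetch-owner`.
LISTING = json.loads(json.dumps({"Contents": [
    {"Key": "data/a.parquet", "Owner": {"ID": BUCKET_OWNER_ID}},
    {"Key": "data/b.parquet", "Owner": {"ID": UPLOADER_ID}},
    {"Key": "data/c.parquet", "Owner": {"ID": UPLOADER_ID}},
]}))

def foreign_owned_keys(listing, bucket_owner_id):
    """Keys whose object owner is not the bucket owner: these are the cross-account
    uploads that AWS Backup can't copy until the bucket owner is granted full control."""
    return [obj["Key"] for obj in listing.get("Contents", [])
            if obj.get("Owner", {}).get("ID") != bucket_owner_id]

def acl_fix_commands(bucket, keys):
    """Commands for the *uploader* account to run, one per object, granting the
    bucket owner full control via the canned ACL named in the article."""
    return [f"aws s3api put-object-acl --bucket {shlex.quote(bucket)} "
            f"--key {shlex.quote(key)} --acl bucket-owner-full-control"
            for key in keys]
```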
You have block public access settings turned on
If ACLs are attached to the objects that are backed up from the source bucket, then the bucket that you restore to must allow the use of public ACLs.
If the Block Public Access feature is activated for the restored bucket, then you get an Access Denied error for the restore. AWS Backup doesn't restore these objects. You might see a difference in the number of restored objects or an empty restore. AWS Backup skips objects that it can't restore and continues with the job. AWS Backup marks the job as Complete and doesn't fail the job.
To prevent this from happening, create a new bucket from the Amazon S3 console. Modify the block public access settings to allow the use of public ACLs, and then restore your objects.