
Why don't I see objects restored into my bucket after my Amazon S3 restore job completes in AWS Backup?


I see empty or partial restores for my Amazon Simple Storage Service (Amazon S3) bucket when I restore S3 objects in AWS Backup.

Short description

Your Amazon S3 restore job might have empty or partial object restores for the following reasons:

  • The latest version of the object exists in the destination bucket.
  • You didn't restore the required noncurrent version of an object.
  • The object restores as a delete marker.
  • The object isn't in the backup.
  • You activated the Amazon S3 Block Public Access feature for the bucket that the backups restore to.

Resolution

The latest version of the object exists in the destination bucket

AWS Backup creates a backup of all your S3 object versions. However, if you don't restore additional versions during the restore initiation, then AWS Backup restores only the latest version from the version stack by default.

If you restore specific objects, then AWS Backup restores the current version of an object. If you restore to a destination S3 bucket where the latest version of an object already exists, then AWS Backup doesn't restore the object. In this case, you can restore the backup to a new bucket or another existing bucket so that the latest version isn't in the destination bucket.

You didn't restore the required noncurrent version of an object

During the restore, you can restore up to the 10 latest versions or restore all versions of the objects. If you don't select to restore noncurrent versions of the objects, then the S3 restore job restores only the latest version by default.

After the restore, it's a best practice to check whether the missing version is the noncurrent version of the object. Then, check if you restored all the required noncurrent versions. You must have all the required noncurrent versions to complete the restore configuration.

The object restores as a delete marker

When you back up an S3 bucket, the latest version of the object might be a delete marker. AWS Backup restores the delete marker of the object.

The object is a delete marker when one of the following situations is true:

  • You delete an object and don't specify the version ID.
  • You configure a lifecycle in a versioning-enabled bucket.

To manage delete markers, complete the following steps:

  1. List the objects in a versioning-enabled bucket to determine whether AWS Backup restored the objects as delete markers.
    Note: For more information about S3 resource backups, see Considerations for Amazon S3 backups.
  2. Remove the delete markers.
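
The two steps above as an added Python example (not code from AWS): it takes `list_object_versions` response pages, finds every key whose current version is a delete marker, and builds the `Delete` arguments for `delete_objects`. The function names and the sample page are constructed for illustration; the code handles stacked delete markers and skips keys that have no data version underneath.

```python
from collections import defaultdict
from datetime import datetime, timezone

def plan_marker_removal(pages):
    """Map each key whose current version is a delete marker to the marker
    version IDs to remove and the data version that then becomes current.
    `pages` is an iterable of list_object_versions responses."""
    stacks = defaultdict(list)  # key -> [(LastModified, is_marker, VersionId)]
    for page in pages:
        for v in page.get("Versions", []):
            stacks[v["Key"]].append((v["LastModified"], False, v["VersionId"]))
        for m in page.get("DeleteMarkers", []):
            stacks[m["Key"]].append((m["LastModified"], True, m["VersionId"]))
    plan = {}
    for key, stack in stacks.items():
        stack.sort(key=lambda e: e[0], reverse=True)  # newest first
        if not stack[0][1]:
            continue  # current version is real data, nothing to do
        markers, current = [], None
        for _, is_marker, vid in stack:
            if not is_marker:
                current = vid  # first data version under the markers
                break
            markers.append(vid)  # delete markers can be stacked
        plan[key] = {"remove": markers, "becomes_current": current}
    return plan

def delete_payloads(plan, batch=1000):
    """Build Delete= arguments for delete_objects (at most 1,000 keys each).
    Keys with no data version are skipped: removing markers restores nothing."""
    objs = [{"Key": k, "VersionId": v}
            for k, p in plan.items() if p["becomes_current"]
            for v in p["remove"]]
    return [{"Objects": objs[i:i + batch], "Quiet": True}
            for i in range(0, len(objs), batch)]

def _day(d):  # constructed timestamps
    return datetime(2024, 5, d, tzinfo=timezone.utc)

# Constructed sample shaped like one list_object_versions page.
SAMPLE_PAGES = [{
    "Versions": [
        {"Key": "reports/q1.csv", "VersionId": "v1", "LastModified": _day(1)},
        {"Key": "logo.png", "VersionId": "v7", "LastModified": _day(2)}],
    "DeleteMarkers": [
        {"Key": "reports/q1.csv", "VersionId": "m2", "LastModified": _day(3)},
        {"Key": "reports/q1.csv", "VersionId": "m3", "LastModified": _day(4)},
        {"Key": "tmp/old.txt", "VersionId": "m9", "LastModified": _day(5)}],
}]
```

Deleting a specific version ID requires the `s3:DeleteObjectVersion` permission and is permanent, so review the plan before you pass each payload to `delete_objects`.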

The object isn't in the backup

The following are reasons why an object isn't in the backup.

The object isn't in the bucket when the backup initiates

To verify whether the object is in the source bucket, compare the creation date of the object's latest version with the backup job creation date. To check whether a previous version of the object exists when the backup job initiates, list the objects in a versioning-enabled bucket. If the creation timestamp of the version that you want to restore is after the backup job's creation timestamp, then the object isn't in the backup.

To resolve this issue, use a recovery point or point-in-time recovery (PITR) of a later date. Also, make sure that the object version in the backup is the latest version.

Note: AWS Backup restores the object version as the latest version in the S3 bucket at the time when you create the backup.

AWS Backup can't access the object or restore the object because of missing or incorrect permissions

When AWS Backup can't copy objects because of permissions issues, AWS Backup for Amazon S3 doesn't fail the backup. To resolve this issue, use the AWSBackupServiceRolePolicyForS3Restore policy that has the required permissions to complete a restore.

Also, make sure that there isn't an explicit or implicit deny for the required permissions to back up objects in the following policies:

  • S3 bucket policy
  • AWS Identity and Access Management (IAM) policy
  • AWS Organizations service control policy
  • AWS Key Management Service (AWS KMS) key policy
    Note: To allow IAM policies in your key policy, add the default key policy statement.
  • IAM permissions boundaries

The object is in an archival storage class of Amazon S3

AWS Backup doesn't support the archival storage classes of Amazon S3.

If your object is in one of the following storage classes, then AWS Backup doesn't back up the object:

  • Amazon S3 Glacier
  • Amazon S3 Glacier Flexible Retrieval
  • Amazon S3 Glacier Deep Archive
  • Any archival tier of Amazon S3 Intelligent-Tiering storage class

S3 backups let you back up the objects that are stored in only the following storage classes:

  • Amazon S3 Standard
  • Amazon S3 Standard-Infrequent Access (S3 Standard-IA)
  • Amazon S3 Intelligent-Tiering
  • Amazon S3 One Zone-IA
  • Amazon S3 Glacier Instant Retrieval

A different account uploaded the object

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Take one of the following actions in the AWS account that uploaded the object:

  • Change the object access control list (ACL) for the uploaded object. The uploader account must provide the bucket owner with full control of the ACL. For more information, see put-object-acl.
  • Run the cp or put-object command to upload the object again, and then specify the canned ACL for bucket owner full control. The uploader account must also specify the --acl flag as bucket-owner-full-control.

You activated the Amazon S3 Block Public Access feature

If you attached ACLs to the objects that you back up from the source bucket, then you must allow public ACLs in the restore bucket.

If you activated the Amazon S3 Block Public Access feature for the restored bucket, then you get an "Access Denied" error for the restore. AWS Backup doesn't restore these objects. There might be a difference in the number of restored objects or an empty restore. AWS Backup skips objects that it can't restore and continues with the job. AWS Backup marks the job as Complete and doesn't fail the job.

To resolve this issue, complete the following steps:

  1. Create a new bucket on the Amazon S3 console.
  2. Modify the block public access settings to allow the use of public ACLs.
  3. Restore your objects.

Note: You can use an event notification to notify you of an S3 object that AWS Backup failed to restore during a restore job. For example, you can use the S3_RESTORE_OBJECT_FAILED event notification.
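
A pre-restore check for the Block Public Access condition described above, as an added Python example (not code from AWS). It takes the `PublicAccessBlockConfiguration` dictionaries that `get_public_access_block` returns for the bucket and for the account, and assumes, from the S3 Block Public Access semantics, that `BlockPublicAcls` is the setting that rejects writes carrying a public ACL. The function names and sample configurations are constructed.

```python
FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
         "BlockPublicPolicy", "RestrictPublicBuckets")

def effective_bpa(bucket_cfg, account_cfg):
    """S3 applies the most restrictive combination of the bucket-level and
    account-level settings. A missing configuration (None) is all False."""
    return {f: bool((bucket_cfg or {}).get(f)) or bool((account_cfg or {}).get(f))
            for f in FLAGS}

def restore_precheck(bucket_cfg, account_cfg=None):
    """Report whether public-ACL writes to the restore bucket are rejected,
    at which level, and what exposure remains once they are allowed."""
    eff = effective_bpa(bucket_cfg, account_cfg)
    levels = (("bucket", bucket_cfg), ("account", account_cfg))
    return {
        # True means objects that carry public ACLs are skipped by the restore.
        "public_acl_writes_rejected": eff["BlockPublicAcls"],
        # An account-level block overrides a relaxed bucket-level setting.
        "blocked_at": [n for n, c in levels if (c or {}).get("BlockPublicAcls")],
        # True means restored public ACLs actually grant public access.
        "public_acls_honored": not eff["IgnorePublicAcls"],
        # Settings that stay in force besides BlockPublicAcls.
        "still_enforced": [f for f in FLAGS[1:] if eff[f]],
    }

# Constructed sample configurations.
ALL_ON = dict.fromkeys(FLAGS, True)              # default for a new bucket
RELAXED = {**ALL_ON, "BlockPublicAcls": False}   # only ACL writes allowed
WIDE_OPEN = dict.fromkeys(FLAGS, False)

if __name__ == "__main__":
    print(restore_precheck(RELAXED, ALL_ON))   # account level still blocks
    print(restore_precheck(RELAXED))           # restore can write the ACLs
    print(restore_precheck(WIDE_OPEN))         # ACLs written and honored
```

A `blocked_at` value of `["account"]` means that changing only the bucket's settings leaves the restore skipping the same objects.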

AWS OFFICIAL
Updated 5 months ago
4 Comments

@AWS, Do you have any official documentation [Within AWS Backup Docs] which can be leveraged for customer reference on this issue?

replied 3 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
EXPERT
replied 3 years ago

@AWS I have an S3 BUCKET which is publicly accessible, it has a bucket policy which allows everyone to s3:GetObject and ACL permissions with bucket ownership. When I use AWS BACKUP to back up that S3 Bucket and restore from the restore point, it has far fewer objects in it; the source bucket had more than 500 objects but the destination (newly created bucket from backup console with 'create new bucket' restore option) has only 22 objects.

Also @AWS, can you please explain the below section in a simplified way please?

You have Block Public Access settings turned on

If public access control lists (ACLs) are attached to the objects that are backed up from the source bucket, then the bucket you restore must allow the use of public ACLs.

If the Block Public Access feature is activated for the restored bucket, then you get an Access Denied error for the restore. AWS Backup doesn't restore these objects. You might see a difference in the number of restored objects or an empty restore. AWS Backup skips objects that it can't restore and continues with the job. AWS Backup marks the job as Complete and doesn't fail the job.

To prevent this from happening, create a new bucket from the Amazon S3 console. Modify the Block Public Access settings to allow the use of public ACLs, and then restore your objects.

replied 3 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
EXPERT
replied 3 years ago