Why is my recovery point in the expired status in AWS Backup?


I want to know why my recovery point is expired and how to delete expired recovery points in AWS Backup.

Resolution

AWS Backup saves recovery points in the backup vaults with the following statuses:

  • Completed: The backup job created the recovery point in the vault successfully.
  • Expired: The recovery point has passed its retention period, but the AWS Backup lifecycle rule wasn't able to delete it.

Why recovery points expire

A recovery point moves to the Expired status when, at the time the lifecycle runs, the AWS Identity and Access Management (IAM) role that originally created the recovery point has been deleted, or that role is missing the permissions required to delete the recovery point.

The lifecycle attempts to delete the recovery point only once. If that attempt fails, AWS Backup doesn't retry, so you must delete expired recovery points manually.

Delete expired recovery points using the console

To manually delete expired recovery points using the console, complete the following steps:

  1. Open the AWS Backup console.
  2. In the navigation pane, choose Backup vaults.
  3. For Status, choose Expired.
  4. Select all the expired recovery points.
  5. Choose Actions, and then choose Delete.

Delete expired recovery points using the AWS CLI

Note: When running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent AWS CLI version.

To manually delete a single recovery point in your vault using the AWS CLI, run the following example command:

aws backup delete-recovery-point --backup-vault-name <value> --recovery-point-arn <value>

To manually delete multiple recovery points in your vault using the AWS CLI, first run the list-recovery-points-by-backup-vault command to list the expired recovery points (the jq filter formats each ARN as a --recovery-point-arn argument):

$ aws backup list-recovery-points-by-backup-vault  --backup-vault-name VAULT_NAME --region REGION_ID --output json --query 'RecoveryPoints[?Status == `EXPIRED`].[RecoveryPointArn]' | jq -r '.[] | "--recovery-point-arn '\\\"'" + .[0] + "'\\\"'" + .[1]'

Then, run the following concatenated command (which includes delete-recovery-point) to delete the recovery points:

$ aws backup list-recovery-points-by-backup-vault  --backup-vault-name VAULT_NAME --region REGION_ID --output json --query 'RecoveryPoints[?Status == `EXPIRED`].[RecoveryPointArn]' | jq -r '.[] | "--recovery-point-arn '\\\"'" + .[0] + "'\\\"'" + .[1]' |  xargs --verbose -L1 aws backup delete-recovery-point --backup-vault-name VAULT_NAME --region REGION_ID
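The one-liner above deletes everything the query returns and reports nothing about failures. The following Python example (added here; it is not AWS sample code) does the same cleanup with boto3 while paging through the vault, supporting a dry run, and recording each recovery point that couldn't be deleted together with the error, which is what you want to see when the caller itself lacks permissions. The FakeBackupClient, the vault name "Default", and the snapshot ARNs are constructed so the logic runs offline; boto3 is assumed to be installed only when you call real_backup_client.

```python
"""Delete EXPIRED recovery points from an AWS Backup vault and report failures.

Added example, not AWS's own code. The real AWS calls used are
ListRecoveryPointsByBackupVault and DeleteRecoveryPoint; everything in
FakeBackupClient and SAMPLE_PAGES is constructed test data.
"""
from dataclasses import dataclass, field


@dataclass
class DeleteReport:
    deleted: list = field(default_factory=list)
    skipped: list = field(default_factory=list)   # only filled during a dry run
    failed: dict = field(default_factory=dict)    # ARN -> error text


def list_expired_recovery_points(client, vault_name):
    """Page through the vault (NextToken) and return the ARNs with Status EXPIRED."""
    arns = []
    kwargs = {"BackupVaultName": vault_name}
    while True:
        page = client.list_recovery_points_by_backup_vault(**kwargs)
        for rp in page.get("RecoveryPoints", []):
            if rp.get("Status") == "EXPIRED":
                arns.append(rp["RecoveryPointArn"])
        token = page.get("NextToken")
        if not token:
            return arns
        kwargs["NextToken"] = token


def _error_text(exc):
    """botocore ClientError carries the AWS error code in exc.response; fall back to str()."""
    response = getattr(exc, "response", None) or {}
    code = response.get("Error", {}).get("Code")
    return f"{code}: {exc}" if code else str(exc)


def delete_expired_recovery_points(client, vault_name, dry_run=True):
    """Delete each EXPIRED recovery point; a failure on one ARN doesn't stop the others."""
    report = DeleteReport()
    for arn in list_expired_recovery_points(client, vault_name):
        if dry_run:
            report.skipped.append(arn)
            continue
        try:
            client.delete_recovery_point(BackupVaultName=vault_name, RecoveryPointArn=arn)
            report.deleted.append(arn)
        except Exception as exc:  # ClientError in practice (e.g. AccessDeniedException)
            report.failed[arn] = _error_text(exc)
    return report


def real_backup_client(region):
    """Build the real client; imported lazily so the offline demo needs no boto3."""
    import boto3  # assumption: boto3 is installed in the environment that runs this
    return boto3.client("backup", region_name=region)


# ---- constructed offline stand-in -------------------------------------------
SNAP1 = "arn:aws:ec2:us-east-1::snapshot/snap-0000000000000001"  # constructed
SNAP2 = "arn:aws:ec2:us-east-1::snapshot/snap-0000000000000002"  # constructed
SNAP3 = "arn:aws:ec2:us-east-1::snapshot/snap-0000000000000003"  # constructed

SAMPLE_PAGES = [  # two API pages, as the real service would return with NextToken
    {"RecoveryPoints": [{"RecoveryPointArn": SNAP1, "Status": "EXPIRED"},
                        {"RecoveryPointArn": SNAP2, "Status": "COMPLETED"}]},
    {"RecoveryPoints": [{"RecoveryPointArn": SNAP3, "Status": "EXPIRED"}]},
]


class FakeBackupClient:
    """Constructed stand-in for boto3.client('backup') with paging and one undeletable ARN."""

    def __init__(self, pages, undeletable=()):
        self._pages, self._undeletable, self.deleted = pages, set(undeletable), []

    def list_recovery_points_by_backup_vault(self, BackupVaultName, NextToken=None):
        idx = int(NextToken) if NextToken else 0
        page = dict(self._pages[idx])
        if idx + 1 < len(self._pages):
            page["NextToken"] = str(idx + 1)
        return page

    def delete_recovery_point(self, BackupVaultName, RecoveryPointArn):
        if RecoveryPointArn in self._undeletable:
            raise PermissionError("AccessDeniedException: not authorized to delete")
        self.deleted.append(RecoveryPointArn)
        return {}


def demo():
    """Run the cleanup against the constructed vault: SNAP1 deletes, SNAP3 is denied."""
    client = FakeBackupClient(SAMPLE_PAGES, undeletable={SNAP3})
    return delete_expired_recovery_points(client, "Default", dry_run=False)


if __name__ == "__main__":
    report = demo()
    print("deleted:", report.deleted)
    print("failed:", report.failed)
```

Run it first with dry_run=True against a real client to review the list of ARNs that would be removed, then flip the flag; the report's failed map tells you which recovery points still need a permissions fix rather than another attempt.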

How to prevent expired status for new recovery points

To prevent new recovery points from expiring, first identify the exact IAM role that created the recovery point. Then update that role with the permissions required to delete a recovery point.

If the IAM role no longer exists, first create a new IAM role with the same name. Then add the permissions that allow the role to delete backups.

Attach the following managed policies to your IAM role to delete the recovery points:

If you're using an Amazon Simple Storage Service (Amazon S3) backup, then attach the following additional required policies to your IAM role:

Related information

Using service-linked roles

AWS OFFICIAL
Updated 10 months ago