How do I delete recovery points that are under a legal hold or stored in a locked backup vault for AWS Backup?

I want to delete recovery points that are under a legal hold or stored in a locked backup vault for AWS Backup.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Delete recovery points under a legal hold

If the recovery point is under a legal hold and you try to delete the recovery point, then you receive the following error message:

"The recovery point cannot be deleted because it has active legal hold(s)"

When the recovery point is in a legal hold, you can't delete it. AWS Backup continues to protect backups under a legal hold beyond their original lifecycle and retention policies. To resolve this issue, you must explicitly release the hold.

Important: To release a legal hold, your AWS Identity and Access Management (IAM) policy must have the CancelLegalHold permission.

Use either the AWS Backup console or the AWS CLI to explicitly release the legal hold.

AWS Backup console

Complete the following steps:

  1. Open the AWS Backup console.
  2. In the navigation pane, choose Legal holds.
  3. In the Legal holds section, select the hold that you want to release.
  4. Choose Release hold.
  5. In the Release details section, for Description for release, enter the reason why you want to release the hold.
  6. Choose Release hold.
  7. In the Release hold dialogue box, enter confirm in the text box.
  8. Select I acknowledge the release of this legal hold, and then choose Confirm.
  9. Delete the recovery points from the backup vault.

AWS CLI

Complete the following steps:

  1. To release the legal hold, run the following cancel-legal-hold command:

    aws backup cancel-legal-hold --legal-hold-id your_legal_hold_id --cancel-description "your_release_description"

    Note: Replace your_legal_hold_id with the legal hold ID and your_release_description with the reason why you're releasing the legal hold.

  2. Delete the recovery points from the backup vault.

Delete recovery points in a locked backup vault

If you try to delete a recovery point that's stored in a locked backup vault, then you receive the following error message:

"RecoveryPoint cannot be deleted or updated (Backup vault configured with Lock)"

Important: If you have the DeleteBackupVaultLockConfiguration permission, then you can remove a vault lock that's in governance mode at any time. However, you can't modify or delete a vault lock that's in compliance mode after grace time is over. For more information, see Vault lock modes.

Use either the AWS Backup console or the AWS CLI to delete the vault lock.

AWS Backup console

Complete the following steps:

  1. Open the AWS Backup console.
  2. In the navigation pane, under My account, choose Backup vault locks.
  3. Select the vault that you want to remove, and then choose Manage vault lock.
  4. Choose Delete vault lock.
  5. In the Delete vault lock dialogue box, enter confirm in the text box, and then choose Confirm.
  6. Delete the recovery points from the backup vault.

AWS CLI

Complete the following steps:

  1. To delete the vault lock, run the following delete-backup-vault-lock-configuration command:

    aws backup delete-backup-vault-lock-configuration --backup-vault-name your_vault_name

    Note: Replace your_vault_name with the name of your backup vault.

  2. Delete the recovery points from the backup vault.

Important: AWS Backup can delete backups that are in the backup vault only after the backup reaches the retention period that you specified in your backup plan.
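A pre-flight check for the vault lock step, as an added example that is not AWS's own code: it classifies a DescribeBackupVault response by lock mode to tell whether the lock can still be deleted. It assumes that a governance mode lock reports Locked with no LockDate and that a compliance mode lock carries the LockDate at which grace time ends; the vault names and dates are constructed.

```python
from datetime import datetime, timezone

def lock_state(vault, now=None):
    """Classify a DescribeBackupVault response (dict) by vault lock mode."""
    now = now or datetime.now(timezone.utc)
    if not vault.get("Locked"):
        return "unlocked"
    lock_date = vault.get("LockDate")
    if lock_date is None:
        return "governance"  # assumption: Locked without LockDate = governance mode
    if isinstance(lock_date, str):  # AWS CLI JSON gives ISO 8601 text, boto3 a datetime
        lock_date = datetime.fromisoformat(lock_date.replace("Z", "+00:00"))
    if lock_date.tzinfo is None:
        lock_date = lock_date.replace(tzinfo=timezone.utc)
    # Before LockDate the compliance lock is still in grace time and removable.
    return "compliance-grace" if now < lock_date else "compliance-immutable"

NEXT_STEP = {
    "unlocked": "no vault lock; delete the recovery points",
    "governance": "run delete-backup-vault-lock-configuration "
                  "(needs DeleteBackupVaultLockConfiguration)",
    "compliance-grace": "lock can be deleted only until LockDate",
    "compliance-immutable": "lock cannot be modified or deleted; "
                            "recovery points go only after retention ends",
}

def next_step(vault, now=None):
    return NEXT_STEP[lock_state(vault, now)]

def fetch_vault(name):
    """Live lookup; requires boto3 and AWS credentials (not used by the samples)."""
    import boto3
    return boto3.client("backup").describe_backup_vault(BackupVaultName=name)

# Constructed sample responses, trimmed to the fields the check reads.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLES = [
    {"BackupVaultName": "example-open", "Locked": False},
    {"BackupVaultName": "example-gov", "Locked": True, "MinRetentionDays": 7},
    {"BackupVaultName": "example-grace", "Locked": True,
     "LockDate": "2025-01-18T00:00:00+00:00"},
    {"BackupVaultName": "example-worm", "Locked": True,
     "LockDate": datetime(2024, 6, 1, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    for v in SAMPLES:
        print(f'{v["BackupVaultName"]}: {lock_state(v, NOW)} -> {next_step(v, NOW)}')
```
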

Related information

How is a legal hold different from AWS Backup Vault Lock?

AWS OFFICIAL | Updated a month ago