How do I troubleshoot Amazon EC2 VSS failures in AWS Backup?
My Amazon Elastic Compute Cloud (Amazon EC2) Volume Shadow Copy Service (VSS) backup jobs fail. I want to know how to troubleshoot VSS failures in AWS Backup.
Short description
The following are the most common reasons why a VSS backup job might fail:
- You didn't complete the prerequisites for Amazon EC2 VSS backups.
- The Amazon EC2 instance size isn't supported for VSS backups.
- The Amazon EC2 instance isn't associated with AWS Systems Manager.
- AWS Systems Manager Agent (SSM Agent) isn't running on the Amazon EC2 instance.
- You didn't use Systems Manager to install the VSS components on the Amazon EC2 instance.
- The instance profile role has missing or incorrect permissions.
- The backup role for your backup plan or on-demand backup has missing or incorrect permissions.
- The Amazon EC2 instance is stopped.
Resolution
You didn't complete the prerequisites for Amazon EC2 VSS backups
To take VSS-activated snapshots for EC2 instances, first complete the prerequisites.
If you don't complete certain prerequisites, then errors might occur when you use AWS Backup for VSS backups.
Note: If VSS fails, then AWS Backup still tries to take a regular backup of the EC2 instance.
The Amazon EC2 instance size isn't supported for VSS backups
You must use a supported instance size for VSS backups. If you use an unsupported Amazon EC2 instance, then your backups might fail. In this case, you might not receive an error.
The Amazon EC2 instance isn't associated with Systems Manager
To verify that your Amazon EC2 instance is associated with Systems Manager, run the following AWS Command Line Interface (AWS CLI) command:
Note: If you receive errors when running AWS CLI commands, then confirm that you're running a recent version of the AWS CLI. Replace <instance id> with your instance's ID.
aws ssm describe-instance-associations-status --instance-id <instance-id>
The following is an example output for the preceding command:
{ "AssociationId": "f15c5183-b2f6-4c34-8b4a-460b054dee41", "Name": "AWSSupportPatchwork-1.0.200850.0-CreateAndAttachIAMToInstances", "DocumentVersion": "1", "AssociationVersion": "1", "InstanceId": "i-08d16a1648bba38ff", "ExecutionDate": "2023-04-25T03:01:44-05:00", "Status": "Success", "DetailedStatus": "Success", "AssociationName": "AWSSupportPatchwork-1.0.200850.0-OnboardInstanceToSSM" }
SSM Agent isn't running on the Amazon EC2 instance
To verify that your SSM Agent is running, run the following PowerShell command:
Get-Service AmazonSSMAgent
The following is an example output for the preceding command:
Status Name DisplayName ------ ---- ----------- Running AmazonSSMAgent Amazon SSM Agent
If SSM Agent isn't running, then run the following PowerShell command to start SSM Agent:
Start-Service AmazonSSMAgent
If there's no output from the Start-Service AmazonSSMAgent command, then SSM Agent is started. After running the Start-Service AmazonSSMAgent command, you can rerun the Get-Service AmazonSSMAgent command to verify that it's running.
You didn't use Systems Manager to install VSS components on the Amazon EC2 instance
To install VSS components, see Download and install VSS components to the Windows on EC2 instance.
The instance profile role has missing or incorrect permissions
To verify that you have the correct permissions on the instance profile role, see Create an IAM role for VSS-activated snapshots. You must also attach the AWS managed policy AmazonSSMManagedInstanceCore to the role.
The backup role for your backup plan has missing or incorrect permissions
Verify that your backup role has the correct permissions to take VSS-activated backups for EC2 instances. You can attach the following customer managed policy to take VSS backups:
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["ec2:CreateTags", "ec2:DeleteSnapshot"], "Resource": "arn:aws:ec2:*::snapshot/*" }, { "Effect": "Allow", "Action": ["ec2:CreateImage", "ec2:DeregisterImage"], "Resource": "*" }, { "Effect": "Allow", "Action": ["ec2:CopyImage", "ec2:CopySnapshot"], "Resource": "*" }, { "Effect": "Allow", "Action": ["ec2:CreateTags"], "Resource": "arn:aws:ec2:*:*:image/*" }, { "Effect": "Allow", "Action": ["ec2:DescribeSnapshots", "ec2:DescribeTags", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceCreditSpecifications", "ec2:DescribeNetworkInterfaces", "ec2:DescribeElasticGpus", "ec2:DescribeSpotInstanceRequests"], "Resource": "*" }, { "Effect": "Allow", "Action": ["ec2:CreateSnapshot", "ec2:DeleteSnapshot", "ec2:DescribeVolumes", "ec2:DescribeSnapshots"], "Resource": ["arn:aws:ec2:*::snapshot/*", "arn:aws:ec2:*:*:volume/*"] }, { "Action": ["tag:GetResources"], "Resource": "*", "Effect": "Allow" }, { "Effect": "Allow", "Action": ["backup:DescribeBackupVault", "backup:CopyIntoBackupVault"], "Resource": "arn:aws:backup:*:*:backup-vault:*" }, { "Effect": "Allow", "Action": ["ssm:CancelCommand", "ssm:GetCommandInvocation"], "Resource": "*" }, { "Effect": "Allow", "Action": "ssm:SendCommand", "Resource": ["arn:aws:ssm:*:*:document/AWSEC2-CreateVssSnapshot", "arn:aws:ec2:*:*:instance/*"] }] }
Amazon EC2 instance is stopped
If your Amazon EC2 instance is stopped, then you can't take a VSS backup. For more information, see Stop and start your instance.
Relevant content
- asked 2 years ago
- asked 2 years ago
- AWS OFFICIALUpdated 9 months ago
- AWS OFFICIALUpdated 8 months ago
- AWS OFFICIALUpdated 10 months ago
- AWS OFFICIALUpdated 10 months ago
