How do I migrate an Amazon RDS continuous backup recovery point from a backup vault that's locked in Compliance mode?

Short description

When you use an AWS Backup vault lock that's in Compliance mode, you or AWS can't change or delete the vault lock after the grace period ends. If you modify the rule to send backups to a different vault, then the backups continue to expire based on the current retention period. When the modified rule tries to back up to the new location, the status shows Completed with issues and the following error:

"Enabling continuous backup failed, because of the following error: PITR already configured in backup plan: arn:aws:backup:eu-west-1:123456789012:backup-plan:70a27d6a-7633-4088-940c-51a5bc76ca33 with backup vault: arn:aws:backup:eu-west-1:123456789012:backup-vault:database-10-vault-compliance-mode for DB Instance: arn:aws:rds:eu-west-1:123456789012:db:database-10"

Resolution

To migrate an Amazon RDS recovery point from a backup vault that's locked in Compliance mode, complete the following steps:

1. Create a new backup vault without the vault lock. (Optional) You can lock the vault in Governance mode to allow users with sufficient IAM permissions to remove the lock.
2. Modify the AWS RDS continuous backup rule to back up to the new vault. The continuous backup job status shows Completed with issues and an error message. The updated backup rule creates a snapshot in the new vault.

The continuous backup recovery point keeps the original expiration, and snapshots are added to the new vault. After the continuous backup recovery point in the vault that's locked in Compliance mode expires, a continuous backup recovery point is created in the new vault. The new recovery point contains PITR and a recoverable time from within the last 35 days.

Note: The recoverable time depends on the retention window that's set in the backup rule. For more information, see Backup plan options and configurations.

Related Information

AWS Backup Vault Lock

Vault lock modes