Questions tagged with AWS Backup

I am trying to extend the retention of already made backups in FSx for Windows. AWS Backup can have unlimited retention but in the console for FSx you can only do a maximum of 90 days. For existing backups can they be copied and then categorized as a user-initiated backup and then use the Custom Backup schedule [1] extend the retention based on whats defined? Importing the Automatic backups defined in the FSx console would be ideal but I have not found a way to do this. [1] - https://docs.aws.amazon.com/fsx/latest/WindowsGuide/additional-info.html

I am trying to make an S3 Backup using AWS Backup. The error message I'm getting is (I have deliberately changed the bucket name and account number) ``` Unable to perform s3:PutBucketNotification on my-bucket-name-123 The backup job failed to create a recovery point for your resource arn:aws:s3:::my-bucket-name-123 due to missing permissions on role arn:aws:iam::123456789000:role/service-role/AWSBackupDefaultServiceRole. ``` I have attached the inline policies described in the [documentation](https://docs.aws.amazon.com/aws-backup/latest/devguide/s3-backups.html) to AWSBackupDefaultServiceRole (note: the role also contains the AWS managed policy AWSBackupServiceRolePolicyForBackup as well as the following) ``` { "Version":"2012-10-17", "Statement":[ { "Sid":"S3BucketBackupPermissions", "Action":[ "s3:GetInventoryConfiguration", "s3:PutInventoryConfiguration", "s3:ListBucketVersions", "s3:ListBucket", "s3:GetBucketVersioning", "s3:GetBucketNotification", "s3:PutBucketNotification", "s3:GetBucketLocation", "s3:GetBucketTagging" ], "Effect":"Allow", "Resource":[ "arn:aws:s3:::*" ] }, { "Sid":"S3ObjectBackupPermissions", "Action":[ "s3:GetObjectAcl", "s3:GetObject", "s3:GetObjectVersionTagging", "s3:GetObjectVersionAcl", "s3:GetObjectTagging", "s3:GetObjectVersion" ], "Effect":"Allow", "Resource":[ "arn:aws:s3:::*/*" ] }, { "Sid":"S3GlobalPermissions", "Action":[ "s3:ListAllMyBuckets" ], "Effect":"Allow", "Resource":[ "*" ] }, { "Sid":"KMSBackupPermissions", "Action":[ "kms:Decrypt", "kms:DescribeKey" ], "Effect":"Allow", "Resource":"*", "Condition":{ "StringLike":{ "kms:ViaService":"s3.*.amazonaws.com" } } }, { "Sid":"EventsPermissions", "Action":[ "events:DescribeRule", "events:EnableRule", "events:PutRule", "events:DeleteRule", "events:PutTargets", "events:RemoveTargets", "events:ListTargetsByRule", "events:DisableRule" ], "Effect":"Allow", "Resource":"arn:aws:events:*:*:rule/AwsBackupManagedRule*" }, { "Sid":"EventsMetricsGlobalPermissions", "Action":[ "cloudwatch:GetMetricData", "events:ListRules" ], "Effect":"Allow", "Resource":"*" } ] } ``` This to me, looks correct and it not should be giving that error. Is there a bug? Or is there a step which is not described in the documentation? I would really appreciate some help. Many thanks ``` ```

Hi everyone! I'd like to understand better the billing composition regardless of AWS Backup on DynamoDB resources since I got an unexpected increase in my billing. I'm aware of AWS Backup billing itself thanks to the [documentation](https://aws.amazon.com/backup/pricing/), anyway, when I access the Billing service I can notice an exponential billing pricing in DynamoDB service, on the section `Amazon DynamoDB USE1-TimedBackupStorage-ByteHrs` the description allows me to see that I'll be paying $0.10 per GB-month of storage used for on-demand backup, showing me that I've used 14,247.295 GB-Month (This makes sense with the billing I got) but where my doubt comes from is, **where does all those GB come from?** The last snapshot-size just shows 175.5 GB I've configured my backup plan with the following parameters: ``` { "ruleName": "hourly-basis", "scheduleExpression": "cron(0 * ? * * *)", "startWindowMinutes": 60, "completionWindowMinutes": 180, "lifecycle": { "toDeletedAfterDays": 30 } } ``` I'm also copying snapshots into a second region on `us-west-2` As you can see, I'm handling a schedule expression on an hourly basis backup because of compliance requirements. *Is this enough justification for the high billing?* I'm aware that backups with low RPO are commonly expensive but I just want to be sure that this billing is not higher than it should be because of any wrong Backup configuration. Thanks in advance!

I configured AWS Backup in CDK to enable continuous backups for s3 buckets with this configuration : - backup rule : with `enableContinuousBackup: true` and `deleteAfter 35 days` - backup selection : with `resources` array having the ARN of the bucket directly set and roles setup following the docs of aws : https://docs.aws.amazon.com/aws-backup/latest/devguide/s3-backups.html Later I deleted the stack in CDK and ,as expected, all the resources were deleted except for the vault that was orphaned. The problem happens when trying to delete the recovery points inside the vault, I get back the status as `Expired` with a message `Insufficient permission to delete recovery point`. - I am logged in as a user with AdministratorAccess - I changed the access policy of the vault to allow anyone to delete the vault / recovery point - even when logged as the root of the account, I still get the same message. --- - For reference, this is aws managed policy attached to my user : `AdministratorAccess` , it Allows (325 of 325 services) including AWS Backup obviously. - Here's the vault access policy that I set : ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": [ "backup:DeleteBackupVault", "backup:DeleteBackupVaultAccessPolicy", "backup:DeleteRecoveryPoint", "backup:StartCopyJob", "backup:StartRestoreJob", "backup:UpdateRecoveryPointLifecycle" ], "Resource": "*" } ] } ``` Any ideas what I'm missing here ? **Update ** : - A full week after creating the backup recovery point, and still unable to delete it. - I tried deleting it from the AWS CLI but no luck. - I tried suspending the versioning for the bucket in question and tried, but no luck too.

Hi Everyone, Hope you're well and safe. I have question in regards the AWS Backup task shown as Completed but with Warning as "Windows VSS Backup attempt failed because either Instance or SSM Agent has invalid state or insufficient privileges." Can someone please advise on how to fix the warning? Thanks

Backup Job has a status of Completed, with the following warning. `Continuous Backup enable failed due to PITR already configured in backup plan: arn:aws:backup:us-west-1:xxxxxxxxxxxxxx:backup-plan:xxxxxx-xxxx-xxxx-xxxx-464cba39235e` This RDS resource backup was moved from another vault, onto a new backup plan. I thought the issue was the old backup plan still existed (it was unused), so I deleted it "xxxxxx-xxxx-xxxx-xxxx-464cba39235e". A week later, and I'm still getting the above. Via the cli, I see there are versions of that old backup plan, but they are all tagged with a DeletionDate. I see no way to do a permanent removal of the backup plan versions. Aside from maybe deleting the old vault, which I cannot do, since we need to retain those backups. This all started as we needed to move to a new unlocked vault to extend the retention period. Any idea?

Hi experts, We are designing to deploy a BI application in AWS. We have a default setting to repave the ec2 instance every 14 days which means it will rebuild the whole cluster instances with services and bring back it to last known good state. We want to have a solution with no/minimal downtime. The application has different services provisioned on different ec2 instances. First server will be like a main node and rest are additional nodes with different services running on them. We install all additional nodes same way but configure services later in the code deploy. 1. Can we use asg? If yes, how can we distribute the topology? Which mean out of 5 instances, if one server repaves, then that server should come up with the same services as the previous one. Is there a way to label in asg saying that this server should configure as certain service? 1. Each server should have its own ebs volume and stores some data in it. - what is the fastest way to copy or attach the ebs volume to new repaves server without downtime? 2. For shared data we want to use EFS 3. for metadata from embedded Postgres - we need to take a backup periodically and restore after repave(create new instance with install and same service) - how can we achieve this without downtime? We do not want to use customized AMI as we have a big process for ami creation and we often need to change it if we want to add install and config in it. Sorry if this is a lot to answers. Some guidance is helpful.

Hi Fellows, I have a question that is making me noise: where does AWS Backup store the EC2/RDS snapshoots it runs? that is, where the AWS Backup physically stores that data tnks a lot in advance for your anwser!

I am having issues setting up the required IAM access for cross account backups. As I understand the requirements there are four places to configure IAM access: Source Account (management account) Backup Vault Source Account (management account) Resource Assignment Target Account Backup Vault Target Account IAM access role From the AWS Backup Developer Guide p162 I understand that the IAM roles in the Source and Target accounts, Backup Vaults, and the Backup Vault permissions need to match. I have the following configured: Source Account Backup Vault Access – “Allow Access to Backup Vault from Organisation” Source Account Resource Assignment – Role with default policy called “AWSBackupOrganizationAdminAccess” Target Account Backup Vault Access - “Allow Access to Backup Vault from Organisation” Target Account IAM access role - Role with default policy called “AWSBackupOrganizationAdminAccess” I have followed the setup guide to enable cross account backups for my AWS organization. When I run a backup job for an EC2 server in the target account I get the following error: Your backup job failed as AWS Backup does not have permission to describe resource <aws ec2 arn> I assume that somewhere I do not have the IAM access configured correctly. As there are four places where I can configure IAM access how do I track down where the issue is?

I'm trying to start a backup job from a step function, but getting a Backup.BackupException, with this message: > Insufficient privileges to perform this action. (Service: Backup, Status Code: 403, Request ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) My state is very simple ($.table is the ARN of a dynamoDB table): "StartBackupJob": { "Type": "Task", "Parameters": { "BackupVaultName": "my-vault", "IamRoleArn": "arn:aws:iam::xxxxxxxxxxxx:role/aws-service-role/backup.amazonaws.com/AWSServiceRoleForBackup", "ResourceArn": "$.table" }, "Resource": "arn:aws:states:::aws-sdk:backup:startBackupJob", "End": true } I even get this when the IAM role for the step function has full permissions. Also, if I assume this role, and use it to start a backup job from the AWS CLI with the same exact parameters, it succeeds. Any idea what I'm doing wrong?

Hi team, i have configured the AWSSQLSERVER-DBCC automation on EC2 instance for SQL server 2019 and in automation 3rd step completed i.e. DBCC command completed but last step keep running and looks that command(InstallPowerShellOnLinux) will run on linux machine only but my machine is Windows 2019 OS. can some one helps me for understanding about this step. Error: A positional parameter cannot be found that accepts argument \u0027$null\u0027

Hi, I have an existing AWS Backup setup for Aurora, which I created via the console UI. I have now put together a cloudformation template for that which I'd like to import - I'm following through the import with existing resources wizard, but hitting an error I'm unable to understand. After selecting the new template I am asked to enter on the UI AWS::Backup::BackupVault - BackupVaultName AWS::Backup::BackupPlan - BackupPlanId AWS::Backup::BackupSelection - Id On entering these value and then hitting next a few times to get to the final screen. It will load for a few moments calculating the change set and then say "Backup Plan ID and Selection ID must be provided" Although I do enter those values during the wizard. Any suggestions? Thanks Template below - This work all as expected if the Backup Plan does not currently exist ``` AWSTemplateFormatVersion: 2010-09-09 Description: >- Create RDS Backup Parameters: OnlyCreateVault: Description: This is for the DR region. Only other required parameters are Environment and CostAllocation Type: String Default: false AllowedValues: [true, false] DestinationBackupVaultArn: Type: String ResourceSelectionIamRoleArn: Type: String ResourceSelectionArn: Description: Comma separated list of resource ARNs Type: String CostAllocation: Type: String AllowedValues: - 'Dev' - 'Demo' - 'Test' - 'Live' Environment: Type: String AllowedValues: - 'develop' - 'testing' - 'testenv' - 'demo' - 'live' - 'dr' Conditions: CreateAllResources: !Equals [!Ref OnlyCreateVault, false] Resources: Vault: Type: AWS::Backup::BackupVault DeletionPolicy: Delete Properties: BackupVaultName: !Sub backup-vault-${Environment}-rds-1 BackupVaultTags: CostAllocation: !Ref CostAllocation Plan: Condition: CreateAllResources Type: AWS::Backup::BackupPlan DeletionPolicy: Delete Properties: BackupPlan: BackupPlanName: !Sub backup-plan-${Environment}-rds-1 BackupPlanRule: - RuleName: !Sub backup-rule-${Environment}-daily-1 CompletionWindowMinutes: 720 CopyActions: - DestinationBackupVaultArn: !Ref DestinationBackupVaultArn Lifecycle: DeleteAfterDays: 7 EnableContinuousBackup: true Lifecycle: DeleteAfterDays: 35 StartWindowMinutes: 120 ScheduleExpression: cron(0 1 ? * * *) TargetBackupVault: !Sub backup-vault-${Environment}-rds-1 - RuleName: !Sub backup-rule-${Environment}-weekly-1 CompletionWindowMinutes: 720 CopyActions: - DestinationBackupVaultArn: !Ref DestinationBackupVaultArn Lifecycle: DeleteAfterDays: 35 EnableContinuousBackup: false Lifecycle: DeleteAfterDays: 42 StartWindowMinutes: 120 ScheduleExpression: cron(0 1 ? * * *) TargetBackupVault: !Sub backup-vault-${Environment}-rds-1 - RuleName: !Sub backup-rule-${Environment}-monthly-1 CompletionWindowMinutes: 720 CopyActions: - DestinationBackupVaultArn: !Ref DestinationBackupVaultArn Lifecycle: MoveToColdStorageAfterDays: 365 EnableContinuousBackup: false Lifecycle: DeleteAfterDays: 365 StartWindowMinutes: 120 ScheduleExpression: cron(0 1 ? * * *) TargetBackupVault: !Sub backup-vault-${Environment}-rds-1 BackupPlanTags: CostAllocation: Ref: CostAllocation ResourceSelection: Condition: CreateAllResources Type: AWS::Backup::BackupSelection DeletionPolicy: Delete Properties: BackupPlanId: !Ref Plan BackupSelection: IamRoleArn: !Ref ResourceSelectionIamRoleArn Resources: !Split [",", !Ref ResourceSelectionArn] SelectionName: !Sub backup-resource-${Environment}-rds-1 ```

I would like to park my personal Quicksight account (enterprise billing) so that I am not billed while it is inactive. Is there a way to backup Quicksight dashboards/assets, import formulas, visualizations, other metadata, etc? Or is the only way to reduce the billing is to discard and lose all experiments?

I am creating backup vaults in AWS Backups for our various resources (RDS, S3, and others). It's going well. However, I was curious - if I create two backup vaults for a single resources (e.g. Snapshots Vault, Continuous Vault) is that inefficient? Is there reasons I should/should not do it that way - additional costs, inefficiency in backup, something else? (Note: The above is just an example. I have more specific reasons why I might break it out that way, but I didn't want to spell all that out here.)

**Background** There is identified need to govern multiple data locking features that AWS Provides in a context of multi-account environment with independent teams. If there is no governance - data locking might be enabled in various AWS accounts (in various regions) causing potential compliance nightmare and related challenges to rollback if data is accidentally locked for multiple years. It seems the only way to exit from compliance mode data locking is to fully close the related AWS account ( data seems then to be deleted after 90 days, even when locked). Optimally the use of AWS locking features would be allowed only by exception (after human review of each use-case). Governance mode could be by default allowed for all accounts/resources, but it should be possible to prevent the use of compliance mode (in any AWS service that provide data locking) with SCPs in AWS Organization. It has been identified at least these three are related operations for data locking: * backup:PutBackupVaultLockConfiguration * glacier:CompleteVaultLock * s3:PutBucketObjectLockConfiguration **Questions** 1. To deny all AWS data locking features - what IAM actions need to be denied with SCP - in addition to to the ones above? 2. Is the only way to exit the Backup Vault lock is to close the related AWS account (with 90 days grace period)? 3. How can one confirm the deletion of data related to question above. The assumption is that data remains until grace period has passed (90 days). Does AWS emit some logs (when account is being closed) that prove that data has been actually wiped? 4. How one can list what various data locks are currently in use? Is Cloudtrail the only option? 5. Are there any other best practise to share - to centrally govern the various AWS data locking features?

We use Lifecycle Manager to do regular EBS Snapshots of our EC2 data volumes. Since as noted in the docs the snapshot data is stable once the snapshot enters the 'pending' state, I wondered if there was any way a process on the EC2 can know when a snapshot is started and when it has entered pending ? The reason being it may need to stop a process using that data volume for this short period to avoid possible inconsistency of the snapshot from the applications point of view. From : https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-creating-snapshot.html ```Snapshots occur asynchronously; the point-in-time snapshot is created immediately, but the status of the snapshot is pending until the snapshot is complete (when all of the modified blocks have been transferred to Amazon S3), which can take several hours for large initial snapshots or subsequent snapshots where many blocks have changed. While it is completing, an in-progress snapshot is not affected by ongoing reads and writes to the volume.```

Does AWS Backup support the copy action for s3 buckets? I've configured in AWS Backup a backup plan rule with a copy action to another region within the same account and I don't see any copy jobs for my s3 bucket. I see that a backup job ran successfully for the s3 bucket, but I don't see a copy job afterwards. Note: I backup other resources (Aurora and RDS) in the same backup plan rule and I see a copy job for each of them. So the copy action is properly configured. So, does AWS Backup support the copy action for s3 buckets, or I misconfigured something else?

I am supporting a well established Microsoft Access application. I have previously written a separate VB.Net application to backup the database to an AWS S3 Bucket. But I would like to integrate this backup routine into the MS Access code (VBA). If I try to add the dll's (AWSSDK.Core.dll & AWSSDK.S3.dll) from the VB.NET code as References to the Access(VBA) it fails "Can't add reference to the specified file". In Access terms References as Type Libraries. So where can I find a Type Library which gives S3 functionality to some VBA code? Many thanks

Does the Organizations level functionality for AWS Backup have to be managed from the Organizations Master Account? I want to be able to delegate the AWS Backup management to a separate AWS account in my Organization.

I have recently enabled AWS Backup for S3 on several buckets to test how it works. I am using tags to select the appropriate buckets. Everything works great. From that point, I then added the tag to our largest bucket (~1.1TB and ~8MM objects) so that it could get its first backup. The first night the backup ran, but did not complete. The status of the backup is: Expired and the error message is `Backup job failed because there was a running job for the same resource`. The backup plan includes Daily, Weekly, Monthly for data retention purposes, and I have not had this issue with any of the smaller buckets. This is the only backup plan on this S3 bucket so I don't understand that error message. Is it possible that it's taking so long it clashes with the next Daily backup? Is there any other way that I can take that initial backup so that all subsequent backups are incremental? (Do a manual backup that expires in 5 weeks or something - would all automated backups after be incremental?)

I created a backup job for a bucket that is used as repository for a web page with a cloudfront only policy access. I added a role for the backup to run and performed a backup test run that was sucessfully. Then I deleted from files and tried to restore them for testing. The first attempt to restore to the same bucket failed because of permissions: This is the error "Status": "FAILED", "StatusMessage": "Cannot restore, as the BucketOwnershipControls of <bucketname> do not allow the use of object ACLs." I know I am not using ACL but policy to control the access to the bucket, so I think that's fine; so instead of restoring to the same bucket; I created a second job to restore to a new bucket That job is still running since Feb 24th This is how it looks on a CLI list-restore-jobs "CreationDate": "2022-02-24T11:15:33.120000-03:00", "Status": "RUNNING", "PercentDone": "0.00%", The thing is: There is not "stop-restore-job" command in the CLI to stop it. So the basic question is: 1 - How do I stop it? And 2; is the way to go in such scenario to restore to a new or existing bucket instead of the source one? Thanks.

Hi, I'm creating a backup plan [using CDK](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_backup-readme.html) and would like to also copy the resources to another region, pretty much as it's documented [here for the AWS Console](https://docs.aws.amazon.com/aws-backup/latest/devguide/cross-region-backup.html). I couldn't find a "copy to destination" option in CDK or Cfn resources though. Is that option not supported?

Prelude: We use AWS Backup, in addition to AWS Backup on RDS, there are also mandatory standard automatic backups. Situation: 1. at 8 am a standard automatic backup is made 2. AWS Backup starts at 12 o'clock and instead of taking another snapshot, it copies the snapshot that was made by a standard backup to another region Question: how to make AWS backup make a snapshot regardless of other conditions and the presence of other snapshots? Also in cloudwatch I see only action about copy: { "version": "0", "id": "d4f5efcb-f58b-bd58-c4b0-a6374b6c5cf7", "detail-type": "RDS DB Snapshot Event", "source": "aws.rds", "account": "", "time": "2022-02-22T11:08:07Z", "region": "us-east-1", "resources": [ "arn:aws:rds:us-east-1::snapshot:awsbackup:job-" ], "detail": { "EventCategories": [ "notification" ], "SourceType": "SNAPSHOT", "SourceArn": "arn:aws:rds:us-east-1::snapshot:awsbackup:job-", "Date": "2022-02-22T11:08:07.289Z", "Message": "Started copy of snapshot rds:{rds-name} in region us-east-1", "SourceIdentifier": "awsbackup:job-c", "EventID": "RDS-EVENT-0196" } }

I was part of the beta and still have the same problem. When I backup "all resources" it does not backup my s3 buckets. When I specifically select s3 in my backup plan it still does not work. However, on demand backup of s3 works fine. How do I backup my s3 buckets with everything else on the same schedule?

I have created a topic and subscribed with an email endpoint, targeting to be mailed for any anomalies such as aborted backups and failed backups through an email. Have created a rule in Event bridge to collect backup job state change event and pointed to the SNS topic. Have tried a subscription filtering policy on the topic as below: { "state": [ { "anything-but": [ "CREATED", "PENDING", "RUNNING", "COMPLETED" ] } ] } yet the result is not as expected.

Is there any possibility to create a backup plan which stores Aurora cluster backup in vault which is in different region and on different account to mitigate multiple risks at once?

Hello Checking out the Security Hub findings, we have multiple reports of a CRITICAL issue with the description Security Hub *RDS.1 RDS snapshot should be private * but the snapshots that are targeted are deleted and are no longer available in the AWS Console RDS snapshots tab. The Record state of the finding is ARCHIVED, but we don't get why the findings were triggered at all on those snapshots ( and also no trigger was found on the current existing ones ). All the snapshots that we have are encrypted and according with the documentation: *If the source is encrypted, DB snapshot visibility is set as Private because encrypted snapshots can't be shared as public.* so our snapshots should not have gotten in a public state at any point. So what can be the cause of us seeing those Security Hub findings and how can we make sure we no longer have them?

Hello, here is the situation, we have AWS Backup configured to backup Aurora Clusters, the Aurora Cluster is encrypted with a CMK of KMS. Now, that we want to restore a backup using the AWS Backup Console, the process says it finished successfully but the restored Aurora Cluster has 0 instances. So I think there is an issue of permissions to use the KMS key, but I have tried different permissions to no avail. Is there a document that specifies the correct permissions for this to work ? Thanks in advanced. Kind Regards,

What is the difference between the `*-in-backup-plan` and `*-resources-protected-by-backup-plan` managed config rules * [rds-in-backup-plan](https://docs.aws.amazon.com/config/latest/developerguide/rds-in-backup-plan.html) * [rds-resources-protected-by-backup-plan](https://docs.aws.amazon.com/config/latest/developerguide/rds-resources-protected-by-backup-plan.html) There are variants like this for several resource types.

How we can set alert if any backup job get fails?

Using AWS Backup to backup and restore Windows 2016 and above EC2 instances which are domain joined to AWS Managed AD. When the instances are restored (as a copy) they appear to retain the same NetBIOS. There will then be two EC2 instances of the same name (different instance IDs) in the same VPC. This has been a problem in the past outside of the cloud. Any best practices in the community for using AWS Backup and Restore with Windows you can point to?

I'm trying to generate conformance reports for our backup plans but the reports generated appear to be empty. I have a backup plan for RDS to make snapshots, I have a framework deployed, this framework appears in the state "Partially active" If I check the documentation says that I have to activate the tracking of all backup resources and the tracking of AWS Config resources in AWS config and these are active, in fact, the "Resource Tracking status" shows every item with green tick and "OK". I have Control compliance and Resource compliance reports. According to the framework there are four compliant controls. According to AWS Cnfig the rules associated to these controls have several resources. The report finishes as "Completed" But the report stored in S3 appears empty. There's a Pop-up warning about the "Partially Active" state of the framework. The reports are empty only with this content: ``` { "reportItems": [] } ``` Why this can be happening? I do not see any error or possible cause. How I can know what resources should I track in AWS Config for the framework in AWS Backups to become "Active"? (In case this is the problem)

Most of my other post was answered but stuck on one concept. I have a few Dynmo tables that will always be appended so have PITR and will have a daily tag to backup with. However, if have tables that change with the month. So after the month, that data will not change. So if I have a tag call backup_monthly, I can make a rule to say backup daily, transition to cold storage after a few days. But, if I keep that tag of backup_monthly, no data changes, will just that process trying to sync cause that to be a new backup since the old is in cold storage? I don't want to have to change tags monthly, etc. but rather just set it and forget it, knowing daily backups are warm and always updating, january is warm and backing up, come Feb, Jan will transition to cold and Feb will be warm until March. Thanks all

We run a system that collects data monthly, so we have several central tables, then more of a YYYY_MM structure. So days before the new month we are creating a table, setting capacity, PITR, etc. Then around the 6th, we will lower the capacity from the previous month, lower capacity, etc. and I want to automate this. The only thought I had was using an admin server with AWS keys, and writing a script using CLI tools. Naturally that user would need credentials, etc. but is there any other way that would be easier? Also regarding the backup, if I am using AWS Backup, once the previous month is done, I am trying to find out how I am charged, if the data doesn't change and I leave the daily flag on, do I pay for more storage (the same data over and over) or is it just the one time as the data is the same as that will affect that part. Thank you in advance.

I have a Launch Template with multiple volumes. I'd like to tag one of the volumes in a specific way so that I can make snapshots solely of this volume via DLM or AWS Backup, is there any way to do that ?

I ran a test whereby I restored a RHEL 7 EC2 instance. After it started, I was able to ssh into the instance using the same private key that I use for the instance that was backed up. However I noticed that the /etc/ssh/ssh_ key files had all changed, and an application, Oracle's secure global desktop, could not longer connect, due to the changed host keys. What would have caused the host keys to change? Is it something that AWS restore does? Is it something that sshd does on startup? E.g. it detects that the hostname changed (AWS assigns a new hostname to the instance) and recreates the host keys as a result? Is it something that RHEL 7 does? I suppose I could just backup the /etc/ssh directory and restore the files after a restore, but I would like to think that I can use AWS backup / restore out of the box to preserve the configuration of an instance during the restore operation. There is a very old AWS forums post: https://forums.aws.amazon.com/thread.jspa?threadID=40450 that refers to this problem, but the post says that the issue was resolved in the AWS linux AMI. Thanks for the help.

I have simple backup job defined with two ec2 instances configured as the protected resources. But in the vault I see the two EC2 instances plus an EBS volume. If the backup service creates a snapshot of the attached EBS volumes while backing up the EC2 instances, then shouldn't I see two sets of EBS resources in the backup vault? One of the EC2 instances' volumes is a GP3 that has a minimum IOPS set, does the type of storage affect how AWS backups the EC2 instance?

I have an EC2 instance with two EBS volumes attached. The EC2 instance and EBS volumes share a common tag, and I have an AWS Backup resource assignment for that tag. When I look at the details of the backup jobs associated with the backup plan, I see that the size of the backup job for the EC2 instance is the sum of the backup sizes of the EBS volumes. Am I effectively backing up the same data twice? Is it advisable to _not_ backup the EBS volumes if I'm already backing up the EC2 instance?

Good afternoon all. I have a DynamoDB that stores data in monthly tables and some central ones. Once the month is over, that data doesn’t change. Those monthly tables and other critical tables have PITR on and after the 35 days, I don’t need that on as the data doesn’t change but also don’t want/need to back them up daily. So the question is From the reading (https://aws.amazon.com/backup/features/) it appears that its a full, then incremental, so after the 35 days and the table stops being written, can I leave the backup flag on (since nothing changes, I shouldn’t pay any additional) right and only the new tables/data will be written? Bonus: (this may have to goto the dynamo forum), but after the 35 days, if that table doesn’t change does PITR continue to charge, and if so, can something in the AWS backup job say turn it off after x days? Thanks all

I am trying to use aws backup to backup efs. In case that the client restore a backup I need to re-send the restoration files. I tried backing up in a new efs and then send to S3 using datasync with no success because the restored efs backup have no mount targets. If I restore in the same efs, how can I access only the backup files to send to S3 and then delete them from the efs?. Is there a better way to achieve this?

I am backing up about 45 Windows Server EC2 instances with AWS Backup. One of the AWS Backup jobs, for about 35 of those instances does a VSS snapshot as part of the backup. I get a lot of VSS failure messages. Some of them are VSS timeouts, which I understand is a Windows issue that occurs because of an unconfigurable 10 second max time for the snapshot to complete. Some are related to the AWS VSS provider. In AWS Backup the error is "Windows VSS Backup Job Error encountered, trying for regular backup". The job then completes, but without a VSS snapshot. In SSM, the Run Command error for this task is: Encountered unexpected error. Please see error details below Message : The process cannot access the file 'C:\ProgramFiles\Amazon\AwsVssComponents\vsserr.log' because it is being used by another process. I tried to rename this file (just as a test, to see if it was in use) and says it is in use by the ec2-vss-agent.exe. So I stopped the EC2 VSS Windows service but that did not stop the ec2-vss-agent.exe process and the error remained. I did an 'end task' on the ec2-vss-agent.exe process and I then manually ran the VSS Run Command from SSM. It re-started the process, and it ran for awhile before timing out, which is the other (unrelated?) issue we see too. I can not find anything online about this issue or error and I'm at a loss as far as where to look from here. I need VSS snapshots of these servers. If anyone has any ideas about how to troubleshoot this or what else to look for, please let me know!

A customer is using QLDB. I have seen that you can export journal data from QLDB directly to S3 by submitting the journal export request: https://docs.aws.amazon.com/qldb/latest/developerguide/export-journal.html Can this be seen as a traditional DB backup? Secondly, is there an option of 'importing' that QLDB backup into an existing ledger or into a new ledger? Thirdly, are there any plans to incorporate automatic QLDB backups into the AWS Backup service? I know QLDB is relatively new, but knowing this would calm customers already using QLDB that backups are also thing with QLDB. Thank you in advance.

Hi, I would like to know why on the aws backup panel there is no option to back up documentdb? Thanks!

Hi AWS, I would like to use AWS Backup Service to backup my EC2 instances. However, does AWS Backup Service reboot my EC2 instances? I hope it does not. Previously, I am using lambda function to automatically create AMI images. I had this "NoReboot=True" flag in my create_image function. Hence, does AWS Backup guarantees No Reboot to EC2 instances? My EC2 instance cannot afford to have a downtime.

Hi all, I've been trying to setup an AWS Backup plan, and when assigning a resource to the plan I've created, I get the spinning action wheel and nothing further happens. I've tried: * Waiting to see if it's just taking a long time. * Using a different brand of browser. * Using a custom plan instead of the regular plan. * Sending to the default vault, or a custom vault. * Using a different computer to access the dashboard. * Assigning both the EBS instance or the EC2 instance. In all cases, the result is the same. I hit the final button to assign resources, and it just spins and spins. Am I missing something fundamental here, or is there a known issue? Cheers, Coulls

Hi There, We currently backup multiple Linux and Windows EC2 instances to the default vault using the Daily-35day-Retention template So far all backups have been successful. Our problem is with restores. When attempting to restore an instance we receive the error "_You are not authorized to perform this operation. Please consult the permissions associated with your AWS Backup role(s), and refer to the AWS Backup documentation for more details._" On the restore job we are using the **Default** role and leaving all IAM roles, security groups, subnets and VPC identical to the original Instance. I can see from the IAM dashboard that the **AWSBackupDefaultServiceRole** role has both the **AWSBackupServiceRolePolicyForBackup** and **AWSBackupServiceRolePolicyForRestores** permission policies assigned and sporting the same permissions as stated in the documentation. All the permissions seem to be correct, and we are not using any custom role for this so I am confused on where this is failing.

Hi there, Apologies if this question has been answered earlier, unfortunately I am not able to locate it easily :( When I try to restore an EC2 instance that has been backed up by AWS Backup, it fails with error "Client.InternalError: Client error on launch" Looks like it is an encryption issue... The following are the details: 1. The EC2 instance being backed up has been setup with Volume(s) that are encrypted with Customer Managed Keys (CMK) 2. We provided full KMS permissions for the role (not my preferred option, but just to test the restores) 3. The restores attempts terminates the target EC2 instance almost immediately on launch of the restore operation with the error "Client.InternalError: Client error on launch" Note: I tested the backup and restore of the EC2 instance with unencrypted volume(s) and it completed successfully Please provide guidance to complete restores for EC2 instances setup with CMK Thank you, Shyam

Hi everyone, I would like to know how the continuous backup functionality of DynamoDB works. Are there events that are triggering a backup or is there anything else that is causing a backup? Best, jackv

We have an EC2 installed running Ubuntu 18-04 LTS - Bionic-Ubuntu for a Python application that is using PostgressSQL database. Due to the criticality of the application that we are running on this instance, we need to keep a near real time backup of the data, and I would to know your suggestions please. I have taken few images, but this process needs reboot of the instance which is not practical for us.

I initiated a manual delete of my Redis cache cluster with ID inf-ex-ygonyr7hlpjz and ticked the box asking whether to take one last backup. It has now been stuck in the `deleting` state for more than two hours, and the back up is stuck in the `creating` state. I would definitely like a backup before deleting. I searched the forum and found people waiting for days. Any advice? I have deleted cache clusters before without a problem. Thanks for your help in advance Edited by: EmilOJ on Jun 20, 2019 6:11 AM

Hello, In my organization there is some uncertainty about the backup window of AWS backup. In the documentation I couldn't find an absolutely clear answer, so now I'm here! Some teams want to be more in control of when a backup of their system is made, so they want to create a smaller backup window. But they are afraid that when this window is too small, no backup is made. Is there information about how small a backup window can be and is there a risk of no backups taken if the window is too small? Thanks for your answer!

Hi there; I am working with AWS Backup in order to protect a few resources I have: This is my EC2 inventory: 2 VMs with 2 volumes each 1 VM with 1 Volume 1 Volume connected to an AWS File Gateway for a remote volume. I need to have an specific tag for each volume for internal billing needs; so I created 4 different jobs one for each server. Job #1 for the Volume connected to the AWS Gateway Job #2 for the server with a single volume Job #3 for Server A and its 2 volumes Job #4 for Server B and its 2 volumes. I put all settings in the same way, the backup ran perfectly BUT, the snapshots created for Server A and Server B do not have the Tag that the job is supposed to write on them. Tag is simply empty. The single-volume server and the gateway are OK; they have the Tag that was set up in the backup job.. So, I created a 2 new jobs; deleting job #3, I created job #5 for one of server A's volumes and job #6 for the other; ran again overnight and the snapshots do not have the tags again. What I am doing wrong? It is quite simple to set up and it works for 2 resources, but not for all of them. Thanks!

I previously researched using Storage Gateway in VTL (Tape Library) mode to hook it up to Veeam, but now am curious if "AWS Backup" is a completely on-prem solution (not that I would dump Veeam). If so, I think I understand Storage Gateways, but how exactly do I set AWS Backup for a Storage Gateway? Do I create a "Volume" storage gateway, then associate it with AWS Backup? If so, does AWS Backup work on top of what Storage Gateway already does (stores data in S3)? Is it basically a management layer on moving the data around (lifespan)? Or does "AWS Backup" work different from standard S3 storage via a Storage Gateway? How do I get data into the volume on the Storage Gateway? Mount iSCSI, use volume however I like, and "AWS Backup" will manage everything else? I guess I'm hoping that it's that simple... use Storage Gateway as you normally would (in volume mode), which provides a mirrored copy of all data up in S3. If a file is deleted locally, it's deleted in S3, etc... My further hope is that "AWS Backup" sits on top of this, and once enabled, manages versions and archiving and lifecycle for that data... i.e. If a file is deleted locally, it still exists in AWS until the lifetime ages it out. Thank you! Edited by: Novox on Jan 21, 2019 7:05 AM Edited by: Novox on Jan 21, 2019 7:25 AM Corrected: "Volume" gateways support iSCSI, not SMB.

Hi there, i see that we are allowed to user custom roles in AWS Backup, could you please let us know how to create the proper roles? it is not describe in the service documentation. BR, Alvaro

We are writing a BCP for this service and are not finding any documentation for backing up user accounts. Is it possible to export user accounts and import to a new/replacement server?

Hi, For compliance reasons, my client requires two types of backup - a daily backup with 35 day retention (although I assume they read the docs and decided on 35 days as it's the limit...) but also monthly full backup which is kept for 2 years (24 months). I'm a little confused by the documentation - Firstly, the snapshots are incremental but each one can be used to do a full restore to a new cluster - how is this possible? Is it incremental since the last snapshot and if so, what happens if the previous snapshots are deleted? Secondly, I can see there's a limit of 20 snapshots (which you can request to change). Before I even consider manual monthly snapshots, if my automated snapshot is daily and is retained for 35 days I am going to have >35 automated snapshots at any point in time - will this be an issue? Thirdly, if my DWH size is 24TB and I am somehow (?) able create a full database backup via snapshots, I'm going to be paying for the storage of 576 TB (24 months x 24TB) in S3 which will be at a very high cost. Ideally, we'd be able to store this in Glacier but I understand we don't have access to the S3 bucket containing snapshots. So my questions are: - How is a full cluster restore performed from an incremental snapshot? - Is this still possible if there's only one incremental snapshot (all the others are deleted?) - Will I exceed the 20 snapshot limit by having a 35 day retention period? - Is it possible to create a "full" backup in a snapshot? - Is it possible to access snapshot locations on S3 so that we can move them to Glacier and still make them available to Redshift for restore? Thanks in advance, J