AWS Backup
Developer Guide

Using Amazon SNS to Track AWS Backup Events

AWS Backup is designed to take advantage of the robust notifications delivered by Amazon Simple Notification Service (Amazon SNS). You configure Amazon SNS to send notifications for AWS Backup events from the Amazon SNS console. For more information, see Getting Started with Amazon SNS in the Amazon Simple Notification Service Developer Guide.

AWS Backup Notification APIs

After creating your topics using the Amazon SNS console or AWS Command Line Interface (AWS CLI), you can use the following AWS Backup API operations to manage your backup notifications.

The following events are supported:

Backup jobs

  • BACKUP_JOB_STARTED

  • BACKUP_JOB_COMPLETED

  • BACKUP_JOB_SUCCESSFUL

  • BACKUP_JOB_FAILED

  • BACKUP_JOB_EXPIRED

Restore jobs

  • RESTORE_JOB_STARTED

  • RESTORE_JOB_COMPLETED

  • RESTORE_JOB_SUCCESSFUL

  • RESTORE_JOB_FAILED

Recovery points

  • RECOVERY_POINT_MODIFIED

Completed Events

Subscribing to Completed events is equivalent to subscribing to Successful, Failed, or Expired events. Completed notifications include a STATE attribute indicating the specific type of completion.

Example Completed Events

{
  "Type" : "Notification",
  "MessageId" : "12345678-abcd-123a-def0-abcd1a234567",
  "TopicArn" : "arn:aws:sns:us-west-1:123456789012:backup-2sqs-sns-topic",
  "Subject" : "Notification from AWS Backup",
  "Message" : "An AWS Backup job was completed successfully. Recovery point ARN: arn:aws:ec2:us-west-1:123456789012:volume/vol-012f345df6789012d. Resource ARN : arn:aws:ec2:us-west-1:123456789012:volume/vol-012f345df6789012e. BackupJob ID : 1b2345b2-f22c-4dab-5eb6-bbc7890ed123",
  "Timestamp" : "2019-08-02T18:46:02.788Z",
  "MessageAttributes" : {
    "EventType" : {"Type":"String","Value":"BACKUP_JOB"},
    "State" : {"Type":"String","Value":"SUCCESSFUL"},
    "AccountId" : {"Type":"String","Value":"123456789012"},
    "Id" : {"Type":"String","Value":"1b2345b2-f22c-4dab-5eb6-bbc7890ed123"},
    "StartTime" : {"Type":"String","Value":"2019-09-02T13:48:52.226Z"}
  }
}

{
  "Type" : "Notification",
  "MessageId" : "12345678-abcd-123a-def0-abcd1a234567",
  "TopicArn" : "arn:aws:sns:us-west-1:123456789012:backup-2sqs-sns-topic",
  "Subject" : "Notification from AWS Backup",
  "Message" : "An AWS Backup job failed. Resource ARN : arn:aws:ec2:us-west-1:123456789012:volume/vol-012f345df6789012e. BackupJob ID : 1b2345b2-f22c-4dab-5eb6-bbc7890ed123",
  "Timestamp" : "2019-08-02T18:46:02.788Z",
  "MessageAttributes" : {
    "EventType" : {"Type":"String","Value":"BACKUP_JOB"},
    "State" : {"Type":"String","Value":"FAILED"},
    "AccountId" : {"Type":"String","Value":"123456789012"},
    "Id" : {"Type":"String","Value":"1b2345b2-f22c-4dab-5eb6-bbc7890ed123"},
    "StartTime" : {"Type":"String","Value":"2019-09-02T13:48:52.226Z"}
  }
}

{
  "Type" : "Notification",
  "MessageId" : "12345678-abcd-123a-def0-abcd1a234567",
  "TopicArn" : "arn:aws:sns:us-west-1:123456789012:backup-2sqs-sns-topic",
  "Subject" : "Notification from AWS Backup",
  "Message" : "An AWS Backup job failed to complete in time. Resource ARN : arn:aws:ec2:us-west-1:123456789012:volume/vol-012f345df6789012e. BackupJob ID : 1b2345b2-f22c-4dab-5eb6-bbc7890ed123",
  "Timestamp" : "2019-08-02T18:46:02.788Z",
  "MessageAttributes" : {
    "EventType" : {"Type":"String","Value":"BACKUP_JOB"},
    "State" : {"Type":"String","Value":"EXPIRED"},
    "AccountId" : {"Type":"String","Value":"123456789012"},
    "Id" : {"Type":"String","Value":"1b2345b2-f22c-4dab-5eb6-bbc7890ed123"},
    "StartTime" : {"Type":"String","Value":"2019-09-02T13:48:52.226Z"}
  }
}

If you subscribe to specific events such as BACKUP_JOB_SUCCESSFUL, you will receive only that specific type of notification.
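A consumer of Completed notifications has to branch on the State attribute, because one subscription delivers all three outcomes. The following triage routine is an added example, not code from the AWS documentation; the function name, the severity labels, and the choice of which states alert are assumptions, and the sample message is constructed from the failed-job example above.

```python
import json

EXPECTED_TOPIC = "arn:aws:sns:us-west-1:123456789012:backup-2sqs-sns-topic"

# Constructed sample, modeled on the failed-job notification shown above.
SAMPLE_FAILED = json.dumps({
    "Type": "Notification",
    "TopicArn": EXPECTED_TOPIC,
    "Subject": "Notification from AWS Backup",
    "Message": "An AWS Backup job failed.",
    "MessageAttributes": {
        "EventType": {"Type": "String", "Value": "BACKUP_JOB"},
        "State": {"Type": "String", "Value": "FAILED"},
        "AccountId": {"Type": "String", "Value": "123456789012"},
        "Id": {"Type": "String", "Value": "1b2345b2-f22c-4dab-5eb6-bbc7890ed123"},
    },
})

# Assumption: FAILED and EXPIRED should alert; this is a local policy choice.
ALERT_STATES = {"FAILED", "EXPIRED"}


def triage(raw, expected_topic_arn=EXPECTED_TOPIC):
    """Classify one AWS Backup notification delivered as an SNS JSON envelope.

    Raises ValueError when the envelope is not a notification from the
    expected topic, so messages from other sources are never triaged.
    """
    envelope = json.loads(raw)
    if envelope.get("Type") != "Notification":
        raise ValueError("not an SNS notification envelope")
    if envelope.get("TopicArn") != expected_topic_arn:
        raise ValueError("unexpected TopicArn")

    attrs = {name: attr.get("Value")
             for name, attr in envelope.get("MessageAttributes", {}).items()}
    state = attrs.get("State")
    if state == "SUCCESSFUL":
        severity = "info"
    elif state in ALERT_STATES:
        severity = "alert"
    else:
        # Missing or unrecognized State is never treated as success.
        severity = "review"
    return {"event_type": attrs.get("EventType"), "state": state,
            "job_id": attrs.get("Id"), "account_id": attrs.get("AccountId"),
            "severity": severity}


if __name__ == "__main__":
    print(triage(SAMPLE_FAILED))
```

The TopicArn comparison is only a routing check; it does not replace verifying the SNS message signature on HTTP/S endpoints.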

AWS Backup Notification Command Examples

You can use AWS CLI commands to subscribe to, list, and delete Amazon SNS notifications for your AWS Backup events.

Example Put Backup Vault Notification

The following command subscribes to an Amazon SNS topic for the specified backup vault that notifies you when a restore job is started or completed, or when a recovery point is modified.

aws backup --endpoint-url https://backup.region.amazonaws.com put-backup-vault-notifications --backup-vault-name myVault --sns-topic-arn arn:aws:sns:region:account-id:myBackupTopic --backup-vault-events RESTORE_JOB_STARTED RESTORE_JOB_COMPLETED RECOVERY_POINT_MODIFIED

Example Get Backup Vault Notification

The following command lists all events currently subscribed to an Amazon SNS topic for the specified backup vault.

aws backup --endpoint-url https://backup.region.amazonaws.com get-backup-vault-notifications --backup-vault-name myVault

The sample output is as follows:

{
  "SNSTopicArn": "arn:aws:sns:region:account-id:myBackupTopic",
  "BackupVaultEvents": [
    "RESTORE_JOB_STARTED",
    "RESTORE_JOB_COMPLETED",
    "RECOVERY_POINT_MODIFIED"
  ],
  "BackupVaultName": "myVault",
  "BackupVaultArn": "arn:aws:backup:region:account-id:backup-vault:myVault"
}

Example Delete Backup Vault Notification

The following command unsubscribes from an Amazon SNS topic for the specified backup vault.

aws backup --endpoint-url https://backup.region.amazonaws.com delete-backup-vault-notifications --backup-vault-name myVault

Specifying AWS Backup as a Service Principal

Note

To allow AWS Backup to publish to SNS topics on your behalf, you must specify AWS Backup as a service principal.

Include the following JSON in the access policy of the Amazon SNS topic that you use to track AWS Backup events. You must specify the resource Amazon Resource Name (ARN) of your topic.

{
  "Sid": "My-statement-id",
  "Effect": "Allow",
  "Principal": {
    "Service": "backup.amazonaws.com"
  },
  "Action": "SNS:Publish",
  "Resource": "arn:aws:sns:region:account-id:myTopic"
}

The following sample JSON is an example of a basic Amazon SNS access policy that includes AWS Backup as a service principal. You must specify your own AWS account ID and the resource ARN of your topic.

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:Publish",
        "SNS:RemovePermission",
        "SNS:SetTopicAttributes",
        "SNS:DeleteTopic",
        "SNS:ListSubscriptionsByTopic",
        "SNS:GetTopicAttributes",
        "SNS:Receive",
        "SNS:AddPermission",
        "SNS:Subscribe"
      ],
      "Resource": "arn:aws:sns:region:account-id:myTopic",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "account-id"
        }
      }
    },
    {
      "Sid": "__console_pub_0",
      "Effect": "Allow",
      "Principal": {
        "Service": "backup.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:region:account-id:myTopic"
    }
  ]
}

For more information about specifying a service principal in an Amazon SNS access policy, see Allowing Any AWS Resource to Publish to a Topic in the Amazon Simple Notification Service Developer Guide.
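A topic policy can be checked offline before notifications are configured. The following audit routine is an added example, not code from the AWS documentation: it confirms that a statement like the one above lets backup.amazonaws.com publish to the topic, and flags any Allow statement with a wildcard principal and no Condition. The function names are hypothetical, and the sample policy is constructed from the basic policy above with a placeholder Region and account ID.

```python
BACKUP_PRINCIPAL = "backup.amazonaws.com"
TOPIC_ARN = "arn:aws:sns:us-west-1:123456789012:myTopic"  # constructed placeholder

# Constructed sample: the page's basic policy, trimmed to two actions,
# with a placeholder Region and account ID filled in.
SAMPLE_POLICY = {
    "Version": "2008-10-17",
    "Statement": [
        {"Sid": "__default_statement_ID", "Effect": "Allow",
         "Principal": {"AWS": "*"},
         "Action": ["SNS:Publish", "SNS:Subscribe"],
         "Resource": TOPIC_ARN,
         "Condition": {"StringEquals": {"AWS:SourceOwner": "123456789012"}}},
        {"Sid": "__console_pub_0", "Effect": "Allow",
         "Principal": {"Service": BACKUP_PRINCIPAL},
         "Action": "SNS:Publish", "Resource": TOPIC_ARN},
    ],
}


def _as_list(value):
    """Policy elements may be a single value or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_topic_policy(policy, topic_arn):
    """Return (backup_can_publish, findings) for an SNS topic access policy.

    Simplified: exact Resource match only, and Deny statements are ignored.
    """
    backup_ok, findings = False, []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        is_map = isinstance(principal, dict)
        wildcard = principal == "*" or (is_map and "*" in _as_list(principal.get("AWS")))
        if wildcard and not stmt.get("Condition"):
            findings.append(f"{stmt.get('Sid', '<no Sid>')}: wildcard principal without Condition")
        services = _as_list(principal.get("Service")) if is_map else []
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if (BACKUP_PRINCIPAL in services and actions & {"sns:publish", "sns:*", "*"}
                and topic_arn in _as_list(stmt.get("Resource"))):
            backup_ok = True
    if not backup_ok:
        findings.append("backup.amazonaws.com is not allowed to SNS:Publish to this topic")
    return backup_ok, findings
```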

Note

If your topic is encrypted, you must include additional permissions in your policy to allow AWS Backup to publish to it. For more information about enabling services to publish to encrypted topics, see Enable Compatibility between Event Sources from AWS Services and Encrypted Topics in the Amazon Simple Notification Service Developer Guide.