Using Amazon SNS to track AWS Backup events - AWS Backup

Using Amazon SNS to track AWS Backup events

AWS Backup takes advantage of the robust notifications delivered by Amazon Simple Notification Service (Amazon SNS). You can configure Amazon SNS to notify you of AWS Backup events from the Amazon SNS console.

Common use cases

For more information about Amazon SNS generally, see Getting Started with Amazon SNS in the Amazon Simple Notification Service Developer Guide.

AWS Backup notification APIs

After creating your topics using the Amazon SNS console or AWS Command Line Interface (AWS CLI), you can use the following AWS Backup API operations to manage your backup notifications.

AWS Backup supports the following events:

Job type Event
Backup job BACKUP_JOB_STARTED | BACKUP_JOB_COMPLETED
Copy job COPY_JOB_STARTED | COPY_JOB_SUCCESSFUL | COPY_JOB_FAILED
Restore job RESTORE_JOB_STARTED | RESTORE_JOB_COMPLETED
Recovery point RECOVERY_POINT_MODIFIED

Examples of events

Event Amazon SNS Notification
Backup job completed
{ "Records": [{ "EventSource": "aws: sns", "EventVersion": "1.0", "EventSubscriptionArn": "arn:aws:sns:...-a3802aa1ed45", "Sns": { "Type": "Notification", "MessageId": "12345678-abcd-123a-def0-abcd1a234567", "TopicArn": "arn:aws:sns:us-west-1:123456789012:backup-2sqs-sns-topic", "Subject": "Notification from AWS Backup", "Message": "An AWS Backup job was completed successfully. Recovery point ARN: arn:aws:ec2:us-west-1:123456789012:volume/vol-012f345df6789012d. Resource ARN : arn:aws:ec2:us-west-1:123456789012:volume/vol-012f345df6789012e. BackupJob ID : 1b2345b2-f22c-4dab-5eb6-bbc7890ed123", "Timestamp": "2019-08-02T18:46:02.788Z", ... "MessageAttributes": { "EventType": {"Type":"String","Value":"BACKUP_JOB"}, "State": {"Type":"String","Value":"COMPLETED"}, "AccountId": {"Type":"String","Value":"123456789012"}, "Id": {"Type":"String","Value":"1b2345b2-f22c-4dab-5eb6-bbc7890ed123"}, "StartTime": {"Type":"String","Value":"2019-09-02T13:48:52.226Z"} } } }] }
Backup job failed
{ "Records": [{ "EventSource": "aws: sns", "EventVersion": "1.0", "EventSubscriptionArn": "arn:aws:sns:...-a3802aa1ed45", "Sns": { "Type": "Notification", "MessageId": "12345678-abcd-123a-def0-abcd1a234567", "TopicArn": "arn:aws:sns:us-west-1:123456789012:backup-2sqs-sns-topic", "Subject": "Notification from AWS Backup", "Message": "An AWS Backup job failed. Resource ARN : arn:aws:ec2:us-west-1:123456789012:volume/vol-012f345df6789012e. BackupJob ID : 1b2345b2-f22c-4dab-5eb6-bbc7890ed123", "Timestamp": "2019-08-02T18:46:02.788Z", ... "MessageAttributes": { "EventType": {"Type":"String","Value":"BACKUP_JOB"}, "State": {"Type":"String","Value":"FAILED"}, "AccountId": {"Type":"String","Value":"123456789012"}, "Id": {"Type":"String","Value":"1b2345b2-f22c-4dab-5eb6-bbc7890ed123"}, "StartTime": {"Type":"String","Value":"2019-09-02T13:48:52.226Z"} } } }] }
Backup job could not complete during the backup window
{ "Records": [{ "EventSource": "aws: sns", "EventVersion": "1.0", "EventSubscriptionArn": "arn:aws:sns:...-a3802aa1ed45", "Sns": { "Type": "Notification", "MessageId": "12345678-abcd-123a-def0-abcd1a234567", "TopicArn": "arn:aws:sns:us-west-1:123456789012:backup-2sqs-sns-topic", "Subject": "Notification from AWS Backup", "Message": "An AWS Backup job failed to complete in time. Resource ARN : arn:aws:ec2:us-west-1:123456789012:volume/vol-012f345df6789012e. BackupJob ID : 1b2345b2-f22c-4dab-5eb6-bbc7890ed123", "Timestamp": "2019-08-02T18:46:02.788Z", ... "MessageAttributes" : { "EventType" : {"Type":"String","Value":"BACKUP_JOB"}, "State" : {"Type":"String","Value":"EXPIRED"}, "AccountId" : {"Type":"String","Value":"123456789012"}, "Id" : {"Type":"String","Value":"1b2345b2-f22c-4dab-5eb6-bbc7890ed123"}, "StartTime" : {"Type":"String","Value":"2019-09-02T13:48:52.226Z"} } } }] }

AWS Backup notification command examples

You can use AWS CLI commands to subscribe to, list, and delete Amazon SNS notifications for your AWS Backup events.

Example put backup vault notification

The following command subscribes to an Amazon SNS topic for the specified backup vault that notifies you when a restore job is started or completed, or when a recovery point is modified.

aws backup put-backup-vault-notifications --backup-vault-name myBackupVault --sns-topic-arn arn:aws:sns:region:account-id:myBackupTopic --backup-vault-events RESTORE_JOB_STARTED RESTORE_JOB_COMPLETED RECOVERY_POINT_MODIFIED

Example get backup vault notification

The following command lists all events currently subscribed to an Amazon SNS topic for the specified backup vault.

aws backup get-backup-vault-notifications --backup-vault-name myVault

The sample output is as follows:

{ "SNSTopicArn": "arn:aws:sns:region:account-id:myBackupTopic", "BackupVaultEvents": [ "RESTORE_JOB_STARTED", "RESTORE_JOB_COMPLETED", "RECOVERY_POINT_MODIFIED" ], "BackupVaultName": "myVault", "BackupVaultArn": "arn:aws:backup:region:account-id:backup-vault:myVault" }

Example delete backup vault notification

The following command unsubscribes from an Amazon SNS topic for the specified backup vault.

aws backup delete-backup-vault-notifications --backup-vault-name myVault

Specifying AWS Backup as a service principal

Note

To allow AWS Backup to publish SNS topics on your behalf, you must specify AWS Backup as a service principal.

Include the following JSON in the access policy of the Amazon SNS topic that you use to track AWS Backup events. You must specify the resource Amazon Resource Name (ARN) of your topic.

{ "Sid": "My-statement-id", "Effect": "Allow", "Principal": { "Service": "backup.amazonaws.com" }, "Action": "SNS:Publish", "Resource": "arn:aws:sns:region:account-id:myTopic" }

The following sample JSON is an example of a basic Amazon SNS access policy that includes AWS Backup as a service principal. This example allows for cross-account access.

{ "Version": "2008-10-17", "Id": "__default_policy_ID", "Statement": [ { "Sid": "__default_statement_ID", "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": [ "SNS:Publish", "SNS:RemovePermission", "SNS:SetTopicAttributes", "SNS:DeleteTopic", "SNS:ListSubscriptionsByTopic", "SNS:GetTopicAttributes", "SNS:Receive", "SNS:AddPermission", "SNS:Subscribe" ], "Resource": "arn:aws:sns:region:account-id:myTopic", "Condition": { "StringEquals": { "AWS:SourceOwner": "account-id" } } }, { "Sid": "__console_pub_0", "Effect": "Allow", "Principal": { "Service": "backup.amazonaws.com" }, "Action": "SNS:Publish", "Resource": "arn:aws:sns:region:account-id:myTopic" } ] }

For more information about specifying a service principal in an Amazon SNS access policy, see Allowing Any AWS Resource to Publish to a Topic in the Amazon Simple Notification Service Developer Guide.

Note

If your topic is encrypted, you must include additional permissions in your policy to allow AWS Backup to publish to it. For more information about enabling services to publish to encrypted topics, see Enable Compatibility between Event Sources from AWS Services and Encrypted Topics in the Amazon Simple Notification Service Developer Guide.