Troubleshooting AWS Backup

When you use AWS Backup, you might encounter issues. The following sections can help you troubleshoot some common issues that might occur.

For general questions about AWS Backup, see the AWS Backup FAQ. You can also search for answers and post questions in the AWS Backup forum.

Troubleshooting general issues

When you back up and restore resources, you must have permission to use AWS Backup and permission to access the resources that you want to protect. The easiest way to have the proper permissions is to choose the Default role when you assign resources to a backup plan. For more information about access control using AWS Identity and Access Management (IAM) with AWS Backup, see Access control.

If you get an AccessDenied error when attempting to access an AWS Backup resource, such as a backup vault, either the resource does not exist or you do not have permissions to access the resource.

If you run into issues with backing up and restoring a particular resource type, it can be helpful to review the backup and restore troubleshooting topic for that resource. For more information, see the links under How AWS Backup works with supported AWS services.

If AWS Backup fails to create or delete a resource, you can learn more about the issue by using AWS CloudTrail to view error messages or logs. For more information about using CloudTrail with AWS Backup, see Logging AWS Backup API calls with CloudTrail.

Troubleshoot creating resources

The following information can help you troubleshoot problems with creating backups.

  • In general, AWS database services cannot start backups 1 hour before or during their maintenance window or automatic backup window. Amazon FSx cannot start backups 4 hours before or during the maintenance window or automatic backup window (Amazon Aurora is exempt from this maintenance window restriction). Snapshot backups scheduled during those times will fail. One exception: when you opt in to using AWS Backup for both snapshot and continuous backups for a supported service, you no longer need to worry about those windows because AWS Backup will schedule them for you. See Point-in-Time Recovery for a list of supported services and instructions on how to use AWS Backup to take continuous backups.

  • Creating backups for DynamoDB tables will fail while tables are being created. Creating a DynamoDB table typically takes a couple of minutes.

  • Backing up Amazon EFS file systems can take up to 7 days when the file systems are very large. Only one concurrent backup at a time can be queued for an Amazon EFS file system. If a subsequent backup is queued while a previous one is still in progress, the backup window can expire and no backup is created.

  • Amazon EBS has a soft quota of 100,000 backups per AWS Region per account, and additional backups fail when this quota is reached. If you reach this quota, you can delete excess backups or request a quota increase. For more information about requesting a quota increase, see AWS Service Quotas.

  • When creating Amazon Relational Database Service (RDS) backups, consider the following:

    • If you do not use AWS Backup to manage both Amazon RDS snapshots and continuous backups with point-in-time recovery, your backups will fail if they are scheduled or made on-demand during the daily, user-configurable 30-minute backup window. For more information about automated Amazon RDS backups, see Working With Backups in the Amazon RDS User Guide. You can avoid this limitation by using AWS Backup to manage both Amazon RDS snapshots and continuous backups with point-in-time recovery.

    • If you initiate a backup job from the Amazon RDS console, this can conflict with an Aurora cluster backup job, causing the error "Backup job expired before completion." If this occurs, configure a longer backup window in AWS Backup.

    • AWS Backup does not currently pass on the TDE option group when a copy job is created. If you intend to use this option group for copy job creation, you must use the Amazon RDS console or Amazon RDS API instead of AWS Backup tools. See Copying an option group in the Amazon Relational Database Service User Guide for more information.

    • ERROR: On-demand backups complete but scheduled backups fail with error "The source snapshot KMS key does not exist, is not enabled or you do not have permissions to access it." The on-demand job is completed because it uses the API call CopyDBSnapshot, which doesn't require KMS access.

      REMEDY: Add the IAM role to your KMS key. This can be done by allowing the role on your KMS key policy.

      To edit your policy,

      1. Open the KMS console.

      2. Select customer managed keys in the left navigation.

      3. Click the customer managed key you wish to edit.

      4. Under Key policy, click Switch to policy view.

      5. Click Edit.

      6. Add the role.
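For step 6, the following added example (not part of the AWS documentation) shows one way to merge a backup role into an existing key policy document without duplicating statements. The role ARN, account ID, statement Sids and the action list are assumptions; the actions are modeled on the key-user statements the KMS console generates.

```python
import copy

# Assumption: these mirror the "key users" statements the KMS console
# generates; trim them to what your backup and copy jobs actually need.
USE_ACTIONS = ["kms:Decrypt", "kms:DescribeKey", "kms:Encrypt",
               "kms:GenerateDataKey*", "kms:ReEncrypt*"]
GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]
GRANT_CONDITION = {"Bool": {"kms:GrantIsForAWSResource": "true"}}


def _principals(stmt):
    """Return a statement's AWS principals as a list (string or list form)."""
    aws = stmt.get("Principal", {})
    aws = aws.get("AWS", []) if isinstance(aws, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)


def add_backup_role(policy, role_arn):
    """Return a copy of a key policy that allows role_arn; safe to re-run."""
    policy = copy.deepcopy(policy)
    wanted = {
        "AllowBackupRoleUseOfKey": (USE_ACTIONS, None),
        "AllowBackupRoleGrants": (GRANT_ACTIONS, GRANT_CONDITION),
    }
    by_sid = {s.get("Sid"): s for s in policy["Statement"]}
    for sid, (actions, condition) in wanted.items():
        stmt = by_sid.get(sid)
        if stmt is None:
            # In a key policy, Resource "*" refers to the key it is attached to.
            stmt = {"Sid": sid, "Effect": "Allow", "Principal": {"AWS": []},
                    "Action": list(actions), "Resource": "*"}
            if condition:
                stmt["Condition"] = dict(condition)
            policy["Statement"].append(stmt)
        stmt["Principal"] = {"AWS": sorted(set(_principals(stmt)) | {role_arn})}
    return policy


# Constructed sample: placeholder account ID and hypothetical role name.
ROLE = "arn:aws:iam::111122223333:role/ExampleBackupRole"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "EnableRootAccess", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "kms:*", "Resource": "*"}],
}
```

The returned document is what you would paste into the policy view in step 6. Review the action list against least privilege before saving.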

Troubleshooting deleting resources

Recovery points that are created by AWS Backup cannot be deleted in the console window of the protected resource. You can delete them on the AWS Backup console by selecting them in the vault where they are stored and then choosing Delete.

To delete a recovery point or a backup vault, you need the appropriate permissions. For more information about access control using IAM with AWS Backup, see Access control.

Troubleshooting restoring resources

Restoring using API

To restore a backup programmatically, use the StartRestoreJob API operation.

To get the configuration metadata that your backup was created with, you can call GetRecoveryPointRestoreMetadata.

See Restoring a backup for more information.

Restoring using the Console

Troubleshooting formatting errors

When a wildcard (*) is included for the value in a parameter, the wildcard is processed to include values other than white spaces. Values in a key-value pair that contain white spaces will not be included as part of the wildcard.