Troubleshooting Amazon Backup - Amazon Backup
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Troubleshooting Amazon Backup

When you use Amazon Backup, you might encounter issues. The following sections can help you troubleshoot some common issues that might occur.

For general questions about Amazon Backup, see the Amazon Backup FAQ. You can also search for answers and post questions in the Amazon Backup forum.

Troubleshooting general issues

When you back up and restore resources, you not only need permission to use Amazon Backup, you must also have permission to access the resources that you want to protect. The easiest way to have the proper permissions is to choose the Default role when you assign resources to a backup plan. For more information about access control using Amazon Identity and Access Management (IAM) with Amazon Backup, see Access control.

If you run into issues with backing up and restoring a particular resource type, it can be helpful to review the backup and restore troubleshooting topic for that resource. For more information, see the links under How Amazon Backup works with supported Amazon services.

If Amazon Backup fails to create or delete a resource, you can learn more about the issue by using Amazon CloudTrail to view error messages or logs. For more information about using CloudTrail with Amazon Backup, see Logging Amazon Backup API calls with CloudTrail.

Troubleshoot creating resources

The following information can help you troubleshoot problems with creating backups.

  • In general, Amazon database services cannot start backups 1 hour before or during their maintenance window or automatic backup window. Amazon FSx cannot start backups 4 hours before or during the maintenance window or automatic backup window (Amazon Aurora is exempt from this maintenance window restriction). Snapshot backups scheduled during those times will fail. One exception: when you opt in to using Amazon Backup for both snapshot and continuous backups for a supported service, you no longer need to worry about those windows because Amazon Backup will schedule them for you. See Point-in-Time Recovery for a list of supported services and instructions on how to use Amazon Backup to take continuous backups.

  • Creating backups for DynamoDB tables will fail while tables are being created. Creating a DynamoDB table typically takes a couple of minutes.

  • Backing up Amazon EFS file systems can take up to 7 days when the file systems are very large. Only one concurrent backup at a time can be queued for an Amazon EFS file system. If a subsequent backup is queued while a previous one is still in progress, the backup window can expire and no backup is created.

  • Amazon EBS has a soft quota of 100,000 backups per Amazon Web Services Region per account, and additional backups fail when this quota is reached. If you reach this quota, you can delete excess backups or request a quota increase. For more information about requesting a quota increase, see Amazon Service Quotas.

  • When creating Amazon Relational Database Service (RDS) backups, consider the following:

    • If you do not use Amazon Backup to manage both Amazon RDS snapshots and continuous backups with point-in-time recovery, your backups will fail if initiated if scheduled or made on-demand during the daily, user-configurable 30-minute backup window. For more information about automated Amazon RDS backups, see Working With Backups in the Amazon RDS User Guide. You can avoid this limitation by using Amazon Backup to manage both Amazon RDS snapshots and continuous backups with point-in-time recovery.

    • If you initiate a backup job from the Amazon RDS console, this can conflict with an Aurora clusters backup job, causing the error Backup job expired before completion. If this occurs, configure a longer backup window in Amazon Backup.

    • Amazon Backup does not currently pass on the TDE option group when a copy job is created. If you intend to use this option group for copy job creation, you must use the Amazon RDS console or Amazon RDS API instead of Amazon Backup tools. See Copying an option group in the Amazon Relational Database Service User Guide for more information.

    • ERROR: On-demand backups complete but scheduled backups fail with error "The source snapshot KMS key does not exist, is not enabled or you do not have permissions to access it." The on-demand job is completed because it uses the API call CopyDBSnapshot, which doesn't require KMS access.

      REMEDY: Add the IAM role to your KMS key. This can be done by allowing the role on your KMS key policy.

      To edit your policy,

      1. Open the KMS console.

      2. Select customer managed keys in the left navigation.

      3. Click the customer managed key you wish to edit.

      4. Under Key policy, click Switch to policy view.

      5. Click Edit.

      6. Add the role.

Troubleshooting deleting resources

Recovery points that are created by Amazon Backup cannot be deleted in the console window of the protected resource. You can delete them on the Amazon Backup console by selecting them in the vault where they are stored and then choosing Delete.

To delete a recovery point or a backup vault, you need the appropriate permissions. For more information about access control using IAM with Amazon Backup, see Access control.

Troubleshooting restoring resources

Restoring using API

To restore a backup programmatically, use the StartRestoreJob API operation.

To get the configuration metadata that your backup was created with, you can call GetRecoveryPointRestoreMetadata.

See Restoring a backup for more information.

Restoring using the Console