Troubleshooting general issues Troubleshoot creating resources Troubleshooting deleting resources Troubleshooting restoring resources Troubleshooting formatting errors Common troubleshooting questions Additional important links

Troubleshooting Amazon Backup

When you use Amazon Backup, you might encounter issues. The following sections can help you troubleshoot some common issues that might occur.

For general questions about Amazon Backup, see the Amazon Backup FAQ. You can also search for answers and post questions in Amazon Web Services re:Post.

Troubleshooting general issues

When you back up and restore resources, you must have permission to use Amazon Backup and permission to access the resources that you want to protect. The easiest way to have the proper permissions is to choose the Default role when you assign resources to a backup plan. For more information about access control using Amazon Identity and Access Management (IAM) with Amazon Backup, see Access control.

If you get an AccessDenied error when attempting to access a Amazon Backup resource, such as a backup vault, either the resource does not exist or you do not have permissions to access the resource.

If you run into issues with backing up and restoring a particular resource type, it can be helpful to review the backup and restore troubleshooting topic for that resource. For more information, see the links under How Amazon Backup works with supported Amazon services.

If Amazon Backup fails to create or delete a resource, you can learn more about the issue by using Amazon CloudTrail to view error messages or logs. For more information about using CloudTrail with Amazon Backup, see Logging Amazon Backup API calls with CloudTrail.

Troubleshoot creating resources

The following information can help you troubleshoot problems with creating backups.

In general, Amazon database services cannot start backups 1 hour before or during their maintenance window or automatic backup window. Amazon FSx cannot start backups 4 hours before or during the maintenance window or automatic backup window (Amazon Aurora is exempt from this maintenance window restriction). Snapshot backups scheduled during those times will fail. One exception: when you opt in to using Amazon Backup for both snapshot and continuous backups for a supported service, you no longer need to worry about those windows because Amazon Backup will schedule them for you. See Point-in-Time Recovery for a list of supported services and instructions on how to use Amazon Backup to take continuous backups.
Creating backups for DynamoDB tables will fail while tables are being created. Creating a DynamoDB table typically takes a couple of minutes.
Backing up Amazon EFS file systems can take up to 7 days when the file systems are very large. Only one concurrent backup at a time can be queued for an Amazon EFS file system. If a subsequent backup is queued while a previous one is still in progress, the backup window can expire and no backup is created.
Amazon EBS has a soft quota of 100,000 backups per Amazon Web Services Region per account, and additional backups fail when this quota is reached. If you reach this quota, you can delete excess backups or request a quota increase. For more information about requesting a quota increase, see Amazon Service Quotas.
When creating Amazon Relational Database Service (RDS) backups, consider the following:
- If you do not use Amazon Backup to manage both Amazon RDS snapshots and continuous backups with point-in-time recovery, your backups will fail if initiated if scheduled or made on-demand during the daily, user-configurable 30-minute backup window. For more information about automated Amazon RDS backups, see Working With Backups in the Amazon RDS User Guide. You can avoid this limitation by using Amazon Backup to manage both Amazon RDS snapshots and continuous backups with point-in-time recovery.
- If you initiate a backup job from the Amazon RDS console, this can conflict with an Aurora clusters backup job, causing the error Backup job expired before completion. If this occurs, configure a longer backup window in Amazon Backup.
- Amazon Backup does not currently pass on the TDE option group when a copy job is created. If you intend to use this option group for copy job creation, you must use the Amazon RDS console or Amazon RDS API instead of Amazon Backup tools. See Copying an option group in the Amazon Relational Database Service User Guide for more information.
- ERROR: On-demand backups complete but scheduled backups fail with error "The source snapshot KMS key does not exist, is not enabled or you do not have permissions to access it." The on-demand job is completed because it uses the API call CopyDBSnapshot, which doesn't require KMS access.
  
  REMEDY: Add your IAM role to your KMS key.
For resources that support full Amazon Backup management with recovery points in the format arn:aws:backup:region:account-id:recovery-point:* and all continuous backups, ensure your IAM role has permission to perform backup:TagResource if your source resources contain tags or you want to add additional tags to your recovery points. Apply the backup:TagResource permission to "Resource": "arn:aws:backup:*:*:recovery-point:*".

Troubleshooting deleting resources

Recovery points that are created by Amazon Backup cannot be deleted in the console window of the protected resource. You can delete them on the Amazon Backup console by selecting them in the vault where they are stored and then choosing Delete.

To delete a recovery point or a backup vault, you need the appropriate permissions. For more information about access control using IAM with Amazon Backup, see Access control.

Troubleshooting restoring resources

Restoring using API

To restore a backup programmatically, use the StartRestoreJob API operation.

To get the configuration metadata that your backup was created with, you can call GetRecoveryPointRestoreMetadata.

See Restoring a backup for more information.

Restoring using the Console

Troubleshooting formatting errors

When a wildcard (*) is included for the value in a parameter, the wildcard is processed to include values other than whitespaces. Values in a key-value pair that contain white spaces will not included as part of the wildcard.

Common troubleshooting questions

The following resources can help you troubleshoot common issues with Amazon Backup.

Additional important links

The following resources provide additional guidance for working with Amazon Backup.

Troubleshoot a logically air-gapped vault issue
Delegated administrator accounts — Delegated administrator accounts are member accounts with enhanced features but cannot override service opt-in settings of other member accounts like a management account can.
Managing multiple accounts — For backup plans that are managed by Organizations, the resource opt-in settings in the management account override the settings in a member account, even if one or more delegated administrator accounts are configured.
Backup plan options and configuration — If you have a backup plan with multiple rules and the time frames of the two rules overlap, Amazon Backup optimizes the backup and takes a backup for the rule with the longer retention time.
Metering and billing — To avoid additional charges, we recommend that you configure your backup plan retention policy with a warm storage duration of at least one week.
Amazon Backup pricing
Amazon Backup SLA
Amazon Backup quotas
Continuous and point-in-time recovery considerations — A resource can only have one continuous backup.
Prerequisites for Amazon S3 backups and considerations for Amazon S3 backups
Best practices and cost considerations for Amazon S3 backups
Feature availability, supported resources, and Amazon Regions

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Notification options with Amazon Backup

Amazon Backup API