How can I get notifications for AWS Backup jobs that fail?

I want to set up email notifications to notify me when my AWS Backup job fails.

Short description

Note: The following resolution uses Amazon Simple Notification Service (Amazon SNS) to deliver vault-based notifications for supported events in AWS Backup. This solution notifies you when AWS Backup jobs in a single vault fail. For AWS Backup event notifications at an AWS account or AWS Region level, see How can I configure Amazon EventBridge notifications for failed AWS Backup Jobs?

To configure Amazon SNS and your backup vault to send notifications, complete the following steps:

  1. Create an SNS topic.
  2. Configure your backup vault to send notifications to the SNS topic.
  3. Create an SNS subscription that filters notifications to backup jobs that are unsuccessful.
  4. Monitor emails for notifications.

To receive notifications for other events, such as restore jobs and recovery points, see Amazon SNS and AWS Backup events.

Resolution

Create an SNS topic to send AWS Backup notifications

Complete the following steps:

  1. Open the Amazon SNS console.
  2. From the navigation pane, choose Topics.
  3. Under Details, for Type, choose Standard.
  4. Choose Create topic.
  5. For Name, enter a name for the topic.
  6. Choose Create topic.
  7. Under Details, copy the value for ARN.
  8. Choose Edit, and then expand Access policy.
  9. In the JSON editor, add the following statement to the policy. Replace the value for Resource with the ARN that you copied:
    {
      "Sid": "My-statement-id",
      "Effect": "Allow",
      "Principal": {
        "Service": "backup.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:eu-west-1:111111111111:exampletopic"
    }
    Note: You can configure your Amazon SNS topic as unencrypted, or use encryption at rest. If you use the default AWS Key Management Service (AWS KMS) key for the encryption, then AWS Backup can't publish messages to the SNS topic. Because Amazon manages the default AWS KMS key, you can't edit its key policy, so you must use a customer managed key instead. The customer managed key must grant decrypt and generateDataKey permissions to backup.amazonaws.com.
  10. Choose Save changes.

Configure your backup vault to send notifications to the SNS topic

Complete the following steps:

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

  1. Use the AWS CLI to run the put-backup-vault-notifications command. Set --backup-vault-events to BACKUP_JOB_COMPLETED:
    aws backup put-backup-vault-notifications --endpoint-url https://backup.eu-west-1.amazonaws.com --backup-vault-name examplevault --sns-topic-arn arn:aws:sns:eu-west-1:111111111111:exampletopic --backup-vault-events BACKUP_JOB_COMPLETED
    Note: In the preceding example, replace the value for --endpoint-url with the endpoint for the Region where the backup vault is located, and the value for --sns-topic-arn with your SNS topic's ARN.
  2. To confirm that notifications are configured, run the get-backup-vault-notifications command:
    aws backup get-backup-vault-notifications --backup-vault-name examplevault
    The command returns an output similar to the following one:
    {
        "BackupVaultName": "examplevault",
        "BackupVaultArn": "arn:aws:backup:eu-west-1:111111111111:backup-vault:examplevault",
        "SNSTopicArn": "arn:aws:sns:eu-west-1:111111111111:exampletopic",
        "BackupVaultEvents": [
            "BACKUP_JOB_COMPLETED"
        ]
    }

Create an SNS subscription that filters notifications to backup jobs that are unsuccessful

Complete the following steps:

  1. Open the Amazon SNS console.

  2. From the navigation pane, choose Subscriptions.

  3. Choose Create subscription.

  4. For Topic ARN, select your SNS topic's ARN.

  5. For Protocol, choose Email-JSON.

  6. For Endpoint, enter the email address where you want to get notifications.

  7. Expand Subscription filter policy.

  8. In the JSON editor, choose Message attributes, and then enter the following information:

    {
      "State": [
        {
          "anything-but": "COMPLETED"
        }
      ]
    }
  9. Choose Create subscription.

The email address that you entered for the endpoint receives a subscription confirmation email.
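
The following Python sketch is an added example, not part of the original article and not AWS code. It models only exact-match and anything-but rules so that you can check locally which job states a filter policy lets through. The message shape in constructed_message is a constructed sample, not a captured AWS Backup notification. Key names in a filter policy are case-sensitive and are looked up only in the part of the message that the policy scope selects, so a mismatch drops every notification without an error.

```python
import json

def _rule_matches(rule, value):
    # Simplified model: exact string match and "anything-but" only.
    if isinstance(rule, dict) and "anything-but" in rule:
        excluded = rule["anything-but"]
        if not isinstance(excluded, list):
            excluded = [excluded]
        return value not in excluded
    return rule == value

def policy_accepts(policy, properties):
    """Every policy key must be present (case-sensitive) and match one rule."""
    for key, rules in policy.items():
        if key not in properties:
            return False  # absent key: no match, even for "anything-but"
        if not any(_rule_matches(rule, properties[key]) for rule in rules):
            return False
    return True

def would_deliver(policy, scope, message):
    """Apply the policy to the part of the message that the scope selects."""
    if scope == "MessageAttributes":
        props = {k: v["Value"] for k, v in message["MessageAttributes"].items()}
    elif scope == "MessageBody":
        try:
            props = json.loads(message["Message"])
        except ValueError:
            return False  # non-JSON body cannot satisfy a body-scoped policy
        if not isinstance(props, dict):
            return False
    else:
        raise ValueError(f"unknown scope: {scope}")
    return policy_accepts(policy, props)

def constructed_message(state):
    # Constructed sample, not captured from AWS: the state is placed both in a
    # "State" attribute and in a JSON body key "state" to exercise both scopes.
    return {
        "Message": json.dumps({"state": state, "backupVaultName": "examplevault"}),
        "MessageAttributes": {"State": {"Type": "String", "Value": state}},
    }

def delivered_states(policy, scope, states=("COMPLETED", "FAILED", "ABORTED", "EXPIRED")):
    """Return the job states that would reach the subscriber."""
    return [s for s in states if would_deliver(policy, scope, constructed_message(s))]

if __name__ == "__main__":
    article_policy = {"State": [{"anything-but": "COMPLETED"}]}
    print(delivered_states(article_policy, "MessageAttributes"))
    print(delivered_states({"state": [{"anything-but": "COMPLETED"}]}, "MessageAttributes"))
```

An empty list from delivered_states means the subscription would never receive a failure email, which is worth checking before you rely on the alert.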

Monitor emails for notifications

When your vault has an unsuccessful backup job, you get an email notification similar to the following one:

"An AWS Backup job was stopped. Resource ARN : arn:aws:ec2:eu-west-1:111111111111:volume/vol-example56d7w92d4b. BackupJob ID : example4-3dd5-5678-b52d-90bd749355a5"

You can create two on-demand backups, and then stop one of the backups to test notifications. You get an email notification only for the stopped backup.

Related information

Troubleshooting AWS Backup

AWS OFFICIAL Updated 4 months ago
5 Comments

This article needs help. It assumes a level of understanding of the tool that shouldn't be expected and is unclear as a result.

For anyone looking for more clear cut documentation, look here: https://cloudsbaba.com/how-can-i-get-notifications-for-aws-backup-jobs-that-completed-and-failed/

More helpful AWS docs also here: https://docs.aws.amazon.com/aws-backup/latest/devguide/sns-notifications.html

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied a year ago

Hello, I followed the documentation, but there are several issues with this:

  1. SNS filter policy must be "Message body", which is not mentioned in the article, and it is not the default selection.
  2. The filter policy is referencing the "State", but when I checked the CloudTrail message that was sent to the topic, the state is all lowercase "state", which cost me a lot of time to figure out.

For others facing a similar issue, this is the message filter that worked for me:

{
  "state": [
    {
      "anything-but": [
        "COMPLETED"
      ]
    }
  ]
}

And this is a sample CloudTrail event with FAILED status for testing:

{
    "completionDate": {
        "seconds": 1700078469,
        "nanos": 519000000
    },
    "state": "FAILED",
    "percentDone": 100,
    "restoreJobId": "XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX",
    "backupVaultName": "daily",
    "backupVaultArn": "arn:aws:backup:eu-central-1:000000000000:backup-vault:daily",
    "recoveryPointArn": "arn:aws:backup:eu-central-1:000000000000:recovery-point:XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX",
    "resourceArn": "arn:aws:dynamodb:eu-central-1:000000000000:table/mytable",
    "creationDate": {
        "seconds": 1700078313,
        "nanos": 329000000
    },
    "backupSizeInBytes": 847,
    "iamRoleArn": "arn:aws:iam::000000000000:role/backup_role",
    "resourceType": "DynamoDB"
}

Reza
replied 4 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 4 months ago

The above doesn't work without a few modifications for the failed backup job.

With the below CLI command, you need to replace BACKUP_JOB_COMPLETED with BACKUP_JOB_FAILED if you are just looking for failed notification events and don't need any filter policy on subscription.

aws backup put-backup-vault-notifications --backup-vault-name examplevault --sns-topic-arn arn:aws:sns:eu-west-1:111111111111:exampletopic --backup-vault-events BACKUP_JOB_COMPLETED
aws backup put-backup-vault-notifications --backup-vault-name examplevault --sns-topic-arn arn:aws:sns:eu-west-1:111111111111:exampletopic --backup-vault-events BACKUP_JOB_FAILED BACKUP_JOB_EXPIRED

You can look for events for backup jobs in this doc. https://docs.aws.amazon.com/aws-backup/latest/devguide/API_GetBackupVaultNotifications.html

replied a month ago