Why are my scheduled backup plans in AWS Backup not running?

Last updated: 2021-03-12

I have configured backup plans and rules in AWS Backup, but my backup doesn't run as scheduled. How do I troubleshoot this issue?

Short description

To troubleshoot a scheduled backup plan that doesn't get initiated automatically, check if:

  • the resource is opted-in for backup
  • the backup window for the backup rule is configured according to your needs
  • the AWS Identity and Access Management (IAM) role used to assign resources to the backup plan has sufficient permissions for resource assignments
  • the tags on the resources match the tag keys and values configured in the resource assignments
  • the backup policy is configured correctly for the cross-account management backup (if you are using cross-account management)

Resolution

Resource type enabled for backup

Be sure that the resource type is enabled for protection by the backup plans in your account. The service opt-in feature allows you to choose which resource types are protected by your backup plans.

To enable a resource type for backup protection, do the following:

  1. Open the AWS Backup console.
  2. In the navigation pane, expand My account.
  3. Choose Settings.
  4. In the Service opt-in section, choose Configure resources.
  5. Turn on the services that you want to enable.
    Note: Services, such as Amazon Aurora and Amazon FSx, are not enabled by default.
  6. Choose Confirm.

Note: Service opt-in settings are Region-specific. Be sure to check this setting in all AWS Regions where you've configured backups.

For more information, see Configuring services to work with AWS Backup.

Configuration of the backup window

When you configure a backup rule, you can customize your backup window. A backup window consists of the time that the window begins (Backup window start time) and the duration of the window in hours (Start within). By default, the Backup window start time and Start within fields are set to 05:00 AM UTC and 8 hours, respectively. Backup jobs are started within this window and might be initiated at any time during it, so depending on when you check the status of these jobs, a job might not have been initiated yet.

You can customize the backup window by modifying the default values for Backup window start time and Start within fields to your preferred values. To modify the Backup window start time and Start within fields, do the following:

  1. Open the AWS Backup console.
  2. In the navigation pane, choose Backup plans.
  3. Choose the backup plan that you want to update.
  4. Select the Backup rule that you want to update, and then choose Edit.
  5. In the Backup rule configuration section, select Customize backup window.
  6. For Backup window start time, select the start time of your preference.
  7. For Start within, select the duration of your preference.
  8. Choose Save.

Configuration of the IAM role for resource assignments

When you assign resources to a backup plan, you must choose an IAM role. If you are assigning resources through a deployment service, such as AWS CloudFormation, be sure of the following:

  • The IAM role that's associated with the AWS::Backup::BackupSelection resource exists in the AWS account where the CloudFormation template is deployed. For more information, see Using AWS CloudFormation Templates with AWS Backup.
  • The IAM role has sufficient permissions to initiate the backup job on resources that are assigned to the backup plan.

For more information, see Assign resources to a backup plan.

Tags on assigned resources

You can assign resources to backup plans using tags. During these assignments, be sure that the tags on the resources match the tag keys and values configured in the resource assignments in terms of the following:

  • Case-sensitivity: The tag keys and values are both case sensitive. Therefore, a tag value of true is not equal to TRUE or True. For example, if the resource to be backed up is tagged with the key-value pair of backup:true, it's backed up only if the tag-based policy is configured with a key-value pair that completely matches the letters and the case.
  • No white space: When you create tags for some AWS resources, trailing white space might be accepted as allowed characters in tag names and values. For example, the tag name AWSBackup with a trailing space ("AWSBackup ") is not the same as AWSBackup. A trailing space on a tag might not be easy to see in the console. To check for it, run a command similar to the following using the AWS Command Line Interface (AWS CLI):
aws backup get-backup-selection --backup-plan-id abcd-efgh-ijkl-mnop --selection-id 11111111-2222-3333-4444-55555example

          Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

          Replace abcd-efgh-ijkl-mnop and 11111111-2222-3333-4444-55555example with the backup-plan-id and selection-id of your backup plan.

          The output of the AWS CLI command is similar to the following:

{
......
        "ListOfTags": [
            {
                "ConditionType": "STRINGEQUALS",
                "ConditionKey": "examplekey ",
                "ConditionValue": "examplevalue "
            }
        ]
    },
......
}

          You can view the trailing spaces after both the tag name and the tag value in the output. For more information, see get-backup-selection.
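
The following added example (not part of the original article or any AWS tooling) applies both tag checks above to a saved get-backup-selection response: it flags white space in the selection's conditions and resource tags that differ from a condition only by case or white space. The sample JSON, the resource tags, and the function name audit_selection are constructed for illustration.

```python
import json

# Constructed sample shaped like `aws backup get-backup-selection` output.
SELECTION_JSON = """
{
  "BackupSelection": {
    "SelectionName": "example-selection",
    "ListOfTags": [
      {"ConditionType": "STRINGEQUALS",
       "ConditionKey": "examplekey ",
       "ConditionValue": "examplevalue "},
      {"ConditionType": "STRINGEQUALS",
       "ConditionKey": "backup",
       "ConditionValue": "true"}
    ]
  }
}
"""

# Constructed tags of the resource that is expected to be backed up.
RESOURCE_TAGS = {"examplekey": "examplevalue", "Backup": "TRUE"}


def audit_selection(selection, resource_tags):
    """Return (matched, findings) for one resource against a tag-based selection."""
    findings, matched = [], False
    for cond in selection["BackupSelection"].get("ListOfTags", []):
        key, value = cond["ConditionKey"], cond["ConditionValue"]
        for label, text in (("key", key), ("value", value)):
            if text != text.strip():
                findings.append(f"condition {label} {text!r} has leading/trailing white space")
        if resource_tags.get(key) == value:
            matched = True  # exact, case-sensitive match: resource is selected
            continue
        # Look for a resource tag that differs only by case or white space.
        for rkey, rvalue in resource_tags.items():
            if (rkey.strip().lower() == key.strip().lower()
                    and rvalue.strip().lower() == value.strip().lower()):
                findings.append(f"near miss: resource tag {rkey!r}={rvalue!r} "
                                f"vs condition {key!r}={value!r}")
    return matched, findings


if __name__ == "__main__":
    matched, findings = audit_selection(json.loads(SELECTION_JSON), RESOURCE_TAGS)
    print("selected by backup plan:", matched)
    for line in findings:
        print(" -", line)
```

Printing the values with repr (the !r format) puts quotes around them, which makes a trailing space visible in the report.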

Backup policy for cross-account backup

As part of a scheduled backup plan, you can back up to multiple AWS accounts on demand. If you are configuring the backup policy for cross-account management, first check all the previous troubleshooting steps. Then, be sure of the following:

  • The backup vault configured in the backup policy exists in the member accounts where the backup policy is attached.
  • The backup policy is attached in the correct member account.
  • The backup vault name configured in the backup policy matches the name of an existing backup vault in the target account. Note: Backup vault names are case-sensitive.

For more information, see Managing AWS Backup resources across multiple AWS accounts.

Amazon Relational Database Service (Amazon RDS) backup failure

When your Amazon RDS instance misses a backup cycle, you get one of the following error messages:

  • Can't start a backup now. RDS DB instance is closer to enter RDS automated maintenance window.
  • Backup job could not start because it is either inside or too close to the automated backup window configured in RDS instance.

This can happen when the RDS maintenance window or the RDS automated backup window is approaching. In AWS Backup, RDS backups are not allowed a few hours before the RDS maintenance window or the RDS automated backup window. Be sure that your backup plans for RDS databases are scheduled at least 4 hours apart from the RDS maintenance window and the RDS automated backup window.
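
The following added example (not part of the original article) checks a backup rule's window against an instance's RDS windows using the 4-hour guidance above. It assumes a daily backup rule, so the weekly maintenance window is compared by time of day, and it measures the gap from the whole AWS Backup start window (start time plus Start within), which is a conservative reading of "4 hours apart". The function names and sample window values are constructed.

```python
# Times are UTC. Windows are modelled on a 24-hour clock (minutes 0..1439),
# which assumes the backup rule runs daily.
DAY = 24 * 60
MIN_GAP = 4 * 60  # "at least 4 hours apart", from the guidance above


def hhmm(text):
    """'05:00' -> minutes after midnight."""
    hours, minutes = text.split(":")
    return int(hours) * 60 + int(minutes)


def rds_window(text):
    """Parse 'hh24:mi-hh24:mi' or 'ddd:hh24:mi-ddd:hh24:mi' into (start, length)."""
    start, end = (hhmm(part[-5:]) for part in text.split("-"))
    return start, (end - start) % DAY


def gap_minutes(a, b):
    """Shortest distance between two (start, length) windows on the daily clock."""
    (a_start, a_len), (b_start, b_len) = a, b
    if (b_start - a_start) % DAY <= a_len or (a_start - b_start) % DAY <= b_len:
        return 0  # windows overlap or touch
    return min((b_start - a_start - a_len) % DAY, (a_start - b_start - b_len) % DAY)


def check_rds_schedule(backup_start, start_within_hours, rds_windows):
    """Return {name: gap} for RDS windows closer than MIN_GAP to the backup window."""
    backup = (hhmm(backup_start), start_within_hours * 60)
    gaps = {name: gap_minutes(backup, rds_window(text)) for name, text in rds_windows.items()}
    return {name: gap for name, gap in gaps.items() if gap < MIN_GAP}


# Constructed sample values for one DB instance.
RDS_WINDOWS = {
    "PreferredBackupWindow": "09:30-10:00",
    "PreferredMaintenanceWindow": "sun:23:00-sun:23:30",
}

if __name__ == "__main__":
    # AWS Backup defaults from this article: start 05:00 UTC, Start within 8 hours.
    print(check_rds_schedule("05:00", 8, RDS_WINDOWS))
    # A shorter window that keeps clear of both RDS windows.
    print(check_rds_schedule("14:00", 1, RDS_WINDOWS))
```

An empty result means every RDS window is at least 4 hours away from the backup window; any entry returned gives the gap in minutes for the window that is too close.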

