How can I disable automatic backups in Amazon EFS and remove the stored backup data?

Last updated: 2020-10-08

I want to disable the automatic backup feature on my Amazon Elastic File System (Amazon EFS) and remove previously backed-up data. How can I do this?

Short description

By default, Amazon EFS creates backups of your data automatically. The backed-up data is stored as a recovery point available through AWS Backup. If you try to remove the recovery point, you receive the following error message:

"Access Denied: Insufficient privileges to perform this action. Please consult with the account administrator for necessary permissions."

Warning: It's a best practice to keep Auto-Backup enabled. In the case of accidental data deletion, Auto-Backup allows restoration of your file system content to the date of the last recovery point created.

Note: To perform the steps in the Resolution, you must have AWS Identity and Access Management (IAM) permissions to edit your EFS policies. To revise IAM policy settings, you must have Admin rights. For example, you can perform these actions using your AWS account root user, or by using an admin role. For more information, see Allow all IAM actions (admin access).

Resolution

Disable the automatic backup feature

For information on how to turn off automatic backups, see the Turning automatic backups on or off for existing file systems section in Automatic backups.

Delete the recovery point

1.    Open the AWS Backup Management console.

2.    Select aws/efs/automatic-backup-vault. The Backups section contains completed backups for your file system listed as Recovery Points.

3.    By default, the Access policy is set to deny deletions, as shown in the following example policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "backup:DeleteBackupVault",
                "backup:DeleteBackupVaultAccessPolicy",
                "backup:DeleteRecoveryPoint", 
                "backup:StartCopyJob",
                "backup:StartRestoreJob",
                "backup:UpdateRecoveryPointLifecycle" 
            ],
            "Resource": "*"
        } 
    ]
}

In the Access Policy section, change "Effect": "Deny" to "Effect": "Allow":

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "backup:DeleteBackupVault",
                "backup:DeleteBackupVaultAccessPolicy", 
                "backup:DeleteRecoveryPoint", 
                "backup:StartCopyJob",
                "backup:StartRestoreJob",
                "backup:UpdateRecoveryPointLifecycle" 
            ],
            "Resource": "*"
        } 
    ]
}

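Note: Changing Effect to "Allow" means that the user can perform any of the listed actions, including the delete actions. The example statement applies to every principal ("AWS": "*") and every resource ("Resource": "*"). To allow more specific delete permissions, you can adjust the policy as needed.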

4.    Choose Attach Policy.

5.    Select the Recovery Point that you want to delete, and then choose Delete.

Note: You can't delete the default backup plan or the backup vault automatic-backup-vault.
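The effect of the step 3 edit can be checked offline before attaching the policy. This is an added example, not part of the original article: flip_to_allow reproduces the article's Deny-to-Allow change, and drop_from_deny is a hypothetical narrower variant that assumes the caller's own IAM permissions already allow backup:DeleteRecoveryPoint. All function names are illustrative.

```python
import copy
import json

# The vault's default access policy, copied from step 3 of the article.
DEFAULT_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{
  "Effect": "Deny", "Principal": {"AWS": "*"},
  "Action": ["backup:DeleteBackupVault", "backup:DeleteBackupVaultAccessPolicy",
             "backup:DeleteRecoveryPoint", "backup:StartCopyJob",
             "backup:StartRestoreJob", "backup:UpdateRecoveryPointLifecycle"],
  "Resource": "*"}]}
""")

def _as_list(value):
    """Policy JSON allows a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _is_wildcard_principal(principal):
    """True for "Principal": "*" and for {"AWS": "*"} or {"AWS": ["*"]}."""
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return "*" in _as_list(aws)

def wildcard_allowed_actions(policy):
    """Actions that an Allow statement grants to every principal."""
    found = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and _is_wildcard_principal(stmt.get("Principal")):
            found.update(_as_list(stmt.get("Action", [])))
    return sorted(found)

def flip_to_allow(policy):
    """The edit the article describes: every Deny statement becomes Allow."""
    edited = copy.deepcopy(policy)
    for stmt in _as_list(edited["Statement"]):
        if stmt.get("Effect") == "Deny":
            stmt["Effect"] = "Allow"
    return edited

def drop_from_deny(policy, action):
    """Narrower edit (assumption): stop denying one action, keep denying the rest."""
    edited = copy.deepcopy(policy)
    for stmt in _as_list(edited["Statement"]):
        if stmt.get("Effect") == "Deny":
            stmt["Action"] = [a for a in _as_list(stmt.get("Action", [])) if a != action]
    return edited

if __name__ == "__main__":
    print("flipped :", wildcard_allowed_actions(flip_to_allow(DEFAULT_POLICY)))
    print("narrowed:", wildcard_allowed_actions(drop_from_deny(DEFAULT_POLICY, "backup:DeleteRecoveryPoint")))
```

Running wildcard_allowed_actions on the policy attached to the vault after the recovery point is deleted shows whether the permissive statement is still in place.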

