Why are my scheduled backup plans in AWS Backup not running?
I want to troubleshoot why my backup plan isn’t running during my scheduled time in AWS Backup.
Short description
To troubleshoot a scheduled backup plan that doesn't automatically initiate, check the following configurations:
- You turned on the resource type for backup protection.
- You configured your backup rule's backup window for the appropriate amount of time.
- The AWS Identity and Access Management (IAM) role that you use to assign resources to the backup plan has sufficient permissions for resource assignments.
- The tags on the resources match the tag keys and values that are configured in the resource assignments.
- For cross-account management: You correctly configured the backup policy for the cross-account management backup.
Resolution
Turn on the resource type for backup protection
Be sure to turn on the resource type for backup protection. The service opt-in feature lets you choose the resource types that are protected by your backup plans.
To turn on a resource type for backup protection, complete the following steps:
- Open the AWS Backup console.
- In the navigation pane, expand My account.
- Choose Settings.
- In the Service opt-in section, choose Configure resources.
- Turn on the resources that you want to protect.
Note: Services, such as Amazon Aurora and Amazon FSx, aren't activated by default. - Choose Confirm.
Note: Service opt-in settings are AWS Region specific. Be sure to opt in to all AWS Regions where you configured backups. For more information, see Service opt-in.
Configure the backup window
When you configure a backup rule, you can customize your backup window. Backup windows consist of the backup job start time and the period of time in hours that the backup job starts within. By default, Backup window start time is set to UTC 05:00 AM and Start within is set to 8 hours. Backup jobs can start at any time within this window. Backup windows might not start at exactly UTC 05:00 AM.
To customize the backup window, modify the default values for the Backup window start time and Start within fields:
- Open the AWS Backup console.
- In the navigation pane, choose Backup plans.
- Choose the backup plan that you want to update.
- Select the Backup rule that you want to update, and then choose Edit.
- In the Backup rule configuration section, choose Customize backup window.
- For Backup window start time, choose your preferred start time.
- For Start within, choose your preferred duration.
- Choose Save.
Configure the IAM role for resource assignments
When you assign resources to a backup plan, you must choose an IAM role. If you're assigning resources through a deployment service, such as AWS CloudFormation, then check the following configurations:
- The IAM role that's associated with the AWS::Backup::BackupSelection resource exists in the AWS account where the CloudFormation template is deployed. For more information, see AWS Backup and AWS CloudFormation.
- The IAM role has sufficient permissions to initiate the backup job on resources that are assigned to the backup plan. For more information, see Assign resources to a backup plan.
Confirm that the resource tags match the tag keys
Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent version of the AWS CLI.
Make sure that the resource tags match the tag keys and values that are configured in the resource assignments:
- Case sensitive: Tag keys and values are case sensitive. A tag value of true isn't equal to TRUE or True. For example, you have a resource with the key-value pair of backup:true. This resource is backed up only if the key-value pair in the tag-based policy exactly matches the resource's key-value pair.
- No white space: When you create tags for some AWS resources, the trailing white space might be accepted as allowed characters in tag names and values. For example, the tag name AWSBackup with a trailing space ("AWSBackup ") isn't the same as AWSBackup. On the AWS Backup console, you might not see the trailing space on tags. To check for trailing spaces, run the get-backup-selection AWS CLI command:
aws backup get-backup-selection --backup-plan-id abcd-efgh-ijkl-mnop --selection-id 11111111-2222-3333-4444-55555example
Note: Replace abcd-efgh-ijkl-mnop and 11111111-2222-3333-4444-55555example with your backup plan ID and selection ID.
The output is similar to the following one:
{ ...... "ListOfTags": [ { "ConditionType": "STRINGEQUALS", "ConditionKey": "examplekey ", "ConditionValue": "examplevalue " } ] }, ...... }
In the preceding output, you can see the trailing spaces after examplekey and examplevalue.
Configure a backup policy for cross-account backup
As part of a scheduled backup plan, you can back up multiple accounts on demand. To configure the backup policy for a cross-account management, first complete all the preceding steps. Then, check the following configurations:
- The backup vault that's configured in the backup policy exists in the accounts where the backup policy is attached.
- The backup policy is attached in the correct account.
- The backup vault name that's configured in the backup policy matches the name of an existing backup vault in the target account.
Note: Backup vault names are case sensitive. - For backup plans that you configure with AWS Organizations, the resource opt-in settings in the management account override the settings in the other accounts. In your Organization's management account, be sure that you opt in for each resource type that's in the backup plans.
For more information, see Managing AWS Backup resources across multiple AWS accounts.
Related information
Relevant content
- Accepted Answerasked 3 months ago
- asked 2 years ago
- AWS OFFICIALUpdated 8 months ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 9 months ago
- AWS OFFICIALUpdated 10 months ago
