AWS Storage Blog

Configuring notifications to monitor AWS Backup jobs

Your data and applications are some of the most valuable assets in your company. The ability to protect your data and IT infrastructure against cyber-attacks, accidental deletion, natural disasters, and several other threats is essential to secure your business.

An important aspect of protecting your assets is the ability to monitor backup, restore, and copy jobs. Awareness of backup and restore job status is critical to ensure that your protection plan is executed according to service-level agreements (SLAs) and meets your compliance requirements. Failed backups, restores, and copy jobs can negatively affect workflows and SLAs. The ability to get notifications on job status can enhance the efficiency and efficacy of compliance and operational procedures.

In this post, I discuss enabling AWS Backup notifications by using Amazon Simple Notification Service (Amazon SNS) and the AWS Command Line Interface (AWS CLI). Amazon SNS enables you to send messages or notifications directly to users with SMS text messages, mobile push, or email, and the AWS CLI is a unified tool to manage your AWS services. I also demonstrate configuring this solution so that you only receive notifications for failed jobs, which can help surface errors and reduce notifications in a busy environment. This solution enables you to choose the specific AWS Backup events for notifications, the users that will receive those notifications, and the methods by which they will be notified.

Setting up the notifications

Enabling notifications consists of four steps:

  1. Create an SNS topic.
  2. Modify the SNS topic access policy.
  3. Create SNS subscriptions.
  4. Subscribe AWS Backup events to Amazon SNS notifications.

Let’s look at each step in detail. After reviewing these steps, I discuss validating the solution.

1. Create an SNS topic

An Amazon SNS topic is a logical access point that acts as a communication channel. In AWS Backup, a backup vault is a container that you organize your backups in. Use the Amazon SNS console to create a topic to broadcast the messages from the AWS Backup vault. Amazon SNS sends emails or text messages related to the notifications from AWS Backup.

In the Amazon SNS console, click on Create topic:

The Create topic window provides a choice to select FIFO or Standard. For this solution, select Standard as it also supports SMS as a subscription protocol. You can use FIFO (First-In-First-Out) queues to preserve the order in which messages are sent and received, and to prevent a message from being processed more than once. The only protocol supported on FIFO queues is Amazon Simple Queue Service (Amazon SQS).

Next, provide a Name and Display name for the topic (for example, AWS-Backup-Notifications).

Leave all remaining options as default and scroll down to the bottom of the page and choose Create topic.

A window providing the topic details will be displayed. Copy the Amazon Resource Name (ARN) from the topic created. The ARN will be needed in the following steps.

2. Modify the Amazon SNS topic access policy

Modify the Amazon SNS topic access policy to allow the backup service to publish messages to the SNS topic we created.

In the topic details window, select the Access policy tab and select Edit.

Replace the contents with the following JSON policy. Make sure to replace the resource ARN field with the topic ARN from the previous step and save your changes after editing.

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "Service": "backup.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-2:000000000000:AWS-Backup-Notifications"
    }
  ]
}

The Access policy tab shows the contents once you are done:

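A pre-flight check for the policy from this step, as an added example that is not part of the original post: it reports a Resource that does not name your topic (for instance, one still carrying the sample ARN) and any wildcard principal without a Condition. `MY_TOPIC_ARN` is a constructed value and the function names are assumptions made for illustration.

```python
import json

BACKUP_PRINCIPAL = "backup.amazonaws.com"
PUBLISH_ACTIONS = {"sns:publish", "sns:*", "*"}
# The policy from step 2, still carrying the post's sample ARN.
PAGE_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "__default_statement_ID",
        "Effect": "Allow",
        "Principal": {"Service": BACKUP_PRINCIPAL},
        "Action": "SNS:Publish",
        "Resource": "arn:aws:sns:us-east-2:000000000000:AWS-Backup-Notifications",
    }],
})
# Constructed ARN standing in for the topic you actually created.
MY_TOPIC_ARN = "arn:aws:sns:us-east-2:111122223333:AWS-Backup-Notifications"

def _as_list(value):
    """Policy fields may hold a single value or a list of values."""
    return value if isinstance(value, list) else [value]

def lint_topic_policy(policy_json, topic_arn):
    """Return findings for an SNS topic access policy; an empty list means OK."""
    findings, backup_named = [], False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        as_dict = principal if isinstance(principal, dict) else {}
        # "*" or {"AWS": "*"} with no Condition admits any AWS principal.
        if (principal == "*" or "*" in _as_list(as_dict.get("AWS", []))) \
                and not stmt.get("Condition"):
            findings.append(f"{sid}: wildcard principal without a Condition")
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if BACKUP_PRINCIPAL in _as_list(as_dict.get("Service", [])) \
                and actions & PUBLISH_ACTIONS:
            if topic_arn in _as_list(stmt.get("Resource", [])):
                backup_named = True
            else:
                findings.append(f"{sid}: Resource does not name {topic_arn}")
    if not backup_named:
        findings.append(f"no statement lets {BACKUP_PRINCIPAL} publish to {topic_arn}")
    return findings

if __name__ == "__main__":
    for finding in lint_topic_policy(PAGE_POLICY, MY_TOPIC_ARN):
        print("FINDING:", finding)
```

Run it against the JSON you are about to paste into the Access policy editor; an empty result means the statement names the backup service, the publish action, and your topic.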

3. Create Amazon SNS subscriptions

Next, subscribe an endpoint to the topic you just created in order to receive published messages. In this case, the endpoints will be an email address and a phone number for SMS text messages. When you subscribe an endpoint to a topic, the endpoint receives messages published to the associated topic.

Select the Subscriptions tab in the topic details window. Next, select Create subscription.

The Create subscription window will open.

First, create the Email subscription. Make sure to use the same Topic ARN as the ARN that you copied earlier. Select Email as the Protocol type. Type the desired email in the Endpoint section. Leave all other options as default. Select Create subscription when done.

Note that your email subscription will be pending at this point. You will receive an email from “AWS Notifications” requesting subscription confirmation.

After you select the Confirm subscription link, you are taken to a webpage confirming the subscription.

Next, create the SMS subscription for the topic.

Select Subscriptions in the Amazon SNS menu on the left rail and select Create subscription.

In the Create subscription window, make sure that the Topic ARN is the one copied earlier. Select SMS as the Protocol type. Type the desired phone number in the Endpoint section. Leave all other options as default. Select Create subscription once done.

There is no need to confirm the SMS subscription.

When you select Topics in the Amazon SNS console and then your specific topic, the subscriptions you created will appear on the Details page under Subscriptions.

You can publish messages to each topic to test delivery. Navigate to the Publish message to topic window by selecting each subscription and then selecting Publish message.

Fill in the fields in the Publish message to topic window as desired, then select Publish message.

Check your email and phone to confirm that you received the test messages.

4. Subscribe AWS Backup events to Amazon SNS notifications

Now that you have created your topic and subscriptions, subscribe the Amazon SNS topic for your backup vault. That will allow SNS to notify you of AWS Backup events.

The following AWS Backup events are supported:

| Job type | Events |
| --- | --- |
| Backup job | BACKUP_JOB_STARTED, BACKUP_JOB_COMPLETED |
| Copy job | COPY_JOB_STARTED, COPY_JOB_SUCCESSFUL, COPY_JOB_FAILED |
| Restore job | RESTORE_JOB_STARTED, RESTORE_JOB_COMPLETED |
| Recovery point | RECOVERY_POINT_MODIFIED |

Use the AWS CLI to subscribe the Amazon SNS topic for your backup vault. Replace the backup vault name and the topic ARN in the following command with your own values.

aws backup put-backup-vault-notifications \
  --backup-vault-name myVault \
  --sns-topic-arn arn:aws:sns:region:account-id:AWS-Backup-Notifications \
  --backup-vault-events BACKUP_JOB_COMPLETED RESTORE_JOB_COMPLETED

Use the command aws backup get-backup-vault-notifications --backup-vault-name myVault to validate the vault notification created. Replace your backup vault name in this command.

Validation

You have completed all the steps to set up AWS Backup notifications. At this point, run a test job or just wait for the next scheduled job to run.

You will receive an email from “AWS Notifications” and an SMS message similar to the one shown in the following screenshot.

Filtering failed jobs

To receive notifications only for failed jobs, add a subscription filter policy. Filtering is applied per subscription.

Log in to the Amazon SNS console and select the topic you created.

On the Details page for your topic, select the subscription you intend to filter under Subscriptions. The Subscription details window will open.

Select the Subscription filter policy tab. Then, select Edit and paste the following JSON content. Save your changes when done.

{
  "State": [
    {
      "anything-but": "COMPLETED"
    }
  ]
}

Your Subscription filter policy should look like the following screenshot:

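What the filter policy above lets through, as an added example that is not part of the original post: a simplified model of SNS message-attribute filtering that covers only exact-string and `anything-but` rules. The sample attributes are constructed (only the `State` key and the `COMPLETED` value come from the post), and the function names are assumptions made for illustration.

```python
# The subscription filter policy from the post.
FILTER_POLICY = {"State": [{"anything-but": "COMPLETED"}]}

# Constructed message attributes; only the State key is taken from the post.
SAMPLES = {
    "backup completed": {"State": {"Type": "String", "Value": "COMPLETED"}},
    "backup failed": {"State": {"Type": "String", "Value": "FAILED"}},
    "backup aborted": {"State": {"Type": "String", "Value": "ABORTED"}},
    "backup expired": {"State": {"Type": "String", "Value": "EXPIRED"}},
    "console test publish": {},  # manual test message with no attributes set
}

def _rule_matches(rule, value):
    """Evaluate one rule of a policy key against one attribute value."""
    if isinstance(rule, str):
        return value == rule  # exact string match
    if isinstance(rule, dict) and "anything-but" in rule:
        excluded = rule["anything-but"]
        excluded = excluded if isinstance(excluded, list) else [excluded]
        return value not in excluded
    raise ValueError(f"operator not modelled in this example: {rule!r}")

def is_delivered(filter_policy, message_attributes):
    """True if the message passes every key of the filter policy."""
    for name, rules in filter_policy.items():
        attribute = message_attributes.get(name)
        if attribute is None:
            return False  # key absent: the policy cannot match this message
        if not any(_rule_matches(r, attribute["Value"]) for r in rules):
            return False
    return True

def delivered(samples, filter_policy=FILTER_POLICY):
    """Names of the sample messages the subscriber would receive."""
    return [name for name, attrs in samples.items()
            if is_delivered(filter_policy, attrs)]

if __name__ == "__main__":
    print(delivered(SAMPLES))
```

Two things follow from the model: every state other than COMPLETED is delivered, not only FAILED, and a test message published without a `State` attribute no longer reaches a filtered subscription.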

Cleaning up

If you followed along and would like to delete resources used in this solution to avoid incurring any unintended future charges, use the following AWS CLI command. Replace the following ARN with the ARN you used in your setup.

aws sns delete-topic --topic-arn "arn:aws:sns:us-east-2:000000000000:AWS-Backup-Notifications"

Conclusion

In this blog, I discussed how to configure AWS Backup notifications to receive emails and SMS messages containing backup and restore job status. I also outlined a process integrating AWS Backup and Amazon SNS to configure a topic and discussed subscriptions to handle communication from AWS Backup and the endpoints you choose.

Failed backups, restores, and copy jobs are a potential risk to workflows and SLAs. Receiving notifications on job status increases compliance and improves operational procedures. The solution presented allows you to choose specific AWS Backup events for notifications, the users that will receive those notifications, and the methods by which they will be notified.

Thanks for reading this blog post! If you have any questions or suggestions, please leave your feedback in the comments section. If you need any further assistance, contact your AWS account team or a trusted AWS Partner.

Virgil Ennes

Virgil Ennes is a Specialty Sr. Solutions Architect at AWS. Virgil enjoys helping customers take advantage of the agility, cost savings, innovation, and global reach that AWS provides. He is mostly focused on Storage, AI, Blockchain, Analytics, IoT, and Cloud Economics. In his spare time, Virgil enjoys spending time with his family and friends, and also watching his favorite football club (GALO).