AWS Storage Blog
Configuring notifications to monitor AWS Backup jobs
Your data and applications are some of the most valuable assets in your company. The ability to protect your data and IT infrastructure against cyber-attacks, accidental deletion, natural disasters, and several other threats is essential to secure your business.
An important aspect of protecting your assets is the ability to monitor backup, restore, and copy jobs. Awareness of backup and restore job status is critical to ensure that your protection plan is executed according to service-level agreements (SLAs) and meets your compliance requirements. Failed backups, restores, and copy jobs can negatively affect workflows and SLAs. The ability to get notifications on job status can enhance the efficiency and efficacy of compliance and operational procedures.
In this post, I discuss enabling AWS Backup notifications by using Amazon Simple Notification Service (Amazon SNS) and the AWS Command Line Interface (AWS CLI). Amazon SNS enables you to send messages or notifications directly to users with SMS text messages, mobile push, or email, and the AWS CLI is a unified tool to manage your AWS services. I also demonstrate configuring this solution so that you only receive notifications for failed jobs, which can help surface errors and reduce notifications in a busy environment. This solution enables you to choose the specific AWS Backup events for notifications, the users that will receive those notifications, and the methods by which they will be notified.
Setting up the notifications
Enabling notifications consists of four steps:
- Create an SNS topic.
- Modify the SNS topic access policy.
- Create SNS subscriptions.
- Subscribe AWS Backup events to Amazon SNS notifications.
Let’s look at the details of each step. After reviewing these steps, I discuss validating the solution.
1. Create an SNS topic
An Amazon SNS topic is a logical access point that acts as a communication channel. In AWS Backup, a backup vault is a container that you organize your backups in. Use the Amazon SNS console to create a topic to broadcast the messages from the AWS Backup vault. Amazon SNS sends emails or text messages related to the notifications from AWS Backup.
In the Amazon SNS console, click on Create topic:
The Create topic window provides a choice to select FIFO or Standard. For this solution, select Standard as it also supports SMS as a subscription protocol. You can use FIFO (First-In-First-Out) queues to preserve the order in which messages are sent and received, and to prevent a message from being processed more than once. The only protocol supported on FIFO queues is Amazon Simple Queue Service (Amazon SQS).
Next, provide a Name and Display name for the topic (for example, AWS-Backup-Notifications).
Leave all remaining options as default, scroll down to the bottom of the page, and choose Create topic.
A window providing the topic details will be displayed. Copy the Amazon Resource Name (ARN) from the topic created. The ARN will be needed in the following steps.
2. Modify the Amazon SNS topic access policy
Modify the Amazon SNS topic access policy to allow the backup service to publish messages to the SNS topic we created.
In the topic details window, select the Access policy tab and select Edit.
Replace the contents with the following JSON policy. Make sure to replace the resource ARN field with the topic ARN from the previous step and save your changes after editing.
{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "Service": "backup.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-2:000000000000:AWS-Backup-Notifications"
    }
  ]
}
The Access policy tab shows the contents once you are done:
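A quick local check that an edited topic policy is no wider than the one above, added here as an example and not part of the original post: it flags any Allow statement whose principal, action, or resource goes beyond `backup.amazonaws.com`, `SNS:Publish`, and the exact topic ARN. The function names and the loose counter-example policy are constructed for illustration.

```python
import json

# Topic ARN and policy exactly as they appear in the post (sample account ID).
TOPIC_ARN = "arn:aws:sns:us-east-2:000000000000:AWS-Backup-Notifications"
PAGE_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Id": "__default_policy_ID",
    "Statement": [{
        "Sid": "__default_statement_ID",
        "Effect": "Allow",
        "Principal": {"Service": "backup.amazonaws.com"},
        "Action": "SNS:Publish",
        "Resource": TOPIC_ARN,
    }],
})
# Constructed counter-example: everything the post's policy avoids.
LOOSE_POLICY = json.dumps({"Statement": [{
    "Sid": "too-open", "Effect": "Allow", "Principal": "*",
    "Action": "SNS:*", "Resource": "*"}]})


def as_list(value):
    """IAM policy fields may hold a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_topic_policy(policy_json, topic_arn, service="backup.amazonaws.com"):
    """Return findings for every Allow statement that is wider than the post's policy."""
    findings = []
    for stmt in as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if not (isinstance(principal, dict) and list(principal) == ["Service"]
                and as_list(principal["Service"]) == [service]):
            findings.append(f"{sid}: principal is not limited to {service}")
        actions = {a.lower() for a in as_list(stmt.get("Action", []))}
        if actions != {"sns:publish"}:
            findings.append(f"{sid}: actions other than SNS:Publish are allowed")
        if as_list(stmt.get("Resource", [])) != [topic_arn]:
            findings.append(f"{sid}: resource is not exactly {topic_arn}")
    return findings


if __name__ == "__main__":
    for name, doc in (("post", PAGE_POLICY), ("loose", LOOSE_POLICY)):
        print(name, lint_topic_policy(doc, TOPIC_ARN) or "OK")
```

Passing your real topic ARN as `topic_arn` also catches a policy that still carries the sample ARN from the post.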
3. Create Amazon SNS subscriptions
Next, subscribe an endpoint to the topic you just created in order to receive published messages. In this case, the endpoints will be an email address and a phone number for SMS text messages. When you subscribe an endpoint to a topic, the endpoint receives messages published to the associated topic.
Select the Subscriptions tab in the topic details window. Next, select Create subscription.
The Create subscription window will open.
First, create the Email subscription. Make sure to use the same Topic ARN as the ARN that you copied earlier. Select Email as the Protocol type. Type the desired email in the Endpoint section. Leave all other options as default. Select Create subscription when done.
Note that your email subscription will be pending at this point. You will receive an email from “AWS Notifications” requesting subscription confirmation.
After you select the Confirm subscription link, you are taken to a webpage confirming the subscription.
Next, create the SMS subscription for the topic.
Select Subscriptions in the Amazon SNS menu on the left rail and select Create subscription.
In the Create subscription window, make sure that the Topic ARN is the one copied earlier. Select SMS as the Protocol type. Type the desired phone number in the Endpoint section. Leave all other options as default. Select Create subscription once done.
There is no need to confirm the SMS subscription.
When you select Topics in the Amazon SNS console and then your specific topic, the subscriptions you created will appear on the Details page under Subscriptions.
You can publish messages to each topic to test delivery. Navigate to the Publish message to topic window by selecting each subscription and then selecting Publish message.
Fill in the fields in the Publish message to topic window as desired, then select Publish message.
Check your email and phone to ensure you received the test email and SMS messages.
4. Subscribe AWS Backup events to Amazon SNS notifications
Now that you have created your topic and subscriptions, subscribe the Amazon SNS topic for your backup vault. That will allow SNS to notify you of AWS Backup events.
The following AWS Backup events are supported:
| Job type | Events |
| --- | --- |
| Backup job | BACKUP_JOB_STARTED, BACKUP_JOB_COMPLETED |
| Copy job | COPY_JOB_STARTED, COPY_JOB_SUCCESSFUL, COPY_JOB_FAILED |
| Restore job | RESTORE_JOB_STARTED, RESTORE_JOB_COMPLETED |
| Recovery point | RECOVERY_POINT_MODIFIED |
Use the AWS CLI to subscribe the Amazon SNS topic for your backup vault. Replace the backup vault name and the topic ARN in the following command with your own.
aws backup put-backup-vault-notifications --backup-vault-name myVault --sns-topic-arn arn:aws:sns:region:account-id:AWS-Backup-Notifications --backup-vault-events BACKUP_JOB_COMPLETED RESTORE_JOB_COMPLETED
Use the following command to validate the vault notification created. Replace your backup vault name in this command.
aws backup get-backup-vault-notifications --backup-vault-name myVault
Validation
You have completed all the steps to set up AWS Backup notifications. At this point, run a test job or just wait for the next scheduled job to run.
You will receive an email from “AWS Notifications” and an SMS message similar to the one shown in the following screenshot.
Filtering failed jobs
Add a subscription filter policy if you want to receive notifications only for failed jobs. The filter is applied per subscription.
Log in to the Amazon SNS console and select the topic you created.
On the Details page for your topic, select the subscription you intend to filter under Subscriptions. The Subscription details window will open.
Select the Subscription filter policy tab. Then, select Edit and paste the following JSON content. Save your changes when done.
{
  "State": [
    {
      "anything-but": "COMPLETED"
    }
  ]
}
Your Subscription filter policy should look like the following screenshot:
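To see which notifications this filter lets through, the following added example (not part of the original post) evaluates the policy above against constructed message attributes, modelling only exact-match and `anything-but` rules on string attributes. The sample State values and the function names are assumptions made for illustration.

```python
import json

# Subscription filter policy exactly as given in the post.
FILTER_POLICY = json.loads('{"State": [{"anything-but": "COMPLETED"}]}')

# Constructed notifications: only the MessageAttributes part that the filter sees.
SAMPLE_MESSAGES = {
    "backup completed": {"State": {"Type": "String", "Value": "COMPLETED"}},
    "backup failed": {"State": {"Type": "String", "Value": "FAILED"}},
    "restore aborted": {"State": {"Type": "String", "Value": "ABORTED"}},
    "backup expired": {"State": {"Type": "String", "Value": "EXPIRED"}},
    "console test publish": {},  # published by hand, no State attribute
}


def rule_matches(rule, value):
    """One rule against one attribute value: exact string or anything-but."""
    if isinstance(rule, str):
        return value == rule
    if isinstance(rule, dict) and set(rule) == {"anything-but"}:
        excluded = rule["anything-but"]
        return value not in (excluded if isinstance(excluded, list) else [excluded])
    raise ValueError(f"operator not modelled in this example: {rule!r}")


def is_delivered(policy, attributes):
    """Every policy key must be present in the message and match at least one rule."""
    for key, rules in policy.items():
        if key not in attributes:
            return False  # attribute absent: this key cannot match (exists-rules not modelled)
        if not any(rule_matches(r, attributes[key]["Value"]) for r in rules):
            return False
    return True


def delivered_labels(policy, messages):
    """Labels of the sample messages that pass the filter, in input order."""
    return [label for label, attrs in messages.items() if is_delivered(policy, attrs)]


if __name__ == "__main__":
    for label, attrs in SAMPLE_MESSAGES.items():
        verdict = "deliver" if is_delivered(FILTER_POLICY, attrs) else "drop"
        print(f"{label:22} {verdict}")
```

The filter passes every state other than COMPLETED, not only FAILED, and a test message published without a State attribute no longer reaches the filtered subscription.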
Cleaning up
If you followed along and would like to delete resources used in this solution to avoid incurring any unintended future charges, use the following AWS CLI command. Replace the following ARN with the ARN you used in your setup.
aws sns delete-topic --topic-arn "arn:aws:sns:us-east-2:000000000000:AWS-Backup-Notifications"
Conclusion
In this blog, I discussed how to configure AWS Backup notifications to receive emails and SMS messages containing backup and restore job status. I also outlined a process integrating AWS Backup and Amazon SNS to configure a topic and discussed subscriptions to handle communication from AWS Backup and the endpoints you choose.
Failed backups, restores, and copy jobs are a potential risk to workflows and SLAs. Receiving notifications on job status increases compliance and improves operational procedures. The solution presented allows you to choose specific AWS Backup events for notifications, the users that will receive those notifications, and the methods by which they will be notified.
Additional resources to consider:
- AWS Backup blogs
- AWS Backup documentation
- Blog: Managing backups at scale in your AWS Organizations using AWS Backup
- Blog: Amazon CloudWatch Events and metrics for AWS Backup
- Amazon SNS blogs
Thanks for reading this blog post! If you have any questions or suggestions, please leave your feedback in the comments section. If you need any further assistance, contact your AWS account team or a trusted AWS Partner.