
Enable Alert Notifications for Failed Backup Jobs

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Configure your AWS Backup vaults to publish a notification to an Amazon Simple Notification Service (SNS) topic for each failed backup job.

Security

AWS Backup integrates with other AWS services so that you can monitor its jobs. It can publish notifications to an Amazon SNS topic based on the status of backup, restore, copy and recovery point events, and each vault can be subscribed to specific event types only, such as failed backup jobs (the BACKUP_JOB_FAILED event). Enabling alert notifications for failed backup jobs lets you detect and fix problems with your backup jobs promptly, before a silently failing schedule leaves you without a usable recovery point. Note that AWS Backup can only deliver to the topic if the topic's access policy allows the backup.amazonaws.com service principal to perform SNS:Publish; a vault configured against a topic without that permission produces no alerts at all.


Audit

To determine if alert notifications are enabled for failed AWS Backup jobs, perform the following operations:

Checking AWS Backup vault event notifications using the AWS Management Console is not currently supported.

Using AWS CLI

01 Run list-backup-vaults command (OSX/Linux/UNIX) to list the names of all the AWS Backup vaults available in the selected AWS cloud region:

aws backup list-backup-vaults \
  --region us-east-1 \
  --output table \
  --query 'BackupVaultList[*].BackupVaultName'

02 The command output should return a table with the requested Backup vault names:

------------------------------
|      ListBackupVaults      |
+----------------------------+
|  cc-prod-backup-vault      |
|  cc-project5-backup-vault  |
|  cc-manager-backup-vault   |
+----------------------------+

03 Run get-backup-vault-notifications command (OSX/Linux/UNIX) using the name of the AWS Backup vault that you want to examine as the identifier parameter and a custom query filter to list the event type(s) for which notifications are configured on the selected vault:

aws backup get-backup-vault-notifications \
  --region us-east-1 \
  --backup-vault-name cc-prod-backup-vault \
  --query 'BackupVaultEvents'

04 Depending on the event notification configuration, the command returns one of the following outputs:

  1. If the command returns a "ResourceNotFoundException" error, as shown in the example below, no event notifications are configured for the selected AWS Backup vault:
    An error occurred (ResourceNotFoundException) when calling the GetBackupVaultNotifications operation: Failed reading
    notifications from database for Backup vault cc-prod-backup-vault
    
  2. If the get-backup-vault-notifications output returns a list of event types that does not include "BACKUP_JOB_FAILED", as shown in the example below, the selected AWS Backup vault is not configured to send alert notifications for failed backup jobs (the list may contain several event types; only the presence of BACKUP_JOB_FAILED matters for this check):
    [
      "BACKUP_JOB_COMPLETED"
    ]
    

05 Repeat steps no. 3 and 4 to verify the event notification configuration for the other Backup vaults created within the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.
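The audit above can be scripted across every vault in a region. The following shell script is an added example and is not part of the Conformity page or of the AWS CLI; it assumes the AWS CLI is installed with credentials permitted to call backup:ListBackupVaults and backup:GetBackupVaultNotifications, and the script and function names are hypothetical. The classify_events function encodes the two outcomes from step no. 4 (the ResourceNotFoundException error and an event list without BACKUP_JOB_FAILED) so the decision logic can be exercised offline on constructed CLI output, while audit_region runs the live checks when a region is passed on the command line.

```shell
#!/bin/sh
# Added example (not from the Conformity page): audit every AWS Backup vault in a
# region and report whether BACKUP_JOB_FAILED notifications are enabled.
# Assumes the AWS CLI is installed and credentials with backup:ListBackupVaults and
# backup:GetBackupVaultNotifications are configured. Function names are hypothetical.

# classify_events: takes the combined stdout/stderr of
#   aws backup get-backup-vault-notifications --query 'BackupVaultEvents'
# and prints one of NO_NOTIFICATIONS, MISSING_FAILED_EVENT, FAILED_ALERT_ENABLED.
# A ResourceNotFoundException means no notification configuration exists at all;
# otherwise the event list is tokenized and checked for an exact BACKUP_JOB_FAILED
# entry (an exact token compare rather than a substring match, so a similarly
# named event could never be mistaken for it).
classify_events() {
  out="$1"
  case "$out" in
    *ResourceNotFoundException*) echo NO_NOTIFICATIONS; return 0 ;;
  esac
  # turn JSON brackets, quotes and commas into spaces so --output json and
  # --output text are tokenized the same way
  for tok in $(printf '%s' "$out" | sed 's/[][",]/ /g'); do
    if [ "$tok" = "BACKUP_JOB_FAILED" ]; then
      echo FAILED_ALERT_ENABLED
      return 0
    fi
  done
  echo MISSING_FAILED_EVENT
}

# audit_region: live check across all vaults in one region; prints
# region<TAB>vault<TAB>status so the result can be grepped or fed to a ticketing script.
audit_region() {
  region="$1"
  vaults=$(aws backup list-backup-vaults --region "$region" \
             --query 'BackupVaultList[*].BackupVaultName' --output text)
  for vault in $vaults; do
    # "|| true" keeps a set -e shell from aborting on the expected ResourceNotFoundException
    out=$(aws backup get-backup-vault-notifications --region "$region" \
            --backup-vault-name "$vault" --query 'BackupVaultEvents' --output json 2>&1 || true)
    printf '%s\t%s\t%s\n' "$region" "$vault" "$(classify_events "$out")"
  done
}

# Usage: sh audit-backup-alerts.sh us-east-1   (run once per region)
if [ $# -gt 0 ]; then
  audit_region "$1"
fi
```

Any line whose status is not FAILED_ALERT_ENABLED is a vault that fails this check; run the script once per region, since vaults and their notification settings are regional.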

Remediation / Resolution

To enable failed backup job notifications for your AWS Backup vaults using Amazon Simple Notification Service (SNS), perform the following operations:

Enabling AWS Backup vault event notifications using the AWS Management Console is not currently supported.

Using AWS CLI

01 Run create-topic command (OSX/Linux/UNIX) to create an Amazon SNS topic that will receive the notifications published by AWS Backup when backup jobs fail:

aws sns create-topic \
  --region us-east-1 \
  --name cc-prod-backup-vault-topic

02 The command output should return the Amazon Resource Name (ARN) of the newly created SNS topic:

{
  "TopicArn": "arn:aws:sns:us-east-1:123456789012:cc-prod-backup-vault-topic"
}

03 Run subscribe command (OSX/Linux/UNIX) to subscribe to the Amazon SNS topic created at the previous step using one or more email addresses as subscription endpoints:

aws sns subscribe \
  --region us-east-1 \
  --topic-arn arn:aws:sns:us-east-1:123456789012:cc-prod-backup-vault-topic \
  --protocol email \
  --notification-endpoint alert@cloudconformity \
  --return-subscription-arn

04 The command output should return the ARN of the new Amazon SNS subscription:

{
  "SubscriptionArn": "arn:aws:sns:us-east-1:123456789012:cc-prod-backup-vault-topic:abcdabcd-1234-abcd-1234-abcd1234abcd"
}

05 Run confirm-subscription command (OSX/Linux/UNIX) to confirm the new SNS subscription using the token that Amazon SNS sent to the subscription endpoint specified at the previous step (for an email endpoint the token is contained in the confirmation message; clicking the "Confirm subscription" link in that message has the same effect). The command returns the ARN of the confirmed subscription:

aws sns confirm-subscription \
  --region us-east-1 \
  --topic-arn arn:aws:sns:us-east-1:123456789012:cc-prod-backup-vault-topic \
  --token 4500392f37fb687f5d51e6e241d7700ae02f7124d8268910b858cb4db727ceeb2474bb937929d3bdd7ce5d0cce19325d036bca58d3c217426bcafa9c501a2cac5646456gf1dd3797627467553dc438a8c974119496fc3eff026eaa5d14472ded6f9a5c43aec62d83ef5f49109da739477

06 Run put-backup-vault-notifications command (OSX/Linux/UNIX) using the name of the AWS Backup vault that you want to reconfigure as the identifier parameter, to enable alert notifications via Amazon SNS for failed backup jobs within the selected vault (the command does not produce an output). Before running it, make sure the topic's access policy grants the backup.amazonaws.com service principal the SNS:Publish permission on the topic (set with the sns set-topic-attributes command and the Policy attribute); without it AWS Backup cannot deliver to the topic and no alert arrives. Also note that put-backup-vault-notifications replaces the vault's entire event list, so pass any event types that were already configured together with BACKUP_JOB_FAILED:

aws backup put-backup-vault-notifications \
  --region us-east-1 \
  --backup-vault-name cc-prod-backup-vault \
  --sns-topic-arn arn:aws:sns:us-east-1:123456789012:cc-prod-backup-vault-topic \
  --backup-vault-events BACKUP_JOB_FAILED

07 Repeat step no. 6 to enable alert notifications for the other AWS Backup vaults available in the selected AWS region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the remediation process for other regions.
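The remediation steps above have two pitfalls that the commands alone do not show: the SNS topic must allow AWS Backup to publish, and put-backup-vault-notifications overwrites whatever events the vault already had. The following shell script is an added example, not code from the Conformity page or from AWS; it assumes the AWS CLI is installed and configured with permission to create and modify SNS topics and to read and write vault notification settings, and the region, vault name, topic name and function names are illustrative. backup_publish_policy builds the topic access policy statement for the backup.amazonaws.com service principal, merge_events adds BACKUP_JOB_FAILED to the vault's current event list without dropping existing events, and enable_failed_alerts wires them into the live CLI calls for one vault.

```shell
#!/bin/sh
# Added example (not from the Conformity page): enable BACKUP_JOB_FAILED notifications on
# a vault without dropping events that are already configured, and grant AWS Backup
# permission to publish to the topic. Assumes the AWS CLI is installed and configured;
# region, vault and topic names are illustrative and function names are hypothetical.

# backup_publish_policy TOPIC_ARN: prints an SNS topic access policy that lets the
# AWS Backup service principal publish to the topic. set-topic-attributes replaces the
# whole policy, so merge this statement into any custom policy the topic already has.
backup_publish_policy() {
  printf '{"Version":"2012-10-17","Statement":[{"Sid":"AllowAWSBackupPublish","Effect":"Allow","Principal":{"Service":"backup.amazonaws.com"},"Action":"SNS:Publish","Resource":"%s"}]}' "$1"
}

# merge_events "CURRENT EVENTS": put-backup-vault-notifications replaces the vault's
# event list, so the current events (whitespace-separated, empty if none) are kept and
# BACKUP_JOB_FAILED is added once. Output is deduplicated with order preserved.
merge_events() {
  result="BACKUP_JOB_FAILED"
  for e in $1; do
    case " $result " in
      *" $e "*) ;;                  # already present, skip
      *) result="$result $e" ;;
    esac
  done
  echo "$result"
}

# enable_failed_alerts REGION VAULT TOPIC_NAME: live remediation for one vault.
enable_failed_alerts() {
  region="$1"; vault="$2"; topic="$3"
  # create-topic returns the existing ARN if a topic of that name already exists
  topic_arn=$(aws sns create-topic --region "$region" --name "$topic" \
                --query 'TopicArn' --output text)
  aws sns set-topic-attributes --region "$region" --topic-arn "$topic_arn" \
    --attribute-name Policy --attribute-value "$(backup_publish_policy "$topic_arn")"
  # current events as tab-separated text; empty when the vault has no configuration yet
  current=$(aws backup get-backup-vault-notifications --region "$region" \
              --backup-vault-name "$vault" --query 'BackupVaultEvents' --output text 2>/dev/null || true)
  events=$(merge_events "$current")
  # word splitting of $events is intended: one argument per event type
  aws backup put-backup-vault-notifications --region "$region" --backup-vault-name "$vault" \
    --sns-topic-arn "$topic_arn" --backup-vault-events $events
  echo "$vault -> $topic_arn: $events"
}

# Usage: sh enable-backup-alerts.sh us-east-1 cc-prod-backup-vault cc-prod-backup-vault-topic
if [ $# -eq 3 ]; then
  enable_failed_alerts "$1" "$2" "$3"
fi
```

Email subscriptions to the topic still need confirming as in steps no. 3 to 5; the script only makes sure that, once they are confirmed, AWS Backup is actually allowed to publish and that enabling BACKUP_JOB_FAILED does not silently disable other events the vault was already reporting.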


Publication date Feb 6, 2021