
πŸ“ AWS Backup Recovery Point is expired and failed to delete 🟒

  • Contextual name: πŸ“ Recovery Point is expired and failed to delete 🟒
  • ID: /ce/ca/aws/backup/recovery-point-expired
  • Located in: πŸ“ AWS Backup

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • COST

Logic

Description

Ensure that AWS Backup Recovery Points marked EXPIRED are successfully deleted according to their lifecycle schedule. A deletion failure is detected when the CalculatedLifecycleDeleteAt timestamp is either missing or older than 2 days relative to the current date.

Rationale

Persisting expired recovery points beyond their defined retention window:

  • Imposes unnecessary storage overhead and associated costs for data no longer required for recovery or compliance.
  • Violates internal or external data-retention mandates that require disposal of data after a specified interval.
  • Clutters the backup inventory, hindering rapid identification of valid recovery points and potentially extending recovery time objectives during critical incidents.

Audit

This policy flags an AWS Backup Recovery Point as INCOMPLIANT if its Status field is set to EXPIRED and Calc Lifecycle Delete At is more than 2 days in the past or empty, indicating that the Recovery Point has failed to delete.

The Recovery Point is marked as INAPPLICABLE if Status is not equal to EXPIRED.
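The audit rule above, written out as an added example for this page (it is not Cloudaware's policy engine and not AWS code). It assumes recovery points shaped like the RecoveryPoints entries returned by `aws backup list-recovery-points-by-backup-vault` (Status at the top level, DeleteAt under CalculatedLifecycle); the inventory and ARNs below are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# From the policy text: an EXPIRED recovery point whose DeleteAt is missing or
# more than 2 days in the past is treated as a failed deletion.
GRACE_PERIOD = timedelta(days=2)

def classify(recovery_point, now):
    """Return COMPLIANT, INCOMPLIANT or INAPPLICABLE for one recovery point.

    Assumption: `recovery_point` is one entry of the RecoveryPoints list from
    list-recovery-points-by-backup-vault (not the policy engine's own model).
    """
    if recovery_point.get("Status") != "EXPIRED":
        return "INAPPLICABLE"
    delete_at = (recovery_point.get("CalculatedLifecycle") or {}).get("DeleteAt")
    if delete_at is None:
        # No scheduled deletion timestamp at all: the policy counts this as failed.
        return "INCOMPLIANT"
    if isinstance(delete_at, str):
        delete_at = datetime.fromisoformat(delete_at.replace("Z", "+00:00"))
    if delete_at.tzinfo is None:
        delete_at = delete_at.replace(tzinfo=timezone.utc)
    if now - delete_at > GRACE_PERIOD:
        return "INCOMPLIANT"
    return "COMPLIANT"

def failed_deletions(recovery_points, now=None):
    """Return the ARNs this policy would flag as INCOMPLIANT (failed to delete)."""
    now = now or datetime.now(timezone.utc)
    return [rp["RecoveryPointArn"] for rp in recovery_points
            if classify(rp, now) == "INCOMPLIANT"]

# Constructed sample inventory (not real AWS output); ARNs are placeholders.
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECOVERY_POINTS = [
    {"RecoveryPointArn": "arn:aws:ec2:us-east-1::snapshot/snap-example-1",
     "Status": "EXPIRED",
     "CalculatedLifecycle": {"DeleteAt": "2024-06-01T00:00:00Z"}},  # 9 days overdue
    {"RecoveryPointArn": "arn:aws:ec2:us-east-1::snapshot/snap-example-2",
     "Status": "EXPIRED",
     "CalculatedLifecycle": {"DeleteAt": "2024-06-09T18:00:00Z"}},  # still within 2 days
    {"RecoveryPointArn": "arn:aws:ec2:us-east-1::snapshot/snap-example-3",
     "Status": "EXPIRED"},                                          # no DeleteAt at all
    {"RecoveryPointArn": "arn:aws:ec2:us-east-1::snapshot/snap-example-4",
     "Status": "COMPLETED",
     "CalculatedLifecycle": {"DeleteAt": "2024-06-01T00:00:00Z"}},  # not EXPIRED
]

if __name__ == "__main__":
    for arn in failed_deletions(SAMPLE_RECOVERY_POINTS, NOW):
        print("failed to delete:", arn)
```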

Remediation

From Command Line

Execute the following AWS CLI command to remove an expired recovery point:

aws backup delete-recovery-point \
--backup-vault-name {{backup-vault-name}} \
--recovery-point-arn {{recovery-point-arn}}

Troubleshooting Lifecycle Failures

Below are a few common scenarios to investigate when expired recovery points remain in the vault.

  • If the IAM policy or execution role associated with your backup plan was modified or removed, AWS Backup may lack permission to call DeleteRecoveryPoint.
  • An active "Retain" lock on an underlying Amazon EBS snapshot can prevent lifecycle deletion.
  • Updates to lifecycle rules or IAM roles apply only to new recovery points.

Verifying Status in the Console

The target recovery points display as Expired in the AWS Backup Console. Hover over the Expired status to see a tooltip explaining the failure reason.

policy.yaml

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 Cloudaware Framework → 💼 Waste Reduction | 10