📝 AWS Backup Recovery Point is expired and failed to delete 🟢

• Contextual name: 📝 Recovery Point is expired and failed to delete 🟢
• ID: /ce/ca/aws/backup/recovery-point-expired
• Located in: 📁 AWS Backup

Flags

• 🟢 Policy with categories
• 🟢 Policy with type
• 🟢 Production policy

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • COST

Logic

• 🧠 prod.logic.yaml 🟢
  • 📕 AWS Backup Recovery Point
  • 🔌 AWS Backup Recovery Point - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

Ensure that AWS Backup Recovery Points marked EXPIRED are successfully deleted according to their lifecycle schedule. A deletion failure is detected when the CalculatedLifecycleDeleteAt timestamp is either missing or older than 2 days relative to the current date.

Rationale

Persisting expired recovery points beyond their defined retention window:

• Imposes unnecessary storage overhead and associated costs for data no longer required for recovery or compliance.
• Violates internal or external data-retention mandates that require disposal of data after a specified interval.
• Clutters the backup inventory, hindering rapid identification of valid recovery points and potentially extending recovery time objectives during critical incidents.

Audit

This policy flags an AWS Backup Recovery Point as INCOMPLIANT if its Status field is set to EXPIRED and Calc Lifecycle Delete At is more than 2 days in the past or empty, indicating that the Recovery Point has failed to delete.

The Recovery Point is marked as INAPPLICABLE if Status is not equal to EXPIRED.

Remediation

Open File

Remediation

From Command Line

Execute the following AWS CLI command to remove an expired recovery point:

aws backup delete-recovery-point \
    --backup-vault-name {{backup-vault-name}} \
    --recovery-point-arn {{recovery-point-arn}} \

Troubleshooting Lifecycle Failures

Below are a few common scenarios to investigate when expired recovery points remain in the vault.

• If the IAM policy or execution role associated with your backup plan was modified or removed, AWS Backup may lack permission to call DeleteRecoveryPoint.
• An active “Retain” lock on an underlying Amazon EBS snapshot can prevent lifecycle deletion.
• Updates to lifecycle rules or IAM roles apply only to new recovery points.

Verifying Status in the Console

The target recovery points display as Expired in the AWS Backup Console. Hover over the Expired status to see a tooltip explaining the failure reason.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 Cloudaware Framework → 💼 Waste Reduction			10