AWS Backup Recovery Point is expired and failed to delete
- Contextual name: Recovery Point is expired and failed to delete
- ID:
/ce/ca/aws/backup/recovery-point-expired
- Located in: AWS Backup
Flags
- Policy with categories
- Policy with type
- Production policy
Our Metadata
- Policy Type:
COMPLIANCE_POLICY
- Policy Category:
COST
Logic
- prod.logic.yaml
Description
Ensure that AWS Backup Recovery Points whose Status is EXPIRED are actually deleted according to their lifecycle schedule. A deletion failure is detected when the CalculatedLifecycleDeleteAt timestamp is either missing or more than 2 days older than the current date.
Rationale
Persisting expired recovery points beyond their defined retention window:
- Imposes unnecessary storage overhead and associated cost for data that is no longer required for recovery or compliance.
- Violates internal or external data-retention mandates that require disposal of data after a specified interval.
- Clutters the backup inventory, hindering rapid identification of valid recovery points and potentially extending recovery time objectives during critical incidents.
Audit
This policy flags an AWS Backup Recovery Point as INCOMPLIANT if its Status field is EXPIRED and CalculatedLifecycleDeleteAt is either empty or more than 2 days in the past, indicating that the Recovery Point has failed to delete.
The Recovery Point is marked as INAPPLICABLE if Status is not equal to EXPIRED.
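The audit rule above, written out as an added Python example (not the policy's own prod.logic.yaml and not Cloudaware code). It evaluates recovery-point records shaped like the entries returned by boto3's list_recovery_points_by_backup_vault, where the scheduled deletion time lives under CalculatedLifecycle.DeleteAt; that field layout, the vault name and the snapshot ARNs in the sample data are assumptions, and the sample records are constructed rather than taken from a real account. The helper that builds the delete command mirrors the CLI remediation given in the next section.

```python
from datetime import datetime, timedelta, timezone

# Grace period from the policy: an EXPIRED recovery point whose scheduled
# deletion time is more than this far in the past is considered stuck.
GRACE_PERIOD = timedelta(days=2)


def evaluate(recovery_point, now):
    """Return INCOMPLIANT, COMPLIANT or INAPPLICABLE for one recovery point.

    `recovery_point` is a dict shaped like one entry of the boto3
    list_recovery_points_by_backup_vault response (assumption: the
    CalculatedLifecycle.DeleteAt key carries the scheduled deletion time).
    """
    if recovery_point.get("Status") != "EXPIRED":
        return "INAPPLICABLE"
    delete_at = (recovery_point.get("CalculatedLifecycle") or {}).get("DeleteAt")
    if delete_at is None:
        # Expired but with no scheduled deletion time at all: treat as failed.
        return "INCOMPLIANT"
    if delete_at.tzinfo is None:
        delete_at = delete_at.replace(tzinfo=timezone.utc)
    if now - delete_at > GRACE_PERIOD:
        return "INCOMPLIANT"
    return "COMPLIANT"


def find_stuck_recovery_points(recovery_points, now=None):
    """ARNs of recovery points that are EXPIRED but failed to delete."""
    now = now or datetime.now(timezone.utc)
    return [
        rp["RecoveryPointArn"]
        for rp in recovery_points
        if evaluate(rp, now) == "INCOMPLIANT"
    ]


def remediation_commands(vault_name, stuck_arns):
    """Build the AWS CLI delete command for each stuck recovery point."""
    return [
        f"aws backup delete-recovery-point "
        f"--backup-vault-name {vault_name} --recovery-point-arn {arn}"
        for arn in stuck_arns
    ]


# Constructed sample data (not real account data); ARNs are placeholders.
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECOVERY_POINTS = [
    {   # expired, deletion was due five days ago: stuck
        "RecoveryPointArn": "arn:aws:ec2:us-east-1::snapshot/snap-0aaa",
        "Status": "EXPIRED",
        "CalculatedLifecycle": {"DeleteAt": NOW - timedelta(days=5)},
    },
    {   # expired, no DeleteAt at all: stuck
        "RecoveryPointArn": "arn:aws:ec2:us-east-1::snapshot/snap-0bbb",
        "Status": "EXPIRED",
        "CalculatedLifecycle": {},
    },
    {   # expired yesterday, still inside the grace period: compliant for now
        "RecoveryPointArn": "arn:aws:ec2:us-east-1::snapshot/snap-0ccc",
        "Status": "EXPIRED",
        "CalculatedLifecycle": {"DeleteAt": NOW - timedelta(days=1)},
    },
    {   # not expired, so the policy does not apply
        "RecoveryPointArn": "arn:aws:ec2:us-east-1::snapshot/snap-0ddd",
        "Status": "COMPLETED",
        "CalculatedLifecycle": {"DeleteAt": NOW + timedelta(days=20)},
    },
]

if __name__ == "__main__":
    stuck = find_stuck_recovery_points(SAMPLE_RECOVERY_POINTS, NOW)
    for cmd in remediation_commands("example-vault", stuck):
        print(cmd)
```

The comparison uses a strict "more than 2 days" test, so a recovery point whose DeleteAt is exactly two days old is still treated as compliant, matching the policy wording; the grace period exists because AWS Backup does not delete an expired recovery point at the exact instant its lifecycle says it should.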
Remediation
From Command Line
Execute the following AWS CLI command to remove an expired recovery point:
aws backup delete-recovery-point \
  --backup-vault-name {{backup-vault-name}} \
  --recovery-point-arn {{recovery-point-arn}}
Troubleshooting Lifecycle Failures
Below are a few common scenarios to investigate when expired recovery points remain in the vault.
- If the IAM role (or its attached policy) associated with your backup plan was modified or removed, AWS Backup may lack the permissions it needs to delete the recovery point and the underlying resource it references.
- An active "Retain" lock on an underlying Amazon EBS snapshot can prevent lifecycle deletion.
- Updates to lifecycle rules or IAM roles apply only to recovery points created after the change; existing recovery points keep the lifecycle and role they were created with.
Verifying Status in the Console
The affected recovery points display as Expired in the AWS Backup console. Hover over the Expired status to see a tooltip explaining the failure reason.
policy.yaml
Linked Framework Sections
Section | Sub Sections | Internal Rules | Policies | Flags
---|---|---|---|---
Cloudaware Framework → Waste Reduction | 10 |