Lab 5: Automating with AWS Backup for Archiving and Recovery

© 2026 Amazon Web Services, Inc. or its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited. All trademarks are the property of their owners.

Note: Do not include any personal, identifying, or confidential information into the lab environment. Information entered may be visible to others.

Corrections, feedback, or other questions? Contact us at AWS Training and Certification.

Lab overview

As a CloudOps engineer a key responsibility of your job is the backing up and restoring of data from block storage. Archives and backups are critical for business continuity as well as for disaster recovery (DR). Your company has tasked you with using AWS services to automate backups of selected EBS volumes, validating the backups, and notifying other members of the CloudOps team when the individual backup jobs complete. To accomplish this you choose to leverage the AWS Backup service to create a backup plan, create a backup vault, automate snapshots of an Amazon EBS volume, restore the Amazon EBS volume from a snapshot in the vault, and push AWS Backup job notifications through Amazon Simple Notification Service (Amazon SNS).

It is not sufficient to only create backups of data sources; you must also test the backups to ensure they are valid and can be used in data recovery situations. Testing the restore process after each backup is created ensures you are aware of any issues with the data before it is actually needed in a restore job. Therefore, you additionally plan to use AWS Lambda to validate that your snapshot can be used to recreate an Amazon EBS volume.

You are guided through the process of creating backups of business data using the AWS Backup service. Students also learn how to create a backup plan, a backup vault for data storage, create notifications of backup/restore events, and test the backup.

Objectives

By the end of this lab, you should be able to do the following:

• Subscribe to an existing Amazon Simple Notification Service (Amazon SNS) topic.
• Explain how to create a backup plan in AWS Backup.
• Explain what a backup vault is, and how to create a backup vault in AWS Backup.
• Create an on-demand backup job of an Amazon Elastic Block Store (Amazon EBS) volume.
• Test a backup in the vault by using a Lambda function to automatically start a restore job after the backup is created.
• Examine AWS CloudWatch logs.

Prerequisites

This lab requires the following prerequisites:

• Access to a computer with internet and Microsoft Windows, macOS X, or Linux.
• An internet browser, such as Google Chrome, Mozilla Firefox, or Microsoft Edge
• Basic knowledge of AWS Lambda, Amazon EBS volumes, AWS Key Management Service (AWS KMS), and Amazon Simple Notification Service (SNS) topics.

Icon key

Various icons are used throughout this lab to call attention to different types of instructions and notes. The following list explains the purpose for each icon:

• Caution: Information of special interest or importance (not so important to cause problems with the equipment or data if you miss it, but it could result in the need to repeat certain steps).
• Command: A command that you must run.
• Consider: A moment to pause to consider how you might apply a concept in your own environment or to initiate a conversation about the topic at hand.
• Expected output: A sample output that you can use to verify the output of a command or edited file.
• Learn more: Where to find more information.
• Note: A hint, tip, or important guidance.
• Task complete: A conclusion or summary point in the lab.
• Warning: An action that is irreversible and could potentially impact the failure of a command or process (including warnings about configurations that cannot be changed after they are made).

Lab environment

The following diagram represents the major components used in this lab. The numbers represent the logical workflow of the architecture in this lab.

Image description: The preceding diagram depicts the use of AWS Backup service to create scheduled backups of a specific Amazon EBS volume. The backup itself is achieved by way of a snapshot. The snapshot is placed in a vault. The vault is a place to store and organize the created backups. AWS Backup vaults have the ability to generate events. Certain events from AWS Backup are subscribed to an SNS topic that initiates notifications to subscribers of the topic. In the case of this lab, when a backup is placed in the vault, a notification is sent to both your subscribed email address, and to an AWS Lambda function. The Lambda function and its subscription to the SNS topic, are already provided to you in this lab. Based on the details contained in the notification received from the SNS topic, the Lambda function launches subsequent actions with AWS Backup. The AWS Backup actions initiated by the Lambda function include starting both restore and delete jobs for a backup located in the vault.

AWS services not used in this lab

AWS service capabilities used in this lab are limited to what the lab requires. Expect errors when accessing other services or performing actions beyond those provided in this lab guide.

---

Task 1: Subscribe to an AWS SNS topic

In this task, you subscribe to an existing Amazon Simple Notification Service (Amazon SNS) topic. The topic is used to alert all subscribed CloudOps engineers about backup and restore jobs.

1. At the top of the AWS Management Console, in the search bar, search for and choose

   Simple Notification Service
   .

2. Locate the Amazon SNS navigation menu on the left of the console. If necessary, expand the service navigation menu by choosing the menu.

3. In the left navigation pane, choose Topics.

4. Choose the link for BackupNotificationTopic.

5. Choose Create subscription.

6. Select Email from the Protocol drop-down menu.

7. Enter a valid email address you can access in the Endpoint field.

   Note: In your personal AWS environment, this might be an email alias for all the CloudOps engineers. Individuals receive an email and have to confirm their subscription prior to receiving future notifications from the topic. It is best practice to setup a dead-letter queue (DLQ) for subscriptions, also known as a redrive policy.

   Learn more: Refer to the additional resources on how to setup a DLQ for SNS.

8. Choose Create subscription.

   A banner message similar to “ Subscription to BackupNotificationTopic created successfully.” is displayed.

9. Open the inbox of the email address you entered for the subscription.

10. Locate a recent message from

    AWS Notifications <no-reply@sns.amazonaws.com>
    .

    Note: It may take up to 5 minutes to receive the email, depending on your email server.

11. Choose the Confirm subscription link contained in the email.

    A page is opened confirming the subscription.

    

12. Close the Amazon SNS topic subscription confirmation page.

Task complete: You have successfully subscribed to an Amazon SNS topic. With a subscription, Amazon SNS pushes new messages from this topic to your email address.

---

Task 2: Create a backup plan

In this task, you create an AWS Backup plan.

You can specify the frequency at which backups are taken. You can enter frequency as Hourly, Every 12 hours, Daily, Weekly, or Monthly. Alternatively, you can specify a custom Cron expression for your backup frequency.

For this lab, you set the frequency of snapshot creation to be daily. However, in the interest of time, you also perform the backup manually in a later task named Backup the Amazon EBS volume.

13. At the top of the AWS Management Console, in the search bar, search for and choose

    AWS Backup
    .

14. If necessary, expand the service navigation menu by choosing the menu.

15. In the left navigation pane, choose Dashboard.

16. Choose Create backup plan in the Dashboard section.

    The Create Backup plan page is displayed.

17. In the Start options section configure the following.

    • Choose Build a new plan.
    • For Backup plan name, enter
      myBackupPlan
      .

18. Expand the Tags added to Backup plan section and configure the following.

    • Choose Add new tag .
    • For Key, enter
      Name
      .
    • For Value - optional, enter
      myApp Backup
      .

19. In the Backup rule configuration section configure the following.

    • For Backup rule name, enter
      myDailyBackupRule
      .
    • Leave all other settings at their default values.

    Note: Backup windows consist of the time that the backup window begins and the duration of the window in hours. Backup jobs are started within this window. If you are unsure what backup window to use you can choose to use the default backup window.

    Consider: You can set lifecycle policies for your backups to transition them to cold storage or to expire them after a period of time to reduce costs and operational overhead.

20. For Backup vault, choose Create new vault.

    A new browser tab titled Create vault is displayed.

    Note: Backup vaults are a place where your encrypted backups are stored and can be organized.

21. Configure the following in the Create Backup vault window.

    • For Vault name, enter
      myDailyBackupVault
      .
    • For Vault type, choose Backup vault.
    • For KMS encryption master key, select (default) aws/backup from the drop-down menu.
    • Choose Create vault .

22. Return to the Create backup plan browser tab to continue next steps.

23. Choose the Refresh beside the Backup vault drop-down.

24. From the Backup vault drop-down menu, choose myDailyBackupVault.

25. In the Tags added to recovery points - optional section, choose Add new tag.

    • Enter
      Name
      for Key.
    • Enter
      myApp Recovery
      for Value - optional.

26. Choose Create plan .

    The page is redirected to the Assign resources page which will be used in the next task. A banner message similar ‘ “Success Backup plan “myBackupPlan” creation successful. You can now add additional schedule rules and assign resources to the Backup plan by selecting the Backup plan” is displayed.’

    You can alter the resources and schedules of backup plans after they are created.

Task complete: You created a daily backup plan with the AWS Backup console.

---

Task 3: Assign resources to backup

In this task, you specify which resources to back up. You can select individual resources to be backed up or specify a tag (key-value pair) associated with the resources. AWS Backup carries out backup jobs on all resources that match the tags specified. For this lab a small EBS volume named webAppVolume has been created for you to use.

Task 3.1: Assign resources to backup

The Assign resources page is displayed.

27. In the General section configure the following:

    • For Resource assignment name, enter
      myEBSVolumes
      .
    • Select Choose an IAM role.
    • Select the role that has a name like BackupRole from the drop-down menu. You can type
      BackupRole
      in this field to search.

28. In the Resource selection section:

    • For 1. Define resources election, select Include specific resource types.

    • For 2. Select specific resource types:

      • From the Select resource type drop-down menu, select EBS.

      • From the Volume IDs drop-down menu, clear the checkbox next to All volumes(*) and select the volume named webAppVolume.

    • For 4. Refine selection using tags - optional:

      • Choose Add tags.

      • For Key, enter

        Name
        .

      • From the Condition for value dropdown menu, select Equals.

      • For Value, enter

        webAppVolume
        .

29. Choose Assign resources .

    The page is redirected back to the AWS Backup page. A banner message similar to Success Resource assignment myEBSVolumes has been created successfully is displayed.

Task complete: You have assigned specific resources to the backup plan.

Task 3.2: Subscribe AWS Backup to the Amazon SNS topic

Use the AWS Command Line Interface (AWS CLI) to authorize specific events from the AWS Backup service to be communicated to an Amazon SNS topic.

In the Create a backup plan task you created a backup plan, a backup vault, and subscribed yourself to an existing Amazon SNS topic. Now it is time to publish actions from the AWS Backup vault to the Amazon SNS topic. To accomplish this you make API calls to AWS Backup. A Code Editor integrated development environment (IDE) with the AWS CLI installed is provided to you to make the necessary API calls.

Connect to the Code Editor environment following the steps below.

30. From the panel to the left of these lab instructions, copy the LabInstanceURL URL value and paste it into a new browser tab.

    The Code Editor IDE displays.

    Note: Prior experience with this IDE is not required.

31. Select the Notifications icon in the very bottom right corner of the IDE (the bell icon) to clear any notifications that appeared when you opened it.

    The lower pane includes the following five tabs:

    • PROBLEMS
    • OUTPUT
    • DEBUG CONSOLE
    • TERMINAL
    • PORTS

    Use the bash (TERMINAL) for this lab.

    The lower pane includes several tabs: one is a bash terminal labeled Terminal. You work in the bash terminal for the next step.

    Note: The Terminal should currently show a simple prompt that is similar to the following output.

    Expected output:

    ******************************
    **** This is OUTPUT ONLY. ****
    ******************************
    
    [ec2-user@ip-10-0-1-184 environment]$

    Note: When you attempt to paste into Code Editor for the first time, it will prompt you about this action. Choose Allow.

    To the left of these lab instructions are values needed for completing arguments in the

    put-backup-vault-notifications
    command. Full details on this CLI command are found in the AWS documentation.

    Note: It is recommended to use a notepad or editor to complete the values for the AWS CLI commands before pasting them in the terminal pane.

32. Find the LabRegion value listed in the panel to left of these instructions and use it to replace the LabRegion in the endpoint URL of the following command.

33. Find the SNSTopicARN value listed in the panel to the left of these instructions and use it to replace the SNSTopicARN in the SNS topic ARN of the following command.

    Command: In the terminal pane of the Code Editor IDE, run the following command with the two updated argument values:

    aws backup put-backup-vault-notifications \
    --endpoint-url https://backup.LabRegion.amazonaws.com \
    --sns-topic-arn SNSTopicARN \
    --backup-vault-name myDailyBackupVault \
    --backup-vault-events RESTORE_JOB_COMPLETED BACKUP_JOB_COMPLETED

    A new command prompt is rendered after the command is completed. There is no success message displayed.

    Note: The backup notifications are currently only configurable from API calls to the AWS Backup service and are not found in the AWS Console. You need to use either the AWS CLI or SDK to configure these notifications in your personal AWS environment.

    Backup Vault notifications can be verified by running the

    get-backup-vault-notifications
    command.

    Learn more: Refer to the additional resources on this CLI command.

34. Command: In the terminal pane of the Code Editor IDE, run the following command:

    aws backup get-backup-vault-notifications \
    --backup-vault-name myDailyBackupVault

    Expected output:

    ************************
    **** EXAMPLE OUTPUT ****
    ************************
    {
        "BackupVaultName": "myDailyBackupVault",
        "BackupVaultArn":   "arn:aws:backup:us-west-2:123456789:backup-vault:myDailyBacku pVault",
        "SNSTopicArn":  "arn:aws:sns:us-west-2:123456789:BackupNotificationTopic",
        "BackupVaultEvents": [
            "RESTORE_JOB_COMPLETED",
            "BACKUP_JOB_COMPLETED"
        ]
    }

35. Close the browser tab with the Code Editor IDE and return to the AWS console.

Task complete: You have configured the AWS Backup service to send events from the backup vault named myDailyBackupVault to the Amazon SNS topic named BackupNotificationTopic.

---

Task 4: On-demand backup of the Amazon EBS volume

In this task, you create an on-demand backup of the Amazon EBS volume using AWS Backup. Although you have created a backup plan for scheduled daily backups, rather than waiting for the scheduled plan to trigger, you create the backup on-demand and target the backup vault as the destination.

36. At the top of the AWS Management Console, in the search bar, search for and choose

    AWS Backup
    .

37. In the left navigation pane, under My account, choose Protected resources.

38. Choose Create on-demand backup .

    The Create on-demand backup page is displayed.

39. In the Settings section configure the following:

    • From the Resource type dropdown menu, select EBS.
    • From the Volume ID dropdown menu, select the volume named webAppVolume.
    • For Total retention period:
      • For Number, enter
        1
        .
      • For Unit, ensure that Days is selected.
    • From the Backup vault drop-down menu, select myDailyBackupVault. This is the backup vault you created earlier.
    • For IAM role, select Choose an IAM role.
    • For Role name, select the role that has a name like BackupRole from the drop-down menu. You can type
      BackupRole
      in this field to search.

40. Choose Create on-demand backup .

    The Jobs page is displayed.

    A banner message similar to the following is displayed “Backup in progress for volume/vol-0c846c8a5ff815641. Depending on the size of the resource, this might take several hours. For status updates, refresh this page.”

    Warning: The on-demand backup job for this EBS volume is creating an initial EBS volume snapshot and can take as long as 10 minutes to complete. You can continue to the next task while the job runs.

Task complete: You have created an on-demand backup of the EBS volumes named webAppVolume in the backup vault named myDailyBackupVault.

---

Task 5: Examine the Lambda function

In this task, you examine the lab provided Lambda function that is invoked in the background whenever backup or restore jobs are completed. This is not a built-in feature of AWS Backup or AWS Lambda, but the architecture presented is an example of something that can be reproduced in your personal AWS environment. Examine the code of the Lambda function provided for this lab to understand how it works. Below is a picture of the architecture used for this lab. It illustrates how the AWS Lambda function fits in-between the AWS Backup and the Amazon SNS services used in this lab.

41. At the top of the AWS Management Console, in the search bar, search for and choose

    Lambda
    .

42. Choose the RestoreTestFunction link from the list of functions.

43. Choose the LambdaCode.py file in the Code Source section.

44. Review the code that makes up the function.

    First, the Lambda function triggers from incoming events and determines if the event is a backup or a restore job. If the event is a backup job the Lambda function retrieves details from the job specific to the type of resource being backed up. Next, a restore job is begun after the backup is created. If the restore job is created successfully, then a delete request is sent to perform the cleanup. The Lambda function sends notification events to the Amazon SNS topic when the logic is carried out.

45. Examine the same function code and determine what happens in the case that the incoming event is a restore job.

    The request API syntax for a restore job can be found in the AWS documentation.

Task complete: You examined the code in the Lambda function and have gained an understanding of what it does based on the incoming events from your AWS Backup jobs.

---

Task 6: Test that the backups can be restored

In this task, the existing Lambda function and Amazon SNS topic are leveraged to test that restored objects can be created from the recent backup objects in the vault.

The Amazon SNS topic you are subscribed to notifies both you and the Lambda service when the backup job completes. Once the backup job has completed the Lambda function creates a Restore job via the AWS Backup service. This is to validate the backup object. Amazon SNS notifies you when the AWS Backup Restore job completes successfully. The restore job completes and the Lambda function cleans up the restored object. The Amazon SNS topic notifies you when the restored object is cleaned up.

Warning: You may have to wait up to 10 minutes for both the backup job to complete and the notification to arrive in your email. If the backup job is still Running, you must wait for it to finish. The backup job status is Completed when the backup is made. You do need to wait for an email notification regarding the completion of the backup job before the Lambda function will proceed with a restore job.

Backup jobs are typically scheduled during low usage times. Data integrity, automation, reliability and notification are of a higher priority than fast completion time when Architecting an automate backup solution. Due to the asynchronous notification process between the three AWS services this task takes several minutes to complete. The AWS Backup service can provide automated, scheduled backups. In your personal AWS environment, the more data there is to backup, the longer jobs take to complete.

46. At the top of the AWS Management Console, in the search bar, search for and choose

    AWS Backup
    .

47. In the left navigation pane, choose Jobs.

48. Choose the Backup jobs tab.

49. Verify that the backup job started earlier in the lab has completed.

50. Choose the Restore Jobs tab.

    The Lambda function you examined has triggered a restore job once it is notified that a backup was placed in the vault. The AWS Backup restore job is using the EBS snapshot created from the previously run on-demand backup job to create a new EBS Volume.

51. Periodically choose the refresh until the status of the currently running job changes from Running to Completed. The restore job can take as long as 10 minutes to complete.

    When the restore job is completed, an Amazon EBS Volume ID beginning with vol- is populated under the Resource ID column.

    Warning: You do not need to wait for any email notifications to proceed on to other tasks.

52. Monitor the email that you subscribed to the Amazon SNS topic for a notification regarding ‘An AWS Backup Restore job completed successfully’. This email from the Amazon SNS topic contains the ARN for the created EBS volume.

    After the restore job has completed, the EBS volume created from the restore job is deleted by the Lambda function.

53. Monitor the email you subscribed to the Amazon SNS topic for a notification regarding ‘Restore from ARN was successful’. This email from the Amazon SNS topic contains the ARN for the restored EBS volume. Note that the notification message later states that the restored volume has been cleaned up.

Task complete: By creating an on-demand backup of the EBS volume, a Lambda function was invoked which triggered a restore job to test the backup, cleaned up the resources, and sent notifications to the Amazon SNS topic.

---

Task 7: Review CloudWatch logs

In this task, you locate and review the CloudWatch logs from the Lambda function invocation. The CloudWatch logs are created by the Lambda function when the AWS Backup jobs are run.

54. At the top of the AWS Management Console, in the search bar, search for and choose

    CloudWatch
    .

55. In the left navigation pane, under Logs, choose Log Management.

56. Choose the Log group named

    /aws/lambda/RestoreTestFunction
    .

57. Choose one of the Log Streams to review the Lambda function that ran.

    The CloudWatch log generated for the Lambda function is listed in chronological order from oldest to newest. If only one log is present it means that the Lambda function has not yet started the delete job.

58. Locate the entries that begin with ‘Incoming Event: {“Records”}’ and review the entries.

    The next entry after each Incoming Event that tells you which action is triggered by the Lambda function.

    One of these log streams was generated when the backup job ran and the other log stream was generated when the restore job ran.

Task complete: You have located logs generated by the Lambda function.

---

Conclusion

You have successfully done the following:

• Subscribed your email to an existing Amazon SNS topic.
• Created a backup plan using AWS Backup.
• Created a backup vault using AWS Backup.
• Assigned specific resources to the backup plan.
• Published specific AWS Backup events to an existing Amazon SNS topic.
• Reviewed a Lambda function that tests to see if restore jobs can be completed from recently created backup jobs.
• Reviewed a log stream in CloudWatch generated for a Lambda function.

End lab

Follow these steps to close the console and end your lab.

59. Return to the AWS Management Console.

60. At the upper-right corner of the page, choose AWSLabsUser, and then choose Sign out.

61. Choose End Lab and then confirm that you want to end your lab.

For more information about AWS Training and Certification, see https://aws.amazon.com/training/.

Your feedback is welcome and appreciated.
If you would like to share any feedback, suggestions, or corrections, please provide the details in our AWS Training and Certification Contact Form.

Additional resources

• Amazon Simple Queue Service (Amazon SQS)
• CLI commands