AWS Backup

2025/11/06 - AWS Backup - 6 updated api methods

Changes  AWS Backup now supports customer-managed keys (CMK) for logically air-gapped vaults, enabling customers to maintain full control over their encryption key lifecycle. This feature helps organizations meet specific internal governance requirements or external regulatory compliance standards.

CreateLogicallyAirGappedBackupVault (updated)
Changes (request)
{'EncryptionKeyArn': 'string'}

Creates a logical container to which backups may be copied.

This request includes a name, the Region, the maximum number of retention days, the minimum number of retention days, and optionally can include tags and a creator request ID.

See also: AWS API Documentation

Request Syntax

client.create_logically_air_gapped_backup_vault(
    BackupVaultName='string',
    BackupVaultTags={
        'string': 'string'
    },
    CreatorRequestId='string',
    MinRetentionDays=123,
    MaxRetentionDays=123,
    EncryptionKeyArn='string'
)
type BackupVaultName:

string

param BackupVaultName:

[REQUIRED]

The name of a logical container where backups are stored. Logically air-gapped backup vaults are identified by names that are unique to the account used to create them and the Region where they are created.

type BackupVaultTags:

dict

param BackupVaultTags:

The tags to assign to the vault.

  • (string) --

    • (string) --

type CreatorRequestId:

string

param CreatorRequestId:

The ID of the creation request.

This parameter is optional. If used, this parameter must contain 1 to 50 alphanumeric or '-_.' characters.

This field is autopopulated if not provided.

type MinRetentionDays:

integer

param MinRetentionDays:

[REQUIRED]

This setting specifies the minimum retention period that the vault retains its recovery points.

The minimum value accepted is 7 days.

type MaxRetentionDays:

integer

param MaxRetentionDays:

[REQUIRED]

The maximum retention period that the vault retains its recovery points.

type EncryptionKeyArn:

string

param EncryptionKeyArn:

The ARN of the customer-managed KMS key to use for encrypting the logically air-gapped backup vault. If not specified, the vault will be encrypted with an Amazon Web Services-owned key managed by Amazon Web Services Backup.

rtype:

dict

returns:

Response Syntax

{
    'BackupVaultName': 'string',
    'BackupVaultArn': 'string',
    'CreationDate': datetime(2015, 1, 1),
    'VaultState': 'CREATING'|'AVAILABLE'|'FAILED'
}

Response Structure

  • (dict) --

    • BackupVaultName (string) --

      The name of a logical container where backups are stored. Logically air-gapped backup vaults are identified by names that are unique to the account used to create them and the Region where they are created.

    • BackupVaultArn (string) --

      The ARN (Amazon Resource Name) of the vault.

    • CreationDate (datetime) --

      The date and time when the vault was created.

      This value is in Unix format, Coordinated Universal Time (UTC), and accurate to milliseconds. For example, the value 1516925490.087 represents Friday, January 26, 2018 12:11:30.087 AM.

    • VaultState (string) --

      The current state of the vault.

DescribeBackupVault (updated)
Changes (response)
{'EncryptionKeyType': 'AWS_OWNED_KMS_KEY | CUSTOMER_MANAGED_KMS_KEY'}

Returns metadata about a backup vault specified by its name.

See also: AWS API Documentation

Request Syntax

client.describe_backup_vault(
    BackupVaultName='string',
    BackupVaultAccountId='string'
)
type BackupVaultName:

string

param BackupVaultName:

[REQUIRED]

The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the Amazon Web Services Region where they are created.

type BackupVaultAccountId:

string

param BackupVaultAccountId:

The account ID of the specified backup vault.

rtype:

dict

returns:

Response Syntax

{
    'BackupVaultName': 'string',
    'BackupVaultArn': 'string',
    'VaultType': 'BACKUP_VAULT'|'LOGICALLY_AIR_GAPPED_BACKUP_VAULT'|'RESTORE_ACCESS_BACKUP_VAULT',
    'VaultState': 'CREATING'|'AVAILABLE'|'FAILED',
    'EncryptionKeyArn': 'string',
    'CreationDate': datetime(2015, 1, 1),
    'CreatorRequestId': 'string',
    'NumberOfRecoveryPoints': 123,
    'Locked': True|False,
    'MinRetentionDays': 123,
    'MaxRetentionDays': 123,
    'LockDate': datetime(2015, 1, 1),
    'SourceBackupVaultArn': 'string',
    'MpaApprovalTeamArn': 'string',
    'MpaSessionArn': 'string',
    'LatestMpaApprovalTeamUpdate': {
        'MpaSessionArn': 'string',
        'Status': 'PENDING'|'APPROVED'|'FAILED',
        'StatusMessage': 'string',
        'InitiationDate': datetime(2015, 1, 1),
        'ExpiryDate': datetime(2015, 1, 1)
    },
    'EncryptionKeyType': 'AWS_OWNED_KMS_KEY'|'CUSTOMER_MANAGED_KMS_KEY'
}

Response Structure

  • (dict) --

    • BackupVaultName (string) --

      The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the Region where they are created.

    • BackupVaultArn (string) --

      An Amazon Resource Name (ARN) that uniquely identifies a backup vault; for example, arn:aws:backup:us-east-1:123456789012:backup-vault:aBackupVault.

    • VaultType (string) --

      The type of vault described.

    • VaultState (string) --

      The current state of the vault.

    • EncryptionKeyArn (string) --

      The server-side encryption key that is used to protect your backups; for example, arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab.

    • CreationDate (datetime) --

      The date and time that a backup vault is created, in Unix format and Coordinated Universal Time (UTC). The value of CreationDate is accurate to milliseconds. For example, the value 1516925490.087 represents Friday, January 26, 2018 12:11:30.087 AM.

    • CreatorRequestId (string) --

      A unique string that identifies the request and allows failed requests to be retried without the risk of running the operation twice. This parameter is optional. If used, this parameter must contain 1 to 50 alphanumeric or '-_.' characters.

    • NumberOfRecoveryPoints (integer) --

      The number of recovery points that are stored in a backup vault.

      Recovery point count value displayed in the console can be an approximation. Use ListRecoveryPointsByBackupVault API to obtain the exact count.

    • Locked (boolean) --

      A Boolean that indicates whether Backup Vault Lock is currently protecting the backup vault. True means that Vault Lock causes delete or update operations on the recovery points stored in the vault to fail.

    • MinRetentionDays (integer) --

      The Backup Vault Lock setting that specifies the minimum retention period that the vault retains its recovery points. If this parameter is not specified, Vault Lock will not enforce a minimum retention period.

      If specified, any backup or copy job to the vault must have a lifecycle policy with a retention period equal to or longer than the minimum retention period. If the job's retention period is shorter than that minimum retention period, then the vault fails the backup or copy job, and you should either modify your lifecycle settings or use a different vault. Recovery points already stored in the vault prior to Vault Lock are not affected.

    • MaxRetentionDays (integer) --

      The Backup Vault Lock setting that specifies the maximum retention period that the vault retains its recovery points. If this parameter is not specified, Vault Lock does not enforce a maximum retention period on the recovery points in the vault (allowing indefinite storage).

      If specified, any backup or copy job to the vault must have a lifecycle policy with a retention period equal to or shorter than the maximum retention period. If the job's retention period is longer than that maximum retention period, then the vault fails the backup or copy job, and you should either modify your lifecycle settings or use a different vault. Recovery points already stored in the vault prior to Vault Lock are not affected.

    • LockDate (datetime) --

      The date and time when Backup Vault Lock configuration cannot be changed or deleted.

      If you applied Vault Lock to your vault without specifying a lock date, you can change any of your Vault Lock settings, or delete Vault Lock from the vault entirely, at any time.

      This value is in Unix format, Coordinated Universal Time (UTC), and accurate to milliseconds. For example, the value 1516925490.087 represents Friday, January 26, 2018 12:11:30.087 AM.

    • SourceBackupVaultArn (string) --

      The ARN of the source backup vault from which this restore access backup vault was created.

    • MpaApprovalTeamArn (string) --

      The ARN of the MPA approval team associated with this backup vault.

    • MpaSessionArn (string) --

      The ARN of the MPA session associated with this backup vault.

    • LatestMpaApprovalTeamUpdate (dict) --

      Information about the latest update to the MPA approval team association for this backup vault.

      • MpaSessionArn (string) --

        The ARN of the MPA session associated with this update.

      • Status (string) --

        The current status of the MPA approval team update.

      • StatusMessage (string) --

        A message describing the current status of the MPA approval team update.

      • InitiationDate (datetime) --

        The date and time when the MPA approval team update was initiated.

      • ExpiryDate (datetime) --

        The date and time when the MPA approval team update will expire.

    • EncryptionKeyType (string) --

      The type of encryption key used for the backup vault. Valid values are CUSTOMER_MANAGED_KMS_KEY for customer-managed keys or AWS_OWNED_KMS_KEY for Amazon Web Services-owned keys.
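The following added example (not part of the AWS documentation) builds a CreateLogicallyAirGappedBackupVault request with a customer-managed key, then uses DescribeBackupVault to confirm the vault became AVAILABLE and reports the requested key rather than an AWS-owned one. The function names, the stub client and the MaxRetentionDays sanity check are assumptions made for illustration; with a real client you would pass `boto3.client("backup")`.

```python
import re
import time

CMK = "CUSTOMER_MANAGED_KMS_KEY"
# Key ARN shape taken from the page's example; alias ARNs do not match.
KEY_ARN_RE = re.compile(r"arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[A-Za-z0-9-]+")
# CreatorRequestId: 1 to 50 alphanumeric or '-_.' characters.
REQUEST_ID_RE = re.compile(r"[A-Za-z0-9._-]{1,50}")


def build_create_request(name, min_days, max_days, key_arn, request_id=None, tags=None):
    """Validate inputs; return kwargs for create_logically_air_gapped_backup_vault."""
    if not name:
        raise ValueError("BackupVaultName is required")
    if min_days < 7:
        raise ValueError("MinRetentionDays must be at least 7")
    if max_days < min_days:  # sanity check added here, not stated on the page
        raise ValueError("MaxRetentionDays is below MinRetentionDays")
    if not KEY_ARN_RE.fullmatch(key_arn or ""):
        raise ValueError("EncryptionKeyArn must be a KMS key ARN")
    if request_id is not None and not REQUEST_ID_RE.fullmatch(request_id):
        raise ValueError("CreatorRequestId must be 1-50 chars of [A-Za-z0-9._-]")
    request = {
        "BackupVaultName": name,
        "MinRetentionDays": min_days,
        "MaxRetentionDays": max_days,
        "EncryptionKeyArn": key_arn,
    }
    if request_id is not None:
        request["CreatorRequestId"] = request_id
    if tags:
        request["BackupVaultTags"] = dict(tags)
    return request


def create_and_verify(client, request, attempts=10, delay=5.0):
    """Create the vault, wait for AVAILABLE, then check the key it reports."""
    client.create_logically_air_gapped_backup_vault(**request)
    for _ in range(attempts):
        vault = client.describe_backup_vault(BackupVaultName=request["BackupVaultName"])
        if vault["VaultState"] == "FAILED":
            raise RuntimeError("vault creation failed")
        if vault["VaultState"] == "AVAILABLE":
            break
        time.sleep(delay)
    else:
        raise TimeoutError("vault did not become AVAILABLE")
    # Omitting EncryptionKeyArn yields an AWS-owned key, so verify both fields.
    if vault.get("EncryptionKeyType") != CMK:
        raise RuntimeError("vault is not encrypted with a customer-managed key")
    if vault.get("EncryptionKeyArn") != request["EncryptionKeyArn"]:
        raise RuntimeError("vault reports a different key than requested")
    return vault


class StubBackupClient:
    """Constructed stand-in for the Backup client; replays canned describe responses."""

    def __init__(self, describe_responses):
        self._responses = list(describe_responses)
        self.created = None

    def create_logically_air_gapped_backup_vault(self, **kwargs):
        self.created = kwargs
        return {"BackupVaultName": kwargs["BackupVaultName"], "VaultState": "CREATING"}

    def describe_backup_vault(self, **kwargs):
        # Keep returning the last response once the queue is down to one entry.
        if len(self._responses) > 1:
            return self._responses.pop(0)
        return self._responses[0]
```
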

DescribeRecoveryPoint (updated)
Changes (response)
{'EncryptionKeyType': 'AWS_OWNED_KMS_KEY | CUSTOMER_MANAGED_KMS_KEY'}

Returns metadata associated with a recovery point, including ID, status, encryption, and lifecycle.

See also: AWS API Documentation

Request Syntax

client.describe_recovery_point(
    BackupVaultName='string',
    RecoveryPointArn='string',
    BackupVaultAccountId='string'
)
type BackupVaultName:

string

param BackupVaultName:

[REQUIRED]

The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the Amazon Web Services Region where they are created.

type RecoveryPointArn:

string

param RecoveryPointArn:

[REQUIRED]

An Amazon Resource Name (ARN) that uniquely identifies a recovery point; for example, arn:aws:backup:us-east-1:123456789012:recovery-point:1EB3B5E7-9EB0-435A-A80B-108B488B0D45.

type BackupVaultAccountId:

string

param BackupVaultAccountId:

The account ID of the specified backup vault.

rtype:

dict

returns:

Response Syntax

{
    'RecoveryPointArn': 'string',
    'BackupVaultName': 'string',
    'BackupVaultArn': 'string',
    'SourceBackupVaultArn': 'string',
    'ResourceArn': 'string',
    'ResourceType': 'string',
    'CreatedBy': {
        'BackupPlanId': 'string',
        'BackupPlanArn': 'string',
        'BackupPlanName': 'string',
        'BackupPlanVersion': 'string',
        'BackupRuleId': 'string',
        'BackupRuleName': 'string',
        'BackupRuleCron': 'string',
        'BackupRuleTimezone': 'string'
    },
    'IamRoleArn': 'string',
    'Status': 'COMPLETED'|'PARTIAL'|'DELETING'|'EXPIRED'|'AVAILABLE'|'STOPPED'|'CREATING',
    'StatusMessage': 'string',
    'CreationDate': datetime(2015, 1, 1),
    'InitiationDate': datetime(2015, 1, 1),
    'CompletionDate': datetime(2015, 1, 1),
    'BackupSizeInBytes': 123,
    'CalculatedLifecycle': {
        'MoveToColdStorageAt': datetime(2015, 1, 1),
        'DeleteAt': datetime(2015, 1, 1)
    },
    'Lifecycle': {
        'MoveToColdStorageAfterDays': 123,
        'DeleteAfterDays': 123,
        'OptInToArchiveForSupportedResources': True|False
    },
    'EncryptionKeyArn': 'string',
    'IsEncrypted': True|False,
    'StorageClass': 'WARM'|'COLD'|'DELETED',
    'LastRestoreTime': datetime(2015, 1, 1),
    'ParentRecoveryPointArn': 'string',
    'CompositeMemberIdentifier': 'string',
    'IsParent': True|False,
    'ResourceName': 'string',
    'VaultType': 'BACKUP_VAULT'|'LOGICALLY_AIR_GAPPED_BACKUP_VAULT'|'RESTORE_ACCESS_BACKUP_VAULT',
    'IndexStatus': 'PENDING'|'ACTIVE'|'FAILED'|'DELETING',
    'IndexStatusMessage': 'string',
    'EncryptionKeyType': 'AWS_OWNED_KMS_KEY'|'CUSTOMER_MANAGED_KMS_KEY'
}

Response Structure

  • (dict) --

    • RecoveryPointArn (string) --

      An ARN that uniquely identifies a recovery point; for example, arn:aws:backup:us-east-1:123456789012:recovery-point:1EB3B5E7-9EB0-435A-A80B-108B488B0D45.

    • BackupVaultName (string) --

      The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the Region where they are created.

    • BackupVaultArn (string) --

      An ARN that uniquely identifies a backup vault; for example, arn:aws:backup:us-east-1:123456789012:backup-vault:aBackupVault.

    • SourceBackupVaultArn (string) --

      An Amazon Resource Name (ARN) that uniquely identifies the source vault in which the resource was originally backed up; for example, arn:aws:backup:us-east-1:123456789012:backup-vault:aBackupVault. If the recovery is restored to the same Amazon Web Services account or Region, this value will be null.

    • ResourceArn (string) --

      An ARN that uniquely identifies a saved resource. The format of the ARN depends on the resource type.

    • ResourceType (string) --

      The type of Amazon Web Services resource to save as a recovery point; for example, an Amazon Elastic Block Store (Amazon EBS) volume or an Amazon Relational Database Service (Amazon RDS) database.

    • CreatedBy (dict) --

      Contains identifying information about the creation of a recovery point, including the BackupPlanArn, BackupPlanId, BackupPlanVersion, and BackupRuleId of the backup plan used to create it.

      • BackupPlanId (string) --

        Uniquely identifies a backup plan.

      • BackupPlanArn (string) --

        An Amazon Resource Name (ARN) that uniquely identifies a backup plan; for example, arn:aws:backup:us-east-1:123456789012:plan:8F81F553-3A74-4A3F-B93D-B3360DC80C50.

      • BackupPlanName (string) --

        The name of the backup plan that created this recovery point. This provides human-readable context about which backup plan was responsible for the backup job.

      • BackupPlanVersion (string) --

        Version IDs are unique, randomly generated, Unicode, UTF-8 encoded strings that are at most 1,024 bytes long. They cannot be edited.

      • BackupRuleId (string) --

        Uniquely identifies a rule used to schedule the backup of a selection of resources.

      • BackupRuleName (string) --

        The name of the backup rule within the backup plan that created this recovery point. This helps identify which specific rule triggered the backup job.

      • BackupRuleCron (string) --

        The cron expression that defines the schedule for the backup rule. This shows the frequency and timing of when backups are automatically triggered.

      • BackupRuleTimezone (string) --

        The timezone used for the backup rule schedule. This provides context for when backups are scheduled to run in the specified timezone.

    • IamRoleArn (string) --

      Specifies the IAM role ARN used to create the target recovery point; for example, arn:aws:iam::123456789012:role/S3Access.

    • Status (string) --

      A status code specifying the state of the recovery point. For more information, see Recovery point status in the Backup Developer Guide.

      • CREATING status indicates that a Backup job has been initiated for a resource. The backup process has started and is actively processing a backup job for the associated recovery point.

      • AVAILABLE status indicates that the backup was successfully created for the recovery point. The backup process has completed without any issues, and the recovery point is now ready for use.

      • PARTIAL status indicates a composite recovery point has one or more nested recovery points that were not in the backup.

      • EXPIRED status indicates that the recovery point has exceeded its retention period, but Backup lacks permission or is otherwise unable to delete it. To manually delete these recovery points, see Step 3: Delete the recovery points in the Clean up resources section of Getting started.

      • STOPPED status occurs on a continuous backup where a user has taken some action that causes the continuous backup to be disabled. This can be caused by the removal of permissions, turning off versioning, turning off events being sent to EventBridge, or disabling the EventBridge rules that are put in place by Backup. For recovery points of Amazon S3, Amazon RDS, and Amazon Aurora resources, this status occurs when the retention period of a continuous backup rule is changed. To resolve STOPPED status, ensure that all requested permissions are in place and that versioning is enabled on the S3 bucket. Once these conditions are met, the next instance of a backup rule running will result in a new continuous recovery point being created. The recovery points with STOPPED status do not need to be deleted. For SAP HANA on Amazon EC2 STOPPED status occurs due to user action, application misconfiguration, or backup failure. To ensure that future continuous backups succeed, refer to the recovery point status and check SAP HANA for details.

    • StatusMessage (string) --

      A status message explaining the status of the recovery point.

    • CreationDate (datetime) --

      The date and time that a recovery point is created, in Unix format and Coordinated Universal Time (UTC). The value of CreationDate is accurate to milliseconds. For example, the value 1516925490.087 represents Friday, January 26, 2018 12:11:30.087 AM.

    • InitiationDate (datetime) --

      The date and time when the backup job that created this recovery point was initiated, in Unix format and Coordinated Universal Time (UTC).

    • CompletionDate (datetime) --

      The date and time that a job to create a recovery point is completed, in Unix format and Coordinated Universal Time (UTC). The value of CompletionDate is accurate to milliseconds. For example, the value 1516925490.087 represents Friday, January 26, 2018 12:11:30.087 AM.

    • BackupSizeInBytes (integer) --

      The size, in bytes, of a backup.

    • CalculatedLifecycle (dict) --

      A CalculatedLifecycle object containing DeleteAt and MoveToColdStorageAt timestamps.

      • MoveToColdStorageAt (datetime) --

        A timestamp that specifies when to transition a recovery point to cold storage.

      • DeleteAt (datetime) --

        A timestamp that specifies when to delete a recovery point.

    • Lifecycle (dict) --

      The lifecycle defines when a protected resource is transitioned to cold storage and when it expires. Backup transitions and expires backups automatically according to the lifecycle that you define.

      Backups that are transitioned to cold storage must be stored in cold storage for a minimum of 90 days. Therefore, the “retention” setting must be 90 days greater than the “transition to cold after days” setting. The “transition to cold after days” setting cannot be changed after a backup has been transitioned to cold.

      Resource types that can transition to cold storage are listed in the Feature availability by resource table. Backup ignores this expression for other resource types.

      • MoveToColdStorageAfterDays (integer) --

        The number of days after creation that a recovery point is moved to cold storage.

      • DeleteAfterDays (integer) --

        The number of days after creation that a recovery point is deleted. This value must be at least 90 days after the number of days specified in MoveToColdStorageAfterDays.

      • OptInToArchiveForSupportedResources (boolean) --

        If the value is true, your backup plan transitions supported resources to archive (cold) storage tier in accordance with your lifecycle settings.

    • EncryptionKeyArn (string) --

      The server-side encryption key used to protect your backups; for example, arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab.

    • IsEncrypted (boolean) --

      A Boolean value that is returned as TRUE if the specified recovery point is encrypted, or FALSE if the recovery point is not encrypted.

    • StorageClass (string) --

      Specifies the storage class of the recovery point. Valid values are WARM or COLD.

    • LastRestoreTime (datetime) --

      The date and time that a recovery point was last restored, in Unix format and Coordinated Universal Time (UTC). The value of LastRestoreTime is accurate to milliseconds. For example, the value 1516925490.087 represents Friday, January 26, 2018 12:11:30.087 AM.

    • ParentRecoveryPointArn (string) --

      This is an ARN that uniquely identifies a parent (composite) recovery point; for example, arn:aws:backup:us-east-1:123456789012:recovery-point:1EB3B5E7-9EB0-435A-A80B-108B488B0D45.

    • CompositeMemberIdentifier (string) --

      The identifier of a resource within a composite group, such as a nested (child) recovery point belonging to a composite (parent) stack. The ID is transferred from the logical ID within a stack.

    • IsParent (boolean) --

      A Boolean value that indicates whether a recovery point is a parent (composite) job.

    • ResourceName (string) --

      The name of the resource that belongs to the specified backup.

    • VaultType (string) --

      The type of vault in which the described recovery point is stored.

    • IndexStatus (string) --

      This is the current status for the backup index associated with the specified recovery point.

      Statuses are: PENDING | ACTIVE | FAILED | DELETING

      A recovery point with an index that has the status of ACTIVE can be included in a search.

    • IndexStatusMessage (string) --

      A string in the form of a detailed message explaining the status of a backup index associated with the recovery point.

    • EncryptionKeyType (string) --

      The type of encryption key used for the recovery point. Valid values are CUSTOMER_MANAGED_KMS_KEY for customer-managed keys or AWS_OWNED_KMS_KEY for Amazon Web Services-owned keys.

ListBackupVaults (updated)
Changes (response)
{'BackupVaultList': {'EncryptionKeyType': 'AWS_OWNED_KMS_KEY | '
                                          'CUSTOMER_MANAGED_KMS_KEY'}}

Returns a list of recovery point storage containers along with information about them.

See also: AWS API Documentation

Request Syntax

client.list_backup_vaults(
    ByVaultType='BACKUP_VAULT'|'LOGICALLY_AIR_GAPPED_BACKUP_VAULT'|'RESTORE_ACCESS_BACKUP_VAULT',
    ByShared=True|False,
    NextToken='string',
    MaxResults=123
)
type ByVaultType:

string

param ByVaultType:

This parameter will sort the list of vaults by vault type.

type ByShared:

boolean

param ByShared:

This parameter will sort the list of vaults by shared vaults.

type NextToken:

string

param NextToken:

The next item following a partial list of returned items. For example, if a request is made to return MaxResults number of items, NextToken allows you to return more items in your list starting at the location pointed to by the next token.

type MaxResults:

integer

param MaxResults:

The maximum number of items to be returned.

rtype:

dict

returns:

Response Syntax

{
    'BackupVaultList': [
        {
            'BackupVaultName': 'string',
            'BackupVaultArn': 'string',
            'VaultType': 'BACKUP_VAULT'|'LOGICALLY_AIR_GAPPED_BACKUP_VAULT'|'RESTORE_ACCESS_BACKUP_VAULT',
            'VaultState': 'CREATING'|'AVAILABLE'|'FAILED',
            'CreationDate': datetime(2015, 1, 1),
            'EncryptionKeyArn': 'string',
            'CreatorRequestId': 'string',
            'NumberOfRecoveryPoints': 123,
            'Locked': True|False,
            'MinRetentionDays': 123,
            'MaxRetentionDays': 123,
            'LockDate': datetime(2015, 1, 1),
            'EncryptionKeyType': 'AWS_OWNED_KMS_KEY'|'CUSTOMER_MANAGED_KMS_KEY'
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • BackupVaultList (list) --

      An array of backup vault list members containing vault metadata, including Amazon Resource Name (ARN), display name, creation date, number of saved recovery points, and encryption information if the resources saved in the backup vault are encrypted.

      • (dict) --

        Contains metadata about a backup vault.

        • BackupVaultName (string) --

          The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the Amazon Web Services Region where they are created.

        • BackupVaultArn (string) --

          An Amazon Resource Name (ARN) that uniquely identifies a backup vault; for example, arn:aws:backup:us-east-1:123456789012:backup-vault:aBackupVault.

        • VaultType (string) --

          The type of vault in which the described recovery point is stored.

        • VaultState (string) --

          The current state of the vault.

        • CreationDate (datetime) --

          The date and time a resource backup is created, in Unix format and Coordinated Universal Time (UTC). The value of CreationDate is accurate to milliseconds. For example, the value 1516925490.087 represents Friday, January 26, 2018 12:11:30.087 AM.

        • EncryptionKeyArn (string) --

          A server-side encryption key you can specify to encrypt your backups from services that support full Backup management; for example, arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab. If you specify a key, you must specify its ARN, not its alias. If you do not specify a key, Backup creates a KMS key for you by default.

          To learn which Backup services support full Backup management and how Backup handles encryption for backups from services that do not yet support full Backup, see Encryption for backups in Backup

        • CreatorRequestId (string) --

          A unique string that identifies the request and allows failed requests to be retried without the risk of running the operation twice. This parameter is optional.

          If used, this parameter must contain 1 to 50 alphanumeric or '-_.' characters.

        • NumberOfRecoveryPoints (integer) --

          The number of recovery points that are stored in a backup vault.

        • Locked (boolean) --

          A Boolean value that indicates whether Backup Vault Lock applies to the selected backup vault. If true, Vault Lock prevents delete and update operations on the recovery points in the selected vault.

        • MinRetentionDays (integer) --

          The Backup Vault Lock setting that specifies the minimum retention period that the vault retains its recovery points. If this parameter is not specified, Vault Lock does not enforce a minimum retention period.

          If specified, any backup or copy job to the vault must have a lifecycle policy with a retention period equal to or longer than the minimum retention period. If the job's retention period is shorter than that minimum retention period, then the vault fails the backup or copy job, and you should either modify your lifecycle settings or use a different vault. Recovery points already stored in the vault prior to Vault Lock are not affected.

        • MaxRetentionDays (integer) --

          The Backup Vault Lock setting that specifies the maximum retention period that the vault retains its recovery points. If this parameter is not specified, Vault Lock does not enforce a maximum retention period on the recovery points in the vault (allowing indefinite storage).

          If specified, any backup or copy job to the vault must have a lifecycle policy with a retention period equal to or shorter than the maximum retention period. If the job's retention period is longer than that maximum retention period, then the vault fails the backup or copy job, and you should either modify your lifecycle settings or use a different vault. Recovery points already stored in the vault prior to Vault Lock are not affected.

        • LockDate (datetime) --

          The date and time when Backup Vault Lock configuration becomes immutable, meaning it cannot be changed or deleted.

          If you applied Vault Lock to your vault without specifying a lock date, you can change your Vault Lock settings, or delete Vault Lock from the vault entirely, at any time.

          This value is in Unix format, Coordinated Universal Time (UTC), and accurate to milliseconds. For example, the value 1516925490.087 represents Friday, January 26, 2018 12:11:30.087 AM.

        • EncryptionKeyType (string) --

          The type of encryption key used for the backup vault. Valid values are CUSTOMER_MANAGED_KMS_KEY for customer-managed keys or AWS_OWNED_KMS_KEY for Amazon Web Services-owned keys.

    • NextToken (string) --

      The next item following a partial list of returned items. For example, if a request is made to return MaxResults number of items, NextToken allows you to return more items in your list starting at the location pointed to by the next token.
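As an added example (not part of the AWS documentation), this audit follows NextToken through ListBackupVaults and flags logically air-gapped vaults whose new EncryptionKeyType field is missing, AWS-owned, or a customer-managed key outside an approved list. The function names, finding labels, key allowlist and the constructed sample pages are assumptions for illustration. Because the page describes ByVaultType as sorting the list, the code re-checks VaultType on every member.

```python
AIR_GAPPED = "LOGICALLY_AIR_GAPPED_BACKUP_VAULT"
CMK = "CUSTOMER_MANAGED_KMS_KEY"


def iter_vaults(client, vault_type=None):
    """Yield every BackupVaultList member, following NextToken until exhausted."""
    kwargs = {"ByVaultType": vault_type} if vault_type else {}
    while True:
        page = client.list_backup_vaults(**kwargs)
        yield from page.get("BackupVaultList", [])
        token = page.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token


def audit_air_gapped_vaults(client, approved_key_arns):
    """Return (vault name, finding) pairs for air-gapped vaults that fail policy."""
    findings = []
    for vault in iter_vaults(client, AIR_GAPPED):
        if vault.get("VaultType") != AIR_GAPPED:
            continue  # do not rely on ByVaultType having filtered the list
        name = vault["BackupVaultName"]
        key_type = vault.get("EncryptionKeyType")
        if key_type is None:
            # Field absent, e.g. a response from before this API update.
            findings.append((name, "KEY_TYPE_MISSING"))
        elif key_type != CMK:
            findings.append((name, "AWS_OWNED_KEY"))
        elif vault.get("EncryptionKeyArn") not in approved_key_arns:
            findings.append((name, "UNAPPROVED_KEY"))
    return findings


# Constructed sample data: two pages of ListBackupVaults members.
APPROVED = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
OTHER = "arn:aws:kms:us-west-2:111122223333:key/0000aaaa-00aa-00aa-00aa-000000000000"
SAMPLE_PAGES = [
    [
        {"BackupVaultName": "default", "VaultType": "BACKUP_VAULT",
         "EncryptionKeyType": "AWS_OWNED_KMS_KEY"},
        {"BackupVaultName": "lag-good", "VaultType": AIR_GAPPED,
         "EncryptionKeyType": CMK, "EncryptionKeyArn": APPROVED},
    ],
    [
        {"BackupVaultName": "lag-aws-owned", "VaultType": AIR_GAPPED,
         "EncryptionKeyType": "AWS_OWNED_KMS_KEY"},
        {"BackupVaultName": "lag-other-key", "VaultType": AIR_GAPPED,
         "EncryptionKeyType": CMK, "EncryptionKeyArn": OTHER},
        {"BackupVaultName": "lag-legacy", "VaultType": AIR_GAPPED},
    ],
]


class PagedStubClient:
    """Constructed stand-in for the Backup client; serves SAMPLE_PAGES by index."""

    def __init__(self, pages):
        self._pages = pages
        self.calls = 0

    def list_backup_vaults(self, **kwargs):
        self.calls += 1
        index = int(kwargs.get("NextToken", 0))
        page = {"BackupVaultList": self._pages[index]}
        if index + 1 < len(self._pages):
            page["NextToken"] = str(index + 1)
        return page


if __name__ == "__main__":
    for name, finding in audit_air_gapped_vaults(PagedStubClient(SAMPLE_PAGES), {APPROVED}):
        print(f"{finding}: {name}")
```
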

ListRecoveryPointsByBackupVault (updated)
Changes (response)
{'RecoveryPoints': {'EncryptionKeyType': 'AWS_OWNED_KMS_KEY | '
                                         'CUSTOMER_MANAGED_KMS_KEY'}}

Returns detailed information about the recovery points stored in a backup vault.

See also: AWS API Documentation

Request Syntax

client.list_recovery_points_by_backup_vault(
    BackupVaultName='string',
    BackupVaultAccountId='string',
    NextToken='string',
    MaxResults=123,
    ByResourceArn='string',
    ByResourceType='string',
    ByBackupPlanId='string',
    ByCreatedBefore=datetime(2015, 1, 1),
    ByCreatedAfter=datetime(2015, 1, 1),
    ByParentRecoveryPointArn='string'
)
type BackupVaultName:

string

param BackupVaultName:

[REQUIRED]

The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the Amazon Web Services Region where they are created.

type BackupVaultAccountId:

string

param BackupVaultAccountId:

This parameter will sort the list of recovery points by account ID.

type NextToken:

string

param NextToken:

The next item following a partial list of returned items. For example, if a request is made to return MaxResults number of items, NextToken allows you to return more items in your list starting at the location pointed to by the next token.

type MaxResults:

integer

param MaxResults:

The maximum number of items to be returned.

type ByResourceArn:

string

param ByResourceArn:

Returns only recovery points that match the specified resource Amazon Resource Name (ARN).

type ByResourceType:

string

param ByResourceType:

Returns only recovery points that match the specified resource type(s):

  • Aurora for Amazon Aurora

  • CloudFormation for CloudFormation

  • DocumentDB for Amazon DocumentDB (with MongoDB compatibility)

  • DynamoDB for Amazon DynamoDB

  • EBS for Amazon Elastic Block Store

  • EC2 for Amazon Elastic Compute Cloud

  • EFS for Amazon Elastic File System

  • FSx for Amazon FSx

  • Neptune for Amazon Neptune

  • RDS for Amazon Relational Database Service

  • Redshift for Amazon Redshift

  • S3 for Amazon Simple Storage Service (Amazon S3)

  • SAP HANA on Amazon EC2 for SAP HANA databases on Amazon Elastic Compute Cloud instances

  • Storage Gateway for Storage Gateway

  • Timestream for Amazon Timestream

  • VirtualMachine for VMware virtual machines

type ByBackupPlanId:

string

param ByBackupPlanId:

Returns only recovery points that match the specified backup plan ID.

type ByCreatedBefore:

datetime

param ByCreatedBefore:

Returns only recovery points that were created before the specified timestamp.

type ByCreatedAfter:

datetime

param ByCreatedAfter:

Returns only recovery points that were created after the specified timestamp.

type ByParentRecoveryPointArn:

string

param ByParentRecoveryPointArn:

This returns only recovery points that match the specified parent (composite) recovery point Amazon Resource Name (ARN).

rtype:

dict

returns:

Response Syntax

{
    'NextToken': 'string',
    'RecoveryPoints': [
        {
            'RecoveryPointArn': 'string',
            'BackupVaultName': 'string',
            'BackupVaultArn': 'string',
            'SourceBackupVaultArn': 'string',
            'ResourceArn': 'string',
            'ResourceType': 'string',
            'CreatedBy': {
                'BackupPlanId': 'string',
                'BackupPlanArn': 'string',
                'BackupPlanName': 'string',
                'BackupPlanVersion': 'string',
                'BackupRuleId': 'string',
                'BackupRuleName': 'string',
                'BackupRuleCron': 'string',
                'BackupRuleTimezone': 'string'
            },
            'IamRoleArn': 'string',
            'Status': 'COMPLETED'|'PARTIAL'|'DELETING'|'EXPIRED'|'AVAILABLE'|'STOPPED'|'CREATING',
            'StatusMessage': 'string',
            'CreationDate': datetime(2015, 1, 1),
            'InitiationDate': datetime(2015, 1, 1),
            'CompletionDate': datetime(2015, 1, 1),
            'BackupSizeInBytes': 123,
            'CalculatedLifecycle': {
                'MoveToColdStorageAt': datetime(2015, 1, 1),
                'DeleteAt': datetime(2015, 1, 1)
            },
            'Lifecycle': {
                'MoveToColdStorageAfterDays': 123,
                'DeleteAfterDays': 123,
                'OptInToArchiveForSupportedResources': True|False
            },
            'EncryptionKeyArn': 'string',
            'IsEncrypted': True|False,
            'LastRestoreTime': datetime(2015, 1, 1),
            'ParentRecoveryPointArn': 'string',
            'CompositeMemberIdentifier': 'string',
            'IsParent': True|False,
            'ResourceName': 'string',
            'VaultType': 'BACKUP_VAULT'|'LOGICALLY_AIR_GAPPED_BACKUP_VAULT'|'RESTORE_ACCESS_BACKUP_VAULT',
            'IndexStatus': 'PENDING'|'ACTIVE'|'FAILED'|'DELETING',
            'IndexStatusMessage': 'string',
            'EncryptionKeyType': 'AWS_OWNED_KMS_KEY'|'CUSTOMER_MANAGED_KMS_KEY'
        },
    ]
}

Response Structure

  • (dict) --

    • NextToken (string) --

      The next item following a partial list of returned items. For example, if a request is made to return MaxResults number of items, NextToken allows you to return more items in your list starting at the location pointed to by the next token.

    • RecoveryPoints (list) --

      An array of objects that contain detailed information about recovery points saved in a backup vault.

      • (dict) --

        Contains detailed information about the recovery points stored in a backup vault.

        • RecoveryPointArn (string) --

          An Amazon Resource Name (ARN) that uniquely identifies a recovery point; for example, arn:aws:backup:us-east-1:123456789012:recovery-point:1EB3B5E7-9EB0-435A-A80B-108B488B0D45.

        • BackupVaultName (string) --

          The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the Amazon Web Services Region where they are created.

        • BackupVaultArn (string) --

          An ARN that uniquely identifies a backup vault; for example, arn:aws:backup:us-east-1:123456789012:backup-vault:aBackupVault.

        • SourceBackupVaultArn (string) --

          The backup vault where the recovery point was originally copied from. If the recovery point is restored to the same account this value will be null.

        • ResourceArn (string) --

          An ARN that uniquely identifies a resource. The format of the ARN depends on the resource type.

        • ResourceType (string) --

          The type of Amazon Web Services resource saved as a recovery point; for example, an Amazon Elastic Block Store (Amazon EBS) volume or an Amazon Relational Database Service (Amazon RDS) database. For Windows Volume Shadow Copy Service (VSS) backups, the only supported resource type is Amazon EC2.

        • CreatedBy (dict) --

          Contains identifying information about the creation of a recovery point, including the BackupPlanArn, BackupPlanId, BackupPlanVersion, and BackupRuleId of the backup plan that is used to create it.

          • BackupPlanId (string) --

            Uniquely identifies a backup plan.

          • BackupPlanArn (string) --

            An Amazon Resource Name (ARN) that uniquely identifies a backup plan; for example, arn:aws:backup:us-east-1:123456789012:plan:8F81F553-3A74-4A3F-B93D-B3360DC80C50.

          • BackupPlanName (string) --

            The name of the backup plan that created this recovery point. This provides human-readable context about which backup plan was responsible for the backup job.

          • BackupPlanVersion (string) --

            Version IDs are unique, randomly generated, Unicode, UTF-8 encoded strings that are at most 1,024 bytes long. They cannot be edited.

          • BackupRuleId (string) --

            Uniquely identifies a rule used to schedule the backup of a selection of resources.

          • BackupRuleName (string) --

            The name of the backup rule within the backup plan that created this recovery point. This helps identify which specific rule triggered the backup job.

          • BackupRuleCron (string) --

            The cron expression that defines the schedule for the backup rule. This shows the frequency and timing of when backups are automatically triggered.

          • BackupRuleTimezone (string) --

            The timezone used for the backup rule schedule. This provides context for when backups are scheduled to run in the specified timezone.

        • IamRoleArn (string) --

          Specifies the IAM role ARN used to create the target recovery point; for example, arn:aws:iam::123456789012:role/S3Access.

        • Status (string) --

          A status code specifying the state of the recovery point.

        • StatusMessage (string) --

          A message explaining the current status of the recovery point.

        • CreationDate (datetime) --

          The date and time a recovery point is created, in Unix format and Coordinated Universal Time (UTC). The value of CreationDate is accurate to milliseconds. For example, the value 1516925490.087 represents Friday, January 26, 2018 12:11:30.087 AM.

        • InitiationDate (datetime) --

          The date and time when the backup job that created this recovery point was initiated, in Unix format and Coordinated Universal Time (UTC).

        • CompletionDate (datetime) --

          The date and time a job to restore a recovery point is completed, in Unix format and Coordinated Universal Time (UTC). The value of CompletionDate is accurate to milliseconds. For example, the value 1516925490.087 represents Friday, January 26, 2018 12:11:30.087 AM.

        • BackupSizeInBytes (integer) --

          The size, in bytes, of a backup.

        • CalculatedLifecycle (dict) --

          A CalculatedLifecycle object containing DeleteAt and MoveToColdStorageAt timestamps.

          • MoveToColdStorageAt (datetime) --

            A timestamp that specifies when to transition a recovery point to cold storage.

          • DeleteAt (datetime) --

            A timestamp that specifies when to delete a recovery point.

        • Lifecycle (dict) --

          The lifecycle defines when a protected resource is transitioned to cold storage and when it expires. Backup transitions and expires backups automatically according to the lifecycle that you define.

          Backups transitioned to cold storage must be stored in cold storage for a minimum of 90 days. Therefore, the “retention” setting must be 90 days greater than the “transition to cold after days” setting. The “transition to cold after days” setting cannot be changed after a backup has been transitioned to cold.

          Resource types that can transition to cold storage are listed in the Feature availability by resource table. Backup ignores this expression for other resource types.

          • MoveToColdStorageAfterDays (integer) --

            The number of days after creation that a recovery point is moved to cold storage.

          • DeleteAfterDays (integer) --

            The number of days after creation that a recovery point is deleted. This value must be at least 90 days after the number of days specified in MoveToColdStorageAfterDays.

          • OptInToArchiveForSupportedResources (boolean) --

            If the value is true, your backup plan transitions supported resources to archive (cold) storage tier in accordance with your lifecycle settings.

        • EncryptionKeyArn (string) --

          The server-side encryption key that is used to protect your backups; for example, arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab.

        • IsEncrypted (boolean) --

          A Boolean value that is returned as TRUE if the specified recovery point is encrypted, or FALSE if the recovery point is not encrypted.

        • LastRestoreTime (datetime) --

          The date and time a recovery point was last restored, in Unix format and Coordinated Universal Time (UTC). The value of LastRestoreTime is accurate to milliseconds. For example, the value 1516925490.087 represents Friday, January 26, 2018 12:11:30.087 AM.

        • ParentRecoveryPointArn (string) --

          The Amazon Resource Name (ARN) of the parent (composite) recovery point.

        • CompositeMemberIdentifier (string) --

          The identifier of a resource within a composite group, such as a nested (child) recovery point belonging to a composite (parent) stack. The ID is transferred from the logical ID within a stack.

        • IsParent (boolean) --

          This is a boolean value indicating this is a parent (composite) recovery point.

        • ResourceName (string) --

          The non-unique name of the resource that belongs to the specified backup.

        • VaultType (string) --

          The type of vault in which the described recovery point is stored.

        • IndexStatus (string) --

          This is the current status for the backup index associated with the specified recovery point.

          Statuses are: PENDING | ACTIVE | FAILED | DELETING

          A recovery point with an index that has the status of ACTIVE can be included in a search.

        • IndexStatusMessage (string) --

          A string in the form of a detailed message explaining the status of a backup index associated with the recovery point.

        • EncryptionKeyType (string) --

          The type of encryption key used for the recovery point. Valid values are CUSTOMER_MANAGED_KMS_KEY for customer-managed keys or AWS_OWNED_KMS_KEY for Amazon Web Services-owned keys.

ListRecoveryPointsByResource (updated)
Changes (response)
{'RecoveryPoints': {'EncryptionKeyType': 'AWS_OWNED_KMS_KEY | '
                                         'CUSTOMER_MANAGED_KMS_KEY'}}

The information about the recovery points of the type specified by a resource Amazon Resource Name (ARN).

See also: AWS API Documentation

Request Syntax

client.list_recovery_points_by_resource(
    ResourceArn='string',
    NextToken='string',
    MaxResults=123,
    ManagedByAWSBackupOnly=True|False
)
type ResourceArn:

string

param ResourceArn:

[REQUIRED]

An ARN that uniquely identifies a resource. The format of the ARN depends on the resource type.

type NextToken:

string

param NextToken:

The next item following a partial list of returned items. For example, if a request is made to return MaxResults number of items, NextToken allows you to return more items in your list starting at the location pointed to by the next token.

type MaxResults:

integer

param MaxResults:

The maximum number of items to be returned.

type ManagedByAWSBackupOnly:

boolean

param ManagedByAWSBackupOnly:

This attribute filters recovery points based on ownership.

If this is set to TRUE, the response will contain recovery points associated with the selected resources that are managed by Backup.

If this is set to FALSE, the response will contain all recovery points associated with the selected resource.

Type: Boolean

rtype:

dict

returns:

Response Syntax

{
    'NextToken': 'string',
    'RecoveryPoints': [
        {
            'RecoveryPointArn': 'string',
            'CreationDate': datetime(2015, 1, 1),
            'Status': 'COMPLETED'|'PARTIAL'|'DELETING'|'EXPIRED'|'AVAILABLE'|'STOPPED'|'CREATING',
            'StatusMessage': 'string',
            'EncryptionKeyArn': 'string',
            'BackupSizeBytes': 123,
            'BackupVaultName': 'string',
            'IsParent': True|False,
            'ParentRecoveryPointArn': 'string',
            'ResourceName': 'string',
            'VaultType': 'BACKUP_VAULT'|'LOGICALLY_AIR_GAPPED_BACKUP_VAULT'|'RESTORE_ACCESS_BACKUP_VAULT',
            'IndexStatus': 'PENDING'|'ACTIVE'|'FAILED'|'DELETING',
            'IndexStatusMessage': 'string',
            'EncryptionKeyType': 'AWS_OWNED_KMS_KEY'|'CUSTOMER_MANAGED_KMS_KEY'
        },
    ]
}

Response Structure

  • (dict) --

    • NextToken (string) --

      The next item following a partial list of returned items. For example, if a request is made to return MaxResults number of items, NextToken allows you to return more items in your list starting at the location pointed to by the next token.

    • RecoveryPoints (list) --

      An array of objects that contain detailed information about recovery points of the specified resource type.

      • (dict) --

        Contains detailed information about a saved recovery point.

        • RecoveryPointArn (string) --

          An Amazon Resource Name (ARN) that uniquely identifies a recovery point; for example, arn:aws:backup:us-east-1:123456789012:recovery-point:1EB3B5E7-9EB0-435A-A80B-108B488B0D45.

        • CreationDate (datetime) --

          The date and time a recovery point is created, in Unix format and Coordinated Universal Time (UTC). The value of CreationDate is accurate to milliseconds. For example, the value 1516925490.087 represents Friday, January 26, 2018 12:11:30.087 AM.

        • Status (string) --

          A status code specifying the state of the recovery point.

        • StatusMessage (string) --

          A message explaining the current status of the recovery point.

        • EncryptionKeyArn (string) --

          The server-side encryption key that is used to protect your backups; for example, arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab.

        • BackupSizeBytes (integer) --

          The size, in bytes, of a backup.

        • BackupVaultName (string) --

          The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the Amazon Web Services Region where they are created.

        • IsParent (boolean) --

          This is a boolean value indicating this is a parent (composite) recovery point.

        • ParentRecoveryPointArn (string) --

          The Amazon Resource Name (ARN) of the parent (composite) recovery point.

        • ResourceName (string) --

          The non-unique name of the resource that belongs to the specified backup.

        • VaultType (string) --

          The type of vault in which the described recovery point is stored.

        • IndexStatus (string) --

          This is the current status for the backup index associated with the specified recovery point.

          Statuses are: PENDING | ACTIVE | FAILED | DELETING

          A recovery point with an index that has the status of ACTIVE can be included in a search.

        • IndexStatusMessage (string) --

          A string in the form of a detailed message explaining the status of a backup index associated with the recovery point.

        • EncryptionKeyType (string) --

          The type of encryption key used for the recovery point. Valid values are CUSTOMER_MANAGED_KMS_KEY for customer-managed keys or AWS_OWNED_KMS_KEY for Amazon Web Services-owned keys.
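An added example, not part of the AWS documentation: a key-policy audit that follows NextToken across pages of either ListRecoveryPointsByBackupVault or ListRecoveryPointsByResource and flags recovery points that are unencrypted, not protected by a CUSTOMER_MANAGED_KMS_KEY, or protected by a key outside an allowlist. The allowlist, the FakeBackupClient stand-in and its sample records are constructed so the block runs offline; with boto3, pass the real client method instead.

```python
from typing import Callable, Iterator, List, Tuple

# Constructed allowlist; replace with the CMK ARNs your organisation approves.
APPROVED_KEY = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
APPROVED_KEY_ARNS = {APPROVED_KEY}


def iter_recovery_points(list_call: Callable[..., dict], **params) -> Iterator[dict]:
    """Yield every recovery point, following NextToken until none is returned."""
    token = None
    while True:
        kwargs = dict(params)
        if token:
            kwargs["NextToken"] = token
        page = list_call(**kwargs)
        yield from page.get("RecoveryPoints", [])
        token = page.get("NextToken")
        if not token:
            return


def audit(list_call, approved=APPROVED_KEY_ARNS, **params) -> List[Tuple[str, str]]:
    """Return (RecoveryPointArn, reason) for each point that fails the key policy."""
    findings = []
    for rp in iter_recovery_points(list_call, **params):
        arn = rp["RecoveryPointArn"]
        # IsEncrypted appears only in the by-vault response; absent means unknown.
        if rp.get("IsEncrypted") is False:
            findings.append((arn, "not encrypted"))
        elif rp.get("EncryptionKeyType") != "CUSTOMER_MANAGED_KMS_KEY":
            findings.append((arn, f"key type {rp.get('EncryptionKeyType')}"))
        elif rp.get("EncryptionKeyArn") not in approved:
            findings.append((arn, "customer-managed key not on allowlist"))
    return findings


class FakeBackupClient:
    """Constructed stand-in for the Backup client; serves two pages of sample data."""
    _pages = {
        None: {"NextToken": "page-2", "RecoveryPoints": [
            {"RecoveryPointArn": "rp-1", "IsEncrypted": True,
             "EncryptionKeyType": "CUSTOMER_MANAGED_KMS_KEY",
             "EncryptionKeyArn": APPROVED_KEY},
            {"RecoveryPointArn": "rp-2", "IsEncrypted": True,
             "EncryptionKeyType": "AWS_OWNED_KMS_KEY"}]},
        "page-2": {"RecoveryPoints": [
            {"RecoveryPointArn": "rp-3", "IsEncrypted": True,
             "EncryptionKeyType": "CUSTOMER_MANAGED_KMS_KEY",
             "EncryptionKeyArn": "arn:aws:kms:us-west-2:111122223333:key/constructed-unknown"},
            {"RecoveryPointArn": "rp-4", "IsEncrypted": False}]},
    }

    def list_recovery_points_by_backup_vault(self, BackupVaultName, NextToken=None, **_):
        return self._pages[NextToken]


if __name__ == "__main__":
    call = FakeBackupClient().list_recovery_points_by_backup_vault
    for arn, reason in audit(call, BackupVaultName="example-vault"):
        print(arn, "->", reason)
```

Records that lack EncryptionKeyType entirely are reported as "key type None", so responses from before this API update fail closed rather than pass silently.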