


How do I restore my AWS RDS? aws backup start-restore-job example

07 November, 2022 by Rambler

This is a step-by-step guide on how to use the AWS CLI to restore an RDS instance backed up with the AWS Backup service. The guide takes you through setting up the IAM role, retrieving the recovery point and its metadata, starting the restore, checking that the restore has completed, and cleaning up the IAM role.

You will need:

1) AWS CLI (AWS Command Line Interface)

2) jq - (JSON command-line processor)


I've broken the guide down into steps. One way to streamline the process is to place some of the outputs into variables.


--Place the following into a JSON file - allow_backup_assume_role.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "backup.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

--Place the following into a JSON file - allow_passrole_inline_policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "iam:PassRole",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

--Create an IAM role to manage passthrough 

aws iam create-role --role-name dba_backup_iam_role --assume-role-policy-document file://allow_backup_assume_role.json

aws iam put-role-policy --role-name dba_backup_iam_role --policy-name dba_backup_passrole_policy --policy-document file://allow_passrole_inline_policy.json

aws iam attach-role-policy --role-name dba_backup_iam_role --policy-arn arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
aws iam attach-role-policy --role-name dba_backup_iam_role --policy-arn arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores


--Create the IAM Role ARN. Concatenate the account ID and the IAM role name to create a string such as the one below. You'll need this for the restore job.

aws sts get-caller-identity | jq -r --arg prefix "arn:aws:iam::" --arg suffix ":role/dba_backup_iam_role" '. = $prefix + .Account + $suffix'

example output: arn:aws:iam::898778990:role/dba_backup_iam_role

--Get the RDS Resource ARN. You'll need this value to list the completed backup jobs.

aws rds describe-db-instances --query "DBInstances[?DBInstanceIdentifier=='MyRDSInstance'].DBInstanceArn"

--example output: "arn:aws:rds:us-west-1:8798456934:db:myrdsinstance"

--Get the Recovery Point ARN. Pick a recovery point and make a note of the Recovery Point ARN.

aws backup list-backup-jobs --by-state COMPLETED --query "BackupJobs[?ResourceArn == '<replace_with_RDS_Resource_ARN>'].[ResourceType,CompletionDate,RecoveryPointArn]"

--Create a restore point metadata file to use with the restore. Place the output of the command below into a file, e.g. restore_metadata.json

-Review the restore metadata and adjust it for your environment. These are some common line items to review:

a) DBInstanceIdentifier - pick a name for the new target RDS instance

b) AvailabilityZone - requesting a specific availability zone is not valid for Multi-AZ instances. Delete the line item if MultiAZ

c) Port - specify a valid port

aws backup get-recovery-point-restore-metadata --backup-vault-name Default --recovery-point-arn  <replace_with_Recovery_Point_ARN> --query "RestoreMetadata"


--Start the restore job

aws backup start-restore-job --recovery-point-arn <replace_with_Recovery_Point_ARN> --metadata file://restore_metadata.json --resource-type RDS --iam-role-arn <replace_with_iam_role_arn>

--Check the Status of the Restore Job 

aws backup list-restore-jobs --query "RestoreJobs[?RestoreJobId=='<replace_with_restorejobid>']"

--Check the new RDS resource exists 

-list all AWS RDS instances & status 

aws rds describe-db-instances --query "DBInstances[].[DBInstanceIdentifier,DBInstanceStatus] "


--Delete the IAM Role 

-step 1 - detach the AWS policies and delete the  inline policy from the IAM role 

aws iam detach-role-policy --role-name dba_backup_iam_role --policy-arn arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores

aws iam detach-role-policy --role-name dba_backup_iam_role --policy-arn arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup

aws iam delete-role-policy --role-name dba_backup_iam_role --policy-name dba_backup_passrole_policy

-step 2 - delete the role 

aws iam delete-role --role-name dba_backup_iam_role
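
The restore steps above, chained with shell variables so that no ARN or job ID has to be copied by hand. This is an added example, not code from the original post: the function names and the 30-second default poll interval are assumptions, and it polls `aws backup describe-restore-job` for a single job rather than filtering `list-restore-jobs`, so the IAM role is only deleted once the job has reached a final state.

```bash
#!/usr/bin/env bash
# Added example: the guide's steps chained with shell variables.
# --query/--output text is used instead of jq to capture single values.
ROLE_NAME="dba_backup_iam_role"   # role name used in the guide

# Build the IAM role ARN from the caller's account id.
role_arn() {
  local account
  account=$(aws sts get-caller-identity --query Account --output text) || return 1
  printf 'arn:aws:iam::%s:role/%s\n' "$account" "$ROLE_NAME"
}

# Start the restore and print the RestoreJobId.
# $1 = recovery point ARN, $2 = path to the reviewed restore_metadata.json
start_restore() {
  local arn
  arn=$(role_arn) || return 1
  aws backup start-restore-job --recovery-point-arn "$1" \
    --metadata "file://$2" --resource-type RDS \
    --iam-role-arn "$arn" --query RestoreJobId --output text
}

# Poll until the job leaves PENDING/RUNNING. $1 = job id, $2 = poll seconds.
# Prints the created resource ARN on COMPLETED; returns 1 on ABORTED/FAILED.
wait_for_restore() {
  local status
  while :; do
    status=$(aws backup describe-restore-job --restore-job-id "$1" \
      --query Status --output text) || return 2
    case "$status" in
      COMPLETED)
        aws backup describe-restore-job --restore-job-id "$1" \
          --query CreatedResourceArn --output text
        return ;;
      ABORTED|FAILED)
        aws backup describe-restore-job --restore-job-id "$1" \
          --query StatusMessage --output text >&2
        return 1 ;;
      *) sleep "${2:-30}" ;;
    esac
  done
}

# Usage (placeholders as in the guide):
#   job_id=$(start_restore "<replace_with_Recovery_Point_ARN>" restore_metadata.json)
#   wait_for_restore "$job_id" && echo "restore finished; the role can be removed"
```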

