AWS::Backup::BackupVault

Creates a logical container where backups are stored. A CreateBackupVault request includes a name, optionally one or more resource tags, an encryption key, and a request ID.

Do not include sensitive data, such as passport numbers, in the name of a backup vault.

For a sample AWS CloudFormation template, see the AWS Backup Developer Guide.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON


{
  "Type" : "AWS::Backup::BackupVault",
  "Properties" : {
      "AccessPolicy" : Json,
      "BackupVaultName" : String,
      "BackupVaultTags" : {Key: Value, ...},
      "EncryptionKeyArn" : String,
      "LockConfiguration" : LockConfigurationType,
      "Notifications" : NotificationObjectType
    }
}

YAML


Type: AWS::Backup::BackupVault
Properties:
  AccessPolicy: Json
  BackupVaultName: String
  BackupVaultTags: 
    Key: Value
  EncryptionKeyArn: String
  LockConfiguration: 
    LockConfigurationType
  Notifications: 
    NotificationObjectType

Properties

AccessPolicy

A resource-based policy that is used to manage access permissions on the target backup vault.

Required: No

Type: Json

Update requires: No interruption

BackupVaultName

The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the AWS Region where they are created.

Required: Yes

Type: String

Pattern: ^[a-zA-Z0-9\-\_]{2,50}$

Update requires: Replacement

BackupVaultTags

The tags to assign to the backup vault.

Required: No

Type: Object of String

Pattern: ^.{1,128}$

Update requires: No interruption

EncryptionKeyArn

A server-side encryption key you can specify to encrypt your backups from services that support full AWS Backup management; for example, arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab. If you specify a key, you must specify its ARN, not its alias. If you do not specify a key, AWS Backup creates a KMS key for you by default.

To learn which AWS Backup services support full AWS Backup management and how AWS Backup handles encryption for backups from services that do not yet support full AWS Backup, see Encryption for backups in AWS Backup

Required: No

Type: String

Update requires: Replacement

LockConfiguration

Configuration for AWS Backup Vault Lock.

Required: No

Type: LockConfigurationType

Update requires: No interruption

Notifications

The SNS event notifications for the specified backup vault.

Required: No

Type: NotificationObjectType

Update requires: No interruption

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns BackupVaultName.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

BackupVaultArn: An Amazon Resource Name (ARN) that uniquely identifies a backup vault; for example, arn:aws:backup:us-east-1:123456789012:backup-vault:aBackupVault.
BackupVaultName: The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the Region where they are created. They consist of lowercase and uppercase letters, numbers, and hyphens.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Conditions

LockConfigurationType