AWS::Backup::BackupVault - Amazon CloudFormation
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

AWS::Backup::BackupVault

Creates a logical container where backups are stored. A CreateBackupVault request includes a name, optionally one or more resource tags, an encryption key, and a request ID.

Do not include sensitive data, such as passport numbers, in the name of a backup vault.

For a sample Amazon CloudFormation template, see the Amazon Backup Developer Guide.

Syntax

To declare this entity in your Amazon CloudFormation template, use the following syntax:

JSON

{ "Type" : "AWS::Backup::BackupVault", "Properties" : { "AccessPolicy" : Json, "BackupVaultName" : String, "BackupVaultTags" : {Key: Value, ...}, "EncryptionKeyArn" : String, "LockConfiguration" : LockConfigurationType, "Notifications" : NotificationObjectType } }

YAML

Type: AWS::Backup::BackupVault Properties: AccessPolicy: Json BackupVaultName: String BackupVaultTags: Key: Value EncryptionKeyArn: String LockConfiguration: LockConfigurationType Notifications: NotificationObjectType

Properties

AccessPolicy

A resource-based policy that is used to manage access permissions on the target backup vault.

Required: No

Type: Json

Update requires: No interruption

BackupVaultName

The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the Amazon Region where they are created. They consist of lowercase letters, numbers, and hyphens.

Required: Yes

Type: String

Pattern: ^[a-zA-Z0-9\-\_]{2,50}$

Update requires: Replacement

BackupVaultTags

Metadata that you can assign to help organize the resources that you create. Each tag is a key-value pair.

Required: No

Type: Object of String

Pattern: ^.{1,128}$

Update requires: No interruption

EncryptionKeyArn

A server-side encryption key you can specify to encrypt your backups from services that support full Amazon Backup management; for example, arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab. If you specify a key, you must specify its ARN, not its alias. If you do not specify a key, Amazon Backup creates a KMS key for you by default.

To learn which Amazon Backup services support full Amazon Backup management and how Amazon Backup handles encryption for backups from services that do not yet support full Amazon Backup, see Encryption for backups in Amazon Backup

Required: No

Type: String

Update requires: Replacement

LockConfiguration

Configuration for Amazon Backup Vault Lock.

Required: No

Type: LockConfigurationType

Update requires: No interruption

Notifications

The SNS event notifications for the specified backup vault.

Required: No

Type: NotificationObjectType

Update requires: No interruption

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns BackupVaultName.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

BackupVaultArn

An Amazon Resource Name (ARN) that uniquely identifies a backup vault; for example, arn:aws:backup:us-east-1:123456789012:backup-vault:aBackupVault.

BackupVaultName

The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the Region where they are created. They consist of lowercase and uppercase letters, numbers, and hyphens.