Backup vault creation and deletion
You must create at least one vault before creating a backup plan or starting a backup job.
When you first use the Backup Vaults page of the Amazon Backup console in an Amazon Web Services Region, the console automatically creates a default vault for the Region.
However, if you use Amazon Backup through the Amazon CLI, Amazon SDK, or Amazon CloudFormation, a default vault is not created. You must create your own vault.
Required permissions
You must have the following permissions to create a backup vault using Amazon Backup.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "kms:CreateGrant", "kms:DescribeKey", "kms:RetireGrant", "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "arn:aws-cn:kms:
region
:444455556666
:key/1234abcd-12ab-34cd-56ef-1234567890ab
" }, { "Effect": "Allow", "Action": [ "backup:CreateBackupVault" ], "Resource": "arn:aws-cn:backup:region
:444455556666
:backup-vault:*" }, { "Effect": "Allow", "Action": [ "backup-storage:MountCapsule" ], "Resource": "*" } ] }
Creating a backup vault (console)
Instead of using the default backup vault that is automatically created for you on the Amazon Backup console, you can create specific backup vaults to save and organize groups of backups in the same vault.
To create a backup vault
-
On the Amazon Backup console, in the navigation pane, choose Backup vaults.
Note
If the navigation pane is not visible on the left side, you can open it by choosing the menu icon in the upper-left corner of the Amazon Backup console.
-
Choose Create backup vault.
-
Enter a name for your backup vault. You can name your vault to reflect what you will store in it, or to make it easier to search for the backups you need. For example, you could name it
FinancialBackups
. -
Select an Amazon Key Management Service (Amazon KMS) key. You can use either a key that you already created, or select the default Amazon Backup KMS key.
Note
The Amazon KMS key that is specified here applies only to backups of services that support Amazon Backup independent encryption. To see the list of resources types that support Amazon Backup independent encryption, see the "Full Amazon Backup management" section of the Feature availability by resource table.
-
Optionally, add tags that will help you search for and identify your backup vault. For example, you could add a
BackupType:Financial
tag. -
Choose Create Backup vault.
-
In the navigation pane, choose Backup vaults, and verify that your backup vault has been added.
Note
You can now edit a backup rule in one of your backup plans to store backups created by that rule in the backup vault you just created.
Creating a backup vault (programmatically)
The following Amazon Command Line Interface command creates a backup vault:
aws backup create-backup-vault --backup-vault-name
test-vault
You can also specify the following configurations for a backup vault.
Backup vault name
Backup vault names are case sensitive. They must contain from 2 to 50 alphanumeric characters, hyphens, or underscores.
Amazon KMS encryption key
The Amazon KMS encryption key protects your backups in this backup vault. By default, Amazon Backup
creates a KMS key with the alias aws/backup
for you. You can choose that key or
choose any other key in your account (cross-account KMS keys can be used via CLI).
You can create a new encryption key by following the Creating Keys procedure in the Amazon Key Management Service Developer Guide.
After you create a backup vault and set the Amazon KMS encryption key, you can no longer edit the key for that backup vault.
The encryption key that is specified in an Amazon Backup vault applies to the backups of certain resource types. For more information about backup encryption, see Encryption for backups in Amazon Backup in the Security section. Backups of all other resource types are backed up using the key that is used to encrypt the source resource.
Backup vault tags
These tags are associated with the backup vault to help you organize and track your backup vaults.
Delete a vault
To guard against accidental or malicious mass deletion, you can delete a backup vault in Amazon Backup only after you delete (or your backup plan lifecycles) all the recovery points in your backup vault. To delete your recovery points manually, see Clean up resources.
When you delete a backup vault, update your backup plans to point to new backup vaults. A backup plan that points to a deleted backup vault will cause the backup creation to fail.
You can't delete the default backup vault or the Amazon EFS automatic backup vault using the Amazon Web Services Management Console. You can delete a default backup vault using the Amazon CLI if there is another vault in the same Region. You can delete unused snapshots in the Amazon EFS automatic backup vault.
To delete a backup vault using the Amazon Backup console
Sign in to the Amazon Web Services Management Console, and open the Amazon Backup console at https://console.amazonaws.cn/backup
. -
In the navigation pane, choose Backup vaults.
-
Choose the name of the backup vault to open its details page.
-
Choose and delete any backups that are associated with the backup vault.
-
Choose Delete vault. When prompted for confirmation, enter the vault name and then choose Delete Backup vault.