Create a backup vault
You must create at least one vault before creating a backup plan or starting a backup job.
When you first use the Amazon Backup console in an Amazon Web Services Region, the console automatically creates a default vault.
However, if you use Amazon Backup through the Amazon CLI, Amazon SDK, or Amazon CloudFormation, a default vault is not created. You must create your own vault.
Creating a backup vault (console)
For step-by-step instructions for creating a backup vault using the Amazon Backup console, see Step 3: Create a backup vault in the Getting Started guide.
Creating a backup vault (programmatically)
The following Amazon Command Line Interface command creates a backup vault:
aws backup create-backup-vault --backup-vault-name
test-vault
You can also specify the following configurations for a backup vault.
Backup vault name
Backup vault names are case sensitive. They must contain from 2 to 50 alphanumeric characters, hyphens, or underscores.
Amazon KMS encryption key
The Amazon KMS encryption key protects your backups in this backup vault. By default, Amazon Backup
creates a KMS key with the alias aws/backup
for you. You can choose that key or
choose any other key in your account (cross-account KMS keys can be used via CLI).
You can create a new encryption key by following the Creating Keys procedure in the Amazon Key Management Service Developer Guide.
After you create a backup vault and set the Amazon KMS encryption key, you can no longer edit the key for that backup vault.
The encryption key that is specified in an Amazon Backup vault applies to the backups of certain resource types. For more information about backup encryption, see Encryption for backups in Amazon Backup in the Security section. Backups of all other resource types are backed up using the key that is used to encrypt the source resource.
Backup vault tags
These tags are associated with the backup vault to help you organize and track your backup vaults.