AWS::Backup::BackupVault - AWS CloudFormation

AWS::Backup::BackupVault

Creates a logical container where backups are stored. A CreateBackupVault request includes a name, optionally one or more resource tags, an encryption key, and a request ID.

Do not include sensitive data, such as passport numbers, in the name of a backup vault.

For a sample AWS CloudFormation template, see the AWS Backup Developer Guide.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{ "Type" : "AWS::Backup::BackupVault", "Properties" : { "AccessPolicy" : Json, "BackupVaultName" : String, "BackupVaultTags" : {Key: Value, ...}, "EncryptionKeyArn" : String, "LockConfiguration" : LockConfigurationType, "Notifications" : NotificationObjectType } }

YAML

Type: AWS::Backup::BackupVault Properties: AccessPolicy: Json BackupVaultName: String BackupVaultTags: Key: Value EncryptionKeyArn: String LockConfiguration: LockConfigurationType Notifications: NotificationObjectType

Properties

AccessPolicy

A resource-based policy that is used to manage access permissions on the target backup vault.

Required: No

Type: Json

Update requires: No interruption

BackupVaultName

The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the AWS Region where they are created. They consist of lowercase letters, numbers, and hyphens.

Required: Yes

Type: String

Pattern: ^[a-zA-Z0-9\-\_]{2,50}$

Update requires: Replacement

BackupVaultTags

Metadata that you can assign to help organize your backup vaults. Each tag is a key-value pair.

Required: No

Type: Object of String

Pattern: ^.{1,128}$

Update requires: No interruption

EncryptionKeyArn

A server-side encryption key you can specify to encrypt your backups from services that support full AWS Backup management; for example, arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab. If you specify a key, you must specify its ARN, not its alias. If you do not specify a key, AWS Backup creates a KMS key for you by default.

To learn which AWS Backup services support full AWS Backup management and how AWS Backup handles encryption for backups from services that do not yet support full AWS Backup, see Encryption for backups in AWS Backup

Required: No

Type: String

Update requires: Replacement

LockConfiguration

Configuration for AWS Backup Vault Lock.

Required: No

Type: LockConfigurationType

Update requires: No interruption

Notifications

The SNS event notifications for the specified backup vault.

Required: No

Type: NotificationObjectType

Update requires: No interruption

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns BackupVaultName.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

BackupVaultArn

An Amazon Resource Name (ARN) that uniquely identifies a backup vault; for example, arn:aws:backup:us-east-1:123456789012:backup-vault:aBackupVault.

BackupVaultName

The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the Region where they are created. They consist of lowercase and uppercase letters, numbers, and hyphens.