Required permissions Creating a backup vault (console)Creating a backup vault (programmatically)Backup vault name AWS KMS encryption key Backup vault tags

Create a backup vault

You must create at least one vault before creating a backup plan or starting a backup job.

When you first use the Backup Vaults page of the AWS Backup console in an AWS Region, the console automatically creates a default vault for the Region.

However, if you use AWS Backup through the AWS CLI, AWS SDK, or AWS CloudFormation, a default vault is not created. You must create your own vault.

Required permissions

You must have the following permissions to create a backup vault using AWS Backup.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:CreateGrant",
        "kms:DescribeKey",
        "kms:RetireGrant",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "arn:aws:kms:region:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    {
      "Effect": "Allow",
      "Action": [
        "backup:CreateBackupVault"
      ],
      "Resource": "arn:aws:backup:region:444455556666:backup-vault:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "backup-storage:MountCapsule"
      ],
      "Resource": "*"
    }
  ]
}

Creating a backup vault (console)

For step-by-step instructions for creating a backup vault using the AWS Backup console, see Step 3: Create a backup vault in the Getting Started guide.

Creating a backup vault (programmatically)

The following AWS Command Line Interface command creates a backup vault:


aws backup create-backup-vault --backup-vault-name test-vault

You can also specify the following configurations for a backup vault.

Backup vault name

Backup vault names are case sensitive. They must contain from 2 to 50 alphanumeric characters, hyphens, or underscores.

AWS KMS encryption key

The AWS KMS encryption key protects your backups in this backup vault. By default, AWS Backup creates a KMS key with the alias aws/backup for you. You can choose that key or choose any other key in your account (cross-account KMS keys can be used via CLI).

You can create a new encryption key by following the Creating Keys procedure in the AWS Key Management Service Developer Guide.

After you create a backup vault and set the AWS KMS encryption key, you can no longer edit the key for that backup vault.

The encryption key that is specified in an AWS Backup vault applies to the backups of certain resource types. For more information about backup encryption, see Encryption for backups in AWS Backup in the Security section. Backups of all other resource types are backed up using the key that is used to encrypt the source resource.

Backup vault tags

These tags are associated with the backup vault to help you organize and track your backup vaults.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Logically air-gapped vaults

Set access policies on backup vaults