Creating a backup vault - AWS Backup

Creating a backup vault

You must create at least one vault before creating a backup plan or starting a backup job.

When you first use the AWS Backup console in an AWS Region, the console automatically creates a default vault.

However, if you use AWS Backup through the AWS CLI, AWS SDK, or AWS CloudFormation, a default vault is not created. You must create your own vault.

An AWS account can create up to 100 backup vaults per AWS Region.

For step-by-step instructions for creating a backup vault, see Step 3: Create a backup vault in the Getting Started guide.

When creating a backup vault, you can define the following elements.

Backup vault name

Backup vault names are case sensitive. They must contain from 2 to 50 alphanumeric characters, hyphens, or underscores.

KMS encryption key

The AWS KMS encryption key protects your backups in this backup vault. By default, AWS Backup creates a KMS key with the alias aws/backup for you. You can choose that key or choose any other key in your account.

You can create a new master encryption key by following the Creating Keys procedure in the AWS Key Management Service Developer Guide.

After you create a backup vault and set the AWS KMS encryption key, you can no longer edit the key for that backup vault.

The encryption key that is specified in an AWS Backup vault applies to the backups of certain resource types. For more information about backup encryption, see Encryption for backups in AWS in the Security section. Backups of all other resource types are backed up using the key that is used to encrypt the source resource.

Backup vault tags

These tags are associated with the backup vault to help you organize and track your backup vaults.