Creating a backup vault - AWS Backup

Creating a backup vault

You must create at least one vault before creating a backup plan or starting a backup job.

When you first use the AWS Backup console in an AWS Region, the console automatically creates a default vault.

However, if you use AWS Backup through the AWS CLI, AWS SDK, or AWS CloudFormation, a default vault is not created. You must create your own vault.

An AWS account can create up to 100 backup vaults per AWS Region.

Creating a backup vault (console)

For step-by-step instructions for creating a backup vault using the AWS Backup console, see Step 3: Create a backup vault in the Getting Started guide.

Creating a backup vault (programmatically)

The following AWS Command Line Interface command creates a backup vault:

aws backup create-backup-vault --backup-vault-name test-vault

You can also specify the following configurations for a backup vault.

Backup vault name

Backup vault names are case sensitive. They must contain from 2 to 50 alphanumeric characters, hyphens, or underscores.

AWS KMS encryption key

The AWS KMS encryption key protects your backups in this backup vault. By default, AWS Backup creates a KMS key with the alias aws/backup for you. You can choose that key or choose any other key in your account (cross-account KMS keys can be used via CLI).

You can create a new encryption key by following the Creating Keys procedure in the AWS Key Management Service Developer Guide.

After you create a backup vault and set the AWS KMS encryption key, you can no longer edit the key for that backup vault.

The encryption key that is specified in an AWS Backup vault applies to the backups of certain resource types. For more information about backup encryption, see Encryption for backups in AWS Backup in the Security section. Backups of all other resource types are backed up using the key that is used to encrypt the source resource.

Backup vault tags

These tags are associated with the backup vault to help you organize and track your backup vaults.