AWS Backup Vault Policy

This page shows how to write Terraform and CloudFormation for AWS Backup Vault Policy and write them securely.

aws_backup_vault_policy (Terraform)

The Vault Policy in AWS Backup can be configured in Terraform with the resource name aws_backup_vault_policy. The following sections describe 4 examples of how to use the resource and its parameters.

Example Usage from GitHub

backup_vault_policy.tf#L4
resource "aws_backup_vault_policy" "backup_vault_policy" {
  count = var.enable_backup_vault_policy ? 1 : 0

  backup_vault_name = var.backup_vault_policy_backup_vault_name != "" ? var.backup_vault_policy_backup_vault_name : (var.enable_backup_vault ? element(aws_backup_vault.backup_vault.*.name, 0) : null)

  policy = var.backup_vault_policy
main.tf#L20
resource "aws_backup_vault_policy" "destination" {
  backup_vault_name = aws_backup_vault.vault_destination.name

  policy = <<POLICY
{
    "Version": "2012-10-17",
backup_vault_policy.tf#L4
resource "aws_backup_vault_policy" "backup_vault_policy" {
  count = var.enable_backup_vault_policy ? 1 : 0

  backup_vault_name = var.backup_vault_policy_backup_vault_name != "" ? var.backup_vault_policy_backup_vault_name : (var.enable_backup_vault ? element(aws_backup_vault.backup_vault.*.name, 0) : null)

  policy = var.backup_vault_policy
main.tf#L29
resource "aws_backup_vault_policy" "allow-policy" {
  backup_vault_name = aws_backup_vault.vault-souce.name

  policy = <<POLICY
{
    "Version": "2012-10-17",

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

Explanation in Terraform Registry

Provides an AWS Backup vault policy resource.

AWS::Backup::BackupVault (CloudFormation)

The BackupVault in Backup can be configured in CloudFormation with the resource name AWS::Backup::BackupVault. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

backup-tagoptions.yml#L23
    Type: "AWS::Backup::BackupVault"
    Properties:
      BackupVaultName: "BackupVaultWithDailyBackups"
      EncryptionKeyArn: !GetAtt KMSKey.Arn

  BackupVaultWithWeeklyBackups:
backup-tagoptions.yml#L23
    Type: "AWS::Backup::BackupVault"
    Properties:
      BackupVaultName: "BackupVaultWithDailyBackups"
      EncryptionKeyArn: !GetAtt KMSKey.Arn

  BackupVaultWithWeeklyBackups:
backup_daily_windows.yml#L21
    Type: "AWS::Backup::BackupVault"
    Properties:
      BackupVaultName: "BackupVaultWithDailyBackups"
      EncryptionKeyArn: !GetAtt KMSKey.Arn

  BackupPlanWithDailyBackups:
tag-based-backup-selection-no-parameters.yml#L20
    Type: "AWS::Backup::BackupVault"
    Properties:
      BackupVaultName: "BackupVault-01"
      AccessPolicy:
        Version: '2012-10-17'
        Statement:
fullbackup.yml#L19
    Type: "AWS::Backup::BackupVault"
    Properties:
      BackupVaultName: "AurorabackupVault"

  BackupPlan:
    Type: "AWS::Backup::BackupPlan"
vault.json#L3
        "Type": "AWS::Backup::BackupVault",
        "Properties": {
            "BackupVaultName": {
                "Ref": "UniqueIdentifierParam"
            },
            "BackupVaultTags": {
vault.json#L3
        "Type" : "AWS::Backup::BackupVault",
        "Properties" : {
            "BackupVaultName": "0x4447_SFTP"
        }
    }
vault.json#L3
        "Type": "AWS::Backup::BackupVault",
        "Properties": {
            "BackupVaultName": {
                "Ref": "UniqueIdentifierParam"
            },
            "BackupVaultTags": {
aws_backup.json#L13
      "ValueType": "AWS::Backup::BackupVault.BackupVaultName"
    }
  },
  {
    "op": "add",
    "path": "/PropertyTypes/AWS::Backup::BackupSelection.BackupSelectionResourceType/Properties/IamRoleArn/Value",
aws_backup.json#L13
      "ValueType": "AWS::Backup::BackupVault.BackupVaultName"
    }
  },
  {
    "op": "add",
    "path": "/PropertyTypes/AWS::Backup::BackupSelection.BackupSelectionResourceType/Properties/IamRoleArn/Value",

Parameters

Explanation in CloudFormation Registry

Creates a logical container where backups are stored. A CreateBackupVault request includes a name, optionally one or more resource tags, an encryption key, and a request ID.

Note Do not include sensitive data, such as passport numbers, in the name of a backup vault.

Frequently asked questions

What is AWS Backup Vault Policy?

AWS Backup Vault Policy is a resource for Backup of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.

Where can I find the example code for the AWS Backup Vault Policy?

For Terraform, the SebastianUA/terraform, jipara/aws-backup-cross-account and asrkata/SebastianUA-terraform source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the mynameisakash/aws-service-catalog-reference-architectures, aws-samples/aws-service-catalog-reference-architectures and mobious999/Cloudformation source code examples are useful. See the CloudFormation Example section for further details.