Top / Amazon Web Service / AWS Backup / Vault Policy

AWS Backup Vault Policy

This page shows how to write Terraform and CloudFormation for AWS Backup Vault Policy and write them securely.

terraform-logo

Review your .tf file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

aws_backup_vault_policy (Terraform)

The Vault Policy in AWS Backup can be configured in Terraform with the resource name aws_backup_vault_policy. The following sections describe 4 examples of how to use the resource and its parameters.

Example Usage from GitHub

backup_vault_policy.tf#L4
resource "aws_backup_vault_policy" "backup_vault_policy" {
  count = var.enable_backup_vault_policy ? 1 : 0

  backup_vault_name = var.backup_vault_policy_backup_vault_name != "" ? var.backup_vault_policy_backup_vault_name : (var.enable_backup_vault ? element(aws_backup_vault.backup_vault.*.name, 0) : null)

  policy = var.backup_vault_policy
main.tf#L20
resource "aws_backup_vault_policy" "destination" {
  backup_vault_name = aws_backup_vault.vault_destination.name

  policy = <<POLICY
{
    "Version": "2012-10-17",
backup_vault_policy.tf#L4
resource "aws_backup_vault_policy" "backup_vault_policy" {
  count = var.enable_backup_vault_policy ? 1 : 0

  backup_vault_name = var.backup_vault_policy_backup_vault_name != "" ? var.backup_vault_policy_backup_vault_name : (var.enable_backup_vault ? element(aws_backup_vault.backup_vault.*.name, 0) : null)

  policy = var.backup_vault_policy
main.tf#L29
resource "aws_backup_vault_policy" "allow-policy" {
  backup_vault_name = aws_backup_vault.vault-souce.name

  policy = <<POLICY
{
    "Version": "2012-10-17",

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

>> from Terraform Registry

Explanation in Terraform Registry

Provides an AWS Backup vault policy resource.

>> from Terraform Registry

AWS::Backup::BackupVault (CloudFormation)

The BackupVault in Backup can be configured in CloudFormation with the resource name AWS::Backup::BackupVault. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

backup-tagoptions.yml#L23
    Type: "AWS::Backup::BackupVault"
    Properties:
      BackupVaultName: "BackupVaultWithDailyBackups"
      EncryptionKeyArn: !GetAtt KMSKey.Arn

  BackupVaultWithWeeklyBackups:
backup-tagoptions.yml#L23
    Type: "AWS::Backup::BackupVault"
    Properties:
      BackupVaultName: "BackupVaultWithDailyBackups"
      EncryptionKeyArn: !GetAtt KMSKey.Arn

  BackupVaultWithWeeklyBackups:
backup_daily_windows.yml#L21
    Type: "AWS::Backup::BackupVault"
    Properties:
      BackupVaultName: "BackupVaultWithDailyBackups"
      EncryptionKeyArn: !GetAtt KMSKey.Arn

  BackupPlanWithDailyBackups:
tag-based-backup-selection-no-parameters.yml#L20
    Type: "AWS::Backup::BackupVault"
    Properties:
      BackupVaultName: "BackupVault-01"
      AccessPolicy:
        Version: '2012-10-17'
        Statement:
fullbackup.yml#L19
    Type: "AWS::Backup::BackupVault"
    Properties:
      BackupVaultName: "AurorabackupVault"

  BackupPlan:
    Type: "AWS::Backup::BackupPlan"
vault.json#L3
        "Type" : "AWS::Backup::BackupVault",
        "Properties" : {
            "BackupVaultName": "0x4447_SFTP"
        }
    }
vault.json#L3
        "Type": "AWS::Backup::BackupVault",
        "Properties": {
            "BackupVaultName": {
                "Ref": "UniqueIdentifierParam"
            },
            "BackupVaultTags": {
vault.json#L3
        "Type": "AWS::Backup::BackupVault",
        "Properties": {
            "BackupVaultName": {
                "Ref": "UniqueIdentifierParam"
            },
            "BackupVaultTags": {
aws_backup.json#L13
      "ValueType": "AWS::Backup::BackupVault.BackupVaultName"
    }
  },
  {
    "op": "add",
    "path": "/PropertyTypes/AWS::Backup::BackupSelection.BackupSelectionResourceType/Properties/IamRoleArn/Value",
aws_backup.json#L13
      "ValueType": "AWS::Backup::BackupVault.BackupVaultName"
    }
  },
  {
    "op": "add",
    "path": "/PropertyTypes/AWS::Backup::BackupSelection.BackupSelectionResourceType/Properties/IamRoleArn/Value",

Parameters

>> from AWS CloudFormation Documentation

Explanation in CloudFormation Registry

Creates a logical container where backups are stored. A CreateBackupVault request includes a name, optionally one or more resource tags, an encryption key, and a request ID.

Note Do not include sensitive data, such as passport numbers, in the name of a backup vault.

>> from AWS CloudFormation Documentation

The Other Related AWS Backup Resources

Frequently asked questions

What is AWS Backup Vault Policy?

AWS Backup Vault Policy is a resource for Backup of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.

Where can I find the example code for the AWS Backup Vault Policy?

For Terraform, the SebastianUA/terraform, jipara/aws-backup-cross-account and asrkata/SebastianUA-terraform source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the mynameisakash/aws-service-catalog-reference-architectures, aws-samples/aws-service-catalog-reference-architectures and mobious999/Cloudformation source code examples are useful. See the CloudFormation Example section for further details.

security-icon

Automate config file reviews on your commits

Fix issues in your infrastructure as code with auto-generated patches.

Table of Contents