At Least One AWS Backup Vault Exists
Overview
This check verifies that your AWS account has at least one backup vault configured. A backup vault is a secure container where AWS Backup stores your recovery points (backups). Without a vault, you cannot use AWS Backup to protect your data.
Risk
If no backup vault exists:
- Data loss exposure: You cannot create or store backups using AWS Backup
- No recovery options: Accidental deletions, ransomware, or misconfigurations become permanent
- Compliance gaps: Many regulations require demonstrable backup capabilities
- Incident response failures: You cannot meet recovery time objectives (RTO) or recovery point objectives (RPO) during outages
Severity: Low (but foundational for any backup strategy)
Remediation Steps
Prerequisites
You need permission to create backup vaults in AWS Backup. This typically requires the backup:CreateBackupVault permission or an administrator role.
Required IAM permissions (for restricted accounts)
If you do not have full administrator access, ensure your IAM role or user has these permissions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "backup:CreateBackupVault",
        "backup:DescribeBackupVault",
        "backup:ListBackupVaults"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:CreateGrant",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "backup.us-east-1.amazonaws.com"
        }
      }
    }
  ]
}
```
AWS Console Method
- Sign in to the AWS Management Console
- Navigate to AWS Backup (search for "Backup" in the top search bar)
- In the left sidebar, click Backup vaults
- Click the Create backup vault button
- Enter a Backup vault name (e.g., my-backup-vault). Names must be 2-50 characters using letters, numbers, and hyphens only
- For Encryption key, choose one of:
  - AWS managed key (default, simplest option)
  - Customer managed key (recommended for sensitive workloads)
- Optionally add Tags to help organize your resources
- Click Create backup vault
Your vault is now ready to store backups.
AWS CLI (optional)
Basic vault creation
```bash
aws backup create-backup-vault \
  --backup-vault-name my-backup-vault \
  --region us-east-1
```
With a customer-managed KMS key (recommended for production)
```bash
aws backup create-backup-vault \
  --backup-vault-name my-backup-vault \
  --encryption-key-arn arn:aws:kms:us-east-1:123456789012:key/your-key-id \
  --region us-east-1
```
With tags
```bash
aws backup create-backup-vault \
  --backup-vault-name my-backup-vault \
  --backup-vault-tags Environment=Production,Team=Platform \
  --region us-east-1
```
Verify the vault was created
```bash
aws backup describe-backup-vault \
  --backup-vault-name my-backup-vault \
  --region us-east-1
```
CloudFormation (optional)
Basic backup vault template
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Creates an AWS Backup vault
Parameters:
  BackupVaultName:
    Type: String
    Default: my-backup-vault
    Description: Name of the backup vault
    MinLength: 2
    MaxLength: 50
    AllowedPattern: '^[a-zA-Z0-9\-\_]+$'
Resources:
  BackupVault:
    Type: AWS::Backup::BackupVault
    Properties:
      BackupVaultName: !Ref BackupVaultName
      BackupVaultTags:
        Environment: Production
        ManagedBy: CloudFormation
Outputs:
  BackupVaultArn:
    Description: ARN of the backup vault
    Value: !GetAtt BackupVault.BackupVaultArn
  BackupVaultName:
    Description: Name of the backup vault
    Value: !Ref BackupVault
```
With customer-managed KMS key
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Creates an AWS Backup vault with customer-managed encryption
Parameters:
  BackupVaultName:
    Type: String
    Default: my-backup-vault
    Description: Name of the backup vault
Resources:
  BackupVaultKey:
    Type: AWS::KMS::Key
    Properties:
      Description: KMS key for backup vault encryption
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: '*'
          - Sid: Allow Backup Service
            Effect: Allow
            Principal:
              Service: backup.amazonaws.com
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: '*'
  BackupVaultKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: !Sub alias/${BackupVaultName}-key
      TargetKeyId: !Ref BackupVaultKey
  BackupVault:
    Type: AWS::Backup::BackupVault
    Properties:
      BackupVaultName: !Ref BackupVaultName
      EncryptionKeyArn: !GetAtt BackupVaultKey.Arn
      BackupVaultTags:
        Environment: Production
        ManagedBy: CloudFormation
Outputs:
  BackupVaultArn:
    Description: ARN of the backup vault
    Value: !GetAtt BackupVault.BackupVaultArn
  KmsKeyArn:
    Description: ARN of the KMS key used for encryption
    Value: !GetAtt BackupVaultKey.Arn
```
Deploy the stack
```bash
aws cloudformation deploy \
  --template-file backup-vault.yaml \
  --stack-name backup-vault-stack \
  --parameter-overrides BackupVaultName=my-backup-vault \
  --region us-east-1
```
Terraform (optional)
Basic backup vault
```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_backup_vault" "main" {
  name = "my-backup-vault"
  tags = {
    Environment = "Production"
    ManagedBy   = "Terraform"
  }
}

output "backup_vault_arn" {
  description = "ARN of the backup vault"
  value       = aws_backup_vault.main.arn
}
```
With customer-managed KMS key (recommended)
```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

data "aws_caller_identity" "current" {}

resource "aws_kms_key" "backup_vault" {
  description             = "KMS key for backup vault encryption"
  deletion_window_in_days = 30
  enable_key_rotation     = true
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "Enable IAM User Permissions"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
        }
        Action   = "kms:*"
        Resource = "*"
      },
      {
        Sid    = "Allow Backup Service"
        Effect = "Allow"
        Principal = {
          Service = "backup.amazonaws.com"
        }
        Action = [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:GenerateDataKey*",
          "kms:DescribeKey"
        ]
        Resource = "*"
      }
    ]
  })
  tags = {
    Purpose = "BackupVaultEncryption"
  }
}

resource "aws_kms_alias" "backup_vault" {
  name          = "alias/backup-vault-key"
  target_key_id = aws_kms_key.backup_vault.key_id
}

resource "aws_backup_vault" "main" {
  name        = "my-backup-vault"
  kms_key_arn = aws_kms_key.backup_vault.arn
  tags = {
    Environment = "Production"
    ManagedBy   = "Terraform"
  }
}

output "backup_vault_arn" {
  description = "ARN of the backup vault"
  value       = aws_backup_vault.main.arn
}

output "kms_key_arn" {
  description = "ARN of the KMS key used for encryption"
  value       = aws_kms_key.backup_vault.arn
}
```
Deploy with Terraform
```bash
terraform init
terraform plan
terraform apply
```
Verification
After creating your vault, confirm it exists:
- In the AWS Console, go to AWS Backup > Backup vaults
- Your new vault should appear in the list
- Click on the vault name to view its details and confirm encryption settings
CLI verification commands
List all backup vaults
```bash
aws backup list-backup-vaults --region us-east-1
```
Get details for a specific vault
```bash
aws backup describe-backup-vault \
  --backup-vault-name my-backup-vault \
  --region us-east-1
```
Expected output includes these fields:
- BackupVaultName
- BackupVaultArn
- EncryptionKeyArn
- CreationDate
- NumberOfRecoveryPoints
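The same check, scripted: this added example (not part of the original page) evaluates the BackupVaultList that list-backup-vaults returns and produces a PASS/FAIL finding per region, flagging the case where only the service-created Default vault exists. The constructed sample responses and the check_live helper (which needs boto3 and credentials) are assumptions for illustration.

```python
"""Check that at least one AWS Backup vault exists, from a list-backup-vaults
response. Added example, not from the original page; boto3 only for check_live."""
from dataclasses import dataclass
from typing import Dict, List
try:
    import boto3  # optional: only needed for the live check
except ImportError:
    boto3 = None

@dataclass
class Finding:
    region: str
    status: str  # "PASS" or "FAIL"
    detail: str

def evaluate_vaults(region: str, vaults: List[Dict]) -> Finding:
    """Apply the check to one region's BackupVaultList."""
    if not vaults:
        return Finding(region, "FAIL", "no backup vault exists in this region")
    # The service-created 'Default' vault satisfies the check, but the notes
    # advise against relying on it alone, so the detail says so.
    custom = sorted(v["BackupVaultName"] for v in vaults if v["BackupVaultName"] != "Default")
    if not custom:
        return Finding(region, "PASS", "only the service-created Default vault "
                       "exists; create a dedicated vault for production workloads")
    return Finding(region, "PASS", f"{len(custom)} vault(s) configured: {', '.join(custom)}")

def check_live(region: str) -> Finding:
    """Run the check against a real account (needs boto3 and credentials)."""
    client = boto3.client("backup", region_name=region)
    vaults, kwargs = [], {}
    while True:  # follow NextToken pagination
        page = client.list_backup_vaults(**kwargs)
        vaults.extend(page.get("BackupVaultList", []))
        if not page.get("NextToken"):
            return evaluate_vaults(region, vaults)
        kwargs = {"NextToken": page["NextToken"]}

# Constructed sample responses; ARNs and account id are placeholders.
SAMPLE_EMPTY: List[Dict] = []
SAMPLE_DEFAULT_ONLY = [{"BackupVaultName": "Default", "NumberOfRecoveryPoints": 0}]
SAMPLE_CUSTOM = SAMPLE_DEFAULT_ONLY + [{
    "BackupVaultName": "my-backup-vault",
    "EncryptionKeyArn": "arn:aws:kms:us-east-1:123456789012:key/your-key-id",
    "NumberOfRecoveryPoints": 12,
}]

if __name__ == "__main__":
    for sample in (SAMPLE_EMPTY, SAMPLE_DEFAULT_ONLY, SAMPLE_CUSTOM):
        print(evaluate_vaults("us-east-1", sample))
```

Run check_live once per region you operate in; a FAIL in any region means AWS Backup cannot store recovery points there.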
Additional Resources
- AWS Backup Developer Guide: Working with Backup Vaults
- AWS Backup Vault Lock - Prevent deletion of recovery points
- AWS Backup Best Practices
- AWS Backup Pricing
Notes
- Default vault: AWS Backup automatically creates a Default vault in each region when you first use the service. However, relying solely on the default vault is not recommended for production workloads.
- Encryption: Backup vaults are always encrypted. You can use AWS-managed keys (default) or your own KMS customer-managed keys for additional control.
- Vault Lock: For compliance requirements (e.g., WORM storage), consider enabling Vault Lock to prevent anyone from deleting recovery points.
- Cross-region/cross-account: For disaster recovery, consider creating vaults in multiple regions or accounts and configuring backup copy jobs.
- Cost: You pay for the storage used by recovery points in your vaults. There is no charge for the vault itself.