---
AWSTemplateFormatVersion: '2010-09-09'
Description: AWS Backup
Resources:
  # Daily backup plan: starts at 05:00 UTC and keeps recovery points for 60 days.
  rBackupPlan:
    Type: AWS::Backup::BackupPlan
    Properties:
      BackupPlan:
        BackupPlanName: default
        BackupPlanRule:
          - RuleName: daily-backups
            # !Ref on a backup vault returns the vault name.
            TargetBackupVault: !Ref rBackupVault
            ScheduleExpression: cron(0 5 ? * * *)
            StartWindowMinutes: 60
            Lifecycle:
              DeleteAfterDays: 60
  # Vault that stores the recovery points, encrypted with the customer managed key below.
  rBackupVault:
    Type: AWS::Backup::BackupVault
    Properties:
      BackupVaultName: default
      EncryptionKeyArn: !GetAtt rBackupVaultKey.Arn
  # Customer managed KMS key for the vault.
  rBackupVaultKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Encryption key for daily
      Enabled: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          # Granting kms:* to the account root delegates access control for
          # this key to IAM policies in the account.
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:root'
            Action:
              - kms:*
            Resource: '*'
  rBackupVaultKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/cmk/backup
      TargetKeyId: !Ref rBackupVaultKey
  # Role that the AWS Backup service assumes to create backups.
  rBackupRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - backup.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
  # Assigns every resource tagged backup=daily to the plan.
  rBackupSelection:
    Type: AWS::Backup::BackupSelection
    Properties:
      BackupSelection:
        SelectionName: daily-backup-tag
        IamRoleArn: !GetAtt rBackupRole.Arn
        ListOfTags:
          - ConditionType: STRINGEQUALS
            ConditionKey: backup
            ConditionValue: daily
      BackupPlanId: !Ref rBackupPlan
...