The aws:backup/selection:Selection resource, part of the Pulumi AWS provider, defines which AWS resources a backup plan protects using tags, ARNs, or condition-based filters. This guide focuses on three capabilities: tag-based discovery, condition-based filtering, and explicit ARN inclusion or exclusion.
Backup selections require an existing backup plan and an IAM role with permissions to perform backups and restores. The examples are intentionally small. Combine them with your own backup plans, IAM roles, and resource tagging strategy.
Select resources by tag key and value
Many organizations tag resources by environment, application, or cost center. AWS Backup automatically discovers and protects resources based on these tags.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Tag-based selection: resources tagged foo=bar are picked up by the backup plan.
// Coverage follows the tag, so whoever may edit that tag also decides what is backed up.
const tagFilter = {
    type: "STRINGEQUALS", // exact match on key and value
    key: "foo",
    value: "bar",
};

const example = new aws.backup.Selection("example", {
    // Role AWS Backup uses for the selected resources; declared elsewhere in the program.
    iamRoleArn: exampleAwsIamRole.arn,
    name: "my_example_backup_selection",
    // Existing backup plan this selection attaches to; declared elsewhere in the program.
    planId: exampleAwsBackupPlan.id,
    selectionTags: [tagFilter],
});
import pulumi
import pulumi_aws as aws
# Tag-based selection: resources tagged foo=bar are picked up by the backup plan.
# Coverage follows the tag, so whoever may edit that tag also decides what is backed up.
tag_filter = {
    "type": "STRINGEQUALS",  # exact match on key and value
    "key": "foo",
    "value": "bar",
}

example = aws.backup.Selection(
    "example",
    # Role AWS Backup uses for the selected resources; declared elsewhere in the program.
    iam_role_arn=example_aws_iam_role["arn"],
    name="my_example_backup_selection",
    # Existing backup plan this selection attaches to; declared elsewhere in the program.
    plan_id=example_aws_backup_plan["id"],
    selection_tags=[tag_filter],
)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/backup"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main runs the Pulumi program, which declares one tag-based AWS Backup selection.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Resources tagged foo=bar are picked up by the backup plan. Coverage
		// follows the tag, so whoever may edit that tag also decides what is
		// backed up.
		tagFilter := &backup.SelectionSelectionTagArgs{
			Type:  pulumi.String("STRINGEQUALS"), // exact match on key and value
			Key:   pulumi.String("foo"),
			Value: pulumi.String("bar"),
		}

		// exampleAwsIamRole and exampleAwsBackupPlan are declared elsewhere in
		// the program: the role AWS Backup uses and the plan being extended.
		args := &backup.SelectionArgs{
			IamRoleArn:    pulumi.Any(exampleAwsIamRole.Arn),
			Name:          pulumi.String("my_example_backup_selection"),
			PlanId:        pulumi.Any(exampleAwsBackupPlan.Id),
			SelectionTags: backup.SelectionSelectionTagArray{tagFilter},
		}

		// The resource handle is not used afterwards; only the error matters.
		_, err := backup.NewSelection(ctx, "example", args)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
    // Tag-based selection: resources tagged foo=bar are picked up by the backup plan.
    // Coverage follows the tag, so whoever may edit that tag also decides what is backed up.
    var tagFilter = new Aws.Backup.Inputs.SelectionSelectionTagArgs
    {
        Type = "STRINGEQUALS", // exact match on key and value
        Key = "foo",
        Value = "bar",
    };

    // exampleAwsIamRole and exampleAwsBackupPlan are declared elsewhere in the program:
    // the role AWS Backup uses and the plan this selection attaches to.
    var example = new Aws.Backup.Selection("example", new Aws.Backup.SelectionArgs
    {
        IamRoleArn = exampleAwsIamRole.Arn,
        Name = "my_example_backup_selection",
        PlanId = exampleAwsBackupPlan.Id,
        SelectionTags = new[] { tagFilter },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.backup.Selection;
import com.pulumi.aws.backup.SelectionArgs;
import com.pulumi.aws.backup.inputs.SelectionSelectionTagArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program declaring one tag-based AWS Backup selection.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the selection: resources tagged foo=bar are picked up by the backup plan.
     * Coverage follows the tag, so whoever may edit that tag also decides what is backed up.
     */
    public static void stack(Context ctx) {
        final var tagFilter = SelectionSelectionTagArgs.builder()
            .type("STRINGEQUALS") // exact match on key and value
            .key("foo")
            .value("bar")
            .build();

        // exampleAwsIamRole and exampleAwsBackupPlan are declared elsewhere in the program:
        // the role AWS Backup uses and the plan this selection attaches to.
        final var selectionArgs = SelectionArgs.builder()
            .iamRoleArn(exampleAwsIamRole.arn())
            .name("my_example_backup_selection")
            .planId(exampleAwsBackupPlan.id())
            .selectionTags(tagFilter)
            .build();

        var example = new Selection("example", selectionArgs);
    }
}
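# Tag-based AWS Backup selection. The nesting below is restored; YAML needs the
# indentation to express which keys belong to which mapping.
resources:
  example:
    type: aws:backup:Selection
    properties:
      # Role AWS Backup uses for the selected resources; declared elsewhere in the program.
      iamRoleArn: ${exampleAwsIamRole.arn}
      name: my_example_backup_selection
      # Existing backup plan this selection attaches to.
      planId: ${exampleAwsBackupPlan.id}
      # Resources tagged foo=bar are picked up by the plan. Coverage follows the
      # tag, so whoever may edit that tag also decides what is backed up.
      selectionTags:
        - type: STRINGEQUALS
          key: foo
          value: bar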
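The selectionTags property defines tag-based filters. Each filter specifies a type (STRINGEQUALS for exact matches), a key, and a value. AWS Backup scans your account for resources carrying the specified tag and includes them in the backup plan. If you list several selectionTags entries, a resource is selected when it matches any one of them (OR logic), whereas the entries of a conditions block must all match.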
Filter resources with complex tag conditions
When simple tag matching isn’t enough, condition-based filters combine multiple tag criteria with string operators.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Condition-based selection: start from every resource ("*") and keep only those
// whose tags satisfy all four operator groups below.
const tagConditions = {
    stringEquals: [{
        key: "aws:ResourceTag/Component",
        value: "rds",
    }],
    // "*" in a value is a wildcard for the Like / NotLike operators.
    stringLikes: [{
        key: "aws:ResourceTag/Application",
        value: "app*",
    }],
    // Opt-out tag: Backup=false removes a resource from coverage, so whoever may
    // set that tag can take a resource out of the plan.
    stringNotEquals: [{
        key: "aws:ResourceTag/Backup",
        value: "false",
    }],
    stringNotLikes: [{
        key: "aws:ResourceTag/Environment",
        value: "test*",
    }],
};

const example = new aws.backup.Selection("example", {
    // Role AWS Backup uses for the selected resources; declared elsewhere in the program.
    iamRoleArn: exampleAwsIamRole.arn,
    name: "my_example_backup_selection",
    planId: exampleAwsBackupPlan.id,
    // Account-wide starting set; the conditions are the only thing narrowing it.
    resources: ["*"],
    conditions: [tagConditions],
});
import pulumi
import pulumi_aws as aws
# Condition-based selection: start from every resource ("*") and keep only those
# whose tags satisfy all four operator groups below.
tag_conditions = {
    "string_equals": [{
        "key": "aws:ResourceTag/Component",
        "value": "rds",
    }],
    # "*" in a value is a wildcard for the like / not-like operators.
    "string_likes": [{
        "key": "aws:ResourceTag/Application",
        "value": "app*",
    }],
    # Opt-out tag: Backup=false removes a resource from coverage, so whoever may
    # set that tag can take a resource out of the plan.
    "string_not_equals": [{
        "key": "aws:ResourceTag/Backup",
        "value": "false",
    }],
    "string_not_likes": [{
        "key": "aws:ResourceTag/Environment",
        "value": "test*",
    }],
}

example = aws.backup.Selection(
    "example",
    # Role AWS Backup uses for the selected resources; declared elsewhere in the program.
    iam_role_arn=example_aws_iam_role["arn"],
    name="my_example_backup_selection",
    plan_id=example_aws_backup_plan["id"],
    # Account-wide starting set; the conditions are the only thing narrowing it.
    resources=["*"],
    conditions=[tag_conditions],
)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/backup"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main runs the Pulumi program, which declares one condition-based AWS Backup
// selection.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// A resource is kept only when its tags satisfy all four operator
		// groups. "*" in a value is a wildcard for the Like / NotLike operators.
		tagConditions := &backup.SelectionConditionArgs{
			StringEquals: backup.SelectionConditionStringEqualArray{
				&backup.SelectionConditionStringEqualArgs{
					Key:   pulumi.String("aws:ResourceTag/Component"),
					Value: pulumi.String("rds"),
				},
			},
			StringLikes: backup.SelectionConditionStringLikeArray{
				&backup.SelectionConditionStringLikeArgs{
					Key:   pulumi.String("aws:ResourceTag/Application"),
					Value: pulumi.String("app*"),
				},
			},
			// Opt-out tag: Backup=false removes a resource from coverage, so
			// whoever may set that tag can take a resource out of the plan.
			StringNotEquals: backup.SelectionConditionStringNotEqualArray{
				&backup.SelectionConditionStringNotEqualArgs{
					Key:   pulumi.String("aws:ResourceTag/Backup"),
					Value: pulumi.String("false"),
				},
			},
			StringNotLikes: backup.SelectionConditionStringNotLikeArray{
				&backup.SelectionConditionStringNotLikeArgs{
					Key:   pulumi.String("aws:ResourceTag/Environment"),
					Value: pulumi.String("test*"),
				},
			},
		}

		// exampleAwsIamRole and exampleAwsBackupPlan are declared elsewhere in
		// the program: the role AWS Backup uses and the plan being extended.
		args := &backup.SelectionArgs{
			IamRoleArn: pulumi.Any(exampleAwsIamRole.Arn),
			Name:       pulumi.String("my_example_backup_selection"),
			PlanId:     pulumi.Any(exampleAwsBackupPlan.Id),
			// Account-wide starting set; the conditions are the only thing
			// narrowing it.
			Resources:  pulumi.StringArray{pulumi.String("*")},
			Conditions: backup.SelectionConditionArray{tagConditions},
		}

		// The resource handle is not used afterwards; only the error matters.
		_, err := backup.NewSelection(ctx, "example", args)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
    // Condition-based selection: a resource is kept only when its tags satisfy all
    // four operator groups. "*" in a value is a wildcard for the Like / NotLike operators.
    var tagConditions = new Aws.Backup.Inputs.SelectionConditionArgs
    {
        StringEquals = new[]
        {
            new Aws.Backup.Inputs.SelectionConditionStringEqualArgs
            {
                Key = "aws:ResourceTag/Component",
                Value = "rds",
            },
        },
        StringLikes = new[]
        {
            new Aws.Backup.Inputs.SelectionConditionStringLikeArgs
            {
                Key = "aws:ResourceTag/Application",
                Value = "app*",
            },
        },
        // Opt-out tag: Backup=false removes a resource from coverage, so whoever may
        // set that tag can take a resource out of the plan.
        StringNotEquals = new[]
        {
            new Aws.Backup.Inputs.SelectionConditionStringNotEqualArgs
            {
                Key = "aws:ResourceTag/Backup",
                Value = "false",
            },
        },
        StringNotLikes = new[]
        {
            new Aws.Backup.Inputs.SelectionConditionStringNotLikeArgs
            {
                Key = "aws:ResourceTag/Environment",
                Value = "test*",
            },
        },
    };

    // exampleAwsIamRole and exampleAwsBackupPlan are declared elsewhere in the program:
    // the role AWS Backup uses and the plan this selection attaches to.
    var example = new Aws.Backup.Selection("example", new Aws.Backup.SelectionArgs
    {
        IamRoleArn = exampleAwsIamRole.Arn,
        Name = "my_example_backup_selection",
        PlanId = exampleAwsBackupPlan.Id,
        // Account-wide starting set; the conditions are the only thing narrowing it.
        Resources = new[] { "*" },
        Conditions = new[] { tagConditions },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.backup.Selection;
import com.pulumi.aws.backup.SelectionArgs;
import com.pulumi.aws.backup.inputs.SelectionConditionArgs;
import com.pulumi.aws.backup.inputs.SelectionConditionStringEqualArgs;
import com.pulumi.aws.backup.inputs.SelectionConditionStringLikeArgs;
import com.pulumi.aws.backup.inputs.SelectionConditionStringNotEqualArgs;
import com.pulumi.aws.backup.inputs.SelectionConditionStringNotLikeArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program declaring one condition-based AWS Backup selection.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the selection: every resource ("*") is evaluated and kept only when
     * its tags satisfy all four operator groups.
     */
    public static void stack(Context ctx) {
        // "*" in a value is a wildcard for the Like / NotLike operators.
        final var tagConditions = SelectionConditionArgs.builder()
            .stringEquals(SelectionConditionStringEqualArgs.builder()
                .key("aws:ResourceTag/Component")
                .value("rds")
                .build())
            .stringLikes(SelectionConditionStringLikeArgs.builder()
                .key("aws:ResourceTag/Application")
                .value("app*")
                .build())
            // Opt-out tag: Backup=false removes a resource from coverage, so whoever
            // may set that tag can take a resource out of the plan.
            .stringNotEquals(SelectionConditionStringNotEqualArgs.builder()
                .key("aws:ResourceTag/Backup")
                .value("false")
                .build())
            .stringNotLikes(SelectionConditionStringNotLikeArgs.builder()
                .key("aws:ResourceTag/Environment")
                .value("test*")
                .build())
            .build();

        // exampleAwsIamRole and exampleAwsBackupPlan are declared elsewhere in the program:
        // the role AWS Backup uses and the plan this selection attaches to.
        final var selectionArgs = SelectionArgs.builder()
            .iamRoleArn(exampleAwsIamRole.arn())
            .name("my_example_backup_selection")
            .planId(exampleAwsBackupPlan.id())
            // Account-wide starting set; the conditions are the only thing narrowing it.
            .resources("*")
            .conditions(tagConditions)
            .build();

        var example = new Selection("example", selectionArgs);
    }
}
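# Condition-based AWS Backup selection. The nesting below is restored; YAML needs
# the indentation to express which keys belong to which mapping.
resources:
  example:
    type: aws:backup:Selection
    properties:
      # Role AWS Backup uses for the selected resources; declared elsewhere in the program.
      iamRoleArn: ${exampleAwsIamRole.arn}
      name: my_example_backup_selection
      planId: ${exampleAwsBackupPlan.id}
      # Account-wide starting set; the conditions are the only thing narrowing it.
      resources:
        - '*'
      # A resource is kept only when its tags satisfy all four operator groups.
      conditions:
        - stringEquals:
            - key: aws:ResourceTag/Component
              value: rds
          stringLikes:
            - key: aws:ResourceTag/Application
              value: app*
          # Opt-out tag: Backup=false removes a resource from coverage, so whoever
          # may set that tag can take a resource out of the plan.
          stringNotEquals:
            - key: aws:ResourceTag/Backup
              value: 'false'
          stringNotLikes:
            - key: aws:ResourceTag/Environment
              value: test*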
The conditions property supports four operators: stringEquals for exact matches, stringLikes for wildcard patterns, stringNotEquals to exclude specific values, and stringNotLikes to exclude patterns. The resources property set to ["*"] means “evaluate all resources in the account against these conditions.” AWS Backup applies all conditions together, backing up resources that match the combined logic.
Specify resources by ARN
For precise control, you can list specific ARNs rather than relying on tag discovery.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Explicit selection: exactly these three ARNs are protected, whatever their tags.
// The list is static, so a resource created later is not covered until it is added here.
const protectedArns = [
    exampleAwsDbInstance.arn,
    exampleAwsEbsVolume.arn,
    exampleAwsEfsFileSystem.arn,
];

const example = new aws.backup.Selection("example", {
    // Role AWS Backup uses for the selected resources; declared elsewhere in the program.
    iamRoleArn: exampleAwsIamRole.arn,
    name: "my_example_backup_selection",
    planId: exampleAwsBackupPlan.id,
    resources: protectedArns,
});
import pulumi
import pulumi_aws as aws
# Explicit selection: exactly these three ARNs are protected, whatever their tags.
# The list is static, so a resource created later is not covered until it is added here.
protected_arns = [
    example_aws_db_instance["arn"],
    example_aws_ebs_volume["arn"],
    example_aws_efs_file_system["arn"],
]

example = aws.backup.Selection(
    "example",
    # Role AWS Backup uses for the selected resources; declared elsewhere in the program.
    iam_role_arn=example_aws_iam_role["arn"],
    name="my_example_backup_selection",
    plan_id=example_aws_backup_plan["id"],
    resources=protected_arns,
)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/backup"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main runs the Pulumi program, which declares one AWS Backup selection listing
// its resources by ARN.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Exactly these three ARNs are protected, whatever their tags. The list
		// is static, so a resource created later is not covered until it is
		// added here.
		protectedArns := pulumi.StringArray{
			exampleAwsDbInstance.Arn,
			exampleAwsEbsVolume.Arn,
			exampleAwsEfsFileSystem.Arn,
		}

		// exampleAwsIamRole and exampleAwsBackupPlan are declared elsewhere in
		// the program: the role AWS Backup uses and the plan being extended.
		args := &backup.SelectionArgs{
			IamRoleArn: pulumi.Any(exampleAwsIamRole.Arn),
			Name:       pulumi.String("my_example_backup_selection"),
			PlanId:     pulumi.Any(exampleAwsBackupPlan.Id),
			Resources:  protectedArns,
		}

		// The resource handle is not used afterwards; only the error matters.
		_, err := backup.NewSelection(ctx, "example", args)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
    // Explicit selection: exactly these three ARNs are protected, whatever their tags.
    // The list is static, so a resource created later is not covered until it is added here.
    var protectedArns = new[]
    {
        exampleAwsDbInstance.Arn,
        exampleAwsEbsVolume.Arn,
        exampleAwsEfsFileSystem.Arn,
    };

    // exampleAwsIamRole and exampleAwsBackupPlan are declared elsewhere in the program:
    // the role AWS Backup uses and the plan this selection attaches to.
    var example = new Aws.Backup.Selection("example", new Aws.Backup.SelectionArgs
    {
        IamRoleArn = exampleAwsIamRole.Arn,
        Name = "my_example_backup_selection",
        PlanId = exampleAwsBackupPlan.Id,
        Resources = protectedArns,
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.backup.Selection;
import com.pulumi.aws.backup.SelectionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program declaring one AWS Backup selection that lists its resources by ARN.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the selection: exactly the three listed ARNs are protected, whatever
     * their tags. The list is static, so a resource created later is not covered
     * until it is added here.
     */
    public static void stack(Context ctx) {
        // exampleAwsIamRole and exampleAwsBackupPlan are declared elsewhere in the program:
        // the role AWS Backup uses and the plan this selection attaches to.
        final var selectionArgs = SelectionArgs.builder()
            .iamRoleArn(exampleAwsIamRole.arn())
            .name("my_example_backup_selection")
            .planId(exampleAwsBackupPlan.id())
            .resources(
                exampleAwsDbInstance.arn(),
                exampleAwsEbsVolume.arn(),
                exampleAwsEfsFileSystem.arn())
            .build();

        var example = new Selection("example", selectionArgs);
    }
}
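# AWS Backup selection listing its resources by ARN. The nesting below is
# restored; YAML needs the indentation to express which keys belong to which mapping.
resources:
  example:
    type: aws:backup:Selection
    properties:
      # Role AWS Backup uses for the selected resources; declared elsewhere in the program.
      iamRoleArn: ${exampleAwsIamRole.arn}
      name: my_example_backup_selection
      planId: ${exampleAwsBackupPlan.id}
      # Exactly these ARNs are protected, whatever their tags. The list is static,
      # so a resource created later is not covered until it is added here.
      resources:
        - ${exampleAwsDbInstance.arn}
        - ${exampleAwsEbsVolume.arn}
        - ${exampleAwsEfsFileSystem.arn}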
The resources property accepts an array of ARNs. AWS Backup protects exactly these resources, regardless of their tags. This approach works well when you have a known, stable set of resources to protect.
Exclude specific resources from backup
Sometimes you want to back up most resources in a category but exclude a few.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Exclusion list: these three ARNs are carved out of the selection.
// NOTE(review): no resources list or tag filter is set alongside notResources here;
// confirm against the AWS Backup documentation what the selection then covers.
const excludedArns = [
    exampleAwsDbInstance.arn,
    exampleAwsEbsVolume.arn,
    exampleAwsEfsFileSystem.arn,
];

const example = new aws.backup.Selection("example", {
    // Role AWS Backup uses for the selected resources; declared elsewhere in the program.
    iamRoleArn: exampleAwsIamRole.arn,
    name: "my_example_backup_selection",
    planId: exampleAwsBackupPlan.id,
    notResources: excludedArns,
});
import pulumi
import pulumi_aws as aws
# Exclusion list: these three ARNs are carved out of the selection.
# NOTE(review): no resources list or tag filter is set alongside not_resources here;
# confirm against the AWS Backup documentation what the selection then covers.
excluded_arns = [
    example_aws_db_instance["arn"],
    example_aws_ebs_volume["arn"],
    example_aws_efs_file_system["arn"],
]

example = aws.backup.Selection(
    "example",
    # Role AWS Backup uses for the selected resources; declared elsewhere in the program.
    iam_role_arn=example_aws_iam_role["arn"],
    name="my_example_backup_selection",
    plan_id=example_aws_backup_plan["id"],
    not_resources=excluded_arns,
)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/backup"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main runs the Pulumi program, which declares one AWS Backup selection that
// names the resources to exclude.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// These three ARNs are carved out of the selection.
		// NOTE(review): no Resources list or tag filter is set alongside
		// NotResources here; confirm against the AWS Backup documentation what
		// the selection then covers.
		excludedArns := pulumi.StringArray{
			exampleAwsDbInstance.Arn,
			exampleAwsEbsVolume.Arn,
			exampleAwsEfsFileSystem.Arn,
		}

		// exampleAwsIamRole and exampleAwsBackupPlan are declared elsewhere in
		// the program: the role AWS Backup uses and the plan being extended.
		args := &backup.SelectionArgs{
			IamRoleArn:   pulumi.Any(exampleAwsIamRole.Arn),
			Name:         pulumi.String("my_example_backup_selection"),
			PlanId:       pulumi.Any(exampleAwsBackupPlan.Id),
			NotResources: excludedArns,
		}

		// The resource handle is not used afterwards; only the error matters.
		_, err := backup.NewSelection(ctx, "example", args)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
    // Exclusion list: these three ARNs are carved out of the selection.
    // NOTE(review): no Resources list or tag filter is set alongside NotResources here;
    // confirm against the AWS Backup documentation what the selection then covers.
    var excludedArns = new[]
    {
        exampleAwsDbInstance.Arn,
        exampleAwsEbsVolume.Arn,
        exampleAwsEfsFileSystem.Arn,
    };

    // exampleAwsIamRole and exampleAwsBackupPlan are declared elsewhere in the program:
    // the role AWS Backup uses and the plan this selection attaches to.
    var example = new Aws.Backup.Selection("example", new Aws.Backup.SelectionArgs
    {
        IamRoleArn = exampleAwsIamRole.Arn,
        Name = "my_example_backup_selection",
        PlanId = exampleAwsBackupPlan.Id,
        NotResources = excludedArns,
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.backup.Selection;
import com.pulumi.aws.backup.SelectionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program declaring one AWS Backup selection that names the resources to exclude.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the selection: the three listed ARNs are carved out of it.
     */
    public static void stack(Context ctx) {
        // NOTE(review): no resources list or tag filter is set alongside notResources here;
        // confirm against the AWS Backup documentation what the selection then covers.
        // exampleAwsIamRole and exampleAwsBackupPlan are declared elsewhere in the program:
        // the role AWS Backup uses and the plan this selection attaches to.
        final var selectionArgs = SelectionArgs.builder()
            .iamRoleArn(exampleAwsIamRole.arn())
            .name("my_example_backup_selection")
            .planId(exampleAwsBackupPlan.id())
            .notResources(
                exampleAwsDbInstance.arn(),
                exampleAwsEbsVolume.arn(),
                exampleAwsEfsFileSystem.arn())
            .build();

        var example = new Selection("example", selectionArgs);
    }
}
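# AWS Backup selection that names the resources to exclude. The nesting below is
# restored; YAML needs the indentation to express which keys belong to which mapping.
resources:
  example:
    type: aws:backup:Selection
    properties:
      # Role AWS Backup uses for the selected resources; declared elsewhere in the program.
      iamRoleArn: ${exampleAwsIamRole.arn}
      name: my_example_backup_selection
      planId: ${exampleAwsBackupPlan.id}
      # These ARNs are carved out of the selection.
      # NOTE(review): no resources list or tag filter is set alongside notResources
      # here; confirm against the AWS Backup documentation what the selection then covers.
      notResources:
        - ${exampleAwsDbInstance.arn}
        - ${exampleAwsEbsVolume.arn}
        - ${exampleAwsEfsFileSystem.arn}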
The notResources property inverts the selection logic. Instead of specifying what to back up, you specify what to exclude. This works well with wildcard patterns or when combined with tag-based selection to carve out exceptions.
Beyond these examples
These snippets focus on specific selection features: tag-based resource discovery, condition-based filtering with string operators, and explicit ARN inclusion and exclusion. They’re intentionally minimal rather than complete backup solutions.
The examples rely on pre-existing infrastructure such as AWS Backup plans (planId), IAM roles with backup permissions (iamRoleArn), and tagged resources for tag-based examples. They focus on defining selection criteria rather than provisioning the surrounding backup infrastructure.
To keep things focused, common selection patterns are omitted, including:
- IAM role creation and policy attachment (shown in Example 1 but not in selection examples)
- Backup plan configuration (schedule, retention, lifecycle)
- Cross-region or cross-account backup
- Advanced condition operators (stringNotLikes, nested conditions)
These omissions are intentional: the goal is to illustrate how each selection method is wired, not provide drop-in backup modules. See the Backup Selection resource reference for all available configuration options.
Frequently Asked Questions
Resource Selection Methods
You have four selection methods:
- selectionTags - Simple tag matching with STRINGEQUALS
- conditions - Advanced tag filtering with multiple operators (stringEquals, stringLikes, stringNotEquals, stringNotLikes)
- resources - Explicit list of resource ARNs to include
- notResources - Explicit list of resource ARNs to exclude
Set resources to ["*"] to select all resources, then optionally use conditions to filter by tags.
Use notResources with an array of ARNs to exclude specific resources from the backup plan.
selectionTags provides simple STRINGEQUALS matching, while conditions supports multiple operators (stringEquals, stringLikes, stringNotEquals, stringNotLikes) for complex filtering scenarios.
Combine resources with conditions to select all resources and then filter by tags. The conditions example shows resources: ["*"] combined with tag-based conditions.
The conditions block supports four operators: stringEquals for exact matches, stringLikes for wildcard patterns (e.g., app*), stringNotEquals for exclusions, and stringNotLikes for pattern exclusions.
IAM & Permissions
The IAM role needs the AWSBackupServiceRolePolicyForBackup managed policy for creating backups. The role must trust backup.amazonaws.com as shown in the IAM example.
Configuration & Immutability
These properties (conditions, resources, selectionTags, name, planId, iamRoleArn) are immutable and force resource replacement when changed. Plan your selection criteria carefully before creation.