The aws:backup/selection:Selection resource, part of the Pulumi AWS provider, defines which AWS resources a backup plan should protect using tags, conditions, or explicit ARNs. This guide focuses on three capabilities: tag-based selection, condition-based filtering, and explicit ARN inclusion/exclusion.
Backup selections require an existing backup plan and an IAM role with permissions to perform backups and restores. The examples are intentionally small. Combine them with your own backup plans, IAM roles, and resource tagging strategy.
Select resources by tag key-value pairs
Many organizations tag resources with metadata like environment, application, or owner. Backup selections can target all resources matching specific tag criteria.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Tag-based selection: every resource tagged foo=bar joins the backup plan.
// Membership follows the tag, so the right to edit this tag on a resource is
// effectively the right to add it to, or drop it from, backup coverage.
const selectionArgs: aws.backup.SelectionArgs = {
    name: "my_example_backup_selection",
    planId: exampleAwsBackupPlan.id,
    // Role that AWS Backup uses for this selection; it has to exist already.
    iamRoleArn: exampleAwsIamRole.arn,
    selectionTags: [
        { type: "STRINGEQUALS", key: "foo", value: "bar" },
    ],
};
const example = new aws.backup.Selection("example", selectionArgs);
import pulumi
import pulumi_aws as aws
# Single tag filter: a resource is selected when its "foo" tag equals "bar".
# Treat the tag as a control: whoever may change it decides what is backed up.
tag_filter = {
    "type": "STRINGEQUALS",
    "key": "foo",
    "value": "bar",
}
example = aws.backup.Selection(
    "example",
    name="my_example_backup_selection",
    plan_id=example_aws_backup_plan["id"],
    # Pre-existing role that AWS Backup uses for this selection.
    iam_role_arn=example_aws_iam_role["arn"],
    selection_tags=[tag_filter],
)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/backup"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main registers a backup selection that picks resources by tag: anything
// tagged foo=bar is attached to the referenced backup plan.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Backup membership follows the tag, so permission to edit this tag
		// on a resource also decides whether that resource is protected.
		tagFilter := &backup.SelectionSelectionTagArgs{
			Type:  pulumi.String("STRINGEQUALS"),
			Key:   pulumi.String("foo"),
			Value: pulumi.String("bar"),
		}
		args := &backup.SelectionArgs{
			Name:          pulumi.String("my_example_backup_selection"),
			PlanId:        pulumi.Any(exampleAwsBackupPlan.Id),
			IamRoleArn:    pulumi.Any(exampleAwsIamRole.Arn),
			SelectionTags: backup.SelectionSelectionTagArray{tagFilter},
		}
		// The resource handle is not needed afterwards; only the error is kept.
		_, err := backup.NewSelection(ctx, "example", args)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
    // Tag-based selection: resources whose "foo" tag equals "bar" are backed up.
    // Anyone able to change that tag can move a resource in or out of coverage.
    var selectionArgs = new Aws.Backup.SelectionArgs
    {
        Name = "my_example_backup_selection",
        PlanId = exampleAwsBackupPlan.Id,
        // Existing role that AWS Backup uses for this selection.
        IamRoleArn = exampleAwsIamRole.Arn,
        SelectionTags = new[]
        {
            new Aws.Backup.Inputs.SelectionSelectionTagArgs
            {
                Type = "STRINGEQUALS",
                Key = "foo",
                Value = "bar",
            },
        },
    };

    var example = new Aws.Backup.Selection("example", selectionArgs);
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.backup.Selection;
import com.pulumi.aws.backup.SelectionArgs;
import com.pulumi.aws.backup.inputs.SelectionSelectionTagArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that attaches a tag-based backup selection to an existing
 * backup plan.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the selection. Resources tagged foo=bar are selected; since
     * membership follows the tag, tag-editing rights on those resources also
     * control whether they are backed up.
     */
    public static void stack(Context ctx) {
        final var tagFilter = SelectionSelectionTagArgs.builder()
            .type("STRINGEQUALS")
            .key("foo")
            .value("bar")
            .build();

        final var selectionArgs = SelectionArgs.builder()
            .name("my_example_backup_selection")
            .planId(exampleAwsBackupPlan.id())
            // Existing role that AWS Backup uses for this selection.
            .iamRoleArn(exampleAwsIamRole.arn())
            .selectionTags(tagFilter)
            .build();

        var example = new Selection("example", selectionArgs);
    }
}
# Tag-based backup selection: resources tagged foo=bar join the backup plan.
# Backup membership follows the tag, so control who may edit it.
resources:
  example:
    type: aws:backup:Selection
    properties:
      name: my_example_backup_selection
      planId: ${exampleAwsBackupPlan.id}
      # Existing role that AWS Backup uses for this selection.
      iamRoleArn: ${exampleAwsIamRole.arn}
      selectionTags:
        - type: STRINGEQUALS
          key: foo
          value: bar
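The selectionTags property defines tag-based filters. Each filter specifies a type (STRINGEQUALS), key, and value. AWS Backup automatically includes any resource with matching tags, even resources created after the selection is defined. Because membership follows the tag, anyone who can add, change, or remove that tag on a resource also decides whether it is backed up, so restrict and audit tag-editing permissions on the keys a selection depends on.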
Filter resources with complex tag conditions
When simple tag matching isn’t enough, condition-based filters support multiple operators to build sophisticated selection logic.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Condition-based selection: start from every resource ("*") and keep only
// those whose tags satisfy the condition block below.
// The two "not" operators are opt-outs: a resource tagged Backup=false, or with
// an Environment tag matching test*, is left out of this selection.
const tagConditions = {
    stringEquals: [{ key: "aws:ResourceTag/Component", value: "rds" }],
    stringLikes: [{ key: "aws:ResourceTag/Application", value: "app*" }],
    stringNotEquals: [{ key: "aws:ResourceTag/Backup", value: "false" }],
    stringNotLikes: [{ key: "aws:ResourceTag/Environment", value: "test*" }],
};
const selectionArgs: aws.backup.SelectionArgs = {
    name: "my_example_backup_selection",
    planId: exampleAwsBackupPlan.id,
    iamRoleArn: exampleAwsIamRole.arn,
    // Wildcard scope: the conditions are the only thing narrowing the selection.
    resources: ["*"],
    conditions: [tagConditions],
};
const example = new aws.backup.Selection("example", selectionArgs);
import pulumi
import pulumi_aws as aws
# One condition block holding all four operator lists. The "not" entries work
# as opt-outs: Backup=false or Environment=test* keeps a resource out.
tag_conditions = {
    "string_equals": [
        {"key": "aws:ResourceTag/Component", "value": "rds"},
    ],
    "string_likes": [
        {"key": "aws:ResourceTag/Application", "value": "app*"},
    ],
    "string_not_equals": [
        {"key": "aws:ResourceTag/Backup", "value": "false"},
    ],
    "string_not_likes": [
        {"key": "aws:ResourceTag/Environment", "value": "test*"},
    ],
}
example = aws.backup.Selection(
    "example",
    name="my_example_backup_selection",
    plan_id=example_aws_backup_plan["id"],
    iam_role_arn=example_aws_iam_role["arn"],
    # "*" puts every resource in scope; only the conditions narrow it.
    resources=["*"],
    conditions=[tag_conditions],
)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/backup"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main registers a backup selection that starts from every resource ("*")
// and narrows the set with tag conditions.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// All four operator lists live in one condition block. The two "not"
		// lists are opt-outs: Backup=false or Environment=test* on a resource
		// keeps it out of this selection.
		tagConditions := &backup.SelectionConditionArgs{
			StringEquals: backup.SelectionConditionStringEqualArray{
				&backup.SelectionConditionStringEqualArgs{
					Key:   pulumi.String("aws:ResourceTag/Component"),
					Value: pulumi.String("rds"),
				},
			},
			StringLikes: backup.SelectionConditionStringLikeArray{
				&backup.SelectionConditionStringLikeArgs{
					Key:   pulumi.String("aws:ResourceTag/Application"),
					Value: pulumi.String("app*"),
				},
			},
			StringNotEquals: backup.SelectionConditionStringNotEqualArray{
				&backup.SelectionConditionStringNotEqualArgs{
					Key:   pulumi.String("aws:ResourceTag/Backup"),
					Value: pulumi.String("false"),
				},
			},
			StringNotLikes: backup.SelectionConditionStringNotLikeArray{
				&backup.SelectionConditionStringNotLikeArgs{
					Key:   pulumi.String("aws:ResourceTag/Environment"),
					Value: pulumi.String("test*"),
				},
			},
		}
		args := &backup.SelectionArgs{
			Name:       pulumi.String("my_example_backup_selection"),
			PlanId:     pulumi.Any(exampleAwsBackupPlan.Id),
			IamRoleArn: pulumi.Any(exampleAwsIamRole.Arn),
			// Wildcard scope: the conditions are the only narrowing applied.
			Resources:  pulumi.StringArray{pulumi.String("*")},
			Conditions: backup.SelectionConditionArray{tagConditions},
		}
		_, err := backup.NewSelection(ctx, "example", args)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
    // One condition block with all four operator lists. The "not" lists are
    // opt-outs: Backup=false or Environment=test* keeps a resource out.
    var tagConditions = new Aws.Backup.Inputs.SelectionConditionArgs
    {
        StringEquals = new[]
        {
            new Aws.Backup.Inputs.SelectionConditionStringEqualArgs
            {
                Key = "aws:ResourceTag/Component",
                Value = "rds",
            },
        },
        StringLikes = new[]
        {
            new Aws.Backup.Inputs.SelectionConditionStringLikeArgs
            {
                Key = "aws:ResourceTag/Application",
                Value = "app*",
            },
        },
        StringNotEquals = new[]
        {
            new Aws.Backup.Inputs.SelectionConditionStringNotEqualArgs
            {
                Key = "aws:ResourceTag/Backup",
                Value = "false",
            },
        },
        StringNotLikes = new[]
        {
            new Aws.Backup.Inputs.SelectionConditionStringNotLikeArgs
            {
                Key = "aws:ResourceTag/Environment",
                Value = "test*",
            },
        },
    };

    var selectionArgs = new Aws.Backup.SelectionArgs
    {
        Name = "my_example_backup_selection",
        PlanId = exampleAwsBackupPlan.Id,
        IamRoleArn = exampleAwsIamRole.Arn,
        // Wildcard scope: only the conditions narrow what gets selected.
        Resources = new[]
        {
            "*",
        },
        Conditions = new[]
        {
            tagConditions,
        },
    };

    var example = new Aws.Backup.Selection("example", selectionArgs);
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.backup.Selection;
import com.pulumi.aws.backup.SelectionArgs;
import com.pulumi.aws.backup.inputs.SelectionConditionArgs;
import com.pulumi.aws.backup.inputs.SelectionConditionStringEqualArgs;
import com.pulumi.aws.backup.inputs.SelectionConditionStringLikeArgs;
import com.pulumi.aws.backup.inputs.SelectionConditionStringNotEqualArgs;
import com.pulumi.aws.backup.inputs.SelectionConditionStringNotLikeArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that attaches a condition-based backup selection to an
 * existing backup plan.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the selection: every resource ("*") is in scope and the tag
     * conditions narrow it. The stringNotEquals / stringNotLikes entries act
     * as opt-outs (Backup=false, Environment=test*).
     */
    public static void stack(Context ctx) {
        final var tagConditions = SelectionConditionArgs.builder()
            .stringEquals(SelectionConditionStringEqualArgs.builder()
                .key("aws:ResourceTag/Component")
                .value("rds")
                .build())
            .stringLikes(SelectionConditionStringLikeArgs.builder()
                .key("aws:ResourceTag/Application")
                .value("app*")
                .build())
            .stringNotEquals(SelectionConditionStringNotEqualArgs.builder()
                .key("aws:ResourceTag/Backup")
                .value("false")
                .build())
            .stringNotLikes(SelectionConditionStringNotLikeArgs.builder()
                .key("aws:ResourceTag/Environment")
                .value("test*")
                .build())
            .build();

        final var selectionArgs = SelectionArgs.builder()
            .name("my_example_backup_selection")
            .planId(exampleAwsBackupPlan.id())
            .iamRoleArn(exampleAwsIamRole.arn())
            // Wildcard scope: only the conditions narrow what gets selected.
            .resources("*")
            .conditions(tagConditions)
            .build();

        var example = new Selection("example", selectionArgs);
    }
}
# Condition-based backup selection: every resource is in scope ('*') and the
# tag conditions narrow the set.
resources:
  example:
    type: aws:backup:Selection
    properties:
      name: my_example_backup_selection
      planId: ${exampleAwsBackupPlan.id}
      iamRoleArn: ${exampleAwsIamRole.arn}
      resources:
        - '*'
      conditions:
        - stringEquals:
            - key: aws:ResourceTag/Component
              value: rds
          stringLikes:
            - key: aws:ResourceTag/Application
              value: app*
          # Opt-outs: these tag values keep a resource out of the selection.
          stringNotEquals:
            - key: aws:ResourceTag/Backup
              value: 'false'
          stringNotLikes:
            - key: aws:ResourceTag/Environment
              value: test*
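The conditions property combines multiple filter types: stringEquals for exact matches, stringLikes for wildcard patterns, stringNotEquals to exclude specific values, and stringNotLikes to exclude patterns. The resources property set to ["*"] means “evaluate all resources in the account against these conditions.” Note that the two exclusion filters work as opt-outs: in this example, tagging a resource Backup=false or giving it an Environment tag that matches test* removes it from the selection, so changes to those tags deserve the same review as changes to the selection itself.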
Specify individual resources by ARN
For precise control, you can list specific resource ARNs rather than relying on tag-based discovery.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Explicit selection: coverage is limited to the ARNs listed here; nothing is
// discovered by tag.
const protectedArns = [
    exampleAwsDbInstance.arn,
    exampleAwsEbsVolume.arn,
    exampleAwsEfsFileSystem.arn,
];
const selectionArgs: aws.backup.SelectionArgs = {
    name: "my_example_backup_selection",
    planId: exampleAwsBackupPlan.id,
    iamRoleArn: exampleAwsIamRole.arn,
    resources: protectedArns,
};
const example = new aws.backup.Selection("example", selectionArgs);
import pulumi
import pulumi_aws as aws
# ARNs of the only resources this selection covers: a database instance, an
# EBS volume and an EFS file system defined elsewhere in the program.
protected_arns = [
    example_aws_db_instance["arn"],
    example_aws_ebs_volume["arn"],
    example_aws_efs_file_system["arn"],
]
example = aws.backup.Selection(
    "example",
    name="my_example_backup_selection",
    plan_id=example_aws_backup_plan["id"],
    iam_role_arn=example_aws_iam_role["arn"],
    resources=protected_arns,
)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/backup"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main registers a backup selection that names its resources by ARN instead
// of matching them by tag.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Coverage is exactly this list; nothing is discovered by tag.
		protectedArns := pulumi.StringArray{
			exampleAwsDbInstance.Arn,
			exampleAwsEbsVolume.Arn,
			exampleAwsEfsFileSystem.Arn,
		}
		args := &backup.SelectionArgs{
			Name:       pulumi.String("my_example_backup_selection"),
			PlanId:     pulumi.Any(exampleAwsBackupPlan.Id),
			IamRoleArn: pulumi.Any(exampleAwsIamRole.Arn),
			Resources:  protectedArns,
		}
		_, err := backup.NewSelection(ctx, "example", args)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
    // Explicit selection: only the three ARNs below are covered.
    var selectionArgs = new Aws.Backup.SelectionArgs
    {
        Name = "my_example_backup_selection",
        PlanId = exampleAwsBackupPlan.Id,
        IamRoleArn = exampleAwsIamRole.Arn,
        Resources = new[]
        {
            exampleAwsDbInstance.Arn,
            exampleAwsEbsVolume.Arn,
            exampleAwsEfsFileSystem.Arn,
        },
    };

    var example = new Aws.Backup.Selection("example", selectionArgs);
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.backup.Selection;
import com.pulumi.aws.backup.SelectionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that attaches an ARN-based backup selection to an existing
 * backup plan.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the selection. Only the three listed ARNs are covered; nothing
     * is discovered by tag.
     */
    public static void stack(Context ctx) {
        final var selectionArgs = SelectionArgs.builder()
            .name("my_example_backup_selection")
            .planId(exampleAwsBackupPlan.id())
            .iamRoleArn(exampleAwsIamRole.arn())
            .resources(
                exampleAwsDbInstance.arn(),
                exampleAwsEbsVolume.arn(),
                exampleAwsEfsFileSystem.arn())
            .build();

        var example = new Selection("example", selectionArgs);
    }
}
# ARN-based backup selection: only the listed resources are covered.
resources:
  example:
    type: aws:backup:Selection
    properties:
      name: my_example_backup_selection
      planId: ${exampleAwsBackupPlan.id}
      iamRoleArn: ${exampleAwsIamRole.arn}
      resources:
        - ${exampleAwsDbInstance.arn}
        - ${exampleAwsEbsVolume.arn}
        - ${exampleAwsEfsFileSystem.arn}
The resources property accepts an array of ARNs. This approach works well when you have a small, stable set of resources to back up, or when resources don’t share common tags.
Exclude specific resources from backup
Sometimes it’s easier to back up everything except a few resources. The notResources property inverts the selection logic.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Exclusion list: these ARNs are skipped by the selection. Review additions
// here carefully, since every entry is a resource left without backup.
const excludedArns = [
    exampleAwsDbInstance.arn,
    exampleAwsEbsVolume.arn,
    exampleAwsEfsFileSystem.arn,
];
const selectionArgs: aws.backup.SelectionArgs = {
    name: "my_example_backup_selection",
    planId: exampleAwsBackupPlan.id,
    iamRoleArn: exampleAwsIamRole.arn,
    notResources: excludedArns,
};
const example = new aws.backup.Selection("example", selectionArgs);
import pulumi
import pulumi_aws as aws
# ARNs that the selection must skip. Each entry is a resource deliberately
# left out of backup, so changes to this list warrant review.
excluded_arns = [
    example_aws_db_instance["arn"],
    example_aws_ebs_volume["arn"],
    example_aws_efs_file_system["arn"],
]
example = aws.backup.Selection(
    "example",
    name="my_example_backup_selection",
    plan_id=example_aws_backup_plan["id"],
    iam_role_arn=example_aws_iam_role["arn"],
    not_resources=excluded_arns,
)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/backup"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main registers a backup selection that lists the ARNs to leave out of the
// backup plan.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Every entry is a resource deliberately excluded from backup.
		excludedArns := pulumi.StringArray{
			exampleAwsDbInstance.Arn,
			exampleAwsEbsVolume.Arn,
			exampleAwsEfsFileSystem.Arn,
		}
		args := &backup.SelectionArgs{
			Name:         pulumi.String("my_example_backup_selection"),
			PlanId:       pulumi.Any(exampleAwsBackupPlan.Id),
			IamRoleArn:   pulumi.Any(exampleAwsIamRole.Arn),
			NotResources: excludedArns,
		}
		_, err := backup.NewSelection(ctx, "example", args)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
    // Exclusion list: each ARN below is deliberately left out of backup.
    var selectionArgs = new Aws.Backup.SelectionArgs
    {
        Name = "my_example_backup_selection",
        PlanId = exampleAwsBackupPlan.Id,
        IamRoleArn = exampleAwsIamRole.Arn,
        NotResources = new[]
        {
            exampleAwsDbInstance.Arn,
            exampleAwsEbsVolume.Arn,
            exampleAwsEfsFileSystem.Arn,
        },
    };

    var example = new Aws.Backup.Selection("example", selectionArgs);
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.backup.Selection;
import com.pulumi.aws.backup.SelectionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that attaches a backup selection with an exclusion list to
 * an existing backup plan.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the selection. The three ARNs passed to notResources are the
     * resources to skip; each one is deliberately left out of backup.
     */
    public static void stack(Context ctx) {
        final var selectionArgs = SelectionArgs.builder()
            .name("my_example_backup_selection")
            .planId(exampleAwsBackupPlan.id())
            .iamRoleArn(exampleAwsIamRole.arn())
            .notResources(
                exampleAwsDbInstance.arn(),
                exampleAwsEbsVolume.arn(),
                exampleAwsEfsFileSystem.arn())
            .build();

        var example = new Selection("example", selectionArgs);
    }
}
# Backup selection with an exclusion list: the ARNs under notResources are
# skipped, so each entry is a resource deliberately left out of backup.
resources:
  example:
    type: aws:backup:Selection
    properties:
      name: my_example_backup_selection
      planId: ${exampleAwsBackupPlan.id}
      iamRoleArn: ${exampleAwsIamRole.arn}
      notResources:
        - ${exampleAwsDbInstance.arn}
        - ${exampleAwsEbsVolume.arn}
        - ${exampleAwsEfsFileSystem.arn}
The notResources property lists ARNs to exclude. This is useful when most resources should be backed up but a few need to be skipped (test databases, temporary volumes, scratch file systems).
Beyond these examples
These snippets focus on specific selection features: tag-based and condition-based resource selection, and explicit ARN inclusion and exclusion. They’re intentionally minimal rather than complete backup configurations.
The examples reference pre-existing infrastructure such as AWS Backup plans (planId), IAM roles with backup permissions (iamRoleArn), and resources to back up (RDS instances, EBS volumes, EFS file systems). They focus on defining selection criteria rather than provisioning the backup infrastructure.
To keep things focused, common selection patterns are omitted, including:
- IAM role creation and policy attachment (shown in Example 1 but not integrated)
- Backup plan configuration (schedule, retention, lifecycle)
- Cross-region or cross-account backup
- Advanced condition operators (stringLike wildcards, multiple conditions)
These omissions are intentional: the goal is to illustrate how each selection method is wired, not provide drop-in backup modules. See the Backup Selection resource reference for all available configuration options.
Frequently Asked Questions
Resource Selection Methods
You have three options:
- By tags - Use selectionTags with operators like STRINGEQUALS
- By conditions - Use conditions for advanced tag filtering with stringEquals, stringLikes, stringNotEquals, stringNotLikes
- By ARN - Use resources to specify explicit resource ARNs
selectionTags provides simple tag matching with a single operator type. conditions offers advanced filtering with multiple operators (stringEquals, stringLikes, stringNotEquals, stringNotLikes) that can be combined in a single selection.
Use notResources with an array of ARNs or match patterns to exclude resources from the backup plan.
Use the conditions property with stringLikes for wildcard patterns (e.g., app*), or use resources: ["*"] to select all resources.
IAM & Permissions
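Attach the arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup managed policy to the IAM role. The role must have a trust policy allowing backup.amazonaws.com to assume it. That policy covers taking backups; restore operations need restore permissions as well, which can be granted to a separate role so that the backup role stays least-privileged.
Configuration & Limitations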
The following properties cannot be modified in place: conditions, iamRoleArn, name, notResources, planId, resources, and selectionTags. Only region can be modified in-place.
planId is immutable. Changing it forces replacement of the selection resource.
To import an existing selection, run pulumi import aws:backup/selection:Selection example plan-id|selection-id with the plan ID and selection ID separated by a pipe character.