This script creates an AWS backup vault, adds a backup plan and a backup selection.

Set up profile, region and Account ID first.

<pre lang="bash">
#!/bin/bash
profile="default"
region="us-east-1"
id=$(aws sts get-caller-identity --query Account --output text)

Create a vault.

<pre lang="bash">
aws backup create-backup-vault \
--backup-vault-name my-vault \
--profile $profile \
--region $region

Create a backup plan.

<pre lang="bash">
aws backup create-backup-plan \
--backup-plan file://back-plan.json \ 
--profile $profile \
--region $region

backup-plan.json

<pre lang="bash">
{
    "BackupPlan": {
        "BackupPlanName": "efs-0000",
        "Rules": [
            {
                "RuleName": "efs-0000",
                "TargetBackupVaultName": "my-vault",
                "ScheduleExpression": "cron(0 0 ? * * *)",
                "StartWindowMinutes": 60,
                "CompletionWindowMinutes": 10080,
                "Lifecycle": {
                    "DeleteAfterDays": 7
                }
            }
        ]
    }
}

Get the backup plan ID.

<pre lang="bash">
planid=$(aws backup list-backup-plans \
  --query "BackupPlansList[?BackupPlanName=='efs-0000'].BackupPlanId" \
  --profile $profile \
  --region $region \
  --output text)

Create a backup selection.

<pre lang="bash">
# Create a backup selection
aws backup create-backup-selection \
--backup-plan-id $planid \
--cli-input-json file://backup-selection.json \
--profile $profile \
--region $region

backup-selection.json

<pre lang="bash">
{
    "BackupSelection": {
		"SelectionName": "efs-0000",
        "IamRoleArn": "arn:aws:iam::xxxxxxxxxxxx:role/service-role/AWSBackupDefaultServiceRole",
        "Resources": [],
        "ListOfTags": [
            {
                "ConditionType": "STRINGEQUALS",
                "ConditionKey": "aws-backup",
                "ConditionValue": "efs-0000"
            }
        ]
    }
}

The enable EFS backup, add a tag key of aws-backup with a value of efs-0000.