Amazon S3 Extension Bucket Permissions

User-based policy

To export backups to Amazon S3 and import them back, the Amazon S3 Extension requires the following permissions.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:CreateBucket",
                "s3:ListBucket",
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::*"
        }
    ]
}

Optional permissions:

s3:ListAllMyBuckets – Returns a list of all buckets owned by the authenticated sender of the request. If you grant this permission, the Amazon S3 Extension lists all your buckets in a drop-down menu on the Amazon S3 Settings page.
s3:AbortMultipartUpload – Aborts a multipart upload. If you grant this permission, you can pause the export process during upload, and all temporarily uploaded chunks are deleted from Amazon S3.
s3:DeleteBucket – Deletes the bucket named in the URI. The Amazon S3 Extension does not delete buckets during export/import, but you may need to grant this permission to your Amazon S3 user if you require such an operation.

Bucket-based policy


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": ["arn:aws:s3:::site-backups"]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": ["arn:aws:s3:::site-backups/*"]
        }
    ]
}

In the preceding example, the bucket to which the permissions apply is called site-backups; replace that name with the name of your own bucket. Note that bucket-level actions (s3:GetBucketLocation, s3:ListBucket) are granted on the bucket ARN, while object-level actions (s3:PutObject, s3:GetObject, s3:DeleteObject) are granted on the bucket ARN followed by /*. Unlike the user-based policy above, whose wildcard resource arn:aws:s3:::* covers every bucket in the account, this policy restricts the extension's credentials to the single bucket that holds the backups.

You can find more information about user and bucket policies in the Amazon S3 documentation:
https://docs.aws.amazon.com/AmazonS3/latest/dev/using-iam-policies.html
https://aws.amazon.com/blogs/security/writing-iam-policies-how-to-grant-access-to-an-amazon-s3-bucket/
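The following Python script is an added example and not part of the extension or of the page above. It generates the bucket-scoped policy for a bucket name you supply (optionally adding the three optional permissions at the ARN level each one needs), and it lints a policy document for two problems a reviewer looks for in S3 policies: statements whose resource covers every bucket in the account, and statements that pair an action with the wrong ARN form (for example s3:PutObject on the bucket ARN instead of bucket/*, which never matches). The function names, the ACTION_LEVEL table and the sample input are this example's own; the sample input is the page's user-based policy, embedded inline.

```python
import json

# Which ARN form S3 evaluates each action against: bucket-level actions match
# arn:aws:s3:::BUCKET, object-level actions match arn:aws:s3:::BUCKET/*, and
# ListAllMyBuckets is account-wide, so it can only be granted on the wildcard.
ACTION_LEVEL = {
    "s3:GetBucketLocation": "bucket",
    "s3:ListBucket": "bucket",
    "s3:CreateBucket": "bucket",
    "s3:DeleteBucket": "bucket",
    "s3:PutObject": "object",
    "s3:GetObject": "object",
    "s3:DeleteObject": "object",
    "s3:AbortMultipartUpload": "object",
    "s3:ListAllMyBuckets": "account",
}
S3_ARN_PREFIX = "arn:aws:s3:::"


def build_bucket_policy(bucket, abort_multipart=False, delete_bucket=False,
                        list_all_buckets=False):
    """Build the page's bucket-scoped policy for one bucket name, attaching the
    optional permissions at the ARN level each of them requires."""
    bucket_arn = S3_ARN_PREFIX + bucket
    bucket_actions = ["s3:GetBucketLocation", "s3:ListBucket"]
    object_actions = ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"]
    if delete_bucket:
        bucket_actions.append("s3:DeleteBucket")
    if abort_multipart:
        object_actions.append("s3:AbortMultipartUpload")
    statements = [
        {"Effect": "Allow", "Action": bucket_actions, "Resource": [bucket_arn]},
        {"Effect": "Allow", "Action": object_actions, "Resource": [bucket_arn + "/*"]},
    ]
    if list_all_buckets:
        # Account-wide action: cannot be scoped to one bucket, needs the wildcard.
        statements.append({"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"],
                           "Resource": [S3_ARN_PREFIX + "*"]})
    return {"Version": "2012-10-17", "Statement": statements}


def lint_policy(policy):
    """Return findings for Allow statements that reach beyond one bucket, or that
    pair an action with the wrong ARN form (so the grant silently never matches)."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else list(resources)
        for res in resources:
            if res == "*":
                name = "*"
            elif res.startswith(S3_ARN_PREFIX):
                name = res[len(S3_ARN_PREFIX):]
            else:
                continue  # not an S3 ARN; outside this linter's scope
            bucket_part, sep, _key = name.partition("/")
            if "*" in bucket_part:
                # Wildcard in the bucket name: every action except the account-wide
                # one is now allowed on every bucket the credentials can reach.
                broad = [a for a in actions if ACTION_LEVEL.get(a) != "account"]
                if broad:
                    findings.append(f"statement {idx}: {', '.join(broad)} allowed on every bucket via {res}")
                continue
            level = "object" if sep else "bucket"
            for action in actions:
                expected = ACTION_LEVEL.get(action)
                if expected in ("bucket", "object") and expected != level:
                    findings.append(f"statement {idx}: {action} needs the {expected}-level ARN form, got {res}")
    return findings


# Sample input for the linter: the user-based policy from the page, embedded inline.
USER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetBucketLocation", "s3:CreateBucket", "s3:ListBucket",
               "s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
    "Resource": "arn:aws:s3:::*"
  }]
}""")

if __name__ == "__main__":
    for finding in lint_policy(USER_POLICY):
        print("user-based policy:", finding)
    scoped = build_bucket_policy("site-backups", abort_multipart=True)
    print("bucket-scoped policy findings:", lint_policy(scoped))
    print(json.dumps(scoped, indent=2))
```

Run against the page's user-based policy the linter reports one finding (all six actions allowed on every bucket through arn:aws:s3:::*); the generated bucket-scoped policy produces none, even with s3:ListAllMyBuckets added, because that action is account-wide by nature and the linter treats it as the one legitimate use of the wildcard.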

Why do we need these permissions?

CreateBucket: Required to create a bucket for the initial export to S3 when no bucket exists yet, or when none has been selected on the S3 settings page.
ListBucket: Required for the import functionality, to provide the list of files from which you select the file to import.
PutObject: Required for upload and export.
GetObject: Required for download and import.
DeleteObject: Required for the Retention settings.
GetBucketLocation: Required to export to and import from S3.
