Amazon S3 Extension Bucket Permissions

User based policy

The Amazon S3 Extension requires the following permissions to export backups to Amazon S3 and import them from it properly.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:CreateBucket",
        "s3:ListBucket",
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::*"
    }
  ]
}

Optional policies:

s3:ListAllMyBuckets – Returns a list of all buckets owned by the authenticated sender of the request. If this permission is enabled, the Amazon S3 Extension lists all buckets in a dropdown on the Amazon S3 Settings page.
s3:AbortMultipartUpload – Aborts a multipart upload. If this permission is enabled, you can interrupt the export process during upload, and all temporarily uploaded chunks will be deleted from Amazon S3.
s3:DeleteBucket – Deletes the bucket named in the URI. The Amazon S3 Extension does not delete buckets on export/import, but you may need to grant this permission to your Amazon S3 user if you need that operation.

Bucket based policy


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket"
      ],
      "Resource": ["arn:aws:s3:::site-backups"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": ["arn:aws:s3:::site-backups/*"]
    }
  ]
}

In the above example, site-backups is the name of the bucket to which the permissions are applied. You may need to change it to match your bucket name.
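
The user based policy allows its actions on every bucket in the account (arn:aws:s3:::*), while the bucket based policy limits them to a single bucket. The following Python script is an added example, not code from the Amazon S3 Extension; it rewrites a wide policy into the bucket-scoped form and covers the optional permissions as well. The function names and the grouping of actions by resource type are assumptions of this example.

```python
import json

# Actions named on this page, grouped by the resource type each one acts on.
BUCKET_ACTIONS = {"s3:GetBucketLocation", "s3:CreateBucket", "s3:ListBucket", "s3:DeleteBucket"}
OBJECT_ACTIONS = {"s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:AbortMultipartUpload"}
ACCOUNT_ACTIONS = {"s3:ListAllMyBuckets"}  # account-wide; only valid with Resource "*"

# The user based policy from this page.
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetBucketLocation", "s3:CreateBucket", "s3:ListBucket",
                   "s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
        "Resource": "arn:aws:s3:::*",
    }],
}

def as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)

def scope_policy(policy, bucket):
    """Narrow every Allow statement that covers all buckets to one named bucket."""
    out = []
    for stmt in policy["Statement"]:
        wide = any(r in ("*", "arn:aws:s3:::*") for r in as_list(stmt["Resource"]))
        if stmt.get("Effect") != "Allow" or not wide:
            out.append(stmt)  # already scoped, or a Deny: leave untouched
            continue
        actions = as_list(stmt["Action"])
        unknown = set(actions) - BUCKET_ACTIONS - OBJECT_ACTIONS - ACCOUNT_ACTIONS
        if unknown:  # e.g. "s3:*": refuse to guess rather than keep it wide
            raise ValueError(f"cannot classify actions: {sorted(unknown)}")
        base = {k: v for k, v in stmt.items() if k != "Sid"}  # Sids must stay unique
        for group, resource in ((BUCKET_ACTIONS, [f"arn:aws:s3:::{bucket}"]),
                                (OBJECT_ACTIONS, [f"arn:aws:s3:::{bucket}/*"]),
                                (ACCOUNT_ACTIONS, ["*"])):
            picked = [a for a in actions if a in group]
            if picked:
                out.append({**base, "Action": picked, "Resource": resource})
    return {**policy, "Statement": out}

if __name__ == "__main__":
    print(json.dumps(scope_policy(USER_POLICY, "site-backups"), indent=2))
```

Run against the user based policy, the output matches the bucket based policy except that s3:CreateBucket is kept in the bucket-level statement, because the user based policy grants it.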

You can find more information about user and bucket policies in the Amazon S3 documentation:
https://docs.aws.amazon.com/AmazonS3/latest/dev/using-iam-policies.html
https://aws.amazon.com/blogs/security/writing-iam-policies-how-to-grant-access-to-an-amazon-s3-bucket/
