BackupBuddy Remote Destinations: Amazon S3

From IThemes Codex

Amazon Simple Storage Service (Amazon S3) is a well-known cloud storage provider. This destination is known to be reliable and works well with BackupBuddy. For more information about Amazon S3, visit http://aws.amazon.com/s3/.


Simple Method (inline user policy)

This is the easiest method for granting BackupBuddy permission to access an S3 bucket.

  1. Log in to the Amazon Web Console at http://console.aws.amazon.com
  2. From the top menu select "Services" then click "IAM".
  3. From the left menu select "Users" or go to https://console.aws.amazon.com/iam/home#users
  4. Click the "Create New Users" button.
  5. Enter a username you wish to create to give access to your bucket. For this example I am entering the username "backupbuddy_test_user".
  6. Click "Show User Security Credentials" to display them.
  7. This is the Access Key and Secret Key you will enter into BackupBuddy when creating the Amazon S3 Remote Destination. Enter them now into BackupBuddy, copy them, or download them for entering later. If you lose these you cannot get them later and will have to generate new keys.
  8. Click "Close" twice to move on.
  9. Click the username you just created to open its details.
  10. Select the "Permissions" tab.
  11. Under Inline Policies (click to expand), you will see "There are no inline policies to show. To create one, click here".
  12. Click where it says "click here".
  13. Choose "Policy Generator" and click "Select".
    • Effect: Allow
    • AWS Service: Amazon S3
    • Actions: All Actions
    • Amazon Resource Name (ARN): arn:aws:s3:::YOUR_BUCKET_NAME_HERE/*
  14. Return to the Users page Permissions tab
  15. Next to the new Policy select "Edit policy"
  16. Under "Resource", copy the ARN line and paste to the next line below it
  17. From the new pasted line, remove the /* from the end (you should have two identical lines, except that one has /* at the end and one does not).
  18. Add a comma (,) to the end of the first ARN line you copied
  19. See example policy below to see how this should look
  20. Click "Apply policy" to save the changes


Example Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1459964267000",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::YOUR_BUCKET_NAME_HERE/*",
                "arn:aws:s3:::YOUR_BUCKET_NAME_HERE"
            ]
        }
    ]
}

Advanced Method (bucket policy)

Here we will walk you through creating IAM Security Credentials and a Security Policy and then attach said Security Policy to your bucket. You will also obtain your security and access keys during this process.

  1. Log in to the Amazon Web Console at http://console.aws.amazon.com
  2. From the top menu select "Services" then click "IAM".
  3. From the left menu select "Users" or go to https://console.aws.amazon.com/iam/home#users
  4. Click the "Create New Users" button.
  5. Enter a username you wish to create to give access to your bucket. For this example I am entering the username "backupbuddy_test_user".
  6. Click "Show User Security Credentials" to display them.
  7. This is the Access Key and Secret Key you will enter into BackupBuddy when creating the Amazon S3 Remote Destination. Enter them now into BackupBuddy, copy them, or download them for entering later. If you lose these you cannot get them later and will have to generate new keys.
  8. Click "Close" twice to move on.
  9. Click the username you just created to open its details.
  10. Copy the following Security Policy into your favorite text editor or note taking app/site such as Notepad, TextEdit, Typity, Sublime Text 2, etc:
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": [
                          "YOUR_USER_ARN_HERE"
                      ]
                  },
                  "Action": "s3:*",
                  "Resource": [
                      "arn:aws:s3:::YOUR_BUCKET_NAME_HERE",
                      "arn:aws:s3:::YOUR_BUCKET_NAME_HERE/*"
                  ]
              }
          ]
      }
    
  11. Copy the text to the right of "User ARN". It will look something like arn:aws:iam::193065484832:user/backupbuddy_test_user
  12. Paste this "User ARN" in place of "YOUR_USER_ARN_HERE" in the Security Policy above that you pasted into your text editor.
  13. Replace "YOUR_BUCKET_NAME_HERE" with the name of your Amazon S3 Bucket you want to grant this user access to.
  14. From the top menu select "Services" then click "S3" or go to https://console.aws.amazon.com/s3/home
  15. Click the bucket you want to grant access to.
  16. At the upper right, make sure the "Properties" tab/button is selected so you see bucket details on the right.
  17. Expand "Permissions" and click "Edit bucket policy".
  18. Paste the Security Policy from your text editor (that big chunk of text you put your user ARN and bucket name in from above) in this box.
  19. Click "Save".
  20. You can now test this S3 destination in BackupBuddy.

Security Tips

  • You can grant multiple users access to the bucket by adding additional User ARNs into the policy, separated by commas. This lets you easily delete users or remove their access in the future.
  • You can modify the Action permissions to limit user access. For instance, you can block deleting files so that backups don't get accidentally deleted, or even block downloading backups for ultimate security. The following would allow uploading backups but prevent users with access to your BackupBuddy install from downloading or deleting your backups. For a full list of actions see http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html

    "Action": [
        "s3:PutObject",
        "s3:ListBucket"
    ]
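
The upload-only tip above, carried through to a complete bucket policy and a small audit of it. This is an added example, not code from the Codex or from BackupBuddy; the function names, the `Sid` values and the account ID in the sample ARN are constructed for illustration.

```python
import json

# Resource type each action needs (subset used on this page; extend as required).
BUCKET_LEVEL = {"s3:ListBucket"}
OBJECT_LEVEL = {"s3:PutObject", "s3:GetObject", "s3:DeleteObject"}

def upload_only_bucket_policy(bucket, user_arn):
    """Bucket policy granting one IAM user listing and upload, nothing else."""
    principal = {"AWS": [user_arn]}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListBackups", "Effect": "Allow", "Principal": principal,
             "Action": ["s3:ListBucket"],
             "Resource": [f"arn:aws:s3:::{bucket}"]},      # bucket ARN, no /*
            {"Sid": "UploadBackups", "Effect": "Allow", "Principal": principal,
             "Action": ["s3:PutObject"],
             "Resource": [f"arn:aws:s3:::{bucket}/*"]},    # object ARN
        ],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit(policy):
    """Return (statement index, action, problem) for each finding in Allow statements."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        tails = [r.split(":::", 1)[-1] for r in _as_list(stmt.get("Resource", []))]
        has_bucket = any(t == "*" or "/" not in t for t in tails)
        has_object = any(t == "*" or "/" in t for t in tails)
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append((i, action, "wildcard action"))
            elif action in BUCKET_LEVEL and not has_bucket:
                findings.append((i, action, "needs the bucket ARN (no /*)"))
            elif action in OBJECT_LEVEL and not has_object:
                findings.append((i, action, "needs the object ARN (bucket/*)"))
    return findings

if __name__ == "__main__":
    # Placeholder bucket name and constructed user ARN, not real values.
    policy = upload_only_bucket_policy(
        "YOUR_BUCKET_NAME_HERE", "arn:aws:iam::111122223333:user/backupbuddy_test_user")
    print(json.dumps(policy, indent=4))
    print(audit(policy))
```

Note that `s3:PutObject` still lets the user overwrite an existing key, so enable bucket versioning if older backups must survive a compromised site.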

