Difference between revisions of "BackupBuddy Remote Destinations: Amazon S3"

From iThemes Codex
(S3 Security Credentials)
(Simple Method (inline user policy))
 
(5 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
Amazon Simple Storage Service (Amazon S3) is a well known cloud storage provider. This destination is known to be reliable and works well with BackupBuddy. For more information about Amazon S3, visit http://aws.amazon.com/s3/.
 
Amazon Simple Storage Service (Amazon S3) is a well known cloud storage provider. This destination is known to be reliable and works well with BackupBuddy. For more information about Amazon S3, visit http://aws.amazon.com/s3/.
  
=Adding Amazon S3 as a Remote Destination=
 
  
#Once on the [[BackupBuddy_Remote_Destinations:_Introduction|Remote Destinations]] page, click the '''+Add New''' button to add your Amazon S3 destination.<br /><br /><br />[[File:AddS3Destination.png|AddS3Destination.png|link=]]<br /><br /><br />
+
==Simple Method (inline user policy)==
#In the '''Add New Destination''' window, add the following information:<br /><br /><br />[[File:AmazonS3Settings.png|AmazonS3Settings.png|link=]]<br /><br /><br />
+
This is the easiest method for granting permission to access an S3 bucket to BackupBuddy.
##'''Destination name''' - Name of the new destination to create. This is for your convenience only.
+
<ol>
##'''AWS access key''' - [Example: BSEGHGSDEUOXSQOPGSBE] - Log in to your Amazon S3 AWS Account and navigate to Account: Access Credentials: Security Credentials
+
<li>Log in to the Amazon Web Console at http://console.aws.amazon.com</li>
##'''AWS secret key''' - [Example: GHOIDDWE56SDSAZXMOPR] - Log in to your Amazon S3 AWS Account and navigate to Account: Access Credentials: Security Credentials.
+
<li>From the top menu select "Services" then click "IAM".</li>
##'''Bucket name''' - [Example: wordpress_backups] - This bucket will be created for you automatically if it does not already exist. Bucket names must be globally unique amongst all Amazon S3 users.
+
<li>From the left menu select "Users" or go to https://console.aws.amazon.com/iam/home#users</li>
##'''Directory''' - [Example: backupbuddy] - Directory name to place the backup within.
+
<li>Click the "Create New Users" button.</li>
##'''Archive limit''' - [Example: 5] - Enter 0 for no limit. This is the maximum number of archives to be stored in this specific destination. If this limit is met the oldest backups will be deleted.
+
<li>Enter a username you wish to create to give access to your bucket. For this example I am entering the username "backupbuddy_test_user".</li>
##'''Encrypt connection''' - [Default: enabled] - When enabled, all transfers will be encrypted with SSL encryption. Please note that encryption introduces overhead and may slow down the transfer. If Amazon S3 sends are failing try disabling this feature to speed up the process.  Note that 32-bit servers cannot encrypt transfers of 2GB or larger with SSL, causing large file transfers to fail.<br /><br />
+
<li>Click "Show User Security Credentials" to display them.</li>
#Once you've entered all of your settings, you'll want to test your settings before adding the destination.<br /><br />
+
<li>This is the '''Access Key''' and '''Secret Key''' you will enter into BackupBuddy when creating the Amazon S3 Remote Destination. Enter them now into BackupBuddy, copy them, or download them for entering later. If you lose these you cannot get them later & will have to generate new keys.</li>
#Your new location will now show on the Remote Destinations page in BackupBuddy.  If you need to change your settings, click the gear symbol to the right of the destination.<br /><br /><br />[[File:S3Existing.png|S3Existing.png|link=]]<br /><br /><br />
+
<li>Click "Close" twice to move on.</li>
 +
<li>Click the username you just created to open its details.</li>
 +
<li>Select the "Permissions" tab.</li>
 +
<li>Under Inline Policies (click to expand), you will see "There are no inline policies to show. To create one, click here".</li>
 +
<li>Click where it says "click here".</li>
 +
<li>Choose "Policy Generator" and click "Select".
 +
<ul>
 +
<li>Effect: Allow</li>
 +
<li>AWS Service: Amazon S3</li>
 +
<li>Actions: All Actions</li>
 +
<li>Amazon Resource Name (ARN): arn:aws:s3:::YOUR_BUCKET_NAME_HERE/*</li>
 +
</ul>
 +
</li>
 +
<li>Return to the Users page Permissions tab</li>
 +
<li>Next to the new Policy select "Edit policy"</li>
 +
<li>Under "Resource", copy the ARN line and paste to the next line below it</li>
 +
<li>From the new pasted line remove the /* from the end (should have two identical lines except one as /* at the end and one does not</li>
 +
<li>Add a comma (,) to the end of the first ARN line you copied</li>
 +
<li>See example policy below to see how this should look</li>
 +
<li>Click "Apply policy" to save the changes</li>
 +
</ol>
  
  
==S3 Security Credentials==
+
'''Example Policy:'''
Here we will walk you through creating IAM Security Credentials and a Security Policy and then attach said Security Policy to your bucket.
+
<pre>
 +
{
 +
    "Version": "2012-10-17",
 +
    "Statement": [
 +
        {
 +
            "Sid": "Stmt1459964267000",
 +
            "Effect": "Allow",
 +
            "Action": [
 +
                "s3:*"
 +
            ],
 +
            "Resource": [
 +
                "arn:aws:s3:::YOUR_BUCKET_NAME_HERE/*",
 +
                "arn:aws:s3:::YOUR_BUCKET_NAME_HERE"
 +
            ]
 +
        }
 +
    ]
 +
}
 +
</pre>
  
 +
==Advanced Method (bucket policy)==
 +
Here we will walk you through creating IAM Security Credentials and a Security Policy and then attach said Security Policy to your bucket. You will also obtain your security and access keys during this process.
 
<ol>
 
<ol>
 
<li>Log in to the Amazon Web Console at http://console.aws.amazon.com</li>
 
<li>Log in to the Amazon Web Console at http://console.aws.amazon.com</li>
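Review bot: The added Example Policy sets "Action": ["s3:*"] on both the bucket ARN and the /* object ARN, so the access key pasted into BackupBuddy can download and delete every backup and change the bucket's own settings. Consider narrowing the example's action list to what a backup destination needs, or pointing from the step list to the Security Tips section. The added step "From the new pasted line remove the /* from the end (should have two identical lines except one as /* at the end and one does not" also has an unclosed parenthesis and "as" where "has" is meant.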
Line 26: Line 64:
 
<li>Enter a username you wish to create to give access to your bucket. For this example I am entering the username "backupbuddy_test_user".</li>
 
<li>Enter a username you wish to create to give access to your bucket. For this example I am entering the username "backupbuddy_test_user".</li>
 
<li>Click "Show User Security Credentials" to display them.</li>
 
<li>Click "Show User Security Credentials" to display them.</li>
<li>These are the access keys you will enter into BackupBuddy when creating the Amazon S3 Remote Destination. Enter them now into BackupBuddy, copy them, or download them for entering later. If you lose these you cannot get them later & will have to generate new keys.</li>
+
<li>This is the '''Access Key''' and '''Secret Key''' you will enter into BackupBuddy when creating the Amazon S3 Remote Destination. Enter them now into BackupBuddy, copy them, or download them for entering later. If you lose these you cannot get them later & will have to generate new keys.</li>
 
<li>Click "Close" twice to move on.</li>
 
<li>Click "Close" twice to move on.</li>
 
<li>Click the username you just created to open its details.</li>
 
<li>Click the username you just created to open its details.</li>
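Review bot: In the reworded list item, "This is the '''Access Key''' and '''Secret Key'''" pairs a singular verb with a plural subject, and the bare "&" in "later & will have to" reads better as "and"; suggest "These are the Access Key and Secret Key you will enter ...". Since the item tells readers to copy or download the keys, it would help to add that the saved copy should be kept somewhere protected.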
Line 60: Line 98:
 
<li>Click "Save".</li>
 
<li>Click "Save".</li>
 
<li>You can now test this S3 destination in BackupBuddy.</li>
 
<li>You can now test this S3 destination in BackupBuddy.</li>
 +
</ol>
  
 
==Security Tips==
 
==Security Tips==

Latest revision as of 18:30, 6 April 2016

Amazon Simple Storage Service (Amazon S3) is a well-known cloud storage provider. This destination is known to be reliable and works well with BackupBuddy. For more information about Amazon S3, visit http://aws.amazon.com/s3/.


Simple Method (inline user policy)

This is the easiest method for granting BackupBuddy permission to access an S3 bucket.

  1. Log in to the Amazon Web Console at http://console.aws.amazon.com
  2. From the top menu select "Services" then click "IAM".
  3. From the left menu select "Users" or go to https://console.aws.amazon.com/iam/home#users
  4. Click the "Create New Users" button.
  5. Enter a username you wish to create to give access to your bucket. For this example I am entering the username "backupbuddy_test_user".
  6. Click "Show User Security Credentials" to display them.
  7. These are the Access Key and Secret Key you will enter into BackupBuddy when creating the Amazon S3 Remote Destination. Enter them now into BackupBuddy, copy them, or download them for entering later. If you lose these you cannot get them later and will have to generate new keys.
  8. Click "Close" twice to move on.
  9. Click the username you just created to open its details.
  10. Select the "Permissions" tab.
  11. Under Inline Policies (click to expand), you will see "There are no inline policies to show. To create one, click here".
  12. Click where it says "click here".
  13. Choose "Policy Generator" and click "Select".
    • Effect: Allow
    • AWS Service: Amazon S3
    • Actions: All Actions
    • Amazon Resource Name (ARN): arn:aws:s3:::YOUR_BUCKET_NAME_HERE/*
  14. Return to the Users page Permissions tab.
  15. Next to the new Policy select "Edit policy".
  16. Under "Resource", copy the ARN line and paste it on the next line below it.
  17. From the newly pasted line remove the /* from the end (you should have two identical lines, except that one has /* at the end and one does not).
  18. Add a comma (,) to the end of the first ARN line you copied.
  19. See the example policy below to see how this should look.
  20. Click "Apply policy" to save the changes.


Example Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1459964267000",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::YOUR_BUCKET_NAME_HERE/*",
                "arn:aws:s3:::YOUR_BUCKET_NAME_HERE"
            ]
        }
    ]
}

Advanced Method (bucket policy)

Here we will walk you through creating IAM Security Credentials and a Security Policy and then attach said Security Policy to your bucket. You will also obtain your security and access keys during this process.

  1. Log in to the Amazon Web Console at http://console.aws.amazon.com
  2. From the top menu select "Services" then click "IAM".
  3. From the left menu select "Users" or go to https://console.aws.amazon.com/iam/home#users
  4. Click the "Create New Users" button.
  5. Enter a username you wish to create to give access to your bucket. For this example I am entering the username "backupbuddy_test_user".
  6. Click "Show User Security Credentials" to display them.
  7. These are the Access Key and Secret Key you will enter into BackupBuddy when creating the Amazon S3 Remote Destination. Enter them now into BackupBuddy, copy them, or download them for entering later. If you lose these you cannot get them later and will have to generate new keys.
  8. Click "Close" twice to move on.
  9. Click the username you just created to open its details.
  10. Copy the following Security Policy into your favorite text editor or note taking app/site such as Notepad, TextEdit, Typity, Sublime Text 2, etc:
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": [
                          "YOUR_USER_ARN_HERE"
                      ]
                  },
                  "Action": "s3:*",
                  "Resource": [
                      "arn:aws:s3:::YOUR_BUCKET_NAME_HERE",
                      "arn:aws:s3:::YOUR_BUCKET_NAME_HERE/*"
                  ]
              }
          ]
      }
    
  11. Copy the text to the right of "User ARN". It will look something like arn:aws:iam::193065484832:user/backupbuddy_test_user
  12. Paste this "User ARN" in place of "YOUR_USER_ARN_HERE" in the Security Policy above that you pasted into your text editor.
  13. Replace "YOUR_BUCKET_NAME_HERE" with the name of your Amazon S3 Bucket you want to grant this user access to.
  14. From the top menu select "Services" then click "S3" or go to https://console.aws.amazon.com/s3/home
  15. Click the bucket you want to grant access to.
  16. At the upper right, make sure the "Properties" tab/button is selected so you see bucket details on the right.
  17. Expand "Permissions" and click "Edit bucket policy".
  18. Paste the Security Policy from your text editor (that big chunk of text you put your user ARN and bucket name in from above) in this box.
  19. Click "Save".
  20. You can now test this S3 destination in BackupBuddy.

Security Tips

  • You can grant multiple users access to the bucket by adding additional User ARNs into the policy, separated by commas. This lets you easily delete users or remove their access in the future.
  • You can modify Action permissions to limit user access. For instance, you can block users from deleting files so that backups don't get accidentally deleted, or even from downloading backups for ultimate security. The following would allow uploading backups but prevent users with access to your BackupBuddy install from downloading your backups or deleting them. For a full list of actions see http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html
    "Action": [
        "s3:PutObject",
        "s3:ListBucket"
    ]
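
Added example (not part of the original Codex page or BackupBuddy's own code): a small Python audit that reports which sensitive actions the `s3:*` policies above grant, and builds the narrowed upload-only bucket policy this tip describes. The `SENSITIVE` shortlist and the function names are assumptions made for illustration.

```python
import re

# Shortlist of actions the Security Tips want withheld (constructed, not the full S3 list).
SENSITIVE = ["s3:GetObject", "s3:DeleteObject", "s3:DeleteBucket", "s3:PutBucketPolicy"]

# The page's Example Policy, placeholder bucket name left as-is.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:*"],
        "Resource": ["arn:aws:s3:::YOUR_BUCKET_NAME_HERE/*",
                     "arn:aws:s3:::YOUR_BUCKET_NAME_HERE"],
    }],
}

def _as_list(value):
    # IAM accepts a single string or a list for Action, Resource and Statement.
    return list(value) if isinstance(value, (list, tuple)) else [value]

def _matches(pattern, action):
    # IAM wildcards: '*' is any run of characters, '?' is one; action names ignore case.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, action, re.IGNORECASE) is not None

def audit(policy):
    """Map each sensitive action an Allow statement grants to the resources it covers."""
    findings = {}
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action in SENSITIVE:
                if _matches(pattern, action):
                    findings.setdefault(action, []).extend(_as_list(stmt.get("Resource", [])))
    return findings

def upload_only_policy(bucket, user_arn):
    """Bucket policy in the Advanced Method's shape, narrowed to the two tip actions."""
    principal = {"AWS": [user_arn]}
    return {"Version": "2012-10-17", "Statement": [
        # s3:ListBucket is a bucket-level action, so it takes the bare bucket ARN.
        {"Effect": "Allow", "Principal": principal, "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{bucket}"},
        # s3:PutObject is an object-level action, so it takes the /* object ARN.
        {"Effect": "Allow", "Principal": principal, "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{bucket}/*"},
    ]}

if __name__ == "__main__":
    for action, resources in audit(PAGE_POLICY).items():
        print(action, "->", resources)
```

Splitting the two actions across two statements also shows why the page's policies list both ARNs: bucket-level actions apply to the bare bucket ARN and object-level actions to the `/*` ARN.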

