BackupBuddy Remote Destinations: Amazon S3

From iThemes Codex
Revision as of 18:30, 10 August 2015 by Dustin (talk | contribs)

Amazon Simple Storage Service (Amazon S3) is a well-known cloud storage provider. This destination is known to be reliable and works well with BackupBuddy. For more information about Amazon S3, visit http://aws.amazon.com/s3/.

S3 Security Credentials

Here we will walk you through creating IAM Security Credentials and a Security Policy, and then attaching that Security Policy to your bucket. You will also obtain your access key and secret key during this process.

  1. Log in to the Amazon Web Console at http://console.aws.amazon.com
  2. From the top menu select "Services" then click "IAM".
  3. From the left menu select "Users" or go to https://console.aws.amazon.com/iam/home#users
  4. Click the "Create New Users" button.
  5. Enter a username you wish to create to give access to your bucket. For this example I am entering the username "backupbuddy_test_user".
  6. Click "Show User Security Credentials" to display them.
  7. This is the Access Key and Secret Key you will enter into BackupBuddy when creating the Amazon S3 Remote Destination. Enter them now into BackupBuddy, copy them, or download them for entering later. If you lose these keys you cannot retrieve them later and will have to generate new keys.
  8. Click "Close" twice to move on.
  9. Click the username you just created to open its details.
  10. Copy the following Security Policy into your favorite text editor or note taking app/site such as Notepad, TextEdit, Typity, Sublime Text 2, etc:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "YOUR_USER_ARN_HERE"
                    ]
                },
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::YOUR_BUCKET_NAME_HERE",
                    "arn:aws:s3:::YOUR_BUCKET_NAME_HERE/*"
                ]
            }
        ]
    }
    
  11. Copy the text to the right of "User ARN". It will look something like arn:aws:iam::193065484832:user/backupbuddy_test_user
  12. Paste this "User ARN" over "YOUR_USER_ARN_HERE" in the Security Policy above that you pasted into your text editor.
  13. Replace "YOUR_BUCKET_NAME_HERE" with the name of your Amazon S3 Bucket you want to grant this user access to.
  14. From the top menu select "Services" then click "S3" or go to https://console.aws.amazon.com/s3/home
  15. Click the bucket you want to grant access to.
  16. At the upper right, make sure the "Properties" tab/button is selected so you see bucket details on the right.
  17. Expand "Permissions" and click "Edit bucket policy".
  18. Paste the Security Policy from your text editor (that big chunk of text you put your user ARN and bucket name in from above) in this box.
  19. Click "Save".
  20. You can now test this S3 destination in BackupBuddy.

Security Tips

  • You can grant multiple users access to the bucket by adding additional User ARNs into the policy, separated by commas. This lets you easily delete users or remove their access in the future.
  • You can modify the Action permissions to limit user access in place of the "s3:*" used in the policy above, which allows every S3 action on the bucket. For instance, you can block deleting files so backups don't get accidentally deleted, or even block downloading backups for ultimate security. The following allows uploading backups but prevents users with access to your BackupBuddy install from downloading or deleting your backups. For a full list of actions see http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html
    "Action": [
        "s3:PutObject",
        "s3:ListBucket"
    ]
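
The two tips above combined, as an added example (not BackupBuddy or iThemes code): a script that builds the upload-only bucket policy for one or more User ARNs and reports any allowed action beyond upload and list in an existing policy. It goes slightly further than the snippet above by scoping s3:ListBucket to the bucket and s3:PutObject to the objects in it. The function names and the bucket name "example-backups" are assumptions; the User ARN is the example from step 11.

```python
import json
import re

ALLOWED = {"s3:putobject", "s3:listbucket"}   # the page's upload-only actions
USER_ARN = re.compile(r"arn:aws:iam::\d{12}:user/[\w+=,.@/-]+", re.ASCII)

def build_upload_only_policy(bucket, user_arns):
    """Bucket policy that lets the given IAM users upload and list only."""
    if not bucket or any(c in bucket for c in "*?/"):
        raise ValueError(f"bad bucket name: {bucket!r}")
    bad = [a for a in user_arns if not USER_ARN.fullmatch(a)]
    if bad or not user_arns:
        raise ValueError(f"expected IAM user ARNs, got: {bad}")
    principal = {"AWS": sorted(set(user_arns))}
    return {
        "Version": "2012-10-17",
        "Statement": [
            # ListBucket is a bucket-level action: bucket ARN only.
            {"Effect": "Allow", "Principal": principal,
             "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
            # PutObject is an object-level action: objects under the bucket.
            {"Effect": "Allow", "Principal": principal,
             "Action": "s3:PutObject",
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }

def extra_actions(policy):
    """Allowed actions beyond upload + list (IAM action names ignore case)."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement is legal
        statements = [statements]
    found = set()
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        found.update(a for a in actions if a.lower() not in ALLOWED)
    return sorted(found)

if __name__ == "__main__":
    # User ARN is the page's example; the bucket name is constructed.
    arn = "arn:aws:iam::193065484832:user/backupbuddy_test_user"
    policy = build_upload_only_policy("example-backups", [arn])
    print(json.dumps(policy, indent=4))
    print("extra actions:", extra_actions(policy))
```

The printed JSON is what you would paste into the "Edit bucket policy" box in step 18 instead of the "s3:*" policy.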

