Required S3 Permissions
We manage a few AWS accounts that our customers use to back up to S3. Each customer is set up with an IAM User and S3 Bucket, and we attach policies to the users to grant them specific S3 actions in order to perform backups and restores in MSP360 (CloudBerry) Backup.
Our list of allowed S3 actions tends to change over time, and we are currently trying to limit the allowed S3 actions on these users without affecting their ability to do backups/restores. What we currently allow is in the attached file: csr-General-S3-Actions.json
I have been looking through documentation for a list of S3 actions that is required by MSP360 in order to perform backups and restores to/from AWS S3, and found the following blog to be the most helpful:
. However, this article states that s3:PutObjectAcl is required, but I have been able to do backups/restores with only the above actions (which only allow s3:PutObject). With that being said, I'm looking for a list of the minimum required permissions for an IAM User to perform backups/restores in MSP360 Backup. A somewhat related blog post: https://www.msp360.com/resources/blog/how-to-sign-up-for-amazon-s3-service-and-connect-to-it/ states to use the account's root user credentials, which we can't do in our case.
Other blogs/articles have mentioned just allowing s3:* on the user, but this isn't allowed in our environment either. The main action that we are trying to remove from our list of allowed actions is s3:ObjectOwnerOverrideToBucketOwner. In some of my testing, I have found that this action is not needed for backups or restores, but we are seeing some weird behavior with customer installations. I want to make sure this isn't a needed action so I don't break any functionality on our existing users.
It's possible that I'm just missing something in the documentation, so any feedback on this is greatly appreciated.
You can do this with CloudBerry Explorer - feel free to run in trial mode if needed:
The link has an example script.
Thanks David, that should work for us.
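Added example, not part of the original thread and not MSP360's or AWS's own code: a small auditor that checks a candidate IAM policy against the constraints stated in the question (no wildcard S3 actions, resources scoped to the customer's bucket, and no grant of the actions under review). The sample policy, the bucket name `example-customer-bucket` and the function names are assumptions, since the attached csr-General-S3-Actions.json is not shown on the page; the sample is not a list of what MSP360 requires.

```python
import fnmatch
import json

# Constructed sample policy: the thread's attachment is not shown, so the
# actions and bucket name here are assumptions, not MSP360's required list.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": "arn:aws:s3:::example-customer-bucket"},
    {"Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject",
                "s3:ObjectOwnerOverrideToBucketOwner"],
     "Resource": "arn:aws:s3:::example-customer-bucket/*"},
    {"Effect": "Allow", "Action": "s3:Put*", "Resource": "*"}
  ]
}
""")

# Actions the question discusses removing or doing without.
UNDER_REVIEW = ["s3:ObjectOwnerOverrideToBucketOwner", "s3:PutObjectAcl"]

def as_list(value):
    # IAM allows a single string or a list for Statement/Action/Resource.
    return value if isinstance(value, list) else [value]

def audit_policy(policy, bucket, under_review=UNDER_REVIEW):
    """Return (statement_index, item, reason) findings for Allow statements."""
    allowed_arns = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append((i, "NotAction", "allows every action not listed"))
        for pattern in as_list(stmt.get("Action", [])):
            if "*" in pattern or "?" in pattern:
                findings.append((i, pattern, "wildcard action"))
            # Action names are case-insensitive; a wildcard can cover a reviewed action.
            for action in under_review:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    findings.append((i, pattern, f"grants {action}"))
        for arn in as_list(stmt.get("Resource", [])):
            if arn not in allowed_arns:
                findings.append((i, arn, "resource outside customer bucket"))
    return findings
```

Running `audit_policy` on a customer's policy before and after an action is removed shows whether a wildcard elsewhere in the policy still grants it.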