• Ryley Rodriguez
    0
    Hello,

    We manage a few AWS accounts that our customers use to backup to S3. Each customer is setup with an IAM User and S3 Bucket, and we attach policies to the users to grant them specific S3 actions in order to perform backups and restores in MSP360 (CloudBerry) Backup.

    Our list of allowed S3 actions tend to change over time, and we are currently trying to limit the allowed S3 actions on these users without affecting their ability to do backups/restores. What we currently allow is in the attached file: csr-General-S3-Actions.json

    I have been looking through documentation for a list of S3 actions that is required by MSP360 in order to perform backups and restores to/from AWS S3, and found the following blog to be the most helpful: https://www.msp360.com/resources/blog/backup-with-iam-users/ . However, this article states that s3:PutObjectAcl is required, but I have been able to do backups/restores with only the above actions (which only allow s3:PutObject). With that being said, I'm looking for a list of the minimum required permissions for an IAM User to perform backups/restores in MSP360 Backup. A somewhat related blog post: <a href="https://www.msp360.com/resources/blog/how-to-sign-up-for-amazon-s3-service-and-connect-to-it/" target="_blank" rel="nofollow">https://www.msp360.com/resources/blog/how-to-sign-up-for-amazon-s3-service-and-connect-to-it/</a> states to use the account's root user credentials, which we can't do in our case.

    Other blogs/articles have mentioned just allowing s3:* on the user, but this isn't allowed in our environment either. The main action that we are trying to remove from our list of allowed actions is s3:ObjectOwnerOverrideToBucketOwner. In some of my testing, I have found that this action is not needed for backups or restores, but we are seeing some weird behavior with customer installations. I want to make sure this isn't a needed action so I don't break any functionality on our existing users.

    It's possible that I'm just missing something in the documentation, so any feedback on this is greatly appreciated.
    Thanks,
    Ryley

    Attachment
    csr-General-S3-Actions.json (2K)
  • David GugickAccepted Answer
    67
    You can do this with CloudBerry Explorer - feel free to run in trial mode if needed: https://www.msp360.com/resources/blog/backup-with-iam-users/ The link has an example script.
  • Ryley Rodriguez
    0
    thanks David, that should work for us.
bold
italic
underline
strike
code
quote
ulist
image
url
mention
reveal
youtube
tweet
Add a Comment