IAM permissions for glacier archiving

[cristiano.cumer]

Hello Forum!

I'm a bit worried about the permission I need to assign to be able to use the archive tier on amazon, is there a way to restrict them to the relevant objects?
Maybe after a the needed IAM / VPC entries have been created.
As it is, the IAM user has too many permissions, at least this is my impression.

Code: Select all

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Sid": "VisualEditor0",
           "Effect": "Allow",
           "Action": [
               "ec2:AuthorizeSecurityGroupIngress",
               "ec2:DescribeInstances",
               "ec2:CreateKeyPair",
               "ec2:DescribeVolumesModifications",
               "iam:CreateRole",
               "s3:CreateBucket",
               "ec2:AttachInternetGateway",
               "iam:PutRolePolicy",
               "ec2:DescribeSnapshots",
               "ec2:AssociateRouteTable",
               "s3:GetBucketObjectLockConfiguration",
               "ec2:DeleteVolume",
               "ec2:StartInstances",
               "ec2:CreateRoute",
               "ec2:CreateInternetGateway",
               "ec2:RevokeSecurityGroupEgress",
               "s3:PutLifecycleConfiguration",
               "ec2:DescribeVolumes",
               "ec2:DescribeAccountAttributes",
               "s3:DeleteObject",
               "ec2:DescribeKeyPairs",
               "iam:GetRole",
               "ec2:ModifyVolume",
               "s3:GetObjectRetention",
               "ec2:CreateTags",
               "ec2:CreateRouteTable",
               "ec2:RunInstances",
               "s3:PutObjectLegalHold",
               "s3:GetObjectLegalHold",
               "ec2:StopInstances",
               "ec2:CreateVolume",
               "s3:ListMultipartUploadParts",
               "ec2:RevokeSecurityGroupIngress",
               "s3:PutObject",
               "s3:GetObject",
               "ec2:CreateSubnet",
               "ec2:DescribeSubnets",
               "ec2:DeleteKeyPair",
               "s3:DeleteObjectVersion",
               "s3:ListBucketVersions",
               "s3:RestoreObject",
               "ec2:CreateVpc",
               "ec2:DescribeDhcpOptions",
               "s3:ListBucket",
               "ec2:DescribeVpcAttribute",
               "s3:AbortMultipartUpload",
               "ec2:DescribeNetworkInterfaces",
               "ec2:DescribeAvailabilityZones",
               "iam:DeleteRolePolicy",
               "ec2:CreateSecurityGroup",
               "ec2:ModifyVpcAttribute",
               "ec2:ModifyInstanceAttribute",
               "s3:DeleteBucket",
               "ec2:AuthorizeSecurityGroupEgress",
               "s3:ListBucketMultipartUploads",
               "ec2:TerminateInstances",
               "ec2:CancelConversionTask",
               "s3:GetBucketVersioning",
               "ec2:DescribeSecurityGroups",
               "ec2:DescribeImages",
               "s3:ListAllMyBuckets",
               "s3:PutObjectRetention",
               "ec2:DescribeVpcs",
               "ec2:DeleteSecurityGroup",
               "ec2:CancelImportTask",
               "s3:GetBucketLocation",
               "s3:GetObjectVersion",
               "ec2:DescribeConversionTasks",
               "ec2:DescribeRouteTables"
           ],
           "Resource": "*"
       }
   ]
}

[HannesK]

Hello,
looks like the information is from https://helpcenter.veeam.com/docs/backu ... ml?ver=110 ?

Sure, if you pre-configure VPC and networks, then you need less permissions. Feel free to reduce permissions as long as everything works. The list above is for users that do "copy & paste" and "next, next, finish"

Best regards,
Hannes

[cristiano.cumer]

Hullo Hannes,

yes, it's the list from the documentation.

I will give a try and reduce the permissions, but it would be helpful to have a guide from Veeam. For example which IAM roles are created and assigned? To whom?
It needs only permission for the S3 bucket I'm closing for archiving? And so on.

Kind regards

Cristiano

[HannesK]

Hello,
agree that we can improve on documenting why we need each permission, as they might not be needed if a customer pre-configures a few things. I talked to the documentation team already.

A general documentation how to assign IAM roles in AWS is out of scope for a Veeam user guide.

Best regards,
Hannes

[NTmatter]

Does the Glacier Archive Tier create its resources with a particular prefix, or is there perhaps a more restrictive set of policies that I can use?

As per the Amazon S3 Glacier Storage Permissions document, the IAM user has broad rights to all S3 buckets (CreateBucket, DeleteBucket), all EC2 instances (StopInstances, TerminateInstances, DeleteKeypair, DeleteVolume, CreateVpc), and IAM Roles (PutRolePolicy) in the account. This is a rather large blast radius in the event that credentials are compromised.

Is there any way to constrain these rights at all? Registry keys to enforce some certain names, perhaps? At present, it's possible to restrict the S3 Capacity Tier IAM User to a particular set of buckets based on ARN, Wildcards, IP, and anything else supported by IAM Resource Policies.

[veremin]

You can tighten permissions by pre-creating required resources, as mentioned above.

Also, we are planning to support resource tagging in one of the next product versions. When implemented, this will allow to limit required permissions to resources with the specific (our) tag assigned. However, currently we cannot share any ETA for this feature.

Thanks!

[HannesK]

Hello,
we updated the user guide for pre-configured scenarios and those where VBR has to create everything

https://helpcenter.veeam.com/docs/backu ... positories

Best regards,
Hannes

[cristiano.cumer]

Thanks Hannes!