Wasabi Policy

[flomp]

When reading several documents on the web regarding the implementation of a Capacity Tier using (Wasabi) S3, I found a lot of good documentation. However, I was missing info on how to restrict access to the bucket. I hope this post helps others that have the same problem. Also, I am interested in your comments and opinions - especially if access can be restricted further.

Obviously, I did not want to use the access keys of the Wasabi main user in Veeam. I wanted to create a Sub-User which can only access the Veeam bucket. So this is what I did:

1. Create the bucket as described in the tutorials

2. Create the following policy:

Code: Select all

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::BUCKETNAME",
        "arn:aws:s3:::BUCKETNAME/*"
      ]
    }
  ]
}

3. Create a sub-user and assign this policy - and no other policies

The sub-user does not have `s3:ListAllMyBuckets` rights on `arn:aws:s3:::*`. Therefore, when adding the bucket in Veeam, the "Browse"-Button will not work. You have to enter the bucket name manually.

[HannesK]

Hello,
yes, that's how it is supposed to work

Best regards,
Hannes

[chrisWasabi]

Hello! Veeam has a nice KB that gives you a copy and paste IAM Policy to do this, all you need to do is update your bucket.

https://www.veeam.com/kb3151

[flomp]

Many thanks!
Looks like I missed that KB article...

[chris.childerhose]

Hello! Veeam has a nice KB that gives you a copy and paste IAM Policy to do this, all you need to do is update your bucket.

https://www.veeam.com/kb3151

Great to see this article and thanks for sharing. Will be doing this with my Wasabi account soon.

[flomp]

Hello! Veeam has a nice KB that gives you a copy and paste IAM Policy to do this, all you need to do is update your bucket.

https://www.veeam.com/kb3151

I was just revisiting this topic because I had to do some changes and had a closer look.

Is there a reason, that the `s3:ListBucket` action is allowed for all buckets? I think it should be enough to include it in the `VisualEditor0` part.

[Regnor]

I think the problem is, if you leave out the ListBucket and ListAllMyBuckets permission for all buckets, you won't be able to use the browse button during setup ob the S3 object bucket. But as I've learned, you can then just manually fill in the bucket name and it will work. So, you don't necessarily need those permissions.

[flomp]

For me, it also works if there is only the `s3:ListAllMyBuckets` permission on all buckets.
And yes: you can also manually fill in the bucket name if the `s3:ListAllMyBuckets` is missing - I already did that.

[Regnor]

Well then I have no clue why the s3:ListBucket is there. Perhaps someone else can explain that.

[chrisWasabi]

It used to be that Veeam required ListAllMyBuckets, this was updated in a patch on v11. Depending on how up-to-date you keep the Veeam install, you may have this requirement or not. Looks like the KB has not been reflected with this patch.

https://www.veeam.com/kb4126

Object storage: ListBuckets API call is issued when registering an S3-compatible object storage repository even if a user does not browse for a bucket but rather specifies its name manually. This prevents bucket registration when the ListBuckets permission is missing from the account used to connect to the bucket.

[m.gether]

Hello, I am in the process of designing an MSP structure with Veeam and Wasabi.

At the moment I am at the policys for the Wasabi subusers.

The goal should be that only the own bucket name is visible at Veeam, and the bucket names of the other subusers (customers) are not visible. Furthermore, the subuser should only have the necessary S3 rights and support immutability features.

According to my research, this should be possible with the following IAM attached to the subuser:

Code: Select all

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:GetBucketVersioning",
                "s3:GetBucketObjectLockConfiguration",
                "s3:ListBucketVersions",
                "s3:GetObjectVersion",
                "s3:GetObjectRetention",
                "s3:GetObjectLegalHold",
                "s3:PutObjectRetention",
                "s3:PutObjectLegalHold",
                "s3:DeleteObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::yourbucketname/*",
                "arn:aws:s3:::yourbucketname"
            ]
        }
    ]
}

With the latest version of B&R this should be possible without "s3:ListAllMyBuckets", "s3:ListBucket".

Do you have any suggestions for the IAM to make it even more secure?

Thank you!

Best,

Martin

[veremin]

You are right that the current version of VB&R does not require "s3:ListAllMyBuckets" permission, as long as the bucket name is specified explicitly in the repository wizard.

However, I believe "s3:ListBucket" is still needed to list the content of a particular bucket.

Thanks!

[m.gether]

Thank you for your answer!

In this case, this should be the right IAM:

Code: Select all

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:GetBucketVersioning",
                "s3:GetBucketObjectLockConfiguration",
                "s3:ListBucketVersions",
                "s3:GetObjectVersion",
                "s3:GetObjectRetention",
                "s3:GetObjectLegalHold",
                "s3:PutObjectRetention",
                "s3:PutObjectLegalHold",
                "s3:DeleteObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::yourbucketname/*",
                "arn:aws:s3:::yourbucketname"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": "*"
        }
    ]
}

[veremin]

Seems correct to me. Thanks!

[veremin]

Looks like the KB has not been reflected with this patch.

Good catch, the KB article has been updated. Thanks for raising this!