Using object storage as a backup target
Post Reply
cristiano.cumer
Influencer
Posts: 19
Liked: 8 times
Joined: Nov 23, 2011 11:18 pm
Full Name: Cristianno Cumer
Contact:

IAM permissions for glacier archiving

Post by cristiano.cumer » 1 person likes this post

Hello Forum!

I'm a bit worried about the permission I need to assign to be able to use the archive tier on amazon, is there a way to restrict them to the relevant objects?
Maybe after a the needed IAM / VPC entries have been created.
As it is, the IAM user has too many permissions, at least this is my impression.

Code: Select all

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Sid": "VisualEditor0",
           "Effect": "Allow",
           "Action": [
               "ec2:AuthorizeSecurityGroupIngress",
               "ec2:DescribeInstances",
               "ec2:CreateKeyPair",
               "ec2:DescribeVolumesModifications",
               "iam:CreateRole",
               "s3:CreateBucket",
               "ec2:AttachInternetGateway",
               "iam:PutRolePolicy",
               "ec2:DescribeSnapshots",
               "ec2:AssociateRouteTable",
               "s3:GetBucketObjectLockConfiguration",
               "ec2:DeleteVolume",
               "ec2:StartInstances",
               "ec2:CreateRoute",
               "ec2:CreateInternetGateway",
               "ec2:RevokeSecurityGroupEgress",
               "s3:PutLifecycleConfiguration",
               "ec2:DescribeVolumes",
               "ec2:DescribeAccountAttributes",
               "s3:DeleteObject",
               "ec2:DescribeKeyPairs",
               "iam:GetRole",
               "ec2:ModifyVolume",
               "s3:GetObjectRetention",
               "ec2:CreateTags",
               "ec2:CreateRouteTable",
               "ec2:RunInstances",
               "s3:PutObjectLegalHold",
               "s3:GetObjectLegalHold",
               "ec2:StopInstances",
               "ec2:CreateVolume",
               "s3:ListMultipartUploadParts",
               "ec2:RevokeSecurityGroupIngress",
               "s3:PutObject",
               "s3:GetObject",
               "ec2:CreateSubnet",
               "ec2:DescribeSubnets",
               "ec2:DeleteKeyPair",
               "s3:DeleteObjectVersion",
               "s3:ListBucketVersions",
               "s3:RestoreObject",
               "ec2:CreateVpc",
               "ec2:DescribeDhcpOptions",
               "s3:ListBucket",
               "ec2:DescribeVpcAttribute",
               "s3:AbortMultipartUpload",
               "ec2:DescribeNetworkInterfaces",
               "ec2:DescribeAvailabilityZones",
               "iam:DeleteRolePolicy",
               "ec2:CreateSecurityGroup",
               "ec2:ModifyVpcAttribute",
               "ec2:ModifyInstanceAttribute",
               "s3:DeleteBucket",
               "ec2:AuthorizeSecurityGroupEgress",
               "s3:ListBucketMultipartUploads",
               "ec2:TerminateInstances",
               "ec2:CancelConversionTask",
               "s3:GetBucketVersioning",
               "ec2:DescribeSecurityGroups",
               "ec2:DescribeImages",
               "s3:ListAllMyBuckets",
               "s3:PutObjectRetention",
               "ec2:DescribeVpcs",
               "ec2:DeleteSecurityGroup",
               "ec2:CancelImportTask",
               "s3:GetBucketLocation",
               "s3:GetObjectVersion",
               "ec2:DescribeConversionTasks",
               "ec2:DescribeRouteTables"
           ],
           "Resource": "*"
       }
   ]
}

HannesK
Veeam Software
Posts: 8778
Liked: 1575 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: IAM permissions for glacier archiving

Post by HannesK » 1 person likes this post

Hello,
looks like the information is from https://helpcenter.veeam.com/docs/backu ... ml?ver=110 ?

Sure, if you pre-configure VPC and networks, then you need less permissions. Feel free to reduce permissions as long as everything works. The list above is for users that do "copy & paste" and "next, next, finish" :-)

Best regards,
Hannes

cristiano.cumer
Influencer
Posts: 19
Liked: 8 times
Joined: Nov 23, 2011 11:18 pm
Full Name: Cristianno Cumer
Contact:

Re: IAM permissions for glacier archiving

Post by cristiano.cumer »

Hullo Hannes,

yes, it's the list from the documentation.

I will give a try and reduce the permissions, but it would be helpful to have a guide from Veeam. For example which IAM roles are created and assigned? To whom?
It needs only permission for the S3 bucket I'm closing for archiving? And so on.

Kind regards

Cristiano

HannesK
Veeam Software
Posts: 8778
Liked: 1575 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: IAM permissions for glacier archiving

Post by HannesK » 1 person likes this post

Hello,
agree that we can improve on documenting why we need each permission, as they might not be needed if a customer pre-configures a few things. I talked to the documentation team already.

A general documentation how to assign IAM roles in AWS is out of scope for a Veeam user guide.

Best regards,
Hannes

NTmatter
Influencer
Posts: 21
Liked: 8 times
Joined: Mar 14, 2014 11:16 am
Full Name: Thomas Johnson
Contact:

[MERGED] Tightening S3 Archive Tier Permissions

Post by NTmatter »

Does the Glacier Archive Tier create its resources with a particular prefix, or is there perhaps a more restrictive set of policies that I can use?

As per the Amazon S3 Glacier Storage Permissions document, the IAM user has broad rights to all S3 buckets (CreateBucket, DeleteBucket), all EC2 instances (StopInstances, TerminateInstances, DeleteKeypair, DeleteVolume, CreateVpc), and IAM Roles (PutRolePolicy) in the account. This is a rather large blast radius in the event that credentials are compromised.

Is there any way to constrain these rights at all? Registry keys to enforce some certain names, perhaps? At present, it's possible to restrict the S3 Capacity Tier IAM User to a particular set of buckets based on ARN, Wildcards, IP, and anything else supported by IAM Resource Policies.

veremin
Product Manager
Posts: 18764
Liked: 1888 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: IAM permissions for glacier archiving

Post by veremin » 2 people like this post

You can tighten permissions by pre-creating required resources, as mentioned above.

Also, we are planning to support resource tagging in one of the next product versions. When implemented, this will allow to limit required permissions to resources with the specific (our) tag assigned. However, currently we cannot share any ETA for this feature.

Thanks!

Post Reply

Who is online

Users browsing this forum: No registered users and 3 guests