Maintain control of your Microsoft 365 data
Post Reply
asdffdsa6131
Expert
Posts: 121
Liked: 24 times
Joined: Sep 30, 2018 9:03 pm
Contact:

minimum permissions for s3 bucket policy

Post by asdffdsa6131 »

hello and thanks,

what are the minimum set of s3 permissions for a bucket that is required by VBO365.
where can i find that policy?

thanks much
Mildur
Product Manager
Posts: 8549
Liked: 2223 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: minimum permissions for s3 bucket policy

Post by Mildur » 1 person likes this post

Product Management Analyst @ Veeam Software
asdffdsa6131
Expert
Posts: 121
Liked: 24 times
Joined: Sep 30, 2018 9:03 pm
Contact:

Re: minimum permissions for s3 bucket policy

Post by asdffdsa6131 »

sorry, not sure how i missed that.
thanks much,
david
jimmyhurr
Enthusiast
Posts: 32
Liked: 4 times
Joined: Nov 08, 2019 4:32 pm
Full Name: James Hurrell
Contact:

Re: minimum permissions for s3 bucket policy

Post by jimmyhurr »

I have two tenants backed up by one VBO host. I use two S3 repos (one for each tenant) accessed with the same AWS user. I use this policy for the AWS user, tweaked from the Veeam recommended:

Code: Select all

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "VBO_host_public_IP"
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::my_s3_repo1",
                "arn:aws:s3:::my_s3_repo2"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "VBO_host_public_IP"
                }
            }
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:AbortMultipartUpload",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::my_s3_repo1/*",
                "arn:aws:s3:::my_s3_repo1/*"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "VBO_host_public_IP"
                }
            }
        }
    ]
}
Changes from the policy suggested in https://www.veeam.com/kb4046:

1) In the first statement I changed "Resource": "arn:aws:s3:::*" to "Resource": "*" otherwise the policy editor has a warning.
2) I moved "s3:GetBucketLocation" to the second statement, which means that VBO will only be able to see the specific buckets you list under "resource". This is useful if you have other unrelated S3 buckets that you do not want VBO to see.
3) I also add an IP address condition for all statements - access is restricted to the WAN IP address where the VBO hosts resides.

This works well.
Post Reply

Who is online

Users browsing this forum: No registered users and 6 guests