Hello and thanks,
What is the minimum set of S3 permissions for a bucket that is required by VBO365?
Where can I find that policy?
Thanks much
- Expert
- Joined: Sep 30, 2018 9:03 pm
- Product Manager
- Full Name: Fabian K.
- Location: Switzerland
- Joined: May 13, 2017 4:51 pm
Re: minimum permissions for s3 bucket policy
Product Management Analyst @ Veeam Software
- Expert
- Joined: Sep 30, 2018 9:03 pm
Re: minimum permissions for s3 bucket policy
Sorry, not sure how I missed that.
Thanks much,
David
- Enthusiast
- Full Name: James Hurrell
- Joined: Nov 08, 2019 4:32 pm
Re: minimum permissions for s3 bucket policy
I have two tenants backed up by one VBO host. I use two S3 repos (one for each tenant) accessed with the same AWS user. I use this policy for the AWS user, tweaked from the Veeam-recommended one:
Changes from the policy suggested in https://www.veeam.com/kb4046:
1) In the first statement I changed "Resource": "arn:aws:s3:::*" to "Resource": "*" otherwise the policy editor has a warning.
2) I moved "s3:GetBucketLocation" to the second statement, which means that VBO will only be able to see the specific buckets you list under "resource". This is useful if you have other unrelated S3 buckets that you do not want VBO to see.
3) I also add an IP address condition for all statements - access is restricted to the WAN IP address where the VBO host resides.
This works well.
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "VBO_host_public_IP"
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::my_s3_repo1",
                "arn:aws:s3:::my_s3_repo2"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "VBO_host_public_IP"
                }
            }
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:AbortMultipartUpload",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::my_s3_repo1/*",
                "arn:aws:s3:::my_s3_repo2/*"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "VBO_host_public_IP"
                }
            }
        }
    ]
}
```
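The least-privilege shape this post describes (every statement IP-conditioned, bucket and object actions pinned to the named repo buckets, nothing else granted), turned into a check you can run on a candidate policy document before attaching it to the VBO user. This is an added example, not Veeam's or the poster's code; the action list is taken from the policy above, the IP placeholder and bucket names are the post's, and the sample policy is constructed with a deliberate copy/paste slip so the check has something to find.

```python
import copy
PREFIX = "arn:aws:s3:::"
# Action set taken from the policy quoted in the post (assumed to be the full VBO365 requirement).
ACCOUNT_ACTIONS = {"s3:ListAllMyBuckets"}
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}
OBJECT_ACTIONS = {"s3:PutObject", "s3:GetObject", "s3:AbortMultipartUpload", "s3:DeleteObject"}
def _as_list(v):
    return v if isinstance(v, list) else [v]

def audit_policy(policy, expected_buckets, allowed_ip):
    """List where the policy is broader or narrower than the post's shape; [] means it matches."""
    findings, bucket_seen, object_seen = [], set(), set()
    for s in policy["Statement"]:
        sid = s.get("Sid", "?")
        if s.get("Effect") != "Allow":
            continue  # explicit Deny statements only ever narrow access
        if s.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp") != allowed_ip:
            findings.append(f"{sid}: missing or wrong aws:SourceIp condition")
        for action in _as_list(s["Action"]):
            if action in ACCOUNT_ACTIONS:
                continue  # account-wide bucket listing legitimately uses Resource "*"
            for res in _as_list(s["Resource"]):
                name = res[len(PREFIX):] if res.startswith(PREFIX) else ""
                if action in BUCKET_ACTIONS and name and "*" not in name:
                    bucket_seen.add(name)
                elif action in OBJECT_ACTIONS and name.endswith("/*") and "*" not in name[:-2]:
                    object_seen.add(name[:-2])
                else:  # wildcard bucket, action outside the VBO set, or malformed ARN
                    findings.append(f"{sid}: {action} on {res} is outside the expected VBO scope")
    for level, seen in (("bucket-level", bucket_seen), ("object-level", object_seen)):
        findings += [f"{b}: no {level} access granted" for b in sorted(expected_buckets - seen)]
        findings += [f"{b}: {level} access granted to an unrelated bucket" for b in sorted(seen - expected_buckets)]
    return findings
IP = "VBO_host_public_IP"  # placeholder value, as in the post

def _stmt(sid, actions, resources):
    return {"Sid": sid, "Effect": "Allow", "Action": actions, "Resource": resources,
            "Condition": {"IpAddress": {"aws:SourceIp": IP}}}
# Constructed sample shaped like the posted policy, with a deliberate copy/paste slip:
# the object-level statement names my_s3_repo1 twice and my_s3_repo2 not at all.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    _stmt("VisualEditor0", "s3:ListAllMyBuckets", "*"),
    _stmt("VisualEditor1", sorted(BUCKET_ACTIONS), [PREFIX + "my_s3_repo1", PREFIX + "my_s3_repo2"]),
    _stmt("VisualEditor2", sorted(OBJECT_ACTIONS), [PREFIX + "my_s3_repo1/*", PREFIX + "my_s3_repo1/*"]),
]}
def corrected_policy():
    p = copy.deepcopy(SAMPLE_POLICY)
    p["Statement"][2]["Resource"][1] = PREFIX + "my_s3_repo2/*"
    return p
```

Running `audit_policy(SAMPLE_POLICY, {"my_s3_repo1", "my_s3_repo2"}, IP)` reports that my_s3_repo2 has no object-level access, which the slip would otherwise only surface as a failed backup job; the corrected copy returns no findings.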