HenryA
Enthusiast
Posts: 35
Liked: 4 times
Joined: Aug 16, 2023 5:31 pm
Full Name: Henry Aragon
Contact:

Veeam M365 with Wasabi S3 repository - security questions

Post by HenryA » 1 person likes this post

Good day all.

We have a very simple setup for our Veeam M365 server. It's an all-in-one, running the Veeam M365 server itself, Proxy, and Console on the same Windows VM. We have one Wasabi S3 bucket and a Wasabi account with "BucketAdmin-API" policy attached. This has the two policies "Administrator" and "WasabiAdmin", etc.

We encrypt the backups of our M365 environment, but I am looking into further securing the buckets. Is this document to secure S3 access relevant to my case? https://www.veeam.com/kb3151 <-- it says it's for B&R only, but seems that it would be useful to do it on a bucket accessed by M365 as well.
Mildur
Product Manager
Posts: 10290
Liked: 2747 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Veeam M365 with Wasabi S3 repository - security questions

Post by Mildur » 1 person likes this post

Hi Henry

For VB365, please use KB4046 instead of KB3151: https://www.veeam.com/kb4046

Best,
Fabian
Product Management Analyst @ Veeam Software

Re: Veeam M365 with Wasabi S3 repository - security questions

Post by HenryA »

Hi Fabian.

I should note we are running our Veeam M365 on-premises (hosted in our local vSphere environment). So I think none of those IAM policies are relevant to our case, since we are not hosting the M365 server on any cloud platform.

My knowledge of policies is limited though, so I may be incorrect, but for our case, what might be more useful is to create a bucket policy that allows only one IP to access it (the IP from our Veeam server) and only one Wasabi account to access it. Does that sound right? Any info is greatly appreciated.

Re: Veeam M365 with Wasabi S3 repository - security questions

Post by Mildur »

Hi Henry

Every S3 object storage provider (cloud or on-premise) uses IAM policies to manage access permissions on S3 object storage. The documentation is provided by Wasabi here: https://docs.wasabi.com/docs/creating-a-policy

I have never tested the Account ACL in the bucket options.
But Wasabi throws me a warning that ACLs are deprecated when I try to change it.
Therefore I recommend using IAM policies to configure the access permissions to your buckets.

Best,
Fabian
Product Management Analyst @ Veeam Software

Re: Veeam M365 with Wasabi S3 repository - security questions

Post by HenryA » 1 person likes this post

Hi Fabian. Thank you for your reply. Sorry I might be confusing things unnecessarily.

Currently we have a Wasabi S3 storage service, and one service account that uses programmatic access (user key/secret key) to allow Veeam M365 to connect to Wasabi S3 as a repo and store into our M365 bucket.

The IAM policy assigned to that account is full admin right now. But there's only 2 users in our Wasabi storage right now, my root account, and a subuser service account with only programmatic access, which is where we are connecting Veeam M365.

We just got Veeam Backup and Replication, and I figured this was a good time to start locking down some potential security holes.

I plan to replace the current "allow everything" Administrator policy on the M365 IAM user account with the one in kb4046. That will lock down so that account only has access to its current bucket.

Because now we will be creating new buckets to store B&R data, we will use KB3151 to lock down the Wasabi IAM accounts we will use with the VB&R server.

So my question was more to do with whether, in our case, it was necessary to use these policies instead of the default Administrator ones, but in my research I kind of answered my own question (seems that as a best practice, this is recommended).

Appreciate your help though :)
pat_ren
Service Provider
Posts: 94
Liked: 16 times
Joined: Jan 02, 2024 9:13 am
Full Name: Pat
Contact:

Re: Veeam M365 with Wasabi S3 repository - security questions

Post by pat_ren » 1 person likes this post

I would wait a little bit longer for v8 to release, it will have a lot of new changes, so don't go reinventing anything just yet.

Re: Veeam M365 with Wasabi S3 repository - security questions

Post by Mildur » 1 person likes this post

Hi Henry

Yes, using the security policies in those KBs will provide you with better security.
Imagine a hacker gets access to the VB365 server where you have used a user with the "allow everything" policy. This attacker would also get access to the buckets with the VBR backups.

So it's better to use a dedicated user for each service. Create an account for VB365 with dedicated IAM policies and create an account for VBR with dedicated IAM policies.

You can switch to the new IAM policies today already. But for redesigning your repository/proxy infrastructure, I would, as suggested by Pat, wait for VB365 v8.

Best,
Fabian
Product Management Analyst @ Veeam Software
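
The blast-radius point made in this thread, as an added example that is not part of any post and is not taken from the Veeam KBs: a small audit that reports which buckets an identity policy's Allow statements can reach. The bucket names, the two sample policies and the action list are constructed for illustration, and the `arn:aws:s3:::` resource format is assumed to be what the Wasabi policies use.

```python
import fnmatch

# Constructed sample data: bucket names and policies are illustrative only.
BUCKETS = ["vb365-backups", "vbr-backups"]
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": "arn:aws:s3:::vb365-backups"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::vb365-backups/*"}]}

def _as_list(value):
    # Policy fields may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _allow_statements(policy):
    return [s for s in _as_list(policy["Statement"]) if s.get("Effect") == "Allow"]

def buckets_reachable(policy, all_buckets):
    """Buckets matched by any Allow statement (Deny and Condition are ignored)."""
    reachable = set()
    for stmt in _allow_statements(policy):
        for res in _as_list(stmt.get("Resource", [])):
            # "arn:aws:s3:::bucket/key*" -> "bucket"; a bare "*" stays "*".
            pattern = res.removeprefix("arn:aws:s3:::").split("/", 1)[0]
            reachable |= {b for b in all_buckets if fnmatch.fnmatchcase(b, pattern)}
    return reachable

def audit(policy, own_bucket, all_buckets):
    """Return findings for a service account that should only use own_bucket."""
    findings = []
    for stmt in _allow_statements(policy):
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action", []))):
            findings.append("wildcard action in Allow statement")
    extra = buckets_reachable(policy, all_buckets) - {own_bucket}
    if extra:
        findings.append(f"can reach other buckets: {sorted(extra)}")
    return findings

if __name__ == "__main__":
    for name, pol in [("admin", ADMIN_POLICY), ("scoped", SCOPED_POLICY)]:
        print(name, audit(pol, "vb365-backups", BUCKETS))
```

Because the check ignores Deny statements and Condition blocks, it over-reports reach rather than under-reports it.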