Maintain control of your Microsoft Office 365 data
asdffdsa6131
Expert
Posts: 109
Liked: 23 times
Joined: Sep 30, 2018 9:03 pm

minimum permissions for s3 bucket policy

Post by asdffdsa6131 »

hello and thanks,

What is the minimum set of S3 permissions for a bucket that is required by VBO365?
Where can I find that policy?

thanks much

Mildur
Veeam Legend
Posts: 987
Liked: 458 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian
Location: Switzerland

Re: minimum permissions for s3 bucket policy

Post by Mildur » 1 person likes this post

VMCE 9 | Veeam Legends 2021
Working with Veeam since 2017 for a VCSP in Switzerland
—————————————————————
VeeamOn 2021: https://www.veeam.com/veeamon

asdffdsa6131
Expert
Posts: 109
Liked: 23 times
Joined: Sep 30, 2018 9:03 pm

Re: minimum permissions for s3 bucket policy

Post by asdffdsa6131 »

sorry, not sure how i missed that.
thanks much,
david

jimmyhurr
Enthusiast
Posts: 28
Liked: 1 time
Joined: Nov 08, 2019 4:32 pm
Full Name: James Hurrell

Re: minimum permissions for s3 bucket policy

Post by jimmyhurr »

I have two tenants backed up by one VBO host. I use two S3 repos (one for each tenant) accessed with the same AWS user. I use this policy for the AWS user, tweaked from the Veeam recommended:

Code:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "VBO_host_public_IP"
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::my_s3_repo1",
                "arn:aws:s3:::my_s3_repo2"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "VBO_host_public_IP"
                }
            }
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:AbortMultipartUpload",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::my_s3_repo1/*",
                "arn:aws:s3:::my_s3_repo2/*"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "VBO_host_public_IP"
                }
            }
        }
    ]
}

Changes from the policy suggested in https://www.veeam.com/kb4046:

1) In the first statement I changed "Resource": "arn:aws:s3:::*" to "Resource": "*" otherwise the policy editor has a warning.
2) I moved "s3:GetBucketLocation" to the second statement, which means that VBO will only be able to see the specific buckets you list under "resource". This is useful if you have other unrelated S3 buckets that you do not want VBO to see.
3) I also added an IP address condition to all statements - access is restricted to the WAN IP address where the VBO host resides.

This works well.
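An added check, written here and not taken from the post or from Veeam, that turns the three intents jimmyhurr describes into a linter you can run on a policy before attaching it to the AWS user: every Allow carries the aws:SourceIp condition, only s3:ListAllMyBuckets gets a "*" resource, and each repository bucket has both a bucket-level and an object-level grant. The sample policy is a constructed copy of the posted one (with `VBO_host_public_IP` kept as the placeholder) in which the third statement deliberately lists `my_s3_repo1/*` twice and omits `my_s3_repo2/*`, the kind of copy-paste slip that is easy to make with two repos, so the check has something to report.

```python
import json

REPOS = ["my_s3_repo1", "my_s3_repo2"]
VBO_IP = "VBO_host_public_IP"  # placeholder, exactly as written in the post
IP_COND = {"IpAddress": {"aws:SourceIp": VBO_IP}}
OBJECT_ACTIONS = {"s3:PutObject", "s3:GetObject", "s3:AbortMultipartUpload", "s3:DeleteObject"}

# Constructed copy of the posted policy as Python dicts; the third statement deliberately
# lists my_s3_repo1/* twice and leaves my_s3_repo2/* out, the slip the checker must catch.
POSTED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*", "Condition": IP_COND},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": [f"arn:aws:s3:::{r}" for r in REPOS], "Condition": IP_COND},
    {"Effect": "Allow", "Action": sorted(OBJECT_ACTIONS),
     "Resource": ["arn:aws:s3:::my_s3_repo1/*", "arn:aws:s3:::my_s3_repo1/*"], "Condition": IP_COND},
]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def check_policy(policy, repos, source_ip):
    """Return findings; an empty list means the policy matches the intent described in the post."""
    findings, seen = [], set()
    bucket_arns = {f"arn:aws:s3:::{r}" for r in repos}
    object_arns = {f"arn:aws:s3:::{r}/*" for r in repos}
    for i, st in enumerate(policy["Statement"]):
        actions = _as_list(st.get("Action", []))
        resources = set(_as_list(st.get("Resource", [])))
        cond_ip = st.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp")
        if st.get("Effect") == "Allow" and cond_ip != source_ip:  # every grant is pinned to the VBO host IP
            findings.append(f"statement {i}: missing aws:SourceIp condition")
        if "*" in resources and actions != ["s3:ListAllMyBuckets"]:  # only ListAllMyBuckets may use "*"
            findings.append(f"statement {i}: wildcard resource on {actions}")
        if OBJECT_ACTIONS & set(actions) and not resources <= object_arns:  # object actions stay object-scoped
            findings.append(f"statement {i}: object actions on {sorted(resources - object_arns)}")
        seen |= resources & (bucket_arns | object_arns)
    for r in repos:  # each repository bucket needs both a bucket-level and an object-level grant
        for arn, level in ((f"arn:aws:s3:::{r}", "bucket"), (f"arn:aws:s3:::{r}/*", "object")):
            if arn not in seen:
                findings.append(f"{r}: no {level}-level grant")
    return findings

def corrected_policy(policy, repos):
    """Deep copy with every object-level statement's Resource rebuilt from the repo list."""
    fixed = json.loads(json.dumps(policy))
    for st in fixed["Statement"]:
        if OBJECT_ACTIONS & set(_as_list(st.get("Action", []))):
            st["Resource"] = [f"arn:aws:s3:::{r}/*" for r in repos]
    return fixed
```

Running `check_policy(POSTED_POLICY, REPOS, VBO_IP)` reports that `my_s3_repo2` has no object-level grant; `corrected_policy` rebuilds that statement's resources from the repo list so the check comes back clean.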

