S3 backup remove DeleteObject permission
I have S3 configured as an "Additional Destination" for my cPanel backups. However, in order for the bucket to validate, the bucket policy needs to contain the DeleteObject permission. I'd like to remove that permission so that no one can accidentally (or maliciously) delete backups from this bucket. If I do that, cPanel's retention rules obviously won't work. Other than that, will this cause any issues?
Hi @solventweb1 There wouldn't be a way to allow the bucket to validate without the DeleteObject perms. In theory though, no one should have access to your bucket to make any modifications such as this.
Thanks @cPanelLauren. Yes, I got around that issue by removing the DeleteObject permission after I validated the destination. Everything seems to be working. But I didn't know if that would cause other issues. My concern is that someone with access to the server can also delete the backups. That's what I want to prevent.
> Yes, I got around that issue by removing the DeleteObject permission after I validated the destination. Everything seems to be working. But I didn't know if that would cause other issues.

You might want to confirm the transport is in fact working with that removed now. The only thing I would worry about is it does some validation of the destination before backups are sent over.

> My concern is that someone with access to the server can also delete the backups. That's what I want to prevent.

I do understand this concern; pending you have adequate security measures in place, this shouldn't ever occur though.
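An added example, not part of the original thread or of cPanel's code: a static check that a policy document no longer grants object deletion once DeleteObject has been removed, including wildcard and NotAction grants that a plain text search for "DeleteObject" would miss. The bucket name, Sids and the three sample policies are constructed, Principal is omitted as in an identity policy, and Principal, Resource and Condition are not evaluated.

```python
import fnmatch

# Actions that let a principal remove backup objects.
DELETE_ACTIONS = ("s3:DeleteObject", "s3:DeleteObjectVersion")

def _as_list(value):
    # Policy fields may be a single string/object or a list of them.
    return value if isinstance(value, list) else [value]

def _covers(stmt, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    def hit(patterns):
        return any(fnmatch.fnmatchcase(action.lower(), p.lower())
                   for p in _as_list(patterns))
    if "Action" in stmt:
        return hit(stmt["Action"])
    if "NotAction" in stmt:  # covers everything except the listed actions
        return not hit(stmt["NotAction"])
    return False

def delete_grants(policy):
    """Map each delete action to the Sids of Allow/Deny statements covering it.

    Static check only: Principal, Resource and Condition are not evaluated.
    """
    report = {}
    for action in DELETE_ACTIONS:
        found = {"Allow": [], "Deny": []}
        for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
            if stmt.get("Effect") in found and _covers(stmt, action):
                found[stmt["Effect"]].append(stmt.get("Sid", f"statement[{i}]"))
        report[action] = found
    return report

# Constructed sample policies; bucket name and Sids are placeholders.
BUCKET = "arn:aws:s3:::example-backup-bucket/*"
AS_VALIDATED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "BackupRW", "Effect": "Allow", "Resource": BUCKET,
     "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"]}]}
AFTER_REMOVAL = {"Version": "2012-10-17", "Statement": [
    {"Sid": "BackupRW", "Effect": "Allow", "Resource": BUCKET,
     "Action": ["s3:PutObject", "s3:GetObject"]}]}
WILDCARD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "BackupAll", "Effect": "Allow", "Resource": BUCKET,
     "Action": "s3:*Object"}]}

if __name__ == "__main__":
    for name, pol in [("as validated", AS_VALIDATED),
                      ("after removal", AFTER_REMOVAL), ("wildcard", WILDCARD)]:
        print(name, delete_grants(pol))
```

An empty Allow list for every delete action is what the edited policy should show; any Sid listed there still permits deletion with the credentials stored on the server.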