Minimum permissions to back up accounts into Amazon S3
As we know, we can use cPanel to copy backup files into Amazon S3 using "Additional Destinations" in the Backup Configuration.
There may be articles talking about how to do that; today I am just discussing the S3 permissions only.
As many articles describe, we can use "Security Credentials" to access the S3 bucket; we can also use IAM to create a new user and give it full access to S3.
Actually I have used both methods, but I am looking at this from a security point of view.
If we use the Security Credentials, we give the cPanel server full permission to control our whole Amazon account, and if we create an IAM user and give it full access to S3 buckets,
why should we do that when we just want to give the user access to a single bucket only? That way, if anything happens, it will affect one single bucket only, not the whole Amazon account or all S3 buckets.
In the past I used s3cmd to manually copy the backup files to Amazon S3, and I used a one-way strategy to copy the files from the cPanel server to S3 (I mean the cPanel server had the PutObject permission only and did not have permission to delete or get the files from S3), and it was awesome.
When I try to use the same access policy with cPanel Additional Destinations, it says access denied. I have tried many policies and the same problem occurred.
Here is the policy I have used:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1425965910000",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::bucketnamehere"
      ]
    },
    {
      "Sid": "Stmt1425965927000",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::bucketnamehere/*"
      ]
    }
  ]
}
So does anyone know what the minimum permissions are to back up accounts into Amazon S3?
Thanks
Hello, We document the recommended Amazon S3 bucket policy at: Backup Configuration - Version 68 Documentation - cPanel Documentation Could you review this document and let us know if it helps? Thank you.
Hello, We document the recommended Amazon S3 bucket policy at: Backup Configuration - Version 68 Documentation - cPanel Documentation Could you review this document and let us know if it helps? Thank you.
I have checked.
Okay, that means cPanel needs to delete files from S3 for retention, so anyone who has the access key and secret key can delete files from S3. The question is: does cPanel store the secret key encrypted, or in plain text? In one scenario, let's say that the server has been hacked and the hacker has the root password, so the hacker can see the S3 secret key and can also use some external tools with the secret key to delete the backup files, and the result will be terrible (server hacked and remote backup deleted). It's for the retention functionality in backups:
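A small IAM policy evaluator, added here as an example (it is not code from this thread or from cPanel), that runs the policy posted above through IAM's explicit-Deny / Allow / implicit-deny logic for the S3 calls a remote-backup transport makes. It shows why a PutObject-only policy cannot support retention (no s3:ListBucket or s3:DeleteObject is granted), flags the two grants in the posted policy that sit on the wrong ARN level (PutObject on the bare bucket ARN and GetBucketLocation on bucket/* do nothing), and shows how an explicit Deny can still pin a key to one-way uploads. RETENTION_POLICY, the object key, and the exact set of calls checked are assumptions of mine; the policy cPanel actually recommends is in the documentation linked later in the thread.

```python
"""Minimal IAM identity-policy evaluator for the S3 calls a backup transport makes.

Added example; the posted policy is embedded verbatim, RETENTION_POLICY is a
hypothetical extension (assumption, not cPanel's documented recommendation).
"""
import fnmatch
import json

# Policy from the original post, verbatim apart from whitespace.
OP_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Stmt1425965910000", "Effect": "Allow",
     "Action": ["s3:GetBucketLocation", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::bucketnamehere"]},
    {"Sid": "Stmt1425965927000", "Effect": "Allow",
     "Action": ["s3:GetBucketLocation", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::bucketnamehere/*"]}
  ]
}
""")

# HYPOTHETICAL: same bucket, with list and delete added because the thread
# states cPanel deletes old backups for retention. Verify against cPanel's docs.
RETENTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BucketLevel", "Effect": "Allow",
         "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::bucketnamehere"]},
        {"Sid": "ObjectLevel", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
         "Resource": ["arn:aws:s3:::bucketnamehere/*"]},
    ],
}

BUCKET_ARN = "arn:aws:s3:::bucketnamehere"
OBJECT_ARN = BUCKET_ARN + "/2024-01-01/accounts/example.tar.gz"  # constructed key

# S3 evaluates these against the bare bucket ARN ...
BUCKET_LEVEL = {"s3:listbucket", "s3:getbucketlocation"}
# ... and these against bucket/key ARNs.
OBJECT_LEVEL = {"s3:putobject", "s3:getobject", "s3:deleteobject"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    # IAM wildcards: '*' matches any run of characters (including '/'),
    # '?' matches exactly one. fnmatchcase implements that for these strings.
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """Identity-policy logic: explicit Deny wins, then any Allow, else implicit deny."""
    action = action.lower()  # action names are case-insensitive in IAM
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_match(a.lower(), action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def check_backup_operations(policy, bucket=BUCKET_ARN, obj=OBJECT_ARN):
    """Which of the calls a remote-backup transport needs does this policy permit?"""
    return {
        "locate_bucket": is_allowed(policy, "s3:GetBucketLocation", bucket),
        "upload": is_allowed(policy, "s3:PutObject", obj),
        "list": is_allowed(policy, "s3:ListBucket", bucket),
        "download": is_allowed(policy, "s3:GetObject", obj),
        "delete": is_allowed(policy, "s3:DeleteObject", obj),
    }


def ineffective_grants(policy):
    """(Sid, action) pairs where an Allow puts an action on the wrong ARN level.

    PutObject on 'arn:aws:s3:::b' or GetBucketLocation on 'arn:aws:s3:::b/*'
    never matches a real request, so such grants are dead weight. Unknown
    actions are skipped.
    """
    problems = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        for act in _as_list(stmt["Action"]):
            low = act.lower()
            for res in _as_list(stmt["Resource"]):
                bare_bucket = (res.startswith("arn:aws:s3:::")
                               and "/" not in res and not res.endswith("*"))
                if (low in OBJECT_LEVEL and bare_bucket) or \
                        (low in BUCKET_LEVEL and "/" in res):
                    problems.append((stmt.get("Sid"), act))
    return problems


def with_explicit_deny(policy, action, resource):
    """Copy of policy with a Deny appended; a Deny beats every Allow in the policy."""
    denied = json.loads(json.dumps(policy))
    denied["Statement"].append({"Sid": "ExplicitDeny", "Effect": "Deny",
                                "Action": [action], "Resource": [resource]})
    return denied


if __name__ == "__main__":
    for name, pol in (("posted policy", OP_POLICY),
                      ("hypothetical retention policy", RETENTION_POLICY)):
        print(name, check_backup_operations(pol), ineffective_grants(pol))
```

The evaluator only models identity-policy statements (no conditions, bucket policies, or SCPs), which is enough to see the gap: the posted policy permits the upload and the bucket-location lookup and nothing else, so any pruning or listing step fails with access denied, while the explicit-Deny helper shows that even a key which is later widened can be pinned back to one-way uploads inside the same policy.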
The question is: does cPanel store the secret key encrypted, or in plain text?
It's encrypted. You can verify this by viewing the backup destination's configuration file in the following directory: /var/cpanel/backups/ Thank you.
"Note: Replace all references to $BUCKET with your policy name." Shouldn't that be "Replace all references to $BUCKET with your bucket name"?
I've opened an internal case (DOC-9448) with our Documentation Team to have the document updated to reflect this. I'll update this thread once the case is solved. Thank you.
Hello @Alien_Technology, The document is now updated to reflect the change in wording: Replace all references to $BUCKET with your bucket name.
Thanks!
Hello, I've updated the link in the earlier post to match the new URL: Backup Configuration - Version 68 Documentation - cPanel Documentation It's now found under the "Amazon S3" tab, and includes links to the actual Amazon documentation website. Let us know if this helps. Thank you.
Hello, I've updated the link in the earlier post to match the new URL:
Thank you, Michael. However, there doesn't seem to be any information on this page about what S3 access policy would be appropriate for WHM backups. Guessing from the name of the page (How to Create an AWS S3 Policy for a Bucket) you initially linked to, there was some information available about this topic before. I'd love to have some guidance about what S3 access policy could best be used.
Hello, We now link directly to Amazon's documentation on how to set up a bucket. However, if you are looking for the information from the document we removed, it's found on the following post: Unable to prune transport S3 Thank you.
12 comments