Minimum S3 Backup Policy

avon · January 29, 2018, 7:53pm

Does anyone know the minimum permissions required on the bucket for S3 backup? It looks like everyone backing up to S3 using duplicity just gives the user full bucket access but if anyone knows just the bare minimum that would be much appreciated.

Here is the current policy I have that still fails backup.

{
    "Version": "2012-10-17",
    "Id": "Policy1517170247260",
    "Statement": [
        {
            "Sid": "Stmt1517170242888",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::XXXXX:user/XXXXX"
            },
            "Action": [
                "s3:Put*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::XXXXXX",
                "arn:aws:s3:::XXXXXX/*"
            ]
        }
    ]
}

haroldus · December 2, 2020, 12:32am

I used the point and click interface to make the following policy, which I named MailinaboxS3EmailBackup.

I attached the policy to a group (e.g. name email-backups-access).

I created an IAM user (e.g. name mailinabox) and added the user to the group.

A backup was created last night on a fresh box running v0.51.

Also see this article for more understanding.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "s3:GetBucketPublicAccessBlock",
            "s3:PutObject",
            "s3:GetObject",
            "s3:ListBucket",
            "s3:DeleteObject",
            "s3:GetBucketLocation"
          ],
          "Resource": [
            "arn:aws:s3:::YOUR_S3_BUCKET/*",
            "arn:aws:s3:::YOUR_S3_BUCKET"
          ]
        }
      ]
    }