PROBLEM:
- There is not much documentation on how to configure Amazon Web Services to receive S3 backups from MIAB. You might have followed the tutorial at http://www.meanly.io/aws/2017/09/22/storing-mail-in-a-box-backups-in-s3.html.
- Your backups are running, but you receive nightly emails with the following error messages:
    Attempt 1 failed. S3ResponseError: S3ResponseError: 403 Forbidden
    …
    Attempt 5 failed. S3ResponseError: S3ResponseError: 403 Forbidden
- Your backups are running, but it takes 4-5 minutes to transfer 250MB to your S3 bucket due to attempts failing.
- When it is time for the first full backup to be deleted, backups stop working altogether and you receive the following error message:
    Attempt 1 failed. S3ResponseError: S3ResponseError: 403 Forbidden
    <?xml version="1.0" encoding="UTF-8"?>
    <Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>0020XXXXXXX303E</RequestId><HostId>nGztXXXXdkuFff6S4695DzEhTqx2kNi0Ld4z9XXXXXXXw86cg0jM4pCeVF+XXXXXXpKBfk=</HostId></Error>
ROOT CAUSE ANALYSIS:
The tutorial is a bit out of date. Apparently, MIAB didn't rotate backups in 2017, so there was no need to grant the s3:GetObject and s3:DeleteObject permissions on the objects within the bucket.
SOLUTION:
Make sure that the group that the MIAB AWS user belongs to has at least the following permissions:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::my-bucket-name"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::my-bucket-name/*"
        }
    ]
}
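
To check a policy document against this list before attaching it, the following added example (not part of the original post or of MIAB) tests that each of the four actions is allowed on the right ARN form: the bucket ARN for s3:ListBucket and the /* object ARN for the other three. It is a simplified offline check that ignores Deny, Condition, NotAction and NotResource; the function names and the sample policy are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Required action -> suffix of the ARN it must be allowed on. ListBucket is a
# bucket-level action; the other three act on objects inside the bucket.
REQUIRED = {
    "s3:ListBucket": "",
    "s3:PutObject": "/sample-object",
    "s3:GetObject": "/sample-object",
    "s3:DeleteObject": "/sample-object",
}

def as_list(value):
    """Action/Resource/Statement may be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def missing_permissions(policy_json, bucket):
    """Return the required actions that no Allow statement grants.

    Simplified check: Deny, Condition, NotAction, NotResource are ignored.
    """
    statements = as_list(json.loads(policy_json).get("Statement"))
    missing = []
    for action, suffix in REQUIRED.items():
        target = f"arn:aws:s3:::{bucket}{suffix}"
        granted = any(
            st.get("Effect") == "Allow"
            # IAM action names are case-insensitive; resource ARNs are not.
            and any(fnmatchcase(action.lower(), a.lower()) for a in as_list(st.get("Action")))
            and any(fnmatchcase(target, r) for r in as_list(st.get("Resource")))
            for st in statements
        )
        if not granted:
            missing.append(action)
    return missing

# Constructed sample: a policy without the object read/delete permissions.
INCOMPLETE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::my-bucket-name"},
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-bucket-name/*"},
]})

if __name__ == "__main__":
    print(missing_permissions(INCOMPLETE, "my-bucket-name"))
```

An empty list means all four actions are granted; a policy that puts s3:ListBucket on the /* ARN instead of the bucket ARN is reported as missing s3:ListBucket.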