Set Amazon S3 access policy to minimum permission

Amazon S3 access policy to minimum permission
Most admins will prefer, for security reasons, to create accounts with minimum privileges for any system.
So you might wonder how to create a user for the Amazon S3 service that has only the minimum permissions needed to back up databases with SQLBackupAndFTP into a certain bucket and folder. It’s quite easy.

Set Amazon S3 access policy to minimum permission

As we said, it’s quite easy. You just have to connect to your AWS Console and create a group, specify a policy for the group, and then add a user to the group. Below are the detailed steps:

    • Log into AWS Console

To log into your AWS Console, go to https://console.aws.amazon.com/console/home and log in with your e-mail and password.

If you do not have a user just select “I am a new user” which will take you through all the steps of creating a new user.

After logging in, you will see the navigation bar with a few menu items at the top of the page. On the right side, click your name and then open the menu called “Security Credentials”.


You might get a pop-up message saying “You are accessing the configuration page for your root account credentials.” Go on and click “Get Started with IAM Users” to set up your security credentials.

On the left side of the page you will see a few items: “Groups”, “Users”, “Roles”, “Password Policy”. Let’s start by creating a group with a security policy.

    • Create a group with security policy

To create a new group, select the “Groups” item on the left side of the AWS Console and click the “Create New Group” button. You’ll see the “Create New Group Wizard” window where you can enter the new group name. Enter a group name (let it be SBFGroup) and click “Continue” to specify a policy in the next step.


The next wizard page lets you choose from several policy templates; select the “Custom Policy” type and create the policy manually.

At this point we can enter a policy name and specify its contents by hand. You can find a good user guide here. But since we’re aiming for a specific situation, we can use this policy document:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetObjectVersion",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": "arn:aws:s3:::test.pranas.net/*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucket",
        "s3:GetBucketVersioning",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::test.pranas.net/*",
        "arn:aws:s3:::test.pranas.net"
      ]
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:HeadBucket"
      ],
      "Resource": "*"
    }
  ]
}

Be aware that the policy above uses test.pranas.net as the bucket name; replace it with your own bucket (yourbucketname in the rest of this guide). backup/sql/ is the path inside that bucket where your backup files will be stored.

Next, press “Continue” to review the information you entered for the new group, and then press “Create group”.


Now that we have a group with sufficient permissions to make database backups in your bucket under the specified path, let’s continue by creating the user that will be used to back up databases to Amazon S3.

And this is how you set Amazon S3 access policy to minimum permission.

    • Create a user in the group

To create a new user for this group, select “Users” on the left side of the AWS Console and then choose “Create new Users”. A dialog box will open where you can enter the username. Let’s assume it’s called SBFUser.


After creating the user, a dialog will appear with an important message: “This is the last time these User security credentials will be available for download.”

Write these credentials down on paper or in a plain text file, because you will need them later to connect to the Amazon S3 service with the user you just created. Alternatively, you can download a file with the credentials and keep it on your system.


Once you have saved the user’s credentials, you can close this window and continue by adding the user to the group. To do this, select the user “SBFUser” in the console and click “Add User to Groups”. In the “Add User to Groups” window, select the SBFGroup you created earlier.


Next, click “Add to Groups” to finalize adding the user to the group. Now let’s continue with backing up a database to Amazon S3 with SQLBackupAndFTP.

If you do not have a bucket yet, you can create it in this console. Just use the “S3” option from the “Services” menu to open the S3 console and create a bucket there.

Backup to Amazon S3 with SQLBackupAndFTP

Now let’s go through the process of backing up your database to the Amazon S3 service in detail.

Backing up a database to Amazon S3 is supported in the Standard and premium versions of SQLBackupAndFTP. The Free version allows you to use this feature only in trial mode; to enable it, go to the “Help” menu and select “Start 30 days Free Trial”.

To add Amazon S3 as a destination for the database you want to back up, click the link “Add backup destination” and select the Amazon S3 option in the popup window.


After this step, enter your Access Key and Secret Key, which you already have since you saved them when creating the backup user for your Amazon S3 service. Also enter the name of the bucket and the path where your backups will be stored in S3.

Remember to enter the correct path for the backups: the one you allowed for backups in the policy you created in the AWS Console.


After all this has been set up, click the “Save & Close” button. You now have a job that can be used to back up your databases to your Amazon S3 destination, and you can run it right away by pressing the “Run Now” button.

This opens a popup window that displays the events that occur during the job, its progress, and whether the execution succeeded or failed.
