Akeeba Backup for Joomla!

#8828 Amazon S3 Backup IAM Policy

Posted in ‘Akeeba Backup for Joomla! 4 & 5’
Environment Information

Joomla! version
n/a
PHP version
n/a
Akeeba Backup version
n/a

Latest post by user23381 on Friday, 02 September 2011 19:14 CDT

user23381
Hi,

I'm trying to create an IAM Policy with the least amount of permissions needed for Akeeba Backup to function. For example, I don't want my AWS keys to allow deletion of my backups in the event of a site hack. Or even for the keys to allow downloading of backups.

Has anybody tried putting together an Akeeba compatible policy? Amazon has a nice tool for generating policies: http://awspolicygen.s3.amazonaws.com/policygen.html

Regards.

user23381
OK, I figured it out. If you're running Akeeba Backup with Amazon S3 using your root AWS credentials you should consider the following alternative.

First a warning. Amazon has not made it easy to set up additional login credentials. You'll need to work with a command line interface.

To get this working you'll need to do the following:
  • Install and configure the Command Line Interface (CLI)
  • Create a Group
  • Give Group Access to S3 Bucket
  • Create User and Add to Group
  • Create Login Profile and Create Keys
  • Test Access


These steps are detailed here: http://newtech.about.com/od/cloudcomputing/a/How-To-Setup-Amazon-Identity-And-Access-Management-Iam-With-S3-And-Cloudfront.htm

Note: when you're following the "Install & configure the Command line" instructions in the above tutorial, make sure to also add this into your system path:
%AWS_IAM_HOME%\bin

It seems they left that step out.

Once the CLI is working, here are the commands I ran (don't enter the lines with #Comments. Also enter them one at a time).
# Create the group
iam-groupcreate -g MYSITE-backup

# Create the user & add to the group
iam-usercreate -u MYSITE-backup -g MYSITE-backup

# Attach the policy to the group
iam-groupuploadpolicy -g MYSITE-backup -p MYSITE-backup -f L:\IAMCli-1.2.0\policy\MYSITE-backup.txt

# Get the credentials
iam-useraddkey -u MYSITE-backup


I've created a bucket for all site backups. Within that bucket I have folders for each site. I create credentials for each site and they can only access their subfolder. Also the credentials can only add backups. Backups cannot be deleted or even downloaded. The only access the credential has is "PutObject" to upload the backup file. Here is my policy file (L:\IAMCli-1.2.0\policy\MYSITE-backup.txt):

{
  "Statement": [
    {
      "Sid": "XXXXXXXXXXXXXXX",
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::MYBUCKET/MYSITE/*"
    }
  ]
}


You can generate your own policy file here: http://awspolicygen.s3.amazonaws.com/policygen.html

Hopefully this brief overview guides you in the right direction.

nicholas
Akeeba Staff
Manager
That's a very elegant solution, thank you! My approach so far was to create a secondary user with write-only access to the bucket. When I needed to access the backup archive, I'd give the user read/write access, use that user to give my master user full control over the files and then switch back his credentials. I guess the group policy works much better than my clunky workaround :) Would you mind having me add this information to the User's Guide?

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user23381
Yes, feel free to use any of my post in the User Guide. And thanks for putting together such a great backup solution. It works perfectly.

nicholas
Akeeba Staff
Manager
Thank you!


jgurrier
Just thought I'd chime in with the lazy way to do this. I downloaded Cloudberry S3 Explorer Pro which has an "Access Manager" function that makes this process very easy.

There is a 15 day free trial you can use to set this all up. After 15 days it's $39 for a license (I bought it, it's a handy file manager).

You can create as many groups as you want and easily create policies for each group. I created a group and policy for each subdirectory in my S3 bucket. Each subdirectory contains a different website.

Then create a user to put in each group. Once that is done you can right click on the user and select "Manage Access Keys". That will give you the S3 Access keys you need to enter into your Akeeba Backup profile.

The only gotcha is that when you create the policy and are browsing for the bucket and directory to apply the "PutObject" rights to, it doesn't add the "/*" at the end that is needed to make this work (thanks LEOIII, I never would have figured that out). You have to specify the resource and then go back and edit it so you can add the slash and star.

Anyway, hope this helps someone else.

user23381
Sounds like a great way to set up users & policies. Thanks for posting that jgurrier.

nicholas
Akeeba Staff
Manager
Ah! I can't believe I missed that. I already had bought their Pro version a few months ago when I was using Windows (I am now a Mac user). Sure enough, I fired up my Win7 laptop, ran Cloudberry S3 Explorer and ta-dah! It was so easy managing permissions... Thank you jgurrier for your useful tip!


user23381
Since Amazon Web Services now includes a web based IAM management interface, I thought I'd post an updated version of the instructions above. For those who haven't purchased Cloudberry Pro this may be a nice alternative:

1. Create bucket to store backups in.
2. Log into the AWS Management Console.
3. Click on the "IAM" tab.
4. Click "Users" under the "Navigation" section.
5. Click "Create New Users".
6. Enter the name of the new user.
7. Copy & paste the credentials to a text editor.
8. Click on the newly created user.
9. Go to the user's "Permissions" tab.
10. Click "Attach User Policy".
11. Choose "Custom Policy".
12. Enter the following Policy Document:
{
  "Statement": [
    {
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::YOURBUCKETNAMEHERE/*"
    }
  ]
}

13. Click "Apply Policy"

Done. Now you can use those S3 credentials in your Akeeba Backup profile.
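As an added example (not code from the ticket, from Akeeba or from AWS), the following Python builds the PutObject-only policy the two user23381 posts describe, one per site folder, and audits a pasted policy document for the problems raised in the thread: actions beyond upload, and a resource missing the "/*" suffix that jgurrier points out. All function names and the sample policies are constructed for this example.

```python
import json

# Added example, not code from the ticket: builds the upload-only policy the
# posts describe and audits a policy document for the mistakes they mention.
UPLOAD_ONLY = {"s3:putobject"}  # IAM action names are case-insensitive
S3_ARN_PREFIX = "arn:aws:s3:::"

def build_backup_policy(bucket, site_prefix):
    """Least-privilege policy: s3:PutObject only, scoped to one site's folder."""
    sid = "AkeebaBackup" + "".join(c for c in site_prefix if c.isalnum())
    return {
        "Statement": [{
            "Sid": sid,  # IAM Sid values must be alphanumeric
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": f"{S3_ARN_PREFIX}{bucket}/{site_prefix}/*",
        }]
    }

def _as_list(value):
    # IAM accepts either a bare string or a list for Action and Resource
    return [value] if isinstance(value, str) else list(value or [])

def audit_policy(policy):
    """Return findings; an empty list means the policy grants upload only."""
    findings = []
    statements = policy.get("Statement", [])
    for stmt in [statements] if isinstance(statements, dict) else statements:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        for action in _as_list(stmt.get("Action")):
            if action.lower() not in UPLOAD_ONLY:
                findings.append(f"action {action} grants more than upload")
        for res in _as_list(stmt.get("Resource")):
            bucket = ""
            if res.startswith(S3_ARN_PREFIX):
                bucket = res[len(S3_ARN_PREFIX):].split("/", 1)[0]
            if not bucket or "*" in bucket:
                findings.append(f"resource {res} is not scoped to one bucket")
            elif not res.endswith("/*"):
                # Object actions need an object ARN; a bare bucket or folder
                # ARN (the "/*" gotcha above) matches none of the uploads
                findings.append(f"resource {res} lacks the /* object suffix")
    return findings

def audit_policy_text(text):
    try:  # a pasted document with a typo (e.g. a missing colon) fails here
        return audit_policy(json.loads(text))
    except ValueError as exc:
        return [f"policy is not valid JSON: {exc}"]
```

Note that s3:PutObject also allows overwriting an existing object key, so enable versioning on the bucket if uploaded backups must survive a compromise of a site's credentials.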
