#9084 Secure back-ups with Amazon S3

Posted in ‘Akeeba Backup for Joomla! 4 & 5’
Latest post by nicholas on Sunday, 02 October 2011 05:02 CDT

Spark
Hi Nicholas,

I've set up Akeeba Backup Pro (3.3.4) to upload files to Amazon S3, with a Cronjob: "keeping daily backups for one month and for older backups keeping only one for every month".

I would like to make it secure, but still automate the process.

I have one bucket with multiple directories and sites in it. At the moment, each site uses the same (Secret) Access Keys, which are stored in encrypted format in the Akeeba config (CMIIW). What if one site gets hacked? Will the encryption hold off hackers accessing back-ups from other sites?

If I create a write-only account for Amazon, it'll help I think. But the account can't delete older files. So I have to do that manually then? What do you suggest? Leave it as it is? Or really use a write only account? I think you suggest the last one?:

"Not all cloud storage services support file deletes. DropBox and backup-to-email most notably can't do that. Even those which can may not be allowed to do so due to ACLs. For example, I always use a write-only account to save my backup archives to S3. This account can neither list files nor delete them. These differences between each cloud storage engine would also cause support requests as people would consider them bugs when they're not."


If you have nice tips for a decent directory structure, they're also welcome.

Regards!

nicholas
Akeeba Staff
Manager
Hi!

The encryption will hold off hackers who only have access to your database. If they also have access to your filesystem, they can recover the secret key used for the encryption of the parameters and eventually decrypt them. In that case, they'd have full access to everything inside that bucket.

Well, there are quite a few possibilities here. For starters, you can create a different user for each bucket, using Amazon IAM Policies, and give him read/write access only to a specific subdirectory in your bucket. Just read our Amazon S3 integration walkthrough where we explain how that's possible. This method won't prevent a hacker who pwned your site from accessing your backups.

The other possibility is to create a write-only Amazon S3 user and use that instead. As you observed, that would render the quotas ineffective, as the user would be unable to delete old backups. However, this is the most secure option, as a potential hacker can never access your backups (download or delete).

There is a middle ground. You can create an Amazon S3 user with write and delete privileges using Amazon IAM Policies. This allows you to have a user who can upload the backup archives and apply the quotas. Akeeba Backup doesn't need browse access to apply the quotas (it has the paths stored in the database), it just needs to be able to run DeleteObject. In case you're hacked, the attacker won't be able to download any backup archives but he will be able to delete existing backups if he goes through all the pain of deciphering the settings, dumping the ak_stats table, figuring out the paths to the backup files and writing a script to delete them (visual tools won't work without browse access).

IMHO, the last method is the best compromise between security and ease of use. The only thing you can't do is to transfer the backup archives from S3 to your server for easy restoration. But this is easy to work around; just go to the Configuration page and enter your regular access credentials before using the Manage Remote Files feature of Akeeba Backup :)

I hope this information helps!

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
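
The per-site policies discussed in the reply above, as an added example that is not part of the original thread or Akeeba's documentation: it builds a PutObject (optionally PutObject + DeleteObject) policy scoped to one site's subdirectory and audits a policy for grants that would let a compromised site read, list or reach outside that subdirectory. The bucket name `example-backups` and the `site-a` / `site-b` prefixes are placeholders, and the audit only inspects `Allow` statements that use `Action` and `Resource`.

```python
import json

BUCKET = "example-backups"   # placeholder bucket name (assumption)

def site_policy(bucket, prefix, allow_delete=True):
    """IAM policy for one site's user: upload (and optionally delete) under its own prefix."""
    actions = ["s3:PutObject"]
    if allow_delete:
        actions.append("s3:DeleteObject")   # lets Akeeba Backup apply quotas
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": actions,
            "Resource": f"arn:aws:s3:::{bucket}/{prefix.strip('/')}/*",
        }],
    }

def as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value)

def audit(policy, bucket, prefix):
    """Findings for grants that would let a compromised site read, list or leave its prefix."""
    scope = f"arn:aws:s3:::{bucket}/{prefix.strip('/')}/"
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            name = action.lower()           # IAM action names are case-insensitive
            if "*" in name:
                findings.append(f"wildcard action: {action}")
            elif name.startswith(("s3:get", "s3:list")):
                findings.append(f"read/list action: {action}")
        for resource in as_list(stmt.get("Resource", [])):
            if not resource.startswith(scope):
                findings.append(f"resource outside {prefix}/: {resource}")
    return findings

# Constructed "before" policy: one key shared by every site, full access to the bucket.
SHARED_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*",
                   "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]}],
}

if __name__ == "__main__":
    print(json.dumps(site_policy(BUCKET, "site-a"), indent=2))
    print(audit(SHARED_FULL_ACCESS, BUCKET, "site-a"))
```

`s3:PutObject` also permits overwriting an object whose key is already known, so enabling bucket versioning complements either policy.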

Spark
Thank you very much for your detailed answer Nicholas!

I'll choose the 2nd or 3rd option. It's almost clear:
  • I think one group would be okay? Else I have one group for every website.
  • I'll create one user for every website.
  • And then attach the policy to the users (PutObject or PutObject+DeleteObject) instead of to the groups.
  • Fill in the (Secret) Access Keys in Akeeba.

Is this correct?

Regards!

nicholas
Akeeba Staff
Manager
Hi!

Only one group, having no permissions whatsoever set up for the bucket.

One user per site, yes.

Attach the PutObject and DeleteObject policy to each user, yes.

Fill in each user's access credentials (Access and Secret Key) in Akeeba Backup, yes.

I think that this should be a very solid setup. Well, if you get stuck somewhere, ping me :)

Spark
Okay, nice, it works well now :)
CLI was not even needed. I think you've missed this last post:
https://www.akeebabackup.com/support/forum/akeeba-backup-support/amazon-s3-backup-iam-policy/51100.html#p51100
I recommend you to add it to the user manual, works great!

The user group was not needed btw.

nicholas
Akeeba Staff
Manager
Aw, snap, I forgot to add that in the user's guide :s Thank you for the reminder, I am adding this info to the manual right now.

Just a note: that post describes how to give only the PutObject privilege to the user. You should also add the DeleteObject privilege for quotas to work :)

Spark
Yes, I noticed it, but thanks for pointing it out. I'll first use only the PutObject and check (and delete) my back-ups once a month. If I prefer the other method, I'll adjust it :)

nicholas
Akeeba Staff
Manager
OK, cool :)
