
How to set S3 backup permission with a strong access limit?

0

I have an S3 bucket with access limited only from my external server by IP address:

{
    "Version": "2012-10-17",
    "Id": "BackupPolicy01",
    "Statement": [
        {
            "Sid": "BackupPolicy01",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::83743546469343:user/user-backup"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::my-backup/*",
                "arn:aws:s3:::my-backup"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "123.87.210.171/32"
                }
            }
        }
    ]
}

Now I'm trying to add a Backup Plan using the default role, but it fails due to missing permissions.
I tried to search how to give access to default backup rules but I didn't find it.

asked a year ago, 186 views
2 Answers
0

To allow AWS Backup to work with your S3 bucket while maintaining your strict access controls, you need to modify your bucket policy to include an exception for the AWS Backup service role. Here's how to do it:

  1. First, identify the Role ID of the AWS Backup service role you're using. You can find this using the AWS CLI command:

    aws iam get-role --role-name AWSBackupDefaultServiceRole
    

    Look for the "RoleId" value in the response (it will look something like "AROASAMPLESAMPLESAMPL").

  2. Modify your bucket policy to include an exception for the AWS Backup role while maintaining your IP restriction:

    {
        "Version": "2012-10-17",
        "Id": "BackupPolicy01",
        "Statement": [
            {
                "Sid": "BackupPolicy01",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::837409669343:user/user-backup"
                },
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::my-backup/*",
                    "arn:aws:s3:::my-backup"
                ],
                "Condition": {
                    "IpAddress": {
                        "aws:SourceIp": "123.87.210.171/32"
                    }
                }
            },
            {
                "Sid": "AllowAWSBackupService",
                "Effect": "Allow",
                "Principal": {
                    "Service": "backup.amazonaws.com"
                },
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::my-backup/*",
                    "arn:aws:s3:::my-backup"
                ],
                "Condition": {
                    "StringLike": {
                        "aws:userid": "BACKUP_ROLE_ID:*"
                    }
                }
            }
        ]
    }
    

    Replace "BACKUP_ROLE_ID" with the actual Role ID you found in step 1.

  3. Make sure your AWS Backup role has the necessary permissions by attaching these managed policies:

    • AWSBackupServiceRolePolicyForS3Backup
    • AWSBackupServiceRolePolicyForS3Restore

This approach allows you to maintain your strict IP-based access control while creating an exception specifically for the AWS Backup service to perform backup operations on your S3 bucket.

Sources
Perform AWS Backup on S3 with access restricted to VPC | AWS re:Post
Amazon S3 backups - AWS Backup

answered a year ago
EXPERT
reviewed a year ago
0

Hello.

The bucket policy you shared only has the Allow statement set, so I think you will be able to perform backups if the IAM policy for S3 access is set in the IAM role for AWS Backup.
Please make sure that you have set "AWSBackupServiceRolePolicyForS3Backup" and "AWSBackupServiceRolePolicyForS3Restore" to the AWS Backup IAM role as described in the following document.
https://docs.aws.amazon.com/aws-backup/latest/devguide/s3-backups.html#s3-backup-prerequisites

EXPERT
answered a year ago
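An added example, not code from either answer or from AWS, that evaluates the question's bucket policy the way the two answers reason about it: it reports only what the bucket policy contributes, so an `ImplicitDeny` verdict means the bucket policy neither grants nor blocks the request and the IAM role's own permissions decide, which is the second answer's point. It assumes Python 3 and models only the IpAddress and StringLike operators that appear on this page.

```python
import fnmatch
import ipaddress

# The bucket policy from the question, with the values as posted there.
POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "BackupPolicy01", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::83743546469343:user/user-backup"},
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::my-backup/*", "arn:aws:s3:::my-backup"],
    "Condition": {"IpAddress": {"aws:SourceIp": "123.87.210.171/32"}},
}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _glob(value, patterns):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _conditions_hold(cond, ctx):
    """IpAddress and StringLike only; a missing context key never satisfies them."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            if key not in ctx:
                return False
            if op == "IpAddress":
                ok = any(ipaddress.ip_address(ctx[key]) in ipaddress.ip_network(c)
                         for c in _as_list(expected))
            elif op == "StringLike":
                ok = _glob(ctx[key], expected)
            else:
                raise ValueError(f"condition operator {op} not modelled")
            if not ok:
                return False
    return True

def evaluate(policy, principal, action, resource, ctx):
    """Bucket-policy-only verdict: 'Allow', 'Deny' or 'ImplicitDeny'; ctx holds condition keys."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        spec = st["Principal"]
        if spec != "*" and not any(principal.get(k) in _as_list(v) for k, v in spec.items()):
            continue                       # statement is about some other principal
        if not (_glob(action, st["Action"]) and _glob(resource, st["Resource"])):
            continue
        if not _conditions_hold(st.get("Condition", {}), ctx):
            continue                       # e.g. the request came from another IP
        if st["Effect"] == "Deny":
            return "Deny"                  # an explicit deny beats any allow
        decision = "Allow"
    return decision
```

Because the posted policy contains no Deny statement, a request from the AWS Backup role session lands on `ImplicitDeny` here regardless of source IP, so the managed policies attached to that role are what decide the outcome.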
