Granular Permission Policy for AWS S3
Applies to the Backup for Windows standalone version. Not applicable to the Managed Backup Agent.
Situation
Assigning a full-access S3 permission policy to the IAM user is generally not recommended; use a granular permission policy that grants only the actions the backup software actually needs instead.
Solution
The following granular policy contains the minimal set of permissions required to use all of the backup software's functionality, including retention and immutability:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions",
        "s3:GetBucketObjectLockConfiguration",
        "s3:PutBucketObjectLockConfiguration"
      ],
      "Resource": "arn:aws:s3:::bucket_name"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:PutObjectVersionAcl",
        "s3:RestoreObject"
      ],
      "Resource": "arn:aws:s3:::bucket_name/*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    }
  ]
}
Make sure to replace "bucket_name" in both Resource values with the name of the target bucket. Only the s3:ListAllMyBuckets statement uses a Resource of "*"; the bucket and object statements stay scoped to the single backup bucket.
Refer to the following article on how to create an IAM policy: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html
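As an added example (not part of the original article), the script below renders the policy above for a given bucket name and lints the resulting document for the least-privilege properties the article relies on: no wildcard actions, no unreplaced bucket_name placeholder, and Resource "*" only on the account-wide bucket listing. The bucket name used in the test is constructed.

```python
import json

# Action lists copied from the article's policy document.
BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketMultipartUploads",
                  "s3:ListBucketVersions", "s3:GetBucketObjectLockConfiguration",
                  "s3:PutBucketObjectLockConfiguration"]
OBJECT_ACTIONS = ["s3:AbortMultipartUpload", "s3:ListMultipartUploadParts", "s3:DeleteObject",
                  "s3:DeleteObjectVersion", "s3:GetObject", "s3:GetObjectAcl",
                  "s3:GetObjectVersion", "s3:GetObjectVersionAcl", "s3:PutObject",
                  "s3:PutObjectAcl", "s3:PutObjectVersionAcl", "s3:RestoreObject"]


def render_policy(bucket):
    """Return the article's policy as a dict with bucket_name replaced by `bucket`."""
    if not bucket or "*" in bucket:
        raise ValueError("bucket must be a literal bucket name, not a wildcard")
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": list(BUCKET_ACTIONS), "Resource": f"arn:aws:s3:::{bucket}"},
        {"Effect": "Allow", "Action": list(OBJECT_ACTIONS), "Resource": f"arn:aws:s3:::{bucket}/*"},
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
    ]}


def policy_json(bucket):
    """JSON text ready to paste into the IAM console or pass to the AWS CLI."""
    return json.dumps(render_policy(bucket), indent=2)


def policy_findings(policy):
    """Lint an IAM policy dict; return a list of findings (empty means it passes)."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        for a in actions:
            if a == "*" or a.endswith(":*"):  # e.g. "s3:*" grants far more than backups need
                findings.append(f"statement {i}: wildcard action {a}")
        for r in resources:
            if "bucket_name" in r:
                findings.append(f"statement {i}: placeholder bucket_name not replaced")
            # Only listing the account's buckets legitimately needs an unbounded Resource.
            if r == "*" and actions != ["s3:ListAllMyBuckets"]:
                findings.append(f"statement {i}: Resource '*' with actions {actions}")
    return findings
```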