Minimum privilege for s3ql on aws s3


Elliot Kaplan

Jun 7, 2019, 10:32:02 AM
to s3ql

I'm trying to set up an s3ql backup in an aws s3 bucket, but I'm having issues defining the proper permissions. I've defined an IAM policy for the backup users like


    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::job/*",
                    "arn:aws:s3:::<bucket>/<object>",
                    "arn:aws:s3:::<bucket>"
                ]
            }
        ]
    }

The idea was to start with all s3 privileges and then reduce from
there. However, this is not enough. First of all I get a warning from
AWS about the permissions themselves. Second of all I get an access
denied message from `mkfs.s3ql`.

If, however, I take the action using my super-user account, the filesystem is created successfully.
Obviously I'm not going to leave super user permissions in the hands of a backup script intended
to run on its own roughly daily. What is a policy that provides the necessary permissions and no more?

Thanks
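An offline check for the "start broad, then reduce" approach described in the post, as an added example that is not part of the original post and is not S3QL project code: it tests whether a candidate policy still allows the requests a backup job makes and whether it allows anything it should not. The bucket name, object key and the list of required actions are assumptions, not confirmed S3QL requirements, and the matcher is simplified (it ignores Deny, Condition, NotAction and NotResource).

```python
import fnmatch

BUCKET = "arn:aws:s3:::example-backup-bucket"  # constructed bucket name
OBJECTS = BUCKET + "/*"
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]

# Assumed request set for a backup job; not taken from the post or the S3QL docs.
REQUIRED = [("s3:ListBucket", BUCKET)] + [(a, BUCKET + "/example-key") for a in OBJECT_ACTIONS]
# Requests a backup-only identity should not be allowed to make.
FORBIDDEN = [
    ("s3:DeleteBucket", BUCKET),
    ("s3:PutBucketPolicy", BUCKET),
    ("s3:GetObject", "arn:aws:s3:::other-bucket/example-key"),
]

def policy(*pairs):
    """Build an Allow-only policy from (actions, resources) pairs."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": a, "Resource": r} for a, r in pairs]}

# Candidate: bucket-level action on the bucket ARN, object-level actions on object ARNs.
SCOPED = policy((["s3:ListBucket"], [BUCKET]), (OBJECT_ACTIONS, [OBJECTS]))
# Common mistake: s3:ListBucket attached to the object ARN, where it never matches.
MISMATCHED = policy((["s3:ListBucket"] + OBJECT_ACTIONS, [OBJECTS]))
# Same action wildcard as the post's starting point, with constructed resources.
BROAD = policy(("s3:*", [BUCKET, OBJECTS]))

def as_list(value):
    return value if isinstance(value, list) else [value]

def allowed(pol, action, resource):
    """True if an Allow statement matches the action (case-insensitive) and the resource."""
    for st in as_list(pol["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        act = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in as_list(st["Action"]))
        res = any(fnmatch.fnmatchcase(resource, r) for r in as_list(st["Resource"]))
        if act and res:
            return True
    return False

def denied(pol, requests):
    return [req for req in requests if not allowed(pol, *req)]

def excess(pol, requests):
    return [req for req in requests if allowed(pol, *req)]

if __name__ == "__main__":
    for name, pol in [("broad", BROAD), ("mismatched", MISMATCHED), ("scoped", SCOPED)]:
        print(name, "denied:", denied(pol, REQUIRED), "excess:", excess(pol, FORBIDDEN))
```

A candidate is acceptable when `denied` is empty for the required set and `excess` is empty for the forbidden set; the required set itself should be confirmed against the access-denied errors or request logs of a real run.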