S3 as a Backup Target

AWS S3 as a Backup Target

We can use AWS S3 as a target storage in Rclone configs. The following is the set of permissions required to allow the rclone CLI to read and write files:

  • s3:ListBucket
  • s3:DeleteObject
  • s3:GetObject
  • s3:PutObject

If the backup path within the bucket is under a certain prefix, we can further refine the permissions to allow listing only objects below the given prefix. For example, let’s say we want the backup server to only use the subdir backups/dataset-1/. In this case, we can write the permissions in the following way:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::[iam-arn]"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::[bucket-arn]",
            "Condition": {
                "StringEquals": {
                    "s3:prefix": [
                        "",
                        "backups/",
                        "backups/dataset-1/"
                    ],
                    "s3:delimiter": "/"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::[iam-arn]"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::[bucket-arn]",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "backups/dataset-1/*"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::[iam-arn]"
            },
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::[bucket-arn]/backups/dataset-1/*"
        }
    ]
}

Notice that the first statement uses the StringEquals condition, while the second uses StringLike. The first allows only the exact listings needed to walk down from the bucket root to the prefix ("", backups/ and backups/dataset-1/, each with the "/" delimiter), and the second allows listing any prefix nested below backups/dataset-1/. Together they ensure that the rclone CLI can list only the contents of its own prefix and everything nested within it, and nothing else in the bucket.
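To see concretely what the two s3:ListBucket statements allow and deny, here is an added Python example (not from the original page, and not rclone's or AWS's code) that builds the same pair of statements for a bucket and subdir and evaluates sample list requests against them with StringEquals/StringLike semantics; the bucket name and subdir are assumed placeholders.

```python
import fnmatch

# Constructed placeholders (not real resources) standing in for the page's
# [bucket-arn] and the backups/dataset-1/ subdir.
BUCKET = "example-backup-bucket"
SUBDIR = "backups/dataset-1/"


def listing_statements(bucket, subdir):
    """Build the page's two s3:ListBucket statements for one subdir.

    StringEquals: only the exact prefixes needed to walk root -> subdir with
    delimiter "/". StringLike: any prefix nested below the subdir.
    """
    parts = subdir.strip("/").split("/")
    exact = [""] + ["/".join(parts[:i]) + "/" for i in range(1, len(parts) + 1)]
    resource = f"arn:aws:s3:::{bucket}"
    return [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": resource,
         "Condition": {"StringEquals": {"s3:prefix": exact, "s3:delimiter": "/"}}},
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": resource,
         "Condition": {"StringLike": {"s3:prefix": subdir + "*"}}},
    ]


def condition_matches(condition, ctx):
    """IAM semantics for single-valued keys: every key in the Condition block
    must match (AND); a key matches if any of its listed values does (OR)."""
    for operator, keys in condition.items():
        for key, wanted in keys.items():
            wanted = wanted if isinstance(wanted, list) else [wanted]
            actual = ctx.get(key, "")  # simplification: missing key == ""
            if operator == "StringEquals":
                ok = actual in wanted
            elif operator == "StringLike":  # IAM wildcards are * and ?
                ok = any(fnmatch.fnmatchcase(actual, w) for w in wanted)
            else:
                raise ValueError(f"unsupported operator: {operator}")
            if not ok:
                return False
    return True


def list_allowed(statements, prefix, delimiter=""):
    """True if any Allow statement permits ListBucket for prefix/delimiter."""
    ctx = {"s3:prefix": prefix, "s3:delimiter": delimiter}
    return any(s["Effect"] == "Allow" and condition_matches(s["Condition"], ctx)
               for s in statements if s["Action"] == "s3:ListBucket")


STATEMENTS = listing_statements(BUCKET, SUBDIR)
```

Note that a listing of backups/ without the "/" delimiter is denied by this policy, as is backups/dataset-10/, because the StringLike pattern requires the trailing slash of the subdir.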

I am not quite sure about this one, but the following action is often allowed together with the above object permissions:

  • s3:PutObjectAcl