
Building an AWS S3 backup environment


I am currently building an S3 environment that meets all of the following requirements.

Access is only possible from a specific IP address. Access is only possible from a specific IAM user.

I have built an S3 environment that meets the above requirements.

However, I am unable to build an environment that uses the AWS Backup service to periodically obtain backups. Specifically, when allocating resources in a backup plan, the bucket I created is not displayed. The following are the steps I have tried to resolve the issue.

1. Check the IAM policy

2. Check the bucket policy

3. Check that the region matches

*Please check each of the policies written at the end of this post.

Ideal state

Meet the requirements of "access is only possible from a specific IP address" and "access is only possible from a specific IAM user" and also use AWS Backup to periodically obtain backups.

I am sorry for my bad English. Thanks.

=======

IAM Policy

I assigned "AmazonS3FullAccess" and "AWSBackupFullAccess". I also attached the following JSON policies.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::{bucket_name}",
                "arn:aws:s3:::{bucket_name}/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "backup:*"
            ],
            "Resource": "*"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::{bucket_name}",
                "arn:aws:s3:::{bucket_name}/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "backup:*"
            ],
            "Resource": "*"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:PutBucketAcl",
                "s3:GetBucketLocation",
                "s3:GetBucketVersioning"
            ],
            "Resource": [
                "arn:aws:s3:::{bucket_name}",
                "arn:aws:s3:::{bucket_name}/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:GetBucketVersioning"
            ],
            "Resource": [
                "arn:aws:s3:::{bucket_name}",
                "arn:aws:s3:::{bucket_name}/*"
            ]
        }
    ]
}

Bucket Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::{bucket_name}",
                "arn:aws:s3:::{bucket_name}/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "aws:username": "{created_iam_user_name}"
                }
            }
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::{bucket_name}",
                "arn:aws:s3:::{bucket_name}/*"
            ],
            "Condition": {
                "NotIpAddress": {
                    "aws:VpcSourceIp": [
                        "124.215.101.111/32",
                        "60.112.161.29/32"
                    ]
                }
            }
        }
    ]
}
1 Answer

Accepted Answer

I answered the question below, but I'll post it here as well.
https://repost.aws/ja/questions/QU4FV_KOKYRS24qKSDRiNlRw/aws-s-3-%E3%81%AE-backup%E7%92%B0%E5%A2%83%E6%A7%8B%E7%AF%89

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::{bucket_name}",
                "arn:aws:s3:::{bucket_name}/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalArn": [
                        "AWS Backup Service Role ARN",
                        "IAM User ARN"
                    ]
                }
            }
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::{bucket_name}",
                "arn:aws:s3:::{bucket_name}/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userId": "AIDxxxxxxxxxxxxxxxxx"
                },
                "NotIpAddress": {
                    "aws:VpcSourceIp": [
                        "124.215.101.111/32",
                        "60.112.161.29/32"
                    ]
                }
            }
        }
    ]
}

You can check "aws:userId" with the following command.
When executing the command below, please execute it as the IAM user who will be setting up the backup plan.

aws sts get-caller-identity

Executing the command returns results like the following.
Please set the "UserId" value from this output in your bucket policy.

{
    "UserId": "AIDxxxxxxxxxxxxxxxxx",
    "Account": "1111111111111",
    "Arn": "arn:aws:iam::1111111111111:user/test"
}
EXPERT
answered 2 years ago
  • To be clear, the second Deny statement will only match if both conditions are true: if the identity doesn't match the tested value and the IP doesn't match. If the intent is to block access from unexpected IPs, the IP check will have to be separated into its own statement. Also, AWS Backup won't be coming from those IPs, so this statement will block it too, unless the role AWS Backup is using is exempted in the condition clause.

  • The aws:VpcSourceIp request context condition key shouldn't be used alone. It should always be combined with the aws:SourceVpc or aws:SourceVpce key. That's because aws:VpcSourceIp checks for the client IP for requests received through a VPC endpoint, and within a VPC, anyone can use whichever IP addresses they like. If the intent is to permit access over the internet and not via a VPC endpoint, as I'm suspecting is the case based on the public-looking IPs, the correct key is aws:SourceIp, which is appropriate to use by itself. It won't match requests received over a VPC endpoint.

  • In conclusion, it worked well. Thank you for your cooperation. I appreciate it.
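The two expert comments above (a Deny statement whose identity and IP conditions are ANDed, and aws:SourceIp versus aws:VpcSourceIp) can be checked with a small policy-condition simulator. The following is an added example, not code from the answerer or from AWS. It models only the three condition operators used in this thread (StringNotEquals, StringNotLike, NotIpAddress), with every key present in the request context; all ARNs, user IDs, account numbers and addresses are constructed placeholders (TEST-NET ranges); the IP key is aws:SourceIp, as the second comment recommends for internet-facing access; and it assumes the caller's own identity policy already allows the action, so only the bucket policy's explicit Denies decide the outcome. For real decisions use the IAM Policy Simulator.

```python
"""Toy evaluator for the Deny-statement logic discussed in this thread.

Added example, not AWS code. IAM semantics modelled here: all operators in one
Condition block are ANDed, the values of one key are ORed, and any matching
Deny statement wins. Everything else (missing keys, Allow statements, ...IfExists
operators) is out of scope.
"""
from fnmatch import fnmatchcase
import ipaddress

# Constructed placeholders, not values from any real account.
ACCOUNT = "111111111111"
BACKUP_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/service-role/AWSBackupDefaultServiceRole"
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/backup-admin"
USER_ID = "AIDAEXAMPLE0000000001"          # aws:userId of an IAM user starts with AIDA
ALLOWED_IPS = ["203.0.113.10/32", "198.51.100.7/32"]


def _deny(condition):
    """Build a Deny statement with the bucket-wide resource list used on the page."""
    return {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
            "Resource": ["arn:aws:s3:::{bucket_name}", "arn:aws:s3:::{bucket_name}/*"],
            "Condition": condition}


# Shape of the accepted answer's policy: the userId check and the IP check share
# one statement, so the Deny fires only when BOTH are unmet.
COMBINED = {"Version": "2012-10-17", "Statement": [
    _deny({"StringNotEquals": {"aws:PrincipalArn": [BACKUP_ROLE_ARN, USER_ARN]}}),
    _deny({"StringNotLike": {"aws:userId": USER_ID},
           "NotIpAddress": {"aws:SourceIp": ALLOWED_IPS}}),
]}

# What the first comment asks for: the IP check gets its own statement, and the
# AWS Backup role is exempted from it because its requests never originate from
# the listed addresses.
SPLIT = {"Version": "2012-10-17", "Statement": [
    _deny({"StringNotEquals": {"aws:PrincipalArn": [BACKUP_ROLE_ARN, USER_ARN]}}),
    _deny({"NotIpAddress": {"aws:SourceIp": ALLOWED_IPS},
           "StringNotLike": {"aws:PrincipalArn": BACKUP_ROLE_ARN}}),
]}


def _operator_matches(op, actual, expected):
    """True when one condition operator is satisfied by the context value."""
    values = expected if isinstance(expected, list) else [expected]
    if op == "StringNotEquals":
        return actual not in values
    if op == "StringNotLike":
        return not any(fnmatchcase(actual, v) for v in values)
    if op == "NotIpAddress":
        ip = ipaddress.ip_address(actual)
        return not any(ip in ipaddress.ip_network(v) for v in values)
    raise ValueError(f"operator {op} is not modelled")


def statement_denies(stmt, ctx):
    """A Deny statement matches only if every operator/key pair in it matches."""
    return stmt["Effect"] == "Deny" and all(
        _operator_matches(op, ctx[key], expected)
        for op, clauses in stmt["Condition"].items()
        for key, expected in clauses.items())


def decision(policy, ctx):
    """'Deny' if any Deny statement matches, otherwise 'Allow' (identity policy assumed)."""
    return "Deny" if any(statement_denies(s, ctx) for s in policy["Statement"]) else "Allow"


# Constructed request contexts. A role session's aws:userId has the form
# "AROA...:session-name", which is why the page uses StringNotLike for that key.
SCENARIOS = {
    "user from office IP": {"aws:PrincipalArn": USER_ARN, "aws:userId": USER_ID,
                            "aws:SourceIp": "203.0.113.10"},
    "user from unknown IP": {"aws:PrincipalArn": USER_ARN, "aws:userId": USER_ID,
                             "aws:SourceIp": "192.0.2.55"},
    "other user from office IP": {"aws:PrincipalArn": f"arn:aws:iam::{ACCOUNT}:user/intern",
                                  "aws:userId": "AIDAEXAMPLE0000000099",
                                  "aws:SourceIp": "203.0.113.10"},
    "AWS Backup role session": {"aws:PrincipalArn": BACKUP_ROLE_ARN,
                                "aws:userId": "AROAEXAMPLE0000000007:AWSBackup-session",
                                "aws:SourceIp": "192.0.2.200"},
}


def matrix():
    """Decision of both policies for every scenario."""
    return {name: {"combined": decision(COMBINED, ctx), "split": decision(SPLIT, ctx)}
            for name, ctx in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in matrix().items():
        print(f"{name:28s} combined={result['combined']:5s} split={result['split']}")
```

Running it shows the two failure modes from the first comment side by side: with the combined statement, the intended user is still allowed from an unknown IP (the userId condition is satisfied, so the ANDed Deny never fires), while the AWS Backup role session is denied (its userId does not match and its address is not on the list). With the IP check split out and the backup role exempted, the user is denied from the unknown IP and the backup role is allowed.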
