Skip to content

Instantly share code, notes, and snippets.

@jogeshpi03
Forked from patric-boehner/Bucket-Properties.md
Created February 12, 2021 11:36
Show Gist options
  • Save jogeshpi03/b5da4f28b23604e59d945b95a6ad1e4a to your computer and use it in GitHub Desktop.
Save jogeshpi03/b5da4f28b23604e59d945b95a6ad1e4a to your computer and use it in GitHub Desktop.
Amazon AWS S3 User Policy for Updraft Plus

#User Policy for Amazon S3 Backups Using Updraft Plus

This user policy prevents the user credentials from being used to deleate backups from within the wordpress admin settings page for the plugin. This prevents anyone accidentaly or delibertly removing backups. The versioning and deleating is handeled by S3 bucket policies.

To make this user policy useful, we need to removed these two actions: "s3:DeleteObject", "s3:DeleteObjectVersion",

To update and use this policy, run a find and replace on "mybucket" and replace with your S3 bucket name.

For added security you can limit the IP addresses that can act as the source, your server. To use this option run a find and replace on Your IP Address

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": "arn:aws:s3:::mybucket",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:PutObjectAclVersion"
      ],
      "Resource": "arn:aws:s3:::mybucket/*",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*",
      "Condition": {}
    }
  ]
}

Source

#Bucket Properties for Versioning and Lifecycle

###Versioning

Turn on versioning. This allows us to preserve, reterieve and restore versions of each backup file. This is important incase a backup file is ever overwritten with a bad or corupted file.

###Lifecycle

We will create a lifecycle rule tp ultimelty deal with deleating old backups, since the user we have assigned to updraft can no longer autoamticaly delate old backups based on the plugins settings. For this example I set the limit to 30 days.


####Rule Two - Reduce Storage After 15 Days Action on Current Version

Expire:
30 Days after the object's creation date

Action on Previous Versions

Permanetly Delete:
30 Days after becoming a pervious version

{
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads"
],
"Resource": "arn:aws:s3:::mybucket",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"Your IP Address",
"Your IP Address"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectAclVersion"
],
"Resource": "arn:aws:s3:::mybucket/*",
"Condition": {}
},
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*",
"Condition": {}
}
]
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment