@patric-boehner
Last active May 30, 2024 11:11
Amazon AWS S3 User Policy for Updraft Plus

# User Policy for Amazon S3 Backups Using Updraft Plus

This user policy prevents the user credentials from being used to delete backups from within the WordPress admin settings page for the plugin. That way nobody holding those credentials can accidentally or deliberately remove backups. Versioning and deletion are handled at the bucket level instead, by the S3 bucket's versioning and lifecycle settings.

To make this user policy useful, remove these two actions from it: "s3:DeleteObject" and "s3:DeleteObjectVersion".

To update and use this policy, run a find and replace on "mybucket" and replace it with your S3 bucket name.

For added security you can limit which source IP addresses (your server's) may use the credentials. To use this option, run a find and replace on "Your IP Address" in the policy below and fill in your server's address.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": "arn:aws:s3:::mybucket",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:PutObjectVersionAcl"
      ],
      "Resource": "arn:aws:s3:::mybucket/*",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*",
      "Condition": {}
    }
  ]
}
```

Source
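The edits described above (drop the two delete actions, substitute the bucket name, optionally add the source-IP condition) are easy to get slightly wrong by hand, so here is an added example, not part of the gist, that applies them to a policy document and then audits the result for anything that would still let the credentials destroy backups or that IAM would reject. `SOURCE_POLICY` is a constructed copy of the starting policy used as sample input; the bucket name `example-backups` and the address `203.0.113.10/32` in the usage section are placeholders.

```python
"""Apply and audit the user-policy edits for an UpdraftPlus backup user.

Added example, not part of the gist. It performs the steps the gist
describes and reports leftover problems. SOURCE_POLICY is a constructed
copy of the starting policy used as sample input.
"""
import copy
import ipaddress
import json

# Constructed sample input: the starting policy, before hardening.
SOURCE_POLICY = json.loads("""
{
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketMultipartUploads"],
     "Resource": "arn:aws:s3:::mybucket", "Condition": {}},
    {"Effect": "Allow",
     "Action": ["s3:AbortMultipartUpload", "s3:DeleteObject", "s3:DeleteObjectVersion",
                "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectVersion",
                "s3:GetObjectVersionAcl", "s3:PutObject", "s3:PutObjectAcl",
                "s3:PutObjectAclVersion"],
     "Resource": "arn:aws:s3:::mybucket/*", "Condition": {}},
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*", "Condition": {}}
  ]
}
""")

# Actions that let the credential destroy backups; the gist removes these.
DELETE_ACTIONS = {"s3:DeleteObject", "s3:DeleteObjectVersion"}
# The misspelled action from the gist and the real S3 action it stands for.
ACTION_FIXES = {"s3:PutObjectAclVersion": "s3:PutObjectVersionAcl"}
# S3 actions this policy is expected to use; anything else is reported.
KNOWN_ACTIONS = {
    "s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketMultipartUploads",
    "s3:ListAllMyBuckets", "s3:AbortMultipartUpload", "s3:GetObject",
    "s3:GetObjectAcl", "s3:GetObjectVersion", "s3:GetObjectVersionAcl",
    "s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectVersionAcl",
} | DELETE_ACTIONS
PLACEHOLDER_BUCKET = "mybucket"


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit(policy):
    """Return human-readable findings; an empty list means the policy is as intended."""
    findings = []
    if "Version" not in policy:
        findings.append("no Version field: the policy falls back to the 2008-10-17 language")
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            if action in DELETE_ACTIONS:
                findings.append(f"statement {i}: grants {action}, so the credential can destroy backups")
            elif action not in KNOWN_ACTIONS:
                findings.append(f"statement {i}: unknown action {action} (IAM will reject it)")
        if PLACEHOLDER_BUCKET in json.dumps(stmt["Resource"]):
            findings.append(f"statement {i}: placeholder bucket name {PLACEHOLDER_BUCKET!r} not replaced")
    return findings


def harden(policy, bucket, source_ips=()):
    """Return a copy of `policy` with the gist's edits applied.

    Every statement scoped to `bucket` gets the IpAddress condition when
    `source_ips` (CIDR strings) is given. Statements left with no actions
    are dropped, since IAM rejects an empty Action.
    """
    for cidr in source_ips:
        ipaddress.ip_network(cidr)  # raises ValueError on a malformed address
    out = copy.deepcopy(policy)
    out.setdefault("Version", "2012-10-17")
    kept = []
    for stmt in out["Statement"]:
        actions = [ACTION_FIXES.get(a, a) for a in _as_list(stmt["Action"])
                   if a not in DELETE_ACTIONS]
        if not actions:
            continue
        stmt["Action"] = actions
        resources = [r.replace(PLACEHOLDER_BUCKET, bucket) for r in _as_list(stmt["Resource"])]
        stmt["Resource"] = resources if isinstance(stmt["Resource"], list) else resources[0]
        if source_ips and any(f":::{bucket}" in r for r in resources):
            stmt["Condition"] = {"IpAddress": {"aws:SourceIp": list(source_ips)}}
        kept.append(stmt)
    out["Statement"] = kept
    return out


if __name__ == "__main__":
    print("before:", *audit(SOURCE_POLICY), sep="\n  ")
    hardened = harden(SOURCE_POLICY, "example-backups", ["203.0.113.10/32"])  # placeholders
    print("after:", audit(hardened) or ["no findings"])
    print(json.dumps(hardened, indent=2))
```

One design choice differs from the gist: `harden` attaches the source-IP condition to every statement that names the bucket, not only to the bucket-level listing statement, so that object reads and writes are also tied to the server's address. The check for unknown actions is what catches the `s3:PutObjectAclVersion` typo before IAM does.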

# Bucket Properties for Versioning and Lifecycle

### Versioning

Turn on versioning. This allows us to preserve, retrieve and restore every version of each backup file, which matters in case a backup file is ever overwritten with a bad or corrupted file.

### Lifecycle

We will create a lifecycle rule to ultimately deal with deleting old backups, since the user we have assigned to UpdraftPlus can no longer automatically delete old backups based on the plugin's settings. For this example I set the limit to 30 days.


#### Rule Two - Reduce Storage After 15 Days

Action on Current Version

Expire:
30 days after the object's creation date

Action on Previous Versions

Permanently Delete:
30 days after becoming a previous version
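The lifecycle rule above is entered through the console, but its effect on a versioned bucket is easy to misjudge: "Expire after 30 days" does not free any storage by itself, it places a delete marker and turns the latest version into a previous version, which the second action then removes 30 days later. The following added example, not part of the gist, produces the same versioning and lifecycle settings in the JSON shape the AWS CLI accepts and works out on which day each backup version actually disappears. Day counts are whole days from the object's creation and ignore that S3 evaluates lifecycle rules once a day at midnight UTC; the `AbortIncompleteMultipartUpload` action and the rule ID `expire-old-backups` are additions of this example, not something the gist configures.

```python
"""Build the bucket-level configuration the gist describes and show its effect.

Added example, not part of the gist. lifecycle_configuration() matches the
console rule (expire current versions after 30 days, permanently delete
previous versions 30 days after they become previous); version_timeline()
computes when a given backup version is finally removed.
"""
import json

# Shape accepted by: aws s3api put-bucket-versioning --versioning-configuration file://versioning.json
VERSIONING = {"Status": "Enabled"}


def lifecycle_configuration(days_current=30, days_noncurrent=30, abort_upload_days=7):
    """Lifecycle rule for: aws s3api put-bucket-lifecycle-configuration.

    AbortIncompleteMultipartUpload is an addition (not in the gist): a backup
    upload that dies halfway would otherwise keep billing for its parts.
    """
    return {
        "Rules": [{
            "ID": "expire-old-backups",  # constructed name
            "Status": "Enabled",
            "Filter": {"Prefix": ""},  # whole bucket
            "Expiration": {"Days": days_current},
            "NoncurrentVersionExpiration": {"NoncurrentDays": days_noncurrent},
            "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": abort_upload_days},
        }]
    }


def version_timeline(put_days, days_current=30, days_noncurrent=30):
    """For one key written on each day in `put_days` (ascending), return
    (version_index, day_became_noncurrent, day_permanently_deleted).

    On a versioned bucket Expiration removes no data: it adds a delete marker,
    which makes the latest version noncurrent. Only NoncurrentVersionExpiration
    frees the bytes, so a version can live days_current + days_noncurrent days.
    """
    timeline = []
    for i, day in enumerate(put_days):
        next_put = put_days[i + 1] if i + 1 < len(put_days) else None
        expires = day + days_current
        # A version becomes noncurrent when overwritten or when it expires, whichever is first.
        noncurrent = expires if next_put is None else min(next_put, expires)
        timeline.append((i, noncurrent, noncurrent + days_noncurrent))
    return timeline


def max_retention_days(days_current=30, days_noncurrent=30):
    """Longest time a single backup version can remain recoverable."""
    return days_current + days_noncurrent


if __name__ == "__main__":
    # Constructed scenario: a backup key written on day 0 and overwritten on day 10.
    for idx, nc, gone in version_timeline([0, 10]):
        print(f"version {idx}: noncurrent on day {nc}, permanently deleted on day {gone}")
    print(f"worst case a version lingers {max_retention_days()} days")
    # Files for:
    #   aws s3api put-bucket-versioning --bucket <bucket> --versioning-configuration file://versioning.json
    #   aws s3api put-bucket-lifecycle-configuration --bucket <bucket> --lifecycle-configuration file://lifecycle.json
    with open("versioning.json", "w") as fh:
        json.dump(VERSIONING, fh, indent=2)
    with open("lifecycle.json", "w") as fh:
        json.dump(lifecycle_configuration(), fh, indent=2)
```

With the gist's 30/30 settings a backup taken on day 0 and never overwritten is still restorable until day 60, and a version that was overwritten on day 10 stays restorable until day 40; that is the actual recovery window the bucket gives you, and the number to compare against how long a compromise or a bad backup might go unnoticed.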

The resulting user policy, with the two delete actions removed and the source-IP condition added to the bucket-level statement (replace "Your IP Address" with your server's IP address or CIDR range):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": "arn:aws:s3:::mybucket",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "Your IP Address",
            "Your IP Address"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:PutObjectVersionAcl"
      ],
      "Resource": "arn:aws:s3:::mybucket/*",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*",
      "Condition": {}
    }
  ]
}
```
@geodefender

Thank you for this, very useful.
Can I ask you please to advise the recommended configuration we need to apply here: https://snipboard.io/bCPUYu.jpg
There are a lot of options.

The other question is about the policy; Amazon is showing this error: Invalid Action: The action s3:PutObjectAclVersion does not exist.

Thank you so much!
