Add an S3 Account Using IAM Role

This chapter explains how to add an Amazon S3 account to Managed Backup using an IAM role.

To start backing up your data, you need to specify the cloud storage your data will be backed up to. One of the most popular storage providers is AWS S3. You can add an S3 account in the Management Console using either of the following authentication modes:

  • Secret & Access keys (legacy)
  • Using the AWS IAM role (recommended)

AWS recommends using IAM roles for security reasons. IAM roles allow flexible, custom settings for the available features: for example, you can create a policy for a user that can only back up to S3, or one that can restore image-based backups to EC2.

To add an S3 account using an IAM role, proceed as follows:

  1. Open the Management Console.
  2. In the Storage menu, select Storage Accounts.
  3. Click Add Account.
  4. Specify the display name, then in Authentication type select IAM Role (Manual, best practice).
  5. In the Provider ID field, click Copy to clipboard or copy the ID manually.
  6. Open the AWS console.
  7. Click Create Role.
  8. In Account ID, enter 626709717326.
  9. Select the Require external ID (Best practice when a third party will assume this role) checkbox.
  10. Paste the Provider ID you copied in step 5 into the External ID field.
  11. Click Next: Permissions.
  12. Click Create Policy.
  13. Click JSON and insert the following policy:

     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Deny",
           "Action": "s3:DeleteBucket",
           "Resource": "*",
           "Condition": {}
         },
         {
           "Effect": "Allow",
           "Action": "s3:*",
           "Resource": "*",
           "Condition": {}
         },
         {
           "Effect": "Allow",
           "Action": "iam:SimulatePrincipalPolicy",
           "Resource": "*",
           "Condition": {}
         },
         {
           "Effect": "Allow",
           "Action": "s3:ListAllMyBuckets",
           "Resource": "*",
           "Condition": {}
         },
         {
           "Effect": "Allow",
           "Action": "ses:*",
           "Resource": "*",
           "Condition": {}
         },
         {
           "Effect": "Allow",
           "Action": "sns:*",
           "Resource": "*",
           "Condition": {}
         },
         {
           "Effect": "Deny",
           "Action": "s3:BypassGovernanceRetention",
           "Resource": "*"
         },
         {
           "Effect": "Allow",
           "Action": [
             "ec2:ImportInstance",
             "ec2:ImportImage",
             "ec2:DescribeInstances",
             "ec2:MonitorInstances",
             "ec2:RequestSpotInstances",
             "ec2:RunInstances",
             "ec2:StartInstances",
             "ec2:TerminateInstances",
             "ec2:ModifyInstanceAttribute",
             "ec2:CreateTags",
             "ec2:CancelImportTask",
             "ec2:DescribeConversionTasks",
             "ec2:DescribeImportImageTasks",
             "ec2:ImportVolume",
             "ec2:DescribeAvailabilityZones",
             "ec2:DescribeSecurityGroups",
             "ec2:DescribeSubnets",
             "ec2:StopInstances",
             "ec2:DescribeKeyPairs",
             "ec2:DescribeImages",
             "ec2:ImportSnapshot",
             "ec2:DescribeImportSnapshotTasks",
             "ec2:CreateVolume",
             "ec2:CreateImage",
             "ec2:DescribeVolumes",
             "ec2:DescribeSnapshots",
             "ec2:DeleteSnapshot",
             "ec2:CreateSnapshot",
             "ec2:AttachVolume",
             "ec2:DeregisterImage"
           ],
           "Resource": "*",
           "Condition": {}
         }
       ]
     }

  14. Review the policy settings, then click Create Policy.
  15. Go back to the previous tab, click Refresh, then enter the name of the policy you created.
  16. Select it, then click Review.
  17. Specify the role name (with no spaces), then click Create.
  18. Open the role you created and copy its ARN.
  19. Return to the Management Console, then paste the copied ARN into the Role ARN field.
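The procedure leaves two policy documents in your AWS account: the role's trust policy (what the Account ID and External ID fields turn into) and the permissions policy pasted into the JSON editor. The following Python is an added example, not code from this page or from MSP360. It builds the trust policy in the shape the AWS console wizard generates, reviews it for the sts:ExternalId condition that the Require external ID checkbox adds (without that condition, anyone who learns the role ARN could have account 626709717326 assume the role on their behalf, the confused-deputy problem the checkbox exists to prevent), and evaluates an abbreviated copy of the permissions policy under IAM's rule that an explicit Deny overrides every Allow, which is why s3:DeleteBucket stays denied even though s3:* is allowed. The placeholder Provider ID, the helper names and the shortened EC2 action list are assumptions; the account ID and the actions come from the page.

```python
# Added example (not MSP360 code): models the two policy documents the procedure
# above produces and checks them the way a reviewer would.
import fnmatch
import json

# Account ID of the Managed Backup service, as given on the page.
MBS_ACCOUNT_ID = "626709717326"
# Constructed placeholder; in practice this is the Provider ID copied from the Management Console.
PROVIDER_ID = "PROVIDER-ID-FROM-MANAGEMENT-CONSOLE"


def build_trust_policy(trusted_account_id, external_id):
    """Trust policy in the shape the AWS console wizard generates for
    'Another AWS account' with 'Require external ID' selected."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::%s:root" % trusted_account_id},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value):
    """IAM allows a single string or a list in Action/Principal fields."""
    return [value] if isinstance(value, str) else list(value or [])


def trust_policy_findings(policy, expected_account_id):
    """Return reviewer findings for a role trust policy (empty list means it looks right).
    Checks that sts:AssumeRole is granted only to the expected account and always
    requires sts:ExternalId (the confused-deputy protection)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        for p in principals:
            if p == "*" or expected_account_id not in p:
                findings.append("AssumeRole granted to unexpected principal %r" % p)
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append("AssumeRole statement has no sts:ExternalId condition")
    return findings


# Abbreviated copy of the page's permissions policy: the S3, SES, SNS and IAM statements
# are as on the page; the EC2 list is shortened to three of the listed actions.
PERMISSIONS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Deny",  "Action": "s3:DeleteBucket", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:SimulatePrincipalPolicy", "Resource": "*"},
    {"Effect": "Allow", "Action": "ses:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "sns:*", "Resource": "*"},
    {"Effect": "Deny",  "Action": "s3:BypassGovernanceRetention", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "ec2:ImportImage", "ec2:RunInstances"],
     "Resource": "*"}
  ]
}""")


def is_allowed(policy, action):
    """Simplified IAM evaluation for an identity policy: default deny, any matching
    Allow grants, and an explicit Deny overrides every Allow. Only Action is
    evaluated (case-insensitive wildcard match); every Resource in this policy
    is '*', so resources are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = _as_list(stmt["Action"])
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    trust = build_trust_policy(MBS_ACCOUNT_ID, PROVIDER_ID)
    print(json.dumps(trust, indent=2))
    print("trust policy findings:", trust_policy_findings(trust, MBS_ACCOUNT_ID))
    for action in ("s3:PutObject", "s3:DeleteBucket", "s3:BypassGovernanceRetention",
                   "ec2:DescribeInstances", "iam:CreateUser"):
        verdict = "allowed" if is_allowed(PERMISSIONS_POLICY, action) else "denied"
        print("%-32s %s" % (action, verdict))
```

After the role exists, the same review can be run against the real trust document returned by the AWS CLI (`aws iam get-role`): an empty findings list confirms that only account 626709717326 can assume the role and only with your Provider ID as the external ID.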