Granular Permission Policy for AWS S3

Assigning a full AWS S3 access permission policy to an IAM user is generally not recommended for security reasons, so users are encouraged to use a granular permission policy instead.

Granular Permission Policy

This granular policy contains the minimal set of permissions required to use all of the Backup software's functionality, including retention and immutability (Object Lock):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:ListBucketMultipartUploads",
                "s3:ListBucketVersions",
                "s3:GetBucketObjectLockConfiguration",
                "s3:PutBucketObjectLockConfiguration"
            ],
            "Resource": "arn:aws:s3:::bucket_name"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectVersion",
                "s3:GetObjectVersionAcl",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutObjectVersionAcl",
                "s3:RestoreObject"
            ],
            "Resource": "arn:aws:s3:::bucket_name/*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "sts:GetFederationToken",
            "Resource": "*",
            "Condition": {}
        }
    ]
}

Make sure to replace "bucket_name" with the name of the target bucket.
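The following Python script is an added example; it is not part of this documentation and not code from the Backup software. It substitutes the target bucket name into the policy above (the policy text embedded in it is a copy of that policy), validates the name against S3 bucket naming rules, and audits every statement so that bucket-level actions are granted only on the bucket ARN, object-level actions only on the bucket's "/*" ARN, and only the two account-level actions use Resource "*". The bucket name "example-backup-bucket" and the function names are assumptions made for the example.

```python
import json
import re
from typing import Any, Dict, List, Optional

# Copy of the documented policy; "bucket_name" is the placeholder to replace.
POLICY_TEMPLATE = """
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket", "s3:GetBucketLocation",
                "s3:ListBucketMultipartUploads", "s3:ListBucketVersions",
                "s3:GetBucketObjectLockConfiguration",
                "s3:PutBucketObjectLockConfiguration"
            ],
            "Resource": "arn:aws:s3:::bucket_name"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts",
                "s3:DeleteObject", "s3:DeleteObjectVersion",
                "s3:GetObject", "s3:GetObjectAcl",
                "s3:GetObjectVersion", "s3:GetObjectVersionAcl",
                "s3:PutObject", "s3:PutObjectAcl",
                "s3:PutObjectVersionAcl", "s3:RestoreObject"
            ],
            "Resource": "arn:aws:s3:::bucket_name/*"
        },
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
        {"Effect": "Allow", "Action": "sts:GetFederationToken",
         "Resource": "*", "Condition": {}}
    ]
}
"""

# Resource scope each documented action belongs to.
BUCKET_ACTIONS = {
    "s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketMultipartUploads",
    "s3:ListBucketVersions", "s3:GetBucketObjectLockConfiguration",
    "s3:PutBucketObjectLockConfiguration",
}
OBJECT_ACTIONS = {
    "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts", "s3:DeleteObject",
    "s3:DeleteObjectVersion", "s3:GetObject", "s3:GetObjectAcl",
    "s3:GetObjectVersion", "s3:GetObjectVersionAcl", "s3:PutObject",
    "s3:PutObjectAcl", "s3:PutObjectVersionAcl", "s3:RestoreObject",
}
# Not tied to one bucket, so Resource "*" is the expected (and only) scope.
ACCOUNT_ACTIONS = {"s3:ListAllMyBuckets", "sts:GetFederationToken"}

# S3 bucket names: 3-63 chars of lowercase letters, digits, dots and hyphens,
# starting and ending with a letter or digit.
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def render_policy(template: str, bucket: str) -> Dict[str, Any]:
    """Validate the bucket name, substitute it into the template and parse the JSON."""
    if not BUCKET_NAME_RE.match(bucket):
        raise ValueError(f"not a valid S3 bucket name: {bucket!r}")
    return json.loads(template.replace("bucket_name", bucket))


def _as_list(value: Any) -> List[str]:
    return value if isinstance(value, list) else [value]


def _expected_resource(action: str, bucket: str) -> Optional[str]:
    """Resource ARN a documented action should be granted on; None if undocumented."""
    if action in BUCKET_ACTIONS:
        return f"arn:aws:s3:::{bucket}"
    if action in OBJECT_ACTIONS:
        return f"arn:aws:s3:::{bucket}/*"
    if action in ACCOUNT_ACTIONS:
        return "*"
    return None


def audit_policy(policy: Dict[str, Any], bucket: str) -> List[str]:
    """Return least-privilege findings; an empty list means every grant is in the
    documented action set and sits on exactly the resource scope it belongs to."""
    findings: List[str] = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        resources = _as_list(stmt.get("Resource", []))
        if stmt.get("Effect") != "Allow":
            findings.append(f"statement {idx}: unexpected Effect {stmt.get('Effect')!r}")
        if any("bucket_name" in r for r in resources):
            findings.append(f"statement {idx}: placeholder bucket_name was not replaced")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:  # s3:* or s3:Put* would exceed the documented set
                findings.append(f"statement {idx}: wildcard action {action!r}")
                continue
            expected = _expected_resource(action, bucket)
            if expected is None:
                findings.append(f"statement {idx}: action {action!r} is not documented")
                continue
            for resource in resources:
                if resource != expected:
                    findings.append(
                        f"statement {idx}: {action} granted on {resource!r}, expected {expected!r}")
    return findings


def audit_policy_text(template: str, bucket: str) -> List[str]:
    """Render the template for the bucket and audit the result in one step."""
    return audit_policy(render_policy(template, bucket), bucket)


if __name__ == "__main__":
    print(audit_policy_text(POLICY_TEMPLATE, "example-backup-bucket"))  # [] when clean
```

Run it against the rendered policy before attaching it to the IAM user; a resource accidentally widened to "*" or an action widened to "s3:*" shows up as a finding rather than as a silent over-grant.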
