Granular User Policies for Wasabi
Create User Policy for Wasabi User Account
In the Wasabi Management Console, create the user policy using one of the granular policies suggested on this page (Multi-bucket or Single-bucket).
To associate the policy with the user, perform the following:
- In the Wasabi Management Console, click Users in the Wasabi menu on the left of the screen and find the user you want to associate the policy with.
- Check that the user's access is configured as one (or both) of the following:
- Programmatic (create API key)
- Console (Wasabi Management Console access)
- Click in the Attach Policy To User area and attach the newly created policy defined for your account. You can type text to find a specific policy. For details, refer to the Wasabi documentation.
Multi-bucket policy
This granular policy includes the minimal set of permissions required to use all of the backup software's functionality: backing up, restoring, applying the retention policy, enabling Object Lock for GFS backups, and deleting backup data.
It is strongly recommended not to use the root user for backups. Create a dedicated user for backups and attach the policy below to that user.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:GetBucketVersioning",
                "s3:ListBucketMultipartUploads",
                "s3:ListBucketVersions",
                "s3:GetBucketObjectLockConfiguration",
                "s3:PutBucketObjectLockConfiguration",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:PutObject",
                "s3:PutObjectRetention",
                "s3:ListAllMyBuckets",
                "s3:CreateBucket"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "s3:BypassGovernanceRetention",
                "s3:DeleteBucket"
            ],
            "Resource": "*"
        }
    ]
}
This user policy allows the user to:
- perform backups
- list data
- run restores
- enable Object Lock for GFS backups
- create buckets
This policy explicitly denies:
- deletion of data protected by Object Lock (WORM/immutability), by denying s3:BypassGovernanceRetention
- deletion of buckets
Single-bucket policy
This granular policy includes the minimal set of permissions required to use all of the backup software's functionality on one bucket: backing up, restoring, applying the retention policy, immutability, and deleting backup data.
Make sure to replace bucket_name with the name of the target bucket in both Resource entries before attaching the policy.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:GetLifecycleConfiguration",
                "s3:GetObjectRetention",
                "s3:PutBucketVersioning",
                "s3:PutLifecycleConfiguration",
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:GetBucketVersioning",
                "s3:ListBucketMultipartUploads",
                "s3:ListBucketVersions",
                "s3:GetBucketObjectLockConfiguration",
                "s3:PutBucketObjectLockConfiguration"
            ],
            "Resource": "arn:aws:s3:::bucket_name"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:PutObject",
                "s3:PutObjectRetention"
            ],
            "Resource": "arn:aws:s3:::bucket_name/*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        }
    ]
}
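The following script is an added example, not code from this page or from Wasabi. It checks both policies above offline before they are attached to a user: it applies the standard IAM evaluation order (an explicit Deny beats any Allow, and a request matched by no statement is implicitly denied) to sample requests, and it verifies that the bucket_name placeholder of the single-bucket policy has actually been replaced. It assumes the simplified policy grammar used on this page (Effect, Action, Resource only, with `*` and `?` wildcards; no Condition, Principal or NotAction), and the bucket name backups-example is a constructed value.

```python
"""Offline evaluator for the Wasabi user policies on this page.

Added example: implements IAM evaluation order (explicit Deny wins over Allow,
anything unmatched is an implicit deny) for Effect/Action/Resource statements,
so the effect of the Deny statement and of the bucket_name placeholder can be
checked before the policy is attached to a user.
"""
import fnmatch
import json

# Copy of the page's multi-bucket policy, embedded so the script runs offline.
MULTI_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetBucketLocation", "s3:GetBucketVersioning",
                    "s3:ListBucketMultipartUploads", "s3:ListBucketVersions",
                    "s3:GetBucketObjectLockConfiguration", "s3:PutBucketObjectLockConfiguration",
                    "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts",
                    "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:GetObject",
                    "s3:GetObjectVersion", "s3:PutObject", "s3:PutObjectRetention",
                    "s3:ListAllMyBuckets", "s3:CreateBucket"],
         "Resource": "*"},
        {"Effect": "Deny",
         "Action": ["s3:BypassGovernanceRetention", "s3:DeleteBucket"],
         "Resource": "*"},
    ],
}

# The page's single-bucket policy, kept as text because bucket_name is a
# placeholder that must be substituted before use.
SINGLE_BUCKET_TEMPLATE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:CreateBucket", "s3:GetLifecycleConfiguration", "s3:GetObjectRetention",
                    "s3:PutBucketVersioning", "s3:PutLifecycleConfiguration", "s3:ListBucket",
                    "s3:GetBucketLocation", "s3:GetBucketVersioning",
                    "s3:ListBucketMultipartUploads", "s3:ListBucketVersions",
                    "s3:GetBucketObjectLockConfiguration", "s3:PutBucketObjectLockConfiguration"],
         "Resource": "arn:aws:s3:::bucket_name"},
        {"Effect": "Allow",
         "Action": ["s3:AbortMultipartUpload", "s3:ListMultipartUploadParts", "s3:DeleteObject",
                    "s3:DeleteObjectVersion", "s3:GetObject", "s3:GetObjectVersion",
                    "s3:PutObject", "s3:PutObjectRetention"],
         "Resource": "arn:aws:s3:::bucket_name/*"},
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
    ],
})


def render_single_bucket_policy(bucket):
    """Substitute the real bucket name for the page's bucket_name placeholder."""
    return json.loads(SINGLE_BUCKET_TEMPLATE.replace("bucket_name", bucket))


def _as_list(value):
    """Action and Resource may be a single string or a list in policy JSON."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_sensitive):
    """IAM-style wildcard match ('*' any run, '?' one character).
    Action names are case-insensitive in IAM; ARNs are case-sensitive."""
    if not case_sensitive:
        value = value.lower()
    return any(fnmatch.fnmatchcase(value, p if case_sensitive else p.lower())
               for p in _as_list(patterns))


def is_allowed(policy, action, resource):
    """Evaluate one request: explicit Deny wins over Allow; no match is a deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action, case_sensitive=False):
            continue
        if not _matches(stmt["Resource"], resource, case_sensitive=True):
            continue
        if stmt["Effect"] == "Deny":
            return False
        if stmt["Effect"] == "Allow":
            allowed = True
    return allowed


def leftover_placeholders(policy):
    """Resource entries still carrying the literal bucket_name placeholder."""
    return [r for s in policy["Statement"]
            for r in _as_list(s["Resource"]) if "bucket_name" in r]


if __name__ == "__main__":
    single = render_single_bucket_policy("backups-example")  # constructed bucket name
    for name, pol, act, res in [
        ("multi", MULTI_BUCKET_POLICY, "s3:PutObjectRetention", "arn:aws:s3:::b/k"),
        ("multi", MULTI_BUCKET_POLICY, "s3:BypassGovernanceRetention", "arn:aws:s3:::b/k"),
        ("multi", MULTI_BUCKET_POLICY, "s3:DeleteBucket", "arn:aws:s3:::b"),
        ("single", single, "s3:GetObject", "arn:aws:s3:::backups-example/k"),
        ("single", single, "s3:GetObject", "arn:aws:s3:::other-bucket/k"),
    ]:
        print(f"{name:6} {act:30} {res:36} -> {'ALLOW' if is_allowed(pol, act, res) else 'DENY'}")
    print("unreplaced placeholders:", leftover_placeholders(json.loads(SINGLE_BUCKET_TEMPLATE)))
```

Two things the evaluator makes visible: in the multi-bucket policy, s3:DeleteBucket and s3:BypassGovernanceRetention are denied explicitly, so they stay denied even if a later Allow statement were added; in the single-bucket policy there is no Deny statement at all, and bucket deletion is blocked only because no statement grants it, while every object permission is confined to the one bucket ARN.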