Granular User Policy for Wasabi

This granular policy includes the minimal set of permissions required to use all of the Backup software’s functionality, including backing up, restore, retention policy, Object Lock for GFS backups, and backup data deletion.

It is strictly recommended to not use root user, create a dedicated user for backups and use the policy below for this user.

Make sure to enter Resource: the name of the target bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:GetBucketVersioning",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions",
        "s3:GetBucketObjectLockConfiguration",
        "s3:PutBucketObjectLockConfiguration",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:PutObject",
        "s3:PutObjectRetention",
        "s3:ListAllMyBuckets",
        "s3:CreateBucket"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "s3:BypassGovernanceRetention",
        "s3:DeleteBucket"
      ],
      "Resource": "*"
    }
  ]
}

This user policy allows the following:

perform backup
list data
run restores
enable Object Lock for GFS backups
create buckets

This policy denyes:

deletion of data protected by Object Lock/WORM/Immutability
deletion of buckets

Create User Policy for Wasabi User Account

In Wasabi Management Console create the user policy using the above suggestion.

To associate a policy with the user, perform the following:

In Wasabi Management console click Users in the Wasabi menu on the left of the screen. Find the user you want to associate the policy with.
Check whether the user access in configured as follows:

Programmatic (create API key)

-OR-

Console (Wasabi Management Console access)

Click in the Attach Policy To User area and attach the newly created policy defined for your account. You can enter text to find a specific policy. For details refer to Wasabi Documentation.