Bucket & IAM Permissions

This article lists the minimal permissions an AWS S3 bucket needs in order to be used as backup storage in the Xopero ONE service. The policies provided below allow you to add your own AWS S3 storage to Xopero ONE.

AWS bucket policy

The bucket that will be used to store the data must have the following policy (JSON) assigned:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::{account}:user/backup-user"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/*"
            ]
        }
    ]
}

Support for Immutable Storage

If you want to use Immutable storage, the following permissions are required:

s3:GetBucketObjectLockConfiguration - required to read Object Lock configuration.
s3:GetBucketVersioning - required to read the versioning configuration.

They must be added to the Action section. After the change, the section must look like this:

"Action": [
    "s3:ListBucket",
    "s3:GetObject",
    "s3:PutObject",
    "s3:DeleteObject",
    "s3:GetBucketVersioning",
    "s3:GetBucketObjectLockConfiguration"
],
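
An added example, not part of Xopero's documentation: an offline Python check that compares a bucket policy document against the action lists given on this page, with and without the Immutable storage additions, and reports wildcard principals, actions broader than the documented set, and missing resource ARNs. The function names, the sample policies and the account id 111122223333 are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Action sets copied from the page; function and variable names are illustrative.
BASE = {"s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"}
IMMUTABLE = {"s3:GetBucketVersioning", "s3:GetBucketObjectLockConfiguration"}

def _as_list(value):  # IAM accepts a single string wherever a list is allowed
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json, bucket, immutable=False):
    """Return findings for a bucket policy; an empty list means it matches the page."""
    required = BASE | (IMMUTABLE if immutable else set())
    findings, granted, resources = [], set(), set()
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if "*" in _as_list(aws):
            findings.append("principal is a wildcard, not the backup user")
        granted |= set(_as_list(stmt.get("Action", [])))
        resources |= set(_as_list(stmt.get("Resource", [])))
    for action in sorted(required):
        # IAM action names are case-insensitive and may contain * and ? wildcards.
        if not any(fnmatchcase(action.lower(), g.lower()) for g in granted):
            findings.append(f"missing action: {action}")
    wanted = {a.lower() for a in required}
    for action in sorted(granted):
        if action.lower() not in wanted:
            findings.append(f"broader than documented: {action}")
    for arn in (f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"):
        if arn not in resources:
            findings.append(f"missing resource: {arn}")
    return findings

def make_policy(principal, actions, resources):
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": principal,
        "Action": actions, "Resource": resources}]})

# Constructed samples; 111122223333 is a placeholder account id.
USER = {"AWS": "arn:aws:iam::111122223333:user/backup-user"}
ARNS = ["arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*"]
PAGE_POLICY = make_policy(USER, sorted(BASE), ARNS)
LOOSE_POLICY = make_policy("*", "s3:*", ARNS[1:])

if __name__ == "__main__":
    print(audit_policy(LOOSE_POLICY, "bucket-name", immutable=True))
```

Run against the base policy with `immutable=True`, the check reports the two Object Lock related actions as missing, which is the gap the section above closes.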
