

Amazon S3

We have an Amazon account (registered under [email protected]) to access S3, Amazon's cloud storage.

Security Policy

There is only one access key and one secret key regardless of how many buckets you use. Because of this, do not use any scripts that upload to or access the S3 storage on an untrusted server.

Storage Policy

Any data uploaded to Amazon S3 should be first encrypted using GPG.

Security Access

Here's an IAM policy for a new user to upload files to an S3 bucket.

{
  "Version": "2012-10-17",
  "Statement": [ {
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::dtrike-backups"
  }, {
    "Effect": "Allow",
    "Action": [
      "s3:PutObject",
      "s3:GetObject",
      "s3:DeleteObject"
    ],
    "Resource": "arn:aws:s3:::dtrike-backups/*"
  } ]
}

Creating a Backups Bucket

This sets up a single bucket and a single user for the backups of one server.

First, create an Amazon S3 bucket. Name syntax should be: dtrike-backups-<server>

Second, create a new IAM user. Name syntax should be: backups-<server>. Generate a user Access Key ID and Secret Access Key and download them. Add the user to the Backups group (no real reason, other than to keep users organized).

Third, select the user, change the permissions, and create a user policy. Name the policy the same as the username.

Create a custom policy, and use the example above, renaming the bucket. The permissions will let you upload, download, and delete files on the bucket.

Once that's done, set up either backup-manager or s3cmd to transfer files.
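The naming convention and the per-server policy above are easy to get wrong by hand (a forgotten rename leaves a user with access to another server's bucket). The following added helper, not part of this wiki page, generates the bucket and user names from a server name, renders the policy for that bucket, and audits a policy to confirm it grants nothing beyond the one bucket and the four actions the backup job needs. The `dtrike-backups-` and `backups-` prefixes are taken from the page; the naming check on the server name is an assumption.

```python
import json
import re

# Actions the backup job needs, as listed in the wiki's example policy.
BACKUP_ACTIONS = {"s3:ListBucket", "s3:PutObject", "s3:GetObject", "s3:DeleteObject"}


def backup_names(server):
    """Return (bucket, user) following the wiki's naming convention.
    Assumption: server names are lowercase letters, digits and hyphens, so the
    resulting bucket name stays valid for S3."""
    if not re.fullmatch(r"[a-z0-9][a-z0-9-]{0,40}", server):
        raise ValueError("server name must be lowercase alphanumeric/hyphen")
    return f"dtrike-backups-{server}", f"backups-{server}"


def backup_policy(bucket):
    """Render the wiki's policy with the bucket renamed for this server."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow",
             "Action": sorted(BACKUP_ACTIONS - {"s3:ListBucket"}),
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def policy_is_scoped(policy, bucket):
    """Audit check: every Allow statement must be confined to this bucket
    (bucket ARN or its objects) and to BACKUP_ACTIONS; any wildcard or
    foreign resource fails the check."""
    ok_resources = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if not set(actions) <= BACKUP_ACTIONS or not set(resources) <= ok_resources:
            return False
    return True


if __name__ == "__main__":
    bucket, user = backup_names("web1")  # constructed example server name
    print(f"user {user} -> policy {user}")
    print(json.dumps(backup_policy(bucket), indent=2))
```

Paste the printed JSON into the custom policy named after the user, as the page's third step describes.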