Set AWS IAM Permissions for s3cmd backup to a single bucket

10/02/2012

Our Linux machines use an S3 bucket to back up some files every night.

The machines only need write access (PutObject) to a single bucket on S3.

AWS Identity and Access Management (IAM) lets you define this permission on a single bucket. However, to configure s3cmd correctly and run a successful test there is a little trick; otherwise the final configuration test of s3cmd shows this error:

ERROR: Test failed: 403 (AccessDenied): Access Denied

s3cmd needs the ListAllMyBuckets permission.

Here is the policy document that worked.

{
  "Statement": [
    {
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Action": [
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::mybackupbucket",
        "arn:aws:s3:::mybackupbucket/*"
      ]
    }
  ]
}

Important: Make sure you replace mybackupbucket with your own bucket name.
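
An added example, not part of the original post: a small Python check that a policy document stays scoped the way the one above is, with s3:ListAllMyBuckets as the only action accepted on all buckets and everything else limited to the named bucket. The function name audit_backup_policy and the over-broad sample policy are constructed for illustration.

```python
import json

# Actions granted by the page's backup policy (IAM action names are case-insensitive).
EXPECTED = {"s3:listallmybuckets", "s3:listbucket", "s3:putobject"}
ACCOUNT_WIDE_OK = {"s3:listallmybuckets"}  # the only action accepted on all buckets

def as_list(value):
    """IAM allows a single string/object where a list is expected."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def audit_backup_policy(policy_json, bucket):
    """Return findings; an empty list means the policy is scoped to `bucket`."""
    scoped = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings, granted = [], set()
    for i, stmt in enumerate(as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource grant")
            continue
        for action in as_list(stmt.get("Action", [])):
            name = action.lower()
            granted.add(name)
            if name not in EXPECTED:
                findings.append(f"statement {i}: unexpected action {action}")
            for res in as_list(stmt.get("Resource", [])):
                wide_ok = res in ("*", "arn:aws:s3:::*") and name in ACCOUNT_WIDE_OK
                if res not in scoped and not wide_ok:
                    findings.append(f"statement {i}: {action} allowed on {res}")
    findings += [f"policy does not grant {a}" for a in sorted(EXPECTED - granted)]
    return findings

# The policy from the page, and a constructed over-broad variant for comparison.
PAGE_POLICY = """{"Statement": [
  {"Action": ["s3:ListAllMyBuckets"], "Effect": "Allow", "Resource": "arn:aws:s3:::*"},
  {"Action": ["s3:ListBucket", "s3:PutObject"], "Effect": "Allow",
   "Resource": ["arn:aws:s3:::mybackupbucket", "arn:aws:s3:::mybackupbucket/*"]}]}"""
BROAD_POLICY = """{"Statement": [
  {"Action": ["s3:PutObject", "s3:DeleteObject"], "Effect": "Allow",
   "Resource": "arn:aws:s3:::*"}]}"""

if __name__ == "__main__":
    for label, doc in (("page", PAGE_POLICY), ("broad", BROAD_POLICY)):
        print(label, audit_backup_policy(doc, "mybackupbucket") or "OK")
```

An empty result means every Allow statement matches the single-bucket scope; each finding names the statement index and the action or resource that falls outside it.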
