Custom access policies for AWS

When you back up to an Amazon S3 destination, you create an IAM account for the backup job to use. In our Amazon S3 storage guide we add the PowerUserAccess policy to the IAM account so that the backup job has the access it needs.

PowerUserAccess enables full access to AWS services and resources. Because of this, some users may want to restrict the access that the IAM account gives. To do this, you can create a custom AWS access policy to add to the IAM account that the backup job will use.

To create a custom policy:

  1. Follow the steps in our Amazon S3 storage guide for creating an IAM account.
  2. On the Set Permissions step, select the Attach existing policies directly menu item.
  3. Select Create policy.

    The Create Policy tab will open.

  4. Select the JSON tab.

    Use this tab to define the access you want to give the IAM account that your backup job or jobs will use. This is an AWS feature and the syntax is defined in the JSON policy reference page. You can expand and view the JSON scripts for any existing policy if you wish to view how they provide access.

  5. Once you have created the custom policy, select Next: Tags from the Set permissions screen.
  6. Select Next: Review.
  7. Review the settings and select Create User.
  8. Save the CSV file.

    The final step is to save a CSV file containing an Access key ID and a Secret Access Key. These keys will be used by BackupAssist ER to create a cloud container (bucket) and to access that container each time the job runs. You will need to refer to this CSV file when you create the backup job.

    Warning: Do not lose this CSV file as this is the only time you can view or save a copy of the secret access key.
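
The following is an added example, not taken from the BackupAssist or AWS documentation: it builds a policy for the JSON tab that is limited to one S3 bucket, and checks any policy for statements that reach beyond a single bucket. The bucket name `EXAMPLE-BACKUP-BUCKET`, the function names and the action list are assumptions (an assumed minimum for creating a bucket and reading and writing its contents), so confirm the result with a test backup and restore.

```python
import json

# Assumption: the action list below is an assumed minimum for "create a bucket
# and read/write it"; it is not a vendor-published list of required permissions.
def backup_policy(bucket):
    """Build an S3-only policy scoped to one bucket and its objects."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # bucket-level actions apply to the bucket ARN itself
                "Sid": "BucketLevel",
                "Effect": "Allow",
                "Action": ["s3:CreateBucket", "s3:ListBucket", "s3:GetBucketLocation"],
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {   # object-level actions apply to keys under the bucket
                "Sid": "ObjectLevel",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
        ],
    }

def as_list(value):
    """IAM allows a single string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]

def broad_statements(policy):
    """Return (sid, reason) for every Allow statement wider than one bucket."""
    findings = []
    for i, st in enumerate(as_list(policy["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"statement[{i}]")
        if "NotAction" in st:
            findings.append((sid, "NotAction allows every action not listed"))
        for action in as_list(st.get("Action", [])):
            if "*" in action or not action.startswith("s3:"):
                findings.append((sid, f"action {action} is a wildcard or outside S3"))
        for res in as_list(st.get("Resource", [])):
            if res == "*" or res.startswith("arn:aws:s3:::*"):
                findings.append((sid, f"resource {res} is not limited to one bucket"))
    return findings

# Constructed sample of a broad grant, for contrast with the scoped policy
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": ["iam:*"], "Resource": "*"}]}

if __name__ == "__main__":
    print(json.dumps(backup_policy("EXAMPLE-BACKUP-BUCKET"), indent=2))
    print(broad_statements(BROAD))
```

Paste the printed JSON into the JSON tab after replacing the placeholder bucket name with the bucket your backup job will use.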