Custom access policies for AWS
When you back up to an Amazon S3 destination, you create an Identity Access Management (IAM) account for the backup job to use. In our guide and tutorial video, we add the PowerUserAccess policy to the IAM account so that the backup job has the access it needs.
PowerUserAccess enables full access to AWS services and resources. Because of this, some users may want to restrict the access that the IAM account gives. To do this, you can create a custom AWS access policy to add to the IAM account that the backup job will use.
To create a custom policy:
- Follow the AWS steps for creating a new user from Services > Security, Identity & Compliance> IAM.
- On the Set Permissions page, select the Attach existing policies directly menu item.
- Select Create policy.
- Select the JSON tab
- Once you have created the custom policy, select Next: Tags from the Set permissions screen
- Select Next: Review
- Review the settings and select Create User
A new Create Policy tab will open.
Use this tab to define the access that you would like to give the IAM account that your back job or jobs will use. This is an AWS feature and the syntax is defined in the JSON policy reference page. You can expand and view the JSON scripts for any existing policy, if you wish to view how they provide access.
When you create the account, an Access Key ID and Secret Access Key will be created. In this step, select the Download csv link to download a csv file containing the access keys. You will need to enter these keys when you create the backup job. Do not lose this csv file and keep it in a safe place.