
Minimum permissions to backup accounts into Amazon S3

Discussion in 'Data Protection' started by dccsi, May 21, 2017.

  1. dccsi (Member)
    As we know, we can use cPanel to copy backup files into Amazon S3 using "Additional Destinations" in the Backup Configuration.

    There are many articles talking about how to do that, and today I'm just discussing the S3 permissions only.

    As many articles describe, we can use the "Security Credentials" to access the S3 bucket; we can also use IAM to create a new user and give it full access to S3.

    Actually I have used both methods, but I have a security concern here.

    If we use the Security Credentials, we give the cPanel server full permission to control our whole Amazon account, and if we create an IAM user, we give it full access to all S3 buckets.

    Why should we do that when we just want to give the user access to a single bucket only? Then if anything happens, it will affect one single bucket only, not the whole Amazon account or all S3 buckets.

    In the past I used s3cmd to manually copy the backup files to Amazon S3, and I used a one-way strategy to copy the files from the cPanel server to S3 (I mean the cPanel server had the PutObject permission only and did not have permission to delete or get the files from S3), and it was awesome.

    When I try to use the same access policy with cPanel Additional Destinations, it says access denied. I tried many policies and the same problem occurred.

    Here is the policy I have used:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Stmt1425965910000",
          "Effect": "Allow",
          "Action": [
            "s3:GetBucketLocation",
            "s3:PutObject"
          ],
          "Resource": [
            "arn:aws:s3:::bucketnamehere"
          ]
        },
        {
          "Sid": "Stmt1425965927000",
          "Effect": "Allow",
          "Action": [
            "s3:GetBucketLocation",
            "s3:PutObject"
          ],
          "Resource": [
            "arn:aws:s3:::bucketnamehere/*"
          ]
        }
      ]
    }

    So does anyone know what the minimum permissions are to back up accounts into Amazon S3?

    Thanks
     
  2. cPanelMichael (Forums Analyst, Staff Member)
  3. dccsi (Member)
    I have checked
    How to Create an AWS S3 Policy for a Bucket - cPanel Knowledge Base - cPanel Documentation

    and it works fine without problems.

    But I just ask why cPanel needs to delete files, and what happens if I deny the IAM user from deleting objects.
     
  4. cPanelMichael (Forums Analyst, Staff Member)
    It's for the retention functionality in backups:

    Backup Configuration - Retention

    Thank you.
     
  5. dccsi (Member)
    Okay, that means cPanel needs to delete files from S3 for retention,

    so anyone who has the access key and secret key can delete files from S3.

    The question is: does cPanel store the secret key encrypted, or in plain text?

    In one scenario, let's say the server has been hacked and the hacker has the root password, so the hacker can see the S3 secret key and can also use some external tools with the secret key to delete the backup files too, and the result will be terrible (server hacked and remote backup deleted).
     
  6. cPanelMichael (Forums Analyst, Staff Member)
    It's encrypted. You can verify this by viewing the backup destination's configuration file in the following directory:

    /var/cpanel/backups/

    Thank you.
     
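Editor's note (added example, not code from the thread or from cPanel): the two questions above, "what is the minimum policy" (post 1, whose put-only policy is rejected) and "what can a stolen key do once retention needs delete rights" (post 5), can both be answered by evaluating candidate policies against the calls the backup transport makes. Whether or not the stored secret is encrypted at rest, root on the cPanel host has everything the backup process needs to decrypt and use it, so what limits the damage is what the key is allowed to do. The script below is a small IAM identity-policy evaluator (wildcards, explicit Deny beats Allow, everything else implicitly denied) applied to the policy as posted and to a least-privilege alternative. The bucket name, the object key, and the exact set of S3 actions cPanel requires are assumptions labelled in the code; the Deny on s3:DeleteObjectVersion relies on the documented S3 behaviour that, with bucket versioning enabled, a plain DeleteObject only writes a delete marker and permanent removal needs s3:DeleteObjectVersion.

```python
import fnmatch
import json

BUCKET = "example-cpanel-backups"   # assumption: placeholder bucket name


def bucket_arn(bucket):
    return f"arn:aws:s3:::{bucket}"


def object_arn(bucket, key):
    return f"arn:aws:s3:::{bucket}/{key}"


# The put-only policy from the original post (rejected by cPanel with "access denied").
# Note that s3:PutObject on the bucket ARN itself never matches anything: PutObject
# is an object-level action and only the "bucket/*" statement is effective.
POSTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetBucketLocation", "s3:PutObject"],
         "Resource": [bucket_arn(BUCKET)]},
        {"Effect": "Allow",
         "Action": ["s3:GetBucketLocation", "s3:PutObject"],
         "Resource": [object_arn(BUCKET, "*")]},
    ],
}

# Least-privilege alternative (assumption: the transport lists and locates the bucket,
# and puts, gets and deletes objects; delete is what retention pruning uses).
# The explicit Deny keeps a key stolen from a rooted server from purging old versions
# once bucket versioning is on: DeleteObject then only writes a delete marker, and
# permanent removal requires s3:DeleteObjectVersion, which this key never gets.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CpBucketAccess", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": [bucket_arn(BUCKET)]},
        {"Sid": "CpObjectAccess", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
         "Resource": [object_arn(BUCKET, "*")]},
        {"Sid": "NoPermanentDelete", "Effect": "Deny",
         "Action": ["s3:DeleteObjectVersion", "s3:PutBucketVersioning"],
         "Resource": [bucket_arn(BUCKET), object_arn(BUCKET, "*")]},
    ],
}


def _match_action(pattern, action):
    # IAM action names are case-insensitive and accept '*' / '?' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _match_resource(pattern, resource):
    # Resource ARNs are case-sensitive; wildcards work the same way.
    return fnmatch.fnmatchcase(resource, pattern)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.
    Mirrors the identity-policy part of IAM evaluation: an explicit Deny wins over
    any Allow, and a request matched by no Allow statement is implicitly denied."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_match_action(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_match_resource(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Assumption: the calls the backup transport makes against the destination.
REQUIRED = [
    ("s3:ListBucket", bucket_arn(BUCKET)),
    ("s3:GetBucketLocation", bucket_arn(BUCKET)),
    ("s3:PutObject", object_arn(BUCKET, "user/backup.tar.gz")),
    ("s3:GetObject", object_arn(BUCKET, "user/backup.tar.gz")),
    ("s3:DeleteObject", object_arn(BUCKET, "user/backup.tar.gz")),
]


def check_backup_access(policy):
    """Map each required action to whether the policy allows it."""
    return {act: evaluate(policy, act, res) == "Allow" for act, res in REQUIRED}


def missing_permissions(policy):
    """Required actions the policy does not grant, sorted for stable output."""
    return sorted(a for a, ok in check_backup_access(policy).items() if not ok)


if __name__ == "__main__":
    print("posted policy is missing:", missing_permissions(POSTED_POLICY))
    print("hardened policy is missing:", missing_permissions(HARDENED_POLICY))
    print("stolen key can purge versions:",
          evaluate(HARDENED_POLICY, "s3:DeleteObjectVersion", object_arn(BUCKET, "x")))
    print(json.dumps(HARDENED_POLICY, indent=2))
```

Run stand-alone it reports the posted policy short of s3:ListBucket, s3:GetObject and s3:DeleteObject, the hardened policy covering every required call, and s3:DeleteObjectVersion explicitly denied. To make the Deny meaningful the bucket must have versioning enabled by a separate administrative identity (the backup key is denied s3:PutBucketVersioning so it cannot switch it off), and a lifecycle rule expiring noncurrent versions after the desired retention window keeps storage bounded; both of those are configured outside cPanel and are not covered in the thread.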
  7. Alien_Technology (Registered, US)
    The S3 document link above helped me (I needed to set the Sid to CpFilePermission), but I think there is a typo.

    Note:
    Replace all references to $BUCKET with your policy name.

    Shouldn't that be "Replace all references to $BUCKET with your bucket name"?

    Excellent documentation by the way.
     
  8. cPanelMichael (Forums Analyst, Staff Member)
    I've opened an internal case (DOC-9448) with our Documentation Team to have the document updated to reflect this. I'll update this thread once the case is solved.

    Thank you.
     
  9. cPanelMichael (Forums Analyst, Staff Member)
    Hello @Alien_Technology,

    The document is now updated to reflect the change in wording:

    Thanks!
     