The Community Forums


Required "actions" for IAM policy for s3 backups

Discussion in 'Data Protection' started by JustinArdoin, Aug 27, 2015.

  1. JustinArdoin

    JustinArdoin Member
    PartnerNOC

    Hi all,

    I'm looking for the specific actions that need to be allowed in an IAM policy for backups. "s3:*" is not exactly least privilege. I am already aware of how to lock the policy to a specific user, bucket, and object; what I am looking for is the specific set of actions I must allow for the cPanel S3 backups to work. I didn't see anything in /scripts and nothing really covering the specific calls in the docs, so I thought I'd ask here before opening a ticket. While I appreciate any insights, I'd prefer to avoid guesswork. If you know which file holds the API calls within cPanel, I'll gladly look at it myself. Just trying to decrease surface area.

    Thanks!
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    You may find this URL helpful if you are looking for general input on IAM policies:

    http://blogs.aws.amazon.com/securit...es-How-to-grant-access-to-an-Amazon-S3-bucket

    However, note there's no documentation on this from cPanel because the IAM policy is considered an Amazon feature. Could you let us know which information in particular you require about cPanel/WHM in order to customize your IAM policy?

    Thank you.
     
  3. JustinArdoin

    JustinArdoin Member
    PartnerNOC


    IAM might be an AWS thing, but cPanel makes use of the AWS API in their backup application. For each call that is made to the API, there is an associated "action" within the IAM policy that can be allowed. I checked the subroutines called from the script (for anybody wondering, the script is /usr/local/cpanel/3rdparty/perl/514/lib64/perl5/cpanel_lib/Amazon).
    I haven't locked it down any further than s3:* because of what your app requires from an initial read-through. The best it gets is locking it to a particular bucket or directory beneath a bucket for now. I probably should have followed this up sooner. I'm hoping locking it to a particular directory within the bucket is good enough, and that access can't be escalated (I created a role for this) from the permissions. It would be nice to know the specific actions necessary to roll into the policy, but I'll have to save that for another day when I have the time to fully investigate how the REST API calls made map to "actions".
     
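As an added example (not from this thread, and not cPanel's or AWS's code), the scoping the posts describe, `s3:*` limited to one bucket and one prefix under it, written as an IAM policy document, together with a deliberately simplified evaluator that shows what the scope does and does not stop. The bucket name, prefix and object keys are constructed placeholders, and the evaluator ignores Condition blocks.

```python
import fnmatch

# Constructed example: the scoping the thread describes, "s3:*" limited to one
# bucket and one prefix under it. Bucket and prefix names are placeholders.
BUCKET = "example-cpanel-backups"
PREFIX = "server1/"

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Bucket-level calls (listing etc.) are checked against the bucket ARN
        # itself, so the object pattern below would not cover them on its own.
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": f"arn:aws:s3:::{BUCKET}"},
        # Object-level calls are limited to keys under the prefix.
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": f"arn:aws:s3:::{BUCKET}/{PREFIX}*"},
    ],
}

# Variant with an explicit Deny: the prefix scope keeps the key out of other
# prefixes and buckets, but "s3:*" still includes deleting this server's own
# backups. Check whether the backup job prunes old archives before using this.
NO_DELETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": SCOPED_POLICY["Statement"] + [
        {"Effect": "Deny",
         "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
         "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: explicit Deny wins, a matching Allow permits,
    no match is the implicit deny. No Conditions; actions match case-free."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action.lower(), pat.lower())
                   for pat in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, pat)
                   for pat in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Note that `s3:*` on the bucket ARN also covers bucket management actions such as `s3:PutBucketPolicy` and `s3:PutBucketAcl`, so a holder of the key could widen access to that bucket; that is the main reason to replace the wildcard with the exact action list once it is known.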
