Saturday, 21 January 2017

BackWPup S3 policy

I run WordPress for my private blog (a spot where I stash notes and other junk which isn't worth posting publicly) and I'm using BackWPup to back up the contents of my WordPress instance to S3. In order to follow good security practice, we should create a specific user which only has the permissions it requires to save backups. In AWS this means you need to create a user and then create an IAM policy for saving backups and then apply this policy to the user.

The way I’ve done this is to create a new S3 bucket for WordPress backups, created a new user called and created a policy which is then applied to the new user. In this post I've named it "wordpress.backup.homenetwork.dns", if you're copying the code from here replace that with the name of your wordpress backup bucket. The policy JSON looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::wordpress.backup.homenetwork.dns",
                "arn:aws:s3:::wordpress.backup.homenetwork.dns/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*",
            "Condition": {}
        }
    ]
}
 
This gives the user full access to the wordpress.backup.homenetwork.dns bucket. It also gives the user access to list all the buckets in S3 as BackWPup uses this to populate the target bucket drop down list. Apply this policy to your backup user and you're good to go.