Securing your AWS S3 bucket

If you want to store one-time or recurring backups in your own Amazon S3 bucket at Amazon Web Services (AWS), you must restrict access to that bucket using AWS Identity and Access Management (IAM).

Below we provide step-by-step instructions on how you can use IAM to create an account user specifically for mLab that can only access a single bucket in your S3 account.

Steps

  1. Log in to the AWS Management Console
  2. Click “IAM” or visit this URL after logging in
  3. Create a custom policy (e.g. “mLabS3BackupsPolicy”)
    • Copy and paste the policy below but replace “youraccountname-mlab-backups” with something that will make your bucket name unique (note that it must be unique across all AWS accounts and cannot include underscores or upper case characters)
    • Do not change the “Version” date (for more information, see AWS’s IAM documentation)
  4. Create a new group (e.g. “mLabGroup”) and attach the policy created in step 3 to this new group.
  5. Create a user for your mLab backups (e.g. “mLabUser”)
  6. Make note of the user’s credentials (Access Key ID and Secret Access Key) since they will be required when scheduling backups in the mLab management portal
  7. Add the user you created in Step 5 to the group that you created in Step 4
  8. Going back to the S3 home in the AWS console, create a new bucket for your mLab backups using the value that you chose in step 3 (i.e., the value you replaced “youraccountname-mlab-backups” with)
    • Bucket names need to be unique across all AWS accounts
    • Bucket names cannot include underscores or upper case characters; otherwise, backups will fail

Policy to cut and paste

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "s3:ListBucket" ],
      "Resource": "arn:aws:s3:::youraccountname-mlab-backups"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:DeleteObject",
        "s3:DeleteObjectAcl"
      ],
      "Resource": [ "arn:aws:s3:::youraccountname-mlab-backups/*" ]
    }
  ]
}
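As an added example (not part of the original mLab page), the following Python script substitutes your bucket name into the policy above, checks the name against the naming rules the page states, and reviews the resulting policy so that every statement stays confined to that one bucket. The function and variable names are our own; the regular expression covers only the rules named on this page (lowercase, no underscores), not every AWS bucket-naming rule, and global uniqueness can only be checked against AWS itself.

```python
import json
import re

# The page's policy, with its placeholder bucket name, as a Python dict.
PLACEHOLDER = "youraccountname-mlab-backups"
POLICY_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": f"arn:aws:s3:::{PLACEHOLDER}"},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:GetObjectAcl", "s3:PutObject",
                    "s3:PutObjectAcl", "s3:DeleteObject", "s3:DeleteObjectAcl"],
         "Resource": [f"arn:aws:s3:::{PLACEHOLDER}/*"]},
    ],
}
# Assumed, partial rule set: lowercase letters, digits, dots and hyphens only
# (so no underscores and no upper case, as the page requires), 3-63 characters.
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")

def valid_bucket_name(name: str) -> bool:
    return BUCKET_NAME_RE.match(name) is not None

def render_policy(bucket: str) -> dict:
    """Step 3 of the page: replace the placeholder with your chosen bucket name."""
    if not valid_bucket_name(bucket):
        raise ValueError(f"invalid bucket name: {bucket!r}")
    return json.loads(json.dumps(POLICY_TEMPLATE).replace(PLACEHOLDER, bucket))

def scope_findings(policy: dict, bucket: str) -> list:
    """Least-privilege review of a policy: returns a list of findings, empty when
    every statement is confined to the one bucket and uses the right ARN form."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version must stay 2012-10-17")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for i, st in enumerate(policy.get("Statement", [])):
        actions, resources = st.get("Action", []), st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for a in actions:
            if a in ("*", "s3:*") or not a.startswith("s3:"):
                findings.append(f"statement {i}: action {a!r} is broader than one S3 bucket")
        for r in resources:  # "*" and "arn:aws:s3:::*" both land here
            if r not in (bucket_arn, bucket_arn + "/*"):
                findings.append(f"statement {i}: resource {r!r} is not confined to {bucket}")
        # Bucket-level actions need the bucket ARN; object actions need the /* ARN.
        if "s3:ListBucket" in actions and bucket_arn not in resources:
            findings.append(f"statement {i}: s3:ListBucket must name the bucket ARN itself")
        if any(a.endswith(("Object", "ObjectAcl")) for a in actions) and bucket_arn + "/*" not in resources:
            findings.append(f"statement {i}: object actions need the {bucket_arn}/* resource")
    return findings
```

Run `scope_findings(render_policy("your-bucket"), "your-bucket")` before creating the policy in the console; an empty list means the user created in step 5 cannot reach any other bucket through this policy.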