Configuring S3 for backups

A quick way to configure an S3 bucket for automated backups with a retention policy.

  1. Creating and configuring the bucket
  2. IAM user and policy
  3. Configuring backup retention

Creating and configuring the bucket

Head over to the AWS S3 console and Create bucket.

  • Specify the bucket name. We'll use crm-backups for this example.
  • Choose the region you want to store your backups in.
  • Make sure that Block all public access is checked.

IAM user and policy

We need to create a new identity that we'll be using to upload (and only upload) our backups.

  • Navigate to the IAM service (you'll find it in the Services dropdown in the top left corner, or just search for IAM).
  • Click Users, then Create user.
  • Specify a name for the user, e.g. crm-backups-user, click Next
  • Click Attach policies directly, and Create policy - this will open in a new tab.
  • In the Policy editor, select JSON and paste the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PutObjectsOnly",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::crm-backups/*"
    }
  ]
}

This policy grants the permission to upload (PutObject) objects to the bucket we created earlier (crm-backups).

  • Click Next, specify a name for the policy, e.g. crm-backups-policy, and click Create policy.
  • Back in the Create user tab, click Refresh and search for the policy we just created, check it off and create the user.
  • Click on the user that got created and click Create access key.
  • Select Command Line Interface (CLI) and create the access key.
  • Copy the Access key and Secret access key and store them somewhere safe. We'll need them to authenticate.

You should now be able to upload files to your bucket using awscli.
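
To confirm that a policy document really is upload-only before attaching it, the following added example (not part of the original guide) checks a policy JSON for anything beyond s3:PutObject on objects in crm-backups. The audit_policy function and the BROAD_POLICY sample are constructed for illustration.

```python
import json

BUCKET = "crm-backups"                        # bucket name used in this tutorial
ALLOWED_ACTIONS = {"s3:putobject"}            # upload only, compared lowercased
OBJECT_ARN_PREFIX = f"arn:aws:s3:::{BUCKET}/"  # objects inside this bucket only

# The policy from the tutorial, and a constructed over-broad variant for contrast.
PAGE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PutObjectsOnly", "Effect": "Allow",
                 "Action": ["s3:PutObject"],
                 "Resource": "arn:aws:s3:::crm-backups/*"}]
}"""
BROAD_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "TooBroad", "Effect": "Allow",
                 "Action": ["s3:PutObject", "s3:DeleteObject", "s3:Put*"],
                 "Resource": ["arn:aws:s3:::crm-backups/*", "arn:aws:s3:::crm-backups*"]}]
}"""

def as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])

def audit_policy(policy_json):
    """Return findings; an empty list means the policy is upload-only on BUCKET."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    for i, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"statement #{i}")
        if stmt.get("Effect") != "Allow":
            continue                          # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource allows everything not listed")
        for action in as_list(stmt.get("Action")):
            # Anything but the exact action, including wildcards like s3:Put*, is flagged.
            if action.lower() not in ALLOWED_ACTIONS:
                findings.append(f"{sid}: action {action} goes beyond s3:PutObject")
        for resource in as_list(stmt.get("Resource")):
            # "crm-backups*" would also match other buckets sharing the prefix.
            if not resource.startswith(OBJECT_ARN_PREFIX):
                findings.append(f"{sid}: resource {resource} is not limited to {BUCKET} objects")
    return findings

if __name__ == "__main__":
    for name, doc in (("page policy", PAGE_POLICY), ("broad policy", BROAD_POLICY)):
        print(name, "->", audit_policy(doc) or "OK: upload-only")
```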

Configuring backup retention

If we're performing backups often, we'll want to configure a retention policy that keeps only the latest backups. Not only will this save on storage costs, but it is also a requirement in various customer data protection laws.

We'll configure a policy that keeps the last 60 days of backups, and discards backups older than that, but you can also tell AWS to move your backups to a cheaper storage class after a certain amount of time.

  • Head back to the S3 service and click on your bucket.
  • Click on the Management tab and click Create lifecycle rule.
  • Name the lifecycle rule (e.g. crm-backups-lifecycle).
  • In case the backups will be uploaded to a path inside the bucket (e.g. backups/), we can limit the scope using Prefix filter. If we want this policy to apply to all the files in the bucket, select Apply to all objects in the bucket.
  • Under Lifecycle rule actions check Permanently delete noncurrent versions of objects.
  • Specify how many days we want to keep the backups for (let's say 60) and click Create rule.

That's it - we now have a bucket that we can upload our backups to, and a policy that will automatically delete backups older than 60 days.

Note that if for whatever reason our backups stop working and we don't upload any for 60 days, we'll be left without any backups whatsoever.

It's a good idea to set up a monitor, such as AnomalyAlert, that will alert us if no backups have been uploaded for a certain amount of time.