Required permissions for an IAM user to work properly with the Amazon Simple Storage Service (S3) API migrator in Enterprise Vault.

Article ID: 100032260

Resolution

To use the Amazon S3 migrator with an IAM user whose access is limited to a specific bucket, it is recommended to use a bucket policy in conjunction with an inline user policy for that IAM user. For the purposes of this article the IAM user is named 'vaultadmin' and the bucket is named 'veritasbucket'.

For the bucket policy, apply the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::690246178796:user/vaultadmin"
            },
            "Action": [
                "s3:*"
            ],
            "Resource": "arn:aws:s3:::veritasbucket"
        },
        {
            "Sid": "statement2",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::690246178796:user/vaultadmin"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::veritasbucket/*"
        }
    ]
}

For the IAM user inline policy, apply the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PermissionForObjectOperations",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::veritasbucket/*"
            ]
        },
        {
            "Sid": "ListAllBuckets",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
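The following Python check is an added example and is not part of this article or of Enterprise Vault. It re-types the two policies above as dictionaries (the account ID, user and bucket names are the ones used in this article), flags any Allow statement that reaches beyond the single bucket or the single user, and lists which actions each document grants on the bucket ARN itself; this makes visible that bucket-level actions (such as listing the bucket's contents) come from the bucket policy, while the inline policy alone supplies only the two account-wide actions on that ARN, so the two documents must be applied together. The same functions accept any policy loaded with json.load.

```python
from fnmatch import fnmatchcase

BUCKET = "veritasbucket"
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
USER_ARN = "arn:aws:iam::690246178796:user/vaultadmin"
# The only actions the article grants on Resource "*"; anything else there is over-broad.
ACCOUNT_WIDE_OK = {"s3:ListAllMyBuckets", "s3:GetBucketLocation"}

# The article's two policies, re-typed as dicts to serve as sample input.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "statement1", "Effect": "Allow", "Principal": {"AWS": USER_ARN},
     "Action": ["s3:*"], "Resource": BUCKET_ARN},
    {"Sid": "statement2", "Effect": "Allow", "Principal": {"AWS": USER_ARN},
     "Action": "s3:*", "Resource": BUCKET_ARN + "/*"}]}
USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PermissionForObjectOperations", "Effect": "Allow",
     "Action": ["s3:*"], "Resource": [BUCKET_ARN + "/*"]},
    {"Sid": "ListAllBuckets", "Effect": "Allow", "Resource": "*",
     "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"]}]}


def as_list(value):
    """IAM lets Action, Resource and Principal.AWS be a string or a list."""
    return value if isinstance(value, list) else [value]


def actions_on(policy, resource_arn):
    """Actions a policy allows on one ARN (resource patterns use '*' globs)."""
    granted = set()
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if any(fnmatchcase(resource_arn, r) for r in as_list(st["Resource"])):
            granted.update(as_list(st["Action"]))
    return granted


def scope_findings(policy, bucket=BUCKET, user_arn=USER_ARN):
    """Flag Allow statements reaching beyond the one bucket or the one user."""
    in_scope = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        sid, actions = st.get("Sid", "<no Sid>"), set(as_list(st["Action"]))
        for res in as_list(st["Resource"]):
            if res not in in_scope and not (res == "*" and actions <= ACCOUNT_WIDE_OK):
                findings.append(f"{sid}: {sorted(actions)} on {res}")
        principal = st.get("Principal", {})  # absent in identity (inline) policies
        aws = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        findings.extend(f"{sid}: unexpected principal {p}" for p in aws if p != user_arn)
    return findings
```

Running scope_findings over both documents returns no findings, while a statement granting "s3:*" on Resource "*" or a bucket policy naming a different principal is reported by Sid.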

Issue/Introduction

When using Enterprise Vault (EV) with the Amazon S3 storage migrator, administrators may want to create an IAM user specifically for EV migrations, because buckets used by other applications and departments in the organization may exist in the same account. The purpose is to restrict the IAM user's access to the bucket used by the EV application.

Additional Information

ETrack: 3874781