BackupsToS3WithKMS

Secure your AWS S3 backups using KMS encryption. This IAM policy allows listing, putting, and getting objects, with KMS encryption and decryption.

S3 Backup Policy with KMS

This IAM policy enables secure backups to S3 using KMS encryption. It grants permissions to list the bucket, put and get objects, and encrypt/decrypt using a specified KMS key.

IAM Policy for S3 Backup with KMS

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListBucket",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::my-backups-bucket"
            ]
        },
        {
            "Sid": "AllowPutAndGet",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::my-backups-bucket/*"
            ]
        },
        {
            "Sid": "AllowEncryptionAndDecryption",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": [
                "arn:aws:kms:eu-west-1:xxxxxxxxxxxx:key/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
            ]
        }
    ]
}

Explanation

This policy includes the following statements:

  • AllowListBucket: Permits listing the objects in the specified S3 bucket (the resource is the bucket ARN, not an object ARN).
  • AllowPutAndGet: Allows uploading objects to and downloading objects from the bucket (the resource is the bucket's object ARN, ending in /*).
  • AllowEncryptionAndDecryption: Grants the KMS permissions on the specified key that S3 needs to write and read objects protected with SSE-KMS.

Considerations

Ensure the KMS key and S3 bucket ARNs are correctly configured for your environment. Note that when S3 writes an SSE-KMS object it calls kms:GenerateDataKey on your behalf and calls kms:Decrypt when it reads one, so both actions must be allowed on the key; kms:Encrypt on its own is not enough for PutObject to succeed. This policy permits encrypted uploads but does not require them: unless the bucket enforces default encryption, add a condition on s3:x-amz-server-side-encryption to the PutObject statement. It also deliberately grants no s3:DeleteObject permission, which keeps a compromised backup writer from destroying existing backups. Properly securing your KMS key is crucial for protecting your backups.
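The following script is an added example, not part of the original page or the project it describes. It embeds a constructed copy of the policy above (with placeholder account and key ids) and a hardened variant, and runs the review checks a defender would apply before attaching such a policy to a backup role: no wildcard grants, the KMS actions S3 actually needs (kms:GenerateDataKey for writes, kms:Decrypt for reads), bucket versus object ARNs, no destructive S3 actions, and a condition that forces SSE-KMS on uploads. The hardened policy's kms:ViaService condition and the split Put/Get statements are assumptions chosen for the example, not taken from the page.

```python
"""Static review checks for an S3-backup IAM policy that uses SSE-KMS (added example)."""
import json
from typing import Dict, List

# Constructed sample mirroring the page's policy; account and key ids are placeholders.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowListBucket", "Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::my-backups-bucket"]},
    {"Sid": "AllowPutAndGet", "Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::my-backups-bucket/*"]},
    {"Sid": "AllowEncryptionAndDecryption", "Effect": "Allow", "Action": ["kms:Decrypt", "kms:Encrypt"],
     "Resource": ["arn:aws:kms:eu-west-1:111111111111:key/00000000-0000-0000-0000-000000000000"]}
  ]
}
"""

# Constructed hardened variant: GenerateDataKey added, SSE-KMS required on upload,
# KMS use restricted to calls made via S3 in the key's region (assumed layout).
HARDENED_POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowListBucket", "Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::my-backups-bucket"},
    {"Sid": "AllowEncryptedPut", "Effect": "Allow", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::my-backups-bucket/*",
     "Condition": {"StringEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Sid": "AllowGet", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::my-backups-bucket/*"},
    {"Sid": "AllowKmsViaS3", "Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
     "Resource": "arn:aws:kms:eu-west-1:111111111111:key/00000000-0000-0000-0000-000000000000",
     "Condition": {"StringEquals": {"kms:ViaService": "s3.eu-west-1.amazonaws.com"}}}
  ]
}
"""


def _as_list(value) -> List[str]:
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def allowed_actions(policy: Dict) -> Dict[str, List[str]]:
    """Map every action in an Allow statement to the resources it is allowed on."""
    out: Dict[str, List[str]] = {}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            out.setdefault(action, []).extend(_as_list(stmt.get("Resource")))
    return out


def check_backup_policy(policy_text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    policy = json.loads(policy_text)
    actions = allowed_actions(policy)
    findings: List[str] = []

    # 1. A backup role should be scoped to one bucket and one key, never "*".
    for action, resources in actions.items():
        for res in resources:
            if action == "*" or res == "*":
                findings.append(f"wildcard grant: {action} on {res}")

    # 2. S3 calls kms:GenerateDataKey to write SSE-KMS objects and kms:Decrypt to read them.
    if "s3:PutObject" in actions and "kms:GenerateDataKey" not in actions:
        findings.append("s3:PutObject allowed but kms:GenerateDataKey missing: SSE-KMS uploads will fail")
    if "s3:GetObject" in actions and "kms:Decrypt" not in actions:
        findings.append("s3:GetObject allowed but kms:Decrypt missing: SSE-KMS downloads will fail")

    # 3. ListBucket targets the bucket ARN; object actions target an object ARN (bucket/...).
    for res in actions.get("s3:ListBucket", []):
        if "/" in res.split(":::")[-1]:
            findings.append(f"s3:ListBucket on object ARN {res}; expected the bucket ARN")
    for action in ("s3:PutObject", "s3:GetObject"):
        for res in actions.get(action, []):
            if "/" not in res.split(":::")[-1]:
                findings.append(f"{action} on bucket ARN {res}; expected an object ARN")

    # 4. Backups must survive a compromised writer: no delete or service-wide grants.
    for action in actions:
        if action.startswith("s3:Delete") or action == "s3:*":
            findings.append(f"destructive action granted: {action}")

    # 5. Allowing encryption is not requiring it: PutObject should carry an SSE-KMS condition.
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and "s3:PutObject" in _as_list(stmt.get("Action")):
            if "s3:x-amz-server-side-encryption" not in json.dumps(stmt.get("Condition", {})):
                findings.append("s3:PutObject has no s3:x-amz-server-side-encryption condition; "
                                "unencrypted uploads are accepted unless the bucket enforces default encryption")
    return findings


if __name__ == "__main__":
    for name, text in (("page policy", POLICY_JSON), ("hardened policy", HARDENED_POLICY_JSON)):
        print(f"{name}: {check_backup_policy(text) or ['no findings']}")
```

Run against the page's policy the script reports exactly two findings (the missing kms:GenerateDataKey and the absent encryption condition) and none against the hardened variant. Keeping GetObject in its own statement matters: the s3:x-amz-server-side-encryption key is only present on upload requests, so a StringEquals condition on a combined Put/Get statement would silently deny every download.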
