Amazon S3 Storage Provider

This guide aims to help you set up Amazon S3 for storing site backups.

Start by signing in to the AWS Management Console.

Create Bucket

Navigate to S3 and click Create bucket.

Enter a unique bucket name. A good naming scheme is “domain-name-backups,” for example, “hellfish-media-backups”.

The region should be geographically close to your server location. This will improve the time it takes to copy backup files from your server to Amazon S3.

All other options can be left as the default values. Scroll down and click Create bucket.

Once the bucket is created, you’ll see it listed with the rest of your buckets. You can also filter buckets by name, if you ever need to find it quickly.

Create IAM User

For SpinupWP to authenticate with Amazon S3, you must create an IAM user. Head over to IAM and click Add user.

Enter a name for the user in the User name field.

Under Access type select the checkbox for Programmatic access, then click Next: Permissions.

To limit the IAM user to the S3 permissions needed for backups, we need to create a custom access policy. Click the Attach existing policies directly button, and then click the Create policy button.

This will open a new “Create policy” window. Click on the JSON tab to open the policy JSON editor.

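Delete what’s there, and paste the following JSON. This policy sets “Resource” to “*”, so it applies to every S3 bucket in the account; to limit it to one bucket, see “Restricting an IAM User to a Specific Bucket” below.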

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject*",
        "s3:GetBucket*",
        "s3:List*",
        "s3:DeleteObject*",
        "s3:PutObject",
        "s3:Abort*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

If your JSON is correct, you will see no errors reported in the status bar at the bottom of the screen, and you can click Next: Tags.

Adding tags is optional, so you can click Next: Review to finalize your policy.

On the “Review policy” page, give your policy a name you will remember, ideally related to the user you’re creating the policy for. This makes it easier to attach to the user later. You can leave everything else as is and click Create policy.

Once you’ve created the policy, go back to your “Add user” window and click the Refresh icon to reload the list of policies. Your newly created policy should appear in that list, which you can filter by searching for the policy name. Tick the checkbox next to the policy name to attach it to the user. Then click Next: Tags.

Optionally add any tags to help identify this user, then click Next: Review.

Confirm that the details are correct and click Create user.

You will be presented with your IAM credentials. Copy the Access key ID and Secret access key. These should be added to SpinupWP when asked for the Access Key ID and Secret Access Key.

Restricting an IAM User to a Specific Bucket

You can also limit the IAM user to certain buckets by explicitly listing those buckets’ Amazon Resource Names (ARNs) in the access policy. This is useful if you manage multiple buckets and want to keep each one secured separately. The downside is that you have to create multiple IAM users, but if one IAM user’s access credentials are leaked, you only have to worry about the contents of one bucket.

Once a bucket has been created, you can copy its ARN from the list of available buckets by selecting the bucket and clicking the Copy ARN button.

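Then, when creating a new policy or editing an existing policy, you can update the policy JSON to list the resource names in the “Resource” element: the bucket ARN itself, which bucket-level actions such as s3:ListBucket apply to, and the ARN followed by /*, which covers the objects inside the bucket.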

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::hellfish-media-backups",
                "arn:aws:s3:::hellfish-media-backups/*"
            ]
        }
    ]
}

When the policy is attached to a specific user, that user will only have access to the bucket(s) specified.
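
As an added example (not SpinupWP's or AWS's own code), the following Python check compares a policy document against the one bucket it is meant for and reports a “Resource” outside that bucket, wildcard actions, and a missing bucket or object ARN. The names audit_s3_policy, BUCKET_LEVEL and MISSING_OBJECTS are assumptions made for illustration; the first two sample policies are copies of the ones on this page.

```python
# Added example: check that an IAM policy only reaches one S3 bucket.
# Simplification (assumption): anything not in BUCKET_LEVEL is treated as object-level.
BUCKET_LEVEL = {"s3:ListBucket", "s3:GetBucketLocation"}

# Copies of the two policies shown on this page.
ACCOUNT_WIDE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["s3:GetObject*", "s3:GetBucket*", "s3:List*",
               "s3:DeleteObject*", "s3:PutObject", "s3:Abort*"]}]}
SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket",
               "s3:DeleteObject", "s3:PutObjectAcl"],
    "Resource": ["arn:aws:s3:::hellfish-media-backups",
                 "arn:aws:s3:::hellfish-media-backups/*"]}]}
# Constructed mistake: the object ARN (bucket/*) was left out.
MISSING_OBJECTS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:PutObject", "s3:ListBucket"],
    "Resource": "arn:aws:s3:::hellfish-media-backups"}]}

def as_list(value):
    """IAM allows a single string where a list is expected."""
    return value if isinstance(value, list) else [value]

def audit_s3_policy(policy, bucket):
    """Return findings for Allow statements that reach beyond `bucket`."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = bucket_arn + "/*"
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = as_list(stmt.get("Resource", []))
        for res in resources:
            if res not in (bucket_arn, object_arn):
                findings.append(f"statement {i}: resource {res} is not limited to {bucket}")
        for action in as_list(stmt.get("Action", [])):
            needed = bucket_arn if action in BUCKET_LEVEL else object_arn
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action}")
            elif needed not in resources and "*" not in resources:
                findings.append(f"statement {i}: {action} has no effect without {needed}")
    return findings

if __name__ == "__main__":
    for name, doc in [("account-wide", ACCOUNT_WIDE), ("scoped", SCOPED),
                      ("missing objects", MISSING_OBJECTS)]:
        print(name, audit_s3_policy(doc, "hellfish-media-backups"))
```

The account-wide policy produces one finding for “Resource”: “*” and one per wildcard action, the bucket-scoped policy produces none, and the constructed third policy shows the common mistake of listing the bucket ARN without the /* object ARN.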

Reducing S3 Cost

Amazon S3 offers many different storage classes but for backups, the Glacier storage class is the best fit, assuming you’re not downloading your backups frequently. Amazon S3 also offers a feature called Lifecycle Rules, which allow you to automate actions on your bucket. We recommend configuring a Lifecycle Rule on your bucket to automatically transition your backups from the Standard storage class to a Glacier storage class after a certain number of days. This will reduce the cost of storing your backups long term.