Amazon S3 Storage Provider
This guide aims to help you set up Amazon S3 for storing site backups.
Start by signing in to the AWS Management Console.
Create Bucket
Navigate to S3 and click Create bucket.
Enter a unique bucket name. A good naming scheme is “domain-name-backups,” for example, “hellfish-media-backups”.
The region should be geographically close to your server location. This will improve the time it takes to copy backup files from your server to Amazon S3.
All other options can be left as the default values. Scroll down and click Create bucket.
Once the bucket is created, you’ll see it listed with the rest of your buckets. You can also filter buckets by name, if you ever need to find it quickly.
Create IAM User
For SpinupWP to authenticate with Amazon S3, you must create an IAM user. Head over to IAM and click Add user.
Enter a name for the user in the User name field.
Under Access type select the checkbox for Programmatic access, then click Next: Permissions.
To limit the IAM user to a restricted set of S3 permissions, we need to create a custom access policy. Click the Attach existing policies directly button, and then click the Create policy button.
This will open a new “Create policy” window. Click on the JSON tab to open the policy JSON editor.
Delete what’s there, and paste the following JSON notation:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:GetObject*",
                "s3:GetBucket*",
                "s3:List*",
                "s3:DeleteObject*",
                "s3:PutObject",
                "s3:Abort*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
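Note that "Resource": "*" makes this policy apply to every bucket in the AWS account. The section "Restricting an IAM User to a Specific Bucket" below shows how to limit it to a single bucket.
If your JSON is correct, you will see no errors reported in the status bar at the bottom of the screen, and you can click Next: Tags.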
Adding tags is optional, so you can click Next: Review to finalize your policy.
On the “Review policy” page, give your policy a name you will remember, ideally related to the user you’re creating the policy for. This makes it easier to attach to the user later. You can leave everything else as is and click Create policy.
Once you’ve created the policy, go back to your “Add user” window, and click the Refresh icon, to refresh the list of policies. Your newly created policy should appear on that list, which you can filter by searching for the policy name. Tick the checkbox next to the policy name to attach it to the user. Then click Next: Tags.
Optionally add any tags to help identify this user, then click Next: Review.
Confirm that the details are correct and click Create user.
You will be presented with your IAM credentials. Copy the Access key ID and Secret access key. These should be added to SpinupWP when asked for the Access Key ID and Secret Access Key.
Restricting an IAM User to a Specific Bucket
You can also limit the IAM user to certain buckets by explicitly listing those buckets' Amazon Resource Names (ARNs) in the access policy. This is useful if you manage multiple buckets and want to keep access to each one separate. The downside is that you have to create multiple IAM users, but if one IAM user’s access credentials are leaked, you only have to worry about the contents of one bucket.
Once a bucket has been created, you can copy its ARN from the list of available buckets by selecting the bucket from the list and clicking on the Copy ARN button.
Then, when creating a new policy or editing an existing policy, you can update the policy JSON to include the resource names in the “Resource” element.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::hellfish-media-backups",
                "arn:aws:s3:::hellfish-media-backups/*"
            ]
        }
    ]
}
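Both resource entries are needed: the first ARN names the bucket itself, which bucket-level actions such as s3:ListBucket are checked against, and the second, ending in /*, covers the objects stored in it.
When the policy is attached to a specific user, that user will only have access to the bucket(s) specified.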
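An added example, not part of the SpinupWP guide: a small Python check that audits the two policies shown above against a single backup bucket and reports wildcard actions, resources outside the bucket, and a missing bucket or object ARN. The policy documents are copied from this guide; the audit function and its finding names are hypothetical.

```python
# Added example: BROAD and SCOPED are the two policies from this guide;
# audit() and its finding names are hypothetical, not an AWS or SpinupWP API.
BROAD = {"Version": "2012-10-17", "Statement": [{
    "Action": ["s3:GetObject*", "s3:GetBucket*", "s3:List*",
               "s3:DeleteObject*", "s3:PutObject", "s3:Abort*"],
    "Resource": "*", "Effect": "Allow"}]}
SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket",
               "s3:DeleteObject", "s3:PutObjectAcl"],
    "Resource": ["arn:aws:s3:::hellfish-media-backups",
                 "arn:aws:s3:::hellfish-media-backups/*"]}]}

def as_list(value):
    # IAM accepts either a single value or a list for these elements.
    return value if isinstance(value, list) else [value]

def audit(policy, bucket):
    """Return (statement index, finding, detail) tuples for one backup bucket."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))
        # Only the bucket ARN itself, or keys under "<bucket>/", are in scope;
        # a look-alike such as "<bucket>-old" must not pass a prefix match.
        outside = [r for r in resources
                   if r != bucket_arn and not r.startswith(bucket_arn + "/")]
        if outside:
            findings.append((i, "resource-outside-bucket", outside))
            # Skip the ARN-form checks below: the statement is not scoped.
        wild = [a for a in actions if "*" in a]
        if wild:
            findings.append((i, "wildcard-action", wild))
        if not outside:
            # ListBucket is checked against the bucket ARN, object actions
            # against object ARNs, so a scoped policy needs both forms.
            if "s3:ListBucket" in actions and bucket_arn not in resources:
                findings.append((i, "list-needs-bucket-arn", [bucket_arn]))
            has_object_arn = any(r.startswith(bucket_arn + "/") for r in resources)
            if any("Object" in a for a in actions) and not has_object_arn:
                findings.append((i, "objects-need-object-arn", [bucket_arn + "/*"]))
    return findings

if __name__ == "__main__":
    for name, policy in (("broad", BROAD), ("scoped", SCOPED)):
        print(name, audit(policy, "hellfish-media-backups"))
```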
Reducing S3 Cost
Amazon S3 offers many different storage classes, but for backups the Glacier storage class is the best fit, assuming you’re not downloading your backups frequently. Amazon S3 also offers a feature called Lifecycle Rules, which allows you to automate actions on your bucket. We recommend configuring a Lifecycle Rule on your bucket to automatically transition your backups from the Standard storage class to a Glacier storage class after a certain number of days. This will reduce the cost of storing your backups long term.