Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsIT Pro and developersArq S3 Policy?
mgeek

123 posts

Master Geek
+1 received by user: 20


#253148 29-Jul-2019 14:48
Send private message

Has anyone got a sample S3 policy to set up a user for Arq?

 

 

It looks like something has changed in Arq since the docs, as I don't see the 'create restricted user' option - just 'change credentials'. And they don't seem to list permissions required anywhere.

Create new topic
mgeek

123 posts

Master Geek
+1 received by user: 20


  #2285613 30-Jul-2019 11:18
Send private message

Answering my own question...

 

 

Arq support (fast response!) say the 'Create Restricted IAM User' button is only in the Mac version, not the Windows version. But they also pointed to a doc page I didn't find with a sample policy here:-

 

https://www.arqbackup.com/documentation/pages/create_aws_key_pair.html

 

 

Basically the suggestion is to create a wildcard 'all S3 permissions' policy restricted to just the bucket you are using for backups.



timmmay
20858 posts

Uber Geek
+1 received by user: 5350

Trusted
Lifetime subscriber

  #2285656 30-Jul-2019 12:39
Send private message

Yes, the policy on that page is appropriate. It gives you access to the bucket, the bucket contents, and also to list the buckets in the account. I would create the policy, assign it to a group, then create an IAM user to put into that group. Make sure you use the credentials (access / secret key) of the IAM user not of the root user. The root user shouldn't have keys, and that account should never be used. Create yourself a separate admin account with MFA set up.

 

B2 is easier, and cheaper, but S3 is likely to be more reliable given that data is stored in three data centers and has S3 more features.

mgeek

123 posts

Master Geek
+1 received by user: 20


  #2285732 30-Jul-2019 13:42
Send private message

All good advice :-)

 

 

I've had Arq > B2 set up for a while now (ultimately to replace CrashPlan) - as you say, very easy to setup, and dead cheap.

 

 

The plan now is to add S3 (Glacier) as a secondary backup.



timmmay
20858 posts

Uber Geek
+1 received by user: 5350

Trusted
Lifetime subscriber

  #2285749 30-Jul-2019 14:07
Send private message

Suggestions:

 

  • Enable encryption inside S3
  • Enable object versioning in S3 to protect against accidental deletion / ransomware
  • Use S3 deep archive class for data files. Make sure you use standard or IA class for things like indexes or files that are changed, because you'll be charged a minimum of 6 months for storage in deep archive class. If Arq doesn't support this you can use a bucket lifecycle rule. I do this for my restic data, everything in the data folder (or something like that) get transitioned to IA class. I don't use Glacier class with backup tools, but I do use it when I upload large amounts of bulk data for backup

Create new topic








Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.








RSS feeds
Main feed
Forums feed
Copyright
©2002-2026 Geekzone®
Site features
Geekzone BI dashboard
Geekzone Badges
Geekzone Status Page

 

Site Information
Subscribe to Geekzone
Privacy Statement
Forum Usage Guidelines (FUG)
Advertising
Trademark and copyright