BackWPup to S3 – IAM policy

If you’re planning on using BackWPup to back up to Amazon’s S3 storage service, here’s an IAM policy which has worked for me.

So that someone who hacks your WordPress site cannot then delete your backups, this policy does not grant permission to delete them. On the “To: S3 Service” tab, change the “File Deletion” entry to 0 to stop BackWPup trying. You’ll have to manage the backups yourself via an S3 file manager.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:GetBucketAcl",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": "arn:aws:s3:::<bucket_name>"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:ListMultipartUploadParts",
        "s3:AbortMultipartUpload"
      ],
      "Resource": "arn:aws:s3:::<bucket_name>/<folder_name>/*"
    }
  ]
}

Change <bucket_name> to the name of your S3 bucket. Change <folder_name> to the name of the folder to store the backups in (can be a subdirectory, e.g. “myblog/backups”).

The first section enables listing of your buckets.

The second enables some bucket operations – looks like BackWPup uses the “ListBucketMultipartUploads” permission if you’ve got “Multipart upload” enabled, and performs a check to list incomplete multipart uploads prior to performing the actual backup.

The third part enables you to do the backup. If you want WordPress to manage the backups, then you should add “s3:DeleteObject” to the permissions list in this section.
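To check what the three statements above actually permit before attaching the policy, here is an added example (not part of the original post, and not BackWPup or AWS code) that evaluates the policy offline against a few constructed requests. The bucket name example-backups, the folder myblog/backups and the file site.zip are assumptions, and the evaluator is a simplified model of IAM that ignores Condition, NotAction and NotResource.

```python
import json
import re

# The page's policy, with constructed sample names substituted for the
# <bucket_name> and <folder_name> placeholders (assumptions).
POLICY = json.loads("""
{"Statement": [
  {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"],
   "Resource": "arn:aws:s3:::*"},
  {"Effect": "Allow",
   "Action": ["s3:ListBucket", "s3:GetBucketLocation",
              "s3:GetBucketAcl", "s3:ListBucketMultipartUploads"],
   "Resource": "arn:aws:s3:::example-backups"},
  {"Effect": "Allow",
   "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectAcl",
              "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"],
   "Resource": "arn:aws:s3:::example-backups/myblog/backups/*"}
]}
""")
BUCKET = "arn:aws:s3:::example-backups"
FOLDER = BUCKET + "/myblog/backups/"

def _match(pattern, value, flags=0):
    """IAM-style wildcards: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, flags) is not None

def _listify(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource):
    """Explicit Deny wins, then any Allow, otherwise implicit deny.
    Simplified: Condition, NotAction and NotResource are not handled."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_match(a, action, re.I) for a in _listify(stmt["Action"])):
            continue
        if not any(_match(r, resource) for r in _listify(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

if __name__ == "__main__":
    # Constructed requests: a backup run, then calls the policy should refuse.
    for req in [("s3:ListBucket", BUCKET), ("s3:PutObject", FOLDER + "site.zip"),
                ("s3:DeleteObject", FOLDER + "site.zip"),
                ("s3:PutObject", BUCKET + "/other/site.zip")]:
        print("ALLOW" if is_allowed(POLICY, *req) else "DENY ", *req)
```

s3:PutObject also permits writing over an existing key, so pairing this policy with S3 bucket versioning keeps earlier copies of a backup; removing a stored version needs s3:DeleteObjectVersion, which the policy does not grant.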
