Last modified June 24, 2025

Isolating S3 Bucket Access

To enhance security and control over your JetBackup Storage S3 Buckets, it is best practice to isolate access by creating dedicated IAM sub-users with restricted permissions. This guide walks you through creating a sub-user, generating access keys, and attaching a bucket-specific policy.

Step 1: Create a bucket

Log in to the JetBackup Storage Console, locate the “buckets” tab, and click “Add Bucket”.

Ensure that Bucket Versioning / Object Lock is not selected.

Step 2: Creating a Sub-User

Navigate to the ‘Users’ tab, and click ‘Add User’.

Fill out the E-Mail and Password for the user.

After the user is created, navigate to the ‘Users’ tab and click the pencil icon next to the sub-user to edit their properties.

Step 3: Generating Access Keys

In the sub-user's profile, navigate to the ‘Access Keys’ tab and click ‘Add access key’.

Save these credentials securely. They will be required for any API or backup tool that will access the S3 bucket.

Step 4: Create the Inline Policy

Navigate to the ‘Inline Policies’ tab and click ‘Create new Policy’.

Enter a unique name for the Inline Policy and add the relevant entries for “Action” and “Resources”. In the “Resource” section, be sure to specify the exact bucket the sub-user should have access to. Here’s an example policy:

{
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:ListBucketVersions",
                "s3:ListBucketMultipartUploads",
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:GetObjectTagging",
                "s3:GetBucketObjectLockConfiguration",
                "s3:GetBucketVersioning",
                "s3:GetObjectLegalHold",
                "s3:GetObjectRetention",
                "s3:CreateBucket",
                "s3:PutBucketObjectLockConfiguration",
                "s3:PutBucketVersioning",
                "s3:DeleteObjectVersion",
                "s3:PutObjectRetention",
                "s3:BypassGovernanceRetention",
                "s3:DeleteObject",
                "s3:DeleteObjectTagging",
                "s3:PutObject",
                "s3:PutObjectTagging",
                "s3:PutObjectAcl",
                "s3:CreateMultipartUpload",
                "s3:UploadPart",
                "s3:ListMultipartUploadParts",
                "s3:CompleteMultipartUpload",
                "s3:AbortMultipartUpload"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME",
                "arn:aws:s3:::BUCKET_NAME/*"
            ],
            "Sid": "1728907013030"
        }
    ],
    "Version": "2012-10-17"
}

Lastly, add the destination to JetBackup 5 by filling out the form with the S3 bucket details and the access credentials you just created. This ensures that JetBackup can securely connect to the bucket using the sub-user with limited bucket permissions, following best practices for access control and data protection.
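A check to run on the Step 4 policy before attaching it, as an added example (not JetBackup's code): it reports any Allow statement whose Resource reaches beyond the one intended bucket, including a leftover BUCKET_NAME placeholder. The function name audit_policy, the bucket name acme-backups and both sample policies are constructed for illustration.

```python
import json

ARN = "arn:aws:s3:::"

def as_list(value):
    """IAM accepts a single string/object wherever a list is expected."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json, bucket):
    """Return findings for Allow statements that reach beyond `bucket`.

    An empty list means every Allow is confined to the bucket and its objects.
    """
    bucket_arn = ARN + bucket
    findings = []
    for n, stmt in enumerate(as_list(json.loads(policy_json).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        for key in ("NotAction", "NotResource"):
            if key in stmt:
                findings.append(f"statement {n}: {key} in an Allow matches everything not listed")
        for action in as_list(stmt.get("Action")):
            if action.lower() in ("*", "s3:*"):
                findings.append(f"statement {n}: wildcard action {action!r}")
        for res in as_list(stmt.get("Resource")):
            # Accept the bucket itself or keys under it. "bucket*" is rejected
            # because it also matches sibling buckets such as "bucket-other".
            if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                findings.append(f"statement {n}: resource {res!r} is outside {bucket!r}")
    return findings

# Constructed sample policies (not taken from the guide).
SCOPED = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
    "Resource": ["arn:aws:s3:::acme-backups", "arn:aws:s3:::acme-backups/*"]}]})
TOO_BROAD = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::acme-backups*", "arn:aws:s3:::*"]}})

if __name__ == "__main__":
    for name, doc in (("SCOPED", SCOPED), ("TOO_BROAD", TOO_BROAD)):
        print(name, audit_policy(doc, "acme-backups") or "ok")
```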