If you have a WordPress blog, it makes sense to back up your data automatically to a cloud storage service. AWS S3 is the most popular, and many WordPress plugins let you schedule backups to be uploaded to it automatically. One plugin that does a very good job is BackWPup. Even with the free version, you can have your backups saved to the cloud very easily.

When using S3 or any other cloud solution, you must provide some sort of authentication. It is good practice to grant only the required permissions and nothing more.

When BackWPup uploads to S3, the minimum permissions it needs are listed below.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucketMultipartUploads",
                "s3:AbortMultipartUpload",
                "s3:ListBucketVersions",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetBucketLocation",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::your-bucket-name",
                "arn:aws:s3:::your-bucket-name/*"
            ]
        }
    ]
}

How to securely back up your WordPress site?

If you are using the plugin to upload backups to S3, you should make your S3 key very specific to this task.

  • Restrict the bucket: The most important step here is to ensure you select only the bucket where your backups will be stored. This limits the risk of all your other buckets getting compromised if your backup key is leaked. The plugin could be better here and work without requiring the GetObject permission: a write-only permission would be even safer, but the plugin does not work if you remove GetObject.
  • Do not use the same bucket for multiple websites: if you share the key among multiple websites and one gets compromised, the key can be used to read the backups of your other sites and potentially compromise them as well.
  • Restrict the SourceIp when creating your AWS policy: by doing this, the key will not work outside of the server hosting your site. This is a very good security measure to keep your backups from being copied or erased if someone gets your key but has no access to your server.
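The SourceIp restriction described in the last point, applied to the policy above. This is an added example, not part of the original post: the address 203.0.113.10/32 is a placeholder from the documentation range and stands for your web server's public IP, and your-bucket-name is the same placeholder used earlier.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BackupOnlyFromWebServer",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucketMultipartUploads",
                "s3:AbortMultipartUpload",
                "s3:ListBucketVersions",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetBucketLocation",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::your-bucket-name",
                "arn:aws:s3:::your-bucket-name/*"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "203.0.113.10/32"
                }
            }
        }
    ]
}
```

The aws:SourceIp key matches the public address that S3 sees for the request. If the server reaches S3 through a VPC endpoint, that key is not available and the condition has to use aws:VpcSourceIp or aws:SourceVpce instead.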