WordPress Backwpup to S3 and AWS permissions
If you have a WordPress blog, it makes sense to back up your data automatically to a cloud storage service. AWS S3 is the most popular, and many WordPress plugins let you schedule your backups to be uploaded to it automatically. One plugin that does a very good job is Backwpup. Even with the free version, you can have your backups saved to the cloud very easily.
When using S3 or any other cloud solution, you must provide some sort of authentication. It is good practice to grant only the required permissions and nothing more.
When uploading to S3 with Backwpup, the minimum permissions you will need are listed below.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucketMultipartUploads",
        "s3:AbortMultipartUpload",
        "s3:ListBucketVersions",
        "s3:ListBucket",
        "s3:DeleteObject",
        "s3:GetBucketLocation",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ]
    }
  ]
}
```
How to securely back up your WordPress site?
If you are using the plugin to upload backups to S3, you should make your S3 key very specific to this task.
- Restrict the bucket: The most important step here is to ensure you select only the bucket where your backups will be stored. This limits the risk of all your other buckets being compromised if your backup key is leaked. The plugin could be better and work without requiring the GetObject permission: a write-only permission would be even safer, but the plugin does not work if you remove the GetObject permission.
- Do not use the same bucket for multiple websites: if you share the key among multiple websites and one gets compromised, the key can be used to read the backups of your other sites and potentially compromise them as well.
- Restrict the SourceIp when creating your AWS policy: by doing this, the key will not work outside of the server hosting your site. This is a very good security measure to prevent your backups from being copied or erased if someone gets your key but has no access to your server.
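The following is an added example, not code from this post or from the plugin: it builds the policy above with an `aws:SourceIp` condition for one bucket, and audits an existing policy document against the three recommendations. The bucket name `example-site-backups` and the address `203.0.113.10` are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

# Actions copied from the policy listed on this page.
BACKUP_ACTIONS = {
    "s3:PutObject", "s3:GetObject", "s3:ListBucketMultipartUploads",
    "s3:AbortMultipartUpload", "s3:ListBucketVersions", "s3:ListBucket",
    "s3:DeleteObject", "s3:GetBucketLocation", "s3:ListMultipartUploadParts",
}

def _as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])

def build_policy(bucket, server_ip):
    """The page's policy, scoped to one bucket and one source IP or CIDR."""
    cidr = str(ipaddress.ip_network(server_ip, strict=False))  # rejects bad input
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(BACKUP_ACTIONS),
            "Resource": [arn, f"{arn}/*"],
            "Condition": {"IpAddress": {"aws:SourceIp": cidr}},
        }],
    }

def audit_policy(policy):
    """Return findings for Allow statements that break the rules listed above."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        # Bucket name is the part of the ARN after ':::' and before any '/'.
        buckets = {r.split(":::", 1)[-1].split("/", 1)[0]
                   for r in _as_list(st.get("Resource"))}
        if any("*" in b or "?" in b for b in buckets):
            findings.append(f"statement {i}: wildcard bucket in Resource")
        elif len(buckets) > 1:
            findings.append(f"statement {i}: more than one bucket in Resource")
        extra = sorted(set(_as_list(st.get("Action"))) - BACKUP_ACTIONS)
        if extra:
            findings.append(f"statement {i}: actions beyond the backup set: {extra}")
        ip_cond = st.get("Condition", {}).get("IpAddress", {})
        if not any(k.lower() == "aws:sourceip" for k in ip_cond):
            findings.append(f"statement {i}: no aws:SourceIp restriction")
    return findings
```

`aws:SourceIp` matches the public address the request arrives from, so use the server's outbound public IP; requests that reach S3 through a VPC endpoint do not carry this key and need a different condition.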
About the author
IT professional with over 20 years of experience in industry. BSc in Computational Mathematics, always learning and enthusiastic about software development and automation. Full stack developer proficient in Javascript, Node, React, Python, Docker, API design and many more!