S3Bubble OTT Streaming

S3Bubble Support Forums

Viewing 5 reply threads
  • Author
    Posts
    • #30121
      dani74
      Participant

      I am wondering what backup options I should choose for the S3 buckets. I would like to protect the videos from accidental deletion. Will S3Bubble work if there is versioning enabled with MFA Delete protection? Or should I find a way to create incremental backups to another bucket with Glacier storage? Currently I have more than 200GB of data and growing.

    • #30122
      s3bubble
      Keymaster

      Hi dani74,

      You can attach a no-delete policy to your S3 bucket.

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "Stmt1480692207000",
                  "Effect": "Deny",
                  "Action": [
                      "s3:DeleteBucket",
                      "s3:DeleteBucketPolicy",
                      "s3:DeleteBucketWebsite",
                      "s3:DeleteObject",
                      "s3:DeleteObjectVersion"
                  ],
                  "Resource": [
                      "arn:aws:s3:::<bucketname>/*"
                  ]
              }
          ]
      }

      The above would prevent any objects from being deleted within your bucket.

      Best Regards

      Sam

      • This reply was modified 7 years, 1 month ago by s3bubble.
    • #30126
      dani74
      Participant

      When I try to add the policy I get the following error:

      Error
      Missing required field Principal

      Not sure what to put as the principal. I looked at the AWS docs and there are a lot of options; it could be “*”, but I am not sure what is best to put. Please advise.

      Also, once I put “s3:DeleteBucketPolicy”, will I be able to change the policy in the future if I need to delete an object in the bucket?

    • #30129
      s3bubble
      Keymaster

      Hi dani74,

      Thanks for the update. We took a look at doing this ourselves on a test bucket; the bucket already had a CloudFront lockdown policy, so we looked to apply it to this.

      The current bucket policy was:

      {
          "Version": "2008-10-17",
          "Id": "S3BubbleCloudfrontSecurity",
          "Statement": [
              {
                  "Sid": "S3BubbleAllow",
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E2D70SZTA01982"
                  },
                  "Action": "s3:GetObject",
                  "Resource": "arn:aws:s3:::s3bubble-test-support/*"
              }
          ]
      }

      After trying to add the policy we stated above, we had the same issue, which seemed to be related to the “s3:DeleteBucket” action; this may need to be applied to a user policy.

      After testing, the full policy below works for us.

      {
          "Version": "2008-10-17",
          "Id": "S3BubbleCloudfrontSecurity",
          "Statement": [
              {
                  "Sid": "S3BubbleAllow",
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E2D70SZTA01982"
                  },
                  "Action": "s3:GetObject",
                  "Resource": "arn:aws:s3:::s3bubble-test-support/*"
              },
              {
                  "Sid": "S3BubbleDenyDelete",
                  "Effect": "Deny",
                  "Principal": "*",
                  "Action": [
                      "s3:DeleteObject",
                      "s3:DeleteObjectVersion"
                  ],
                  "Resource": "arn:aws:s3:::s3bubble-test-support/*"
              }
          ]
      }

      After adding this policy and saving we then tried to delete an object through S3Bubble admin and got the correct Access Denied message.

      You can remove and add policies as needed.

      Hope this helps

      Best Regards

      Sam

      • This reply was modified 7 years, 1 month ago by s3bubble.
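
Added example, not part of the original posts or S3Bubble's code: an offline check for the two problems the thread runs into with the first policy, a missing `Principal` and bucket-level delete actions paired with an object-only `Resource` ARN. The action sets, the function names and `example-bucket` are assumptions made for the illustration.

```python
# Added example: offline lint for the two bucket-policy problems in this thread.
# The action sets are a small constructed subset, not a full list of S3 actions.
BUCKET_ACTIONS = {"s3:DeleteBucket", "s3:DeleteBucketPolicy", "s3:DeleteBucketWebsite"}
OBJECT_ACTIONS = {"s3:DeleteObject", "s3:DeleteObjectVersion", "s3:GetObject"}

def as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def lint_bucket_policy(policy):
    """Return a list of findings for a bucket (resource-based) policy dict."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        sid = stmt.get("Sid", f"#{i}")
        # A resource-based policy must say who each statement applies to.
        if "Principal" not in stmt and "NotPrincipal" not in stmt:
            findings.append(f"{sid}: missing Principal")
        # Part after ":::" is "bucket" (bucket ARN) or "bucket/key" (object ARN).
        paths = [r.split(":::", 1)[-1] for r in as_list(stmt.get("Resource", []))]
        has_object_arn = any("/" in p or p == "*" for p in paths)
        has_bucket_arn = any("/" not in p for p in paths)
        for action in as_list(stmt.get("Action", [])):
            if action in BUCKET_ACTIONS and not has_bucket_arn:
                findings.append(f"{sid}: {action} needs the bucket ARN")
            if action in OBJECT_ACTIONS and not has_object_arn:
                findings.append(f"{sid}: {action} needs an object ARN")
    return findings

# Constructed inputs modelled on the first and the working policy in the thread.
FIRST_ATTEMPT = {
    "Statement": [{
        "Sid": "Stmt1480692207000",
        "Effect": "Deny",
        "Action": ["s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion"],
        "Resource": ["arn:aws:s3:::example-bucket/*"],
    }],
}
WORKING = {
    "Statement": [{
        "Sid": "S3BubbleDenyDelete",
        "Effect": "Deny",
        "Principal": "*",
        "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

print(lint_bucket_policy(FIRST_ATTEMPT), lint_bucket_policy(WORKING))
```
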
    • #30149
      dani74
      Participant

      I attached the above policy to a test bucket and used only the deny statement and it works fine:
      {
          "Version": "2008-10-17",
          "Id": "S3BubbleCloudfrontSecurity",
          "Statement": [
              {
                  "Sid": "S3BubbleDenyDelete",
                  "Effect": "Deny",
                  "Principal": "*",
                  "Action": [
                      "s3:DeleteObject",
                      "s3:DeleteObjectVersion"
                  ],
                  "Resource": "arn:aws:s3:::<bucket-name>/*"
              }
          ]
      }

      But this is a little bit inconvenient for me, as the HLS encoding and encryption has to be done in the same bucket, which leaves the original video file in the bucket. I would like to delete the original files as they are huge and I have to pay for storage. Also, what if the bucket itself gets deleted by mistake, or if somebody gains access to the account with malicious intent? I know these are very rare probabilities, but back to the general question: is there a way to back up the whole bucket somehow and have a script checking for new files and backing them up on a regular basis?

    • #30170
      s3bubble
      Keymaster

      Hi dani74,

      I think what you need to do is remove the delete policy from the IAM user; you have full control over what actions you can allow for your setup user.

      Here is what we did for testing.

      Go to IAM users: https://console.aws.amazon.com/iam/home

      Select your group or user depending on how you have attached S3Bubble.

      You can detach the AmazonS3FullAccess policy and then create an inline policy.

      Select the policy generator; you can then select:

      Effect: Allow
      AWS Service: S3
      Actions: Select every action here you would like this policy to allow.

      You have full control over the permissions you would like this policy to have.

      Hope this helps

      Best Regards

      Sam

  • The topic ‘Bucket Backup’ is closed to new replies.