
How to Set Up a Secure Programmatic Access to Impossible Cloud Storage for Backup Applications

This article provides a step-by-step guide on how to enhance security for backup software by applying best practices in IAM (Identity and Access Management).

To keep your data safe, it's essential to follow core cybersecurity principles like the Principle of Least Privilege and Separation of Duties. This guide puts those principles into practice by showing you exactly how to create a secure, dedicated user for your backup software. By following these steps, you will ensure your backup process has only the permissions it needs, significantly reducing your security risk.

This guide covers how to create a new IAM user, assign it a restrictive access policy using an inline policy, and generate the programmatic access keys needed by your backup application.

Step 1: Create a Dedicated IAM User

First, you need to create a new IAM (Identity and Access Management) user. This user will be used exclusively by your backup software.

  1. Log in to the Impossible Cloud Storage Console (ICSC).

  2. Navigate to the users menu.

  3. Click on "Add user" in the top-right corner.

  4. Enter an email address or username that clearly describes its purpose, for example backup.user@example.com.

  5. Do not forget to uncheck the "Enable Console Access" checkbox. This will allow only "Programmatic access" for the user. This is a key part of the Principle of Least Privilege, as your backup software does not need to log in to ICSC.

Step 2: Assign a Proper IAM Policy

By default, a new IAM user has no permissions - it cannot access any of your resources. You need to attach a policy that grants it the specific permissions required for backups. For simplicity, we will use an inline policy in this example.

  1. After creating the user, select it from the user list and go to the "Inline Policies" tab.

  2. Click "Create New Policy".

  3. Give the policy a meaningful name, for example backup-permission-my-bucket.

  4. Use the JSON editor and paste a policy that grants access only to the necessary backup bucket and actions.

Here is an example policy that allows the user to perform immutable backup operations in Veeam to a specific bucket named my-backup-bucket:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:ListAllMyBuckets",
        "s3:GetBucketVersioning",
        "s3:GetBucketObjectLockConfiguration",
        "s3:ListBucketVersions",
        "s3:GetObjectVersion",
        "s3:GetObjectRetention",
        "s3:GetObjectLegalHold",
        "s3:PutObjectRetention",
        "s3:PutObjectLegalHold",
        "s3:DeleteObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::my-backup-bucket",
        "arn:aws:s3:::my-backup-bucket/*"
      ]
    }
  ]
}

Note: While inline policies are great for single users, if you have multiple backup services, you could create a single IAM policy in the policy menu and assign it to an IAM group for easier management.

Depending on the application, the user may require additional actions to run the backup job. Please consult your backup software's documentation for the list of required actions and include them in your policy.
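Before pasting a policy into the JSON editor, it is worth checking that it really is scoped to one bucket and still carries the Object Lock permissions an immutable backup job needs. The following is an added example (not part of this article or of the ICSC console) that audits a policy document offline: it flags wildcard or non-storage actions, any resource outside the named bucket, and any missing immutability action. The audited policies are constructed copies, and the bucket name my-backup-bucket is the one used above.

```python
import json

# Object Lock permissions the article's policy grants for immutable backups.
IMMUTABILITY_ACTIONS = {"s3:GetBucketVersioning", "s3:GetBucketObjectLockConfiguration",
                        "s3:ListBucketVersions", "s3:GetObjectVersion",
                        "s3:GetObjectRetention", "s3:PutObjectRetention"}

def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)

def audit_backup_policy(policy: dict, bucket: str) -> list:
    """Return findings as strings; an empty list means the policy passes every check."""
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings, granted = [], set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, so they are not audited here
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"wildcard action {action!r}")
            elif not action.startswith("s3:"):
                findings.append(f"non-storage action {action!r}")
            granted.add(action)
        for res in _as_list(stmt.get("Resource", [])):
            if res not in allowed:
                findings.append(f"resource {res!r} is outside bucket {bucket!r}")
    missing = IMMUTABILITY_ACTIONS - granted
    if missing:
        findings.append("missing immutability actions: " + ", ".join(sorted(missing)))
    return findings

# Constructed copy of the article's inline policy, as pasted into the JSON editor.
ARTICLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["s3:ListBucket", "s3:GetBucketLocation", "s3:GetObject", "s3:PutObject",
    "s3:DeleteObject", "s3:ListAllMyBuckets", "s3:GetBucketVersioning",
    "s3:GetBucketObjectLockConfiguration", "s3:ListBucketVersions", "s3:GetObjectVersion",
    "s3:GetObjectRetention", "s3:GetObjectLegalHold", "s3:PutObjectRetention",
    "s3:PutObjectLegalHold", "s3:DeleteObjectVersion"],
  "Resource": ["arn:aws:s3:::my-backup-bucket", "arn:aws:s3:::my-backup-bucket/*"]}]}""")

# Constructed over-broad policy of the kind this article steers you away from.
OVERBROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    for name, pol in (("article", ARTICLE_POLICY), ("overbroad", OVERBROAD_POLICY)):
        print(name, audit_backup_policy(pol, "my-backup-bucket") or ["OK"])
```

Running the script reports OK for the article's policy and three findings for the over-broad one; rerun it with your own bucket name whenever you edit the policy.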

Step 3: Generate the Access Key

Now that the user has the right permissions, the final step is to generate the access key that your backup software will use.

  1. Select the backup.user@example.com user and navigate to the "Access Keys" tab.

  2. Click "Add access key" to generate a new access key and secret key.

  3. The console will display an access key and a secret key. This is the only time the secret key will be shown, so copy it or download it as a CSV file and store it in a secure location.

  4. Provide these keys to your backup software configuration.

Conclusion

You have now successfully created a secure, isolated IAM user for your backup software by applying the Principle of Least Privilege and Separation of Duties. This user has only the permissions it needs to do its job and cannot be used to log in to the console or access other resources, dramatically improving your security posture.

If you have any questions or need further assistance, please do not hesitate to contact our support team at help@impossiblecloud.com.