- Enable Multi-Factor Authentication on the Sub-Account
- Create a bucket (each PC being backed up goes in its own bucket)
- Create two folders inside the bucket: one for the Duplicati files and one for a backup of the Duplicati database.
- Create a user (each PC being backed up should have its own user)
- Create and apply a policy to the user (not the bucket)
- Test the Wasabi policy
1. Create a bucket with the following naming convention: "duplicati-pcname", where "pcname" is the actual name of the computer.
2. Create two folders inside the bucket. One is for the Duplicati backups of files on the computer and the other is for a backup of the Duplicati database. This comes into play later when restoring very large backups (100 GB and up). Instead of pointing Duplicati at the backup files and letting it rebuild a new local database, which is slow, we can copy the saved database back into place and the restore finishes much faster.
3. Create a Wasabi user and save the access key and secret key (one user and one set of keys per computer to be backed up).
4. Create a policy and apply it to the Wasabi user.
Bucket name: "duplicati-pcname"

Folders inside the bucket:
- duplicati
- duplicati-database

Policy statements (by Sid):
- AllowRootAndHomeListingOfCompanyBucket
- AllowListingOfUserFolder
- AllowAllS3ActionsInUserFolder
Policy template (replace "duplicati-pcname" with the bucket name for the computer):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUserToSeeBucketListInTheConsole",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation",
        "s3:GetBucketCompliance"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Sid": "AllowRootAndHomeListingOfCompanyBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::duplicati-pcname",
      "Condition": {
        "StringEquals": {
          "s3:delimiter": "/",
          "s3:prefix": [
            "",
            "duplicati"
          ]
        }
      }
    },
    {
      "Sid": "AllowRootAndHomeListingOfCompanyBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::duplicati-pcname",
      "Condition": {
        "StringEquals": {
          "s3:delimiter": "/",
          "s3:prefix": [
            "",
            "duplicati-database"
          ]
        }
      }
    },
    {
      "Sid": "AllowListingOfUserFolder",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::duplicati-pcname",
      "Condition": {
        "StringLike": {
          "s3:prefix": "duplicati/*"
        }
      }
    },
    {
      "Sid": "AllowListingOfUserFolder",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::duplicati-pcname",
      "Condition": {
        "StringLike": {
          "s3:prefix": "duplicati-database/*"
        }
      }
    },
    {
      "Sid": "AllowAllS3ActionsInUserFolder",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::duplicati-pcname/duplicati*"
    },
    {
      "Sid": "AllowAllS3ActionsInUserFolder",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::duplicati-pcname/duplicati-database*"
    },
    {
      "Effect": "Deny",
      "Action": "s3:DeleteBucket",
      "Resource": [
        "arn:aws:s3:::duplicati-pcname",
        "arn:aws:s3:::duplicati-pcname/*"
      ]
    }
  ]
}
```
The same policy rendered for the bucket "duplicati-desktop-488gd38":

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUserToSeeBucketListInTheConsole",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation",
        "s3:GetBucketCompliance"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Sid": "AllowRootAndHomeListingOfCompanyBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::duplicati-desktop-488gd38",
      "Condition": {
        "StringEquals": {
          "s3:delimiter": "/",
          "s3:prefix": [
            "",
            "duplicati"
          ]
        }
      }
    },
    {
      "Sid": "AllowRootAndHomeListingOfCompanyBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::duplicati-desktop-488gd38",
      "Condition": {
        "StringEquals": {
          "s3:delimiter": "/",
          "s3:prefix": [
            "",
            "duplicati-database"
          ]
        }
      }
    },
    {
      "Sid": "AllowListingOfUserFolder",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::duplicati-desktop-488gd38",
      "Condition": {
        "StringLike": {
          "s3:prefix": "duplicati/*"
        }
      }
    },
    {
      "Sid": "AllowListingOfUserFolder",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::duplicati-desktop-488gd38",
      "Condition": {
        "StringLike": {
          "s3:prefix": "duplicati-database/*"
        }
      }
    },
    {
      "Sid": "AllowAllS3ActionsInUserFolder",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::duplicati-desktop-488gd38/duplicati*"
    },
    {
      "Sid": "AllowAllS3ActionsInUserFolder",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::duplicati-desktop-488gd38/duplicati-database*"
    },
    {
      "Effect": "Deny",
      "Action": "s3:DeleteBucket",
      "Resource": [
        "arn:aws:s3:::duplicati-desktop-488gd38",
        "arn:aws:s3:::duplicati-desktop-488gd38/*"
      ]
    }
  ]
}
```
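The "Test the Wasabi policy" step is worth doing on paper before the keys are handed to a computer. The following is an added example, not part of the original guide: it embeds the policy template above, renders it for one PC name, and runs a simplified IAM evaluation (explicit Deny wins, otherwise any matching Allow, every condition key must be present and match) over a set of constructed requests. The bucket `duplicati-laptop-example` and all object keys are constructed for the example. One thing it makes visible: the object statements use the resource pattern `duplicati*`, so a key that merely starts with "duplicati" (for instance `duplicati-old/x`) is readable and writable even though the listing conditions only admit the two folders. Run it with `python3 policy_check.py`; it does not replace a real test against the Wasabi endpoint with the user's own keys.

```python
import fnmatch
import json

# The guide's policy template (bucket duplicati-pcname), reproduced so this file is self-contained.
POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowUserToSeeBucketListInTheConsole", "Effect": "Allow",
     "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketCompliance"],
     "Resource": "arn:aws:s3:::*"},
    {"Sid": "AllowRootAndHomeListingOfCompanyBucket", "Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::duplicati-pcname",
     "Condition": {"StringEquals": {"s3:delimiter": "/", "s3:prefix": ["", "duplicati"]}}},
    {"Sid": "AllowRootAndHomeListingOfCompanyBucket", "Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::duplicati-pcname",
     "Condition": {"StringEquals": {"s3:delimiter": "/", "s3:prefix": ["", "duplicati-database"]}}},
    {"Sid": "AllowListingOfUserFolder", "Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::duplicati-pcname",
     "Condition": {"StringLike": {"s3:prefix": "duplicati/*"}}},
    {"Sid": "AllowListingOfUserFolder", "Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::duplicati-pcname",
     "Condition": {"StringLike": {"s3:prefix": "duplicati-database/*"}}},
    {"Sid": "AllowAllS3ActionsInUserFolder", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::duplicati-pcname/duplicati*"},
    {"Sid": "AllowAllS3ActionsInUserFolder", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::duplicati-pcname/duplicati-database*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket",
     "Resource": ["arn:aws:s3:::duplicati-pcname", "arn:aws:s3:::duplicati-pcname/*"]}
  ]
}"""


def build_policy(pcname: str) -> dict:
    """Render the template for one computer; its bucket is duplicati-<pcname>."""
    return json.loads(POLICY_TEMPLATE.replace("duplicati-pcname", f"duplicati-{pcname}"))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition: dict, context: dict) -> bool:
    """All condition keys must match; as in IAM, a key missing from the request makes it false."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringLike"):
            raise ValueError(f"unsupported condition operator {operator}")
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals" and actual not in _as_list(wanted):
                return False
            if operator == "StringLike" and not any(
                    fnmatch.fnmatchcase(actual, p) for p in _as_list(wanted)):
                return False
    return True


def _statement_matches(statement: dict, action: str, resource: str, context: dict) -> bool:
    """Action and resource must match one of the statement's patterns ('*' wildcard), then conditions."""
    if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(statement["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(statement["Resource"])):
        return False
    return _condition_holds(statement.get("Condition", {}), context)


def is_allowed(policy: dict, action: str, resource: str, context=None) -> bool:
    """Simplified IAM decision: explicit Deny wins, otherwise any Allow, otherwise implicit deny."""
    context = context or {}
    allowed = False
    for statement in policy["Statement"]:
        if _statement_matches(statement, action, resource, context):
            if statement["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def check_policy(pcname: str = "desktop-488gd38") -> dict:
    """Constructed requests made with the PC's own keys; returns name -> allowed."""
    policy = build_policy(pcname)
    own = f"arn:aws:s3:::duplicati-{pcname}"
    other = "arn:aws:s3:::duplicati-laptop-example"  # constructed: another PC's bucket
    root_listing = {"s3:prefix": "", "s3:delimiter": "/"}
    return {
        "see_bucket_list": is_allowed(policy, "s3:ListAllMyBuckets", "arn:aws:s3:::"),
        "list_own_root": is_allowed(policy, "s3:ListBucket", own, root_listing),
        "list_own_folder": is_allowed(policy, "s3:ListBucket", own, {"s3:prefix": "duplicati/"}),
        "put_backup_file": is_allowed(policy, "s3:PutObject", f"{own}/duplicati/duplicati-b1.dblock.zip.aes"),
        "put_database_copy": is_allowed(policy, "s3:PutObject", f"{own}/duplicati-database/backup.sqlite"),
        "delete_own_bucket": is_allowed(policy, "s3:DeleteBucket", own),
        "list_other_bucket": is_allowed(policy, "s3:ListBucket", other, root_listing),
        "put_other_bucket": is_allowed(policy, "s3:PutObject", f"{other}/duplicati/x"),
        "put_root_object": is_allowed(policy, "s3:PutObject", f"{own}/notes.txt"),
        # "duplicati*" also matches keys that merely start with "duplicati"; listing them does not.
        "put_prefix_sibling": is_allowed(policy, "s3:PutObject", f"{own}/duplicati-old/x"),
        "list_prefix_sibling": is_allowed(policy, "s3:ListBucket", own, {"s3:prefix": "duplicati-old/"}),
    }


if __name__ == "__main__":
    for name, ok in check_policy().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {name}")
```

The evaluator covers only the operators and resource forms this policy uses (`StringEquals`, `StringLike`, `*` wildcards); it is not a general IAM engine. If the loose object-level match matters for your setup, tightening the two object resources to `duplicati/*` and `duplicati-database/*` is the obvious change to test next, against Wasabi itself.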
6. Note there is no save button on this page. After you select the policy it will show up as a bubble near the bottom of the policy tab.
- Display Name = duplicati-desktop-488gd38
- Access Key = Your access key
- Secret Key = Your secret key
- Enable "Use SSL"
- duplicati
- duplicati-database
- WAIT FOR THE KEYS TO BE GENERATED AND COPY THEM!!!
- Use "Allows Duplicati user to read and write in its own bucket and nothing else" as the description.