Amazon S3 Storage Permissions

Note

Make sure the account you are using has access to Amazon S3 buckets and folders.

Permissions for S3 Standard and S3 Standard-IA Storage Classes

The following are required permissions to use Amazon S3 object storage repository (S3 Standard and S3 Standard-IA storage classes):

  • For Amazon S3 object storage

{
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
}

  • For a bucket

{
"s3:ListBucket"
}

  • For an object

{
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:AbortMultipartUpload"
}

For examples, see this Veeam KB article. For more information on permissions, see this Amazon article.

Permissions for S3 Glacier and S3 Glacier Deep Archive Storage Classes

The following are required permissions to use Amazon S3 object storage repository (S3 Glacier and S3 Glacier Deep Archive storage classes):

{
"ec2:CreateTags",
"ec2:DescribeInstances",

"ec2:StartInstances",

"ec2:RunInstances",

"ec2:StopInstances",

"ec2:TerminateInstances",

"ec2:CreateKeyPair",

"ec2:DeleteKeyPair",

"ec2:DescribeVpcs",

"ec2:CreateVpc",

"ec2:DeleteVpc",

"ec2:DescribeSubnets",

"ec2:CreateSubnet",

"ec2:DeleteSubnet",

"ec2:DescribeRouteTables",

"ec2:CreateRouteTable",

"ec2:DeleteRouteTable",

"ec2:CreateRoute",

"ec2:DeleteRoute",

"ec2:DescribeInternetGateways",

"ec2:CreateInternetGateway",

"ec2:AttachInternetGateway",

"ec2:DeleteInternetGateway",

"ec2:DescribeSecurityGroups",

"ec2:CreateSecurityGroup",

"ec2:DeleteSecurityGroup",

"ec2:DescribeConversionTasks",

"ec2:DescribeInstanceTypes",

"ec2:AuthorizeSecurityGroupIngress",

"ssm:GetParameter"
}

{
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"

}

{
"s3:ListBucket",

"s3:ListBucketMultipartUploads",

"s3:GetBucketObjectLockConfiguration"
}

{
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:AbortMultipartUpload",

"s3:ListMultipartUploadParts",

"s3:RestoreObject",

"s3:GetObjectVersion"
}

Related Topics

Supported Amazon S3 Storage Classes