Steps to prepare the AWS S3 bucket before using it in Command Center for Confluence app.
Creating a S3 bucket
Follow the steps as mentioned in → https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html
Important notes:
-
Bucket name character limit is between 3 to 63 characters long. Review https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html?icmpid=docs_amazons3_console#general-purpose-bucket-names document to know more details.
-
Ensure to block public access
-
Enable versioning if required
-
Under ‘Encryption Type’ select the default option i.e. 'Amazon S3 managed key (SSE-S3)'.
-
This ensures that the data is always encrypted at rest and the encryption key is managed by AWS resulting in secure & cost efficient solution
-
We do not support other encryption methods at this point in time, please reach out to us (https://support.revyz.io/) if you need support for other options.
-
Selecting encryption option
-
Ensure that the ‘Encryption Type’ of the bucket is set to the default option i.e. 'Amazon S3 managed key (SSE-S3)'.
-
This ensures that the data is always encrypted at rest and the encryption key is managed by AWS resulting in secure & cost efficient solution → https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html
-
We do not support other encryption methods at this point in time, please reach out to us (https://support.revyz.io/) if you need support for other options.
-
Updating Bucket's Access Policy
-
Revyz app needs access to your S3 bucket to Read-Write data. For this purpose, Revyz has it’s own AWS IAM user created in Revyz AWS account which needs specific permissions to accomplish it’s Backup & Restore related tasks.
-
After installing the Revyz app and while going through the initial Welcome wizard, Revyz will provide the exact access policy which should be copied and added to your respective S3 bucket.
-
Welcome wizard steps are documented in https://support.revyz.io/revyz-data-manager-for-jira-bring-your-own-storage/installing-the-app
-
How to add the policy once copied from Revyz’s Welcome wizard → https://docs.aws.amazon.com/AmazonS3/latest/userguide/add-bucket-policy.html
-
Sample Policy
-
Note: The Policy, specific to your environment will be shown to you on the Revyz app’s Welcome wizard. Below is the sample policy for reference.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowS3ActionsInCustomerBucket",
"Effect": "Allow",
"Principal": {
"AWS": "<revyz-iam-user-arn>"
},
"Action": [
"s3:ListBucket",
"s3:PutObject",
"s3:GetObject",
"s3:PutObjectTagging"
],
"Resource": [
"arn:aws:s3:::<your-bucket-name>",
"arn:aws:s3:::<your-bucket-name>/*"
]
}
]
}
Breakdown of the S3 Access Policy contents
-
Principal
-
It is the Revyz IAM User from Revyz’s AWS account, which will be used by Revyz app to perform the Read-Write operations during backup, restore and other tasks that the app supports.
-
-
Action
-
Revyz app will need 4 permissions for your S3 bucket
-
ListBucket
-
To list and access the bucket
-
-
PutObjects
-
To write the objects during backup job
-
-
GetObject
-
To retrieve the objects during restore / clone job
-
-
PutObjectTagging
-
To add the Tag to the objects which can later be used for lifecycle management of the objects
-
-
-
Note: Revyz user will not have any delete permission for the given S3 bucket
-
-
Resource
-
Your S3 bucket on which the permissions are to be implemented
-