Preparing AWS S3 bucket before installing the app

Steps to prepare the AWS S3 bucket before using it in Revyz Data Manager for Confluence (BYOS) app.

Creating a S3 bucket

Follow the steps as mentioned in → https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html

Important notes:

Bucket name character limit is between 3 to 63 characters long. Review https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html?icmpid=docs_amazons3_console#general-purpose-bucket-names document to know more details.
Ensure to block public access
Enable versioning if required
Under ‘Encryption Type’ select the default option i.e. 'Amazon S3 managed key (SSE-S3)'.
- This ensures that the data is always encrypted at rest and the encryption key is managed by AWS resulting in secure & cost efficient solution
- We do not support other encryption methods at this point in time, please reach out to us (https://support.revyz.io/) if you need support for other options.

Selecting encryption option

Ensure that the ‘Encryption Type’ of the bucket is set to the default option i.e. 'Amazon S3 managed key (SSE-S3)'.
- This ensures that the data is always encrypted at rest and the encryption key is managed by AWS resulting in secure & cost efficient solution → https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html
- We do not support other encryption methods at this point in time, please reach out to us (https://support.revyz.io/) if you need support for other options.

Updating Bucket's Access Policy

Revyz app needs access to your S3 bucket to Read-Write data. For this purpose, Revyz has it’s own AWS IAM user created in Revyz AWS account which needs specific permissions to accomplish it’s Backup & Restore related tasks.
After installing the Revyz app and while going through the initial Welcome wizard, Revyz will provide the exact access policy which should be copied and added to your respective S3 bucket.
- Welcome wizard steps are documented in https://support.revyz.io/revyz-data-manager-for-confluence-bring-your-own-storage/installing-the-app
- How to add the policy once copied from Revyz’s Welcome wizard → https://docs.aws.amazon.com/AmazonS3/latest/userguide/add-bucket-policy.html

Sample Policy

Note: The Policy, specific to your environment will be shown to you on the Revyz app’s Welcome wizard. Below is the sample policy for reference.

CODE

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowS3ActionsInCustomerBucket",
            "Effect": "Allow",
            "Principal": {
                "AWS": "<revyz-iam-user-arn>"
            },
            "Action": [
                "s3:ListBucket",
                "s3:PutObject",
                "s3:GetObject",
                "s3:PutObjectTagging"
            ],
            "Resource": [
                "arn:aws:s3:::<your-bucket-name>",
                "arn:aws:s3:::<your-bucket-name>/*"
            ]
        }
    ]
}

Breakdown of the S3 Access Policy contents

Principal
- It is the Revyz IAM User from Revyz’s AWS account, which will be used by Revyz app to perform the Read-Write operations during backup, restore and other tasks that the app supports.
Action
- Revyz app will need 4 permissions for your S3 bucket
  - ListBucket
    - To list and access the bucket
  - PutObjects
    - To write the objects during backup job
  - GetObject
    - To retrieve the objects during restore / clone job
  - PutObjectTagging
    - To add the Tag to the objects which can later be used for lifecycle management of the objects
- Note: Revyz user will not have any delete permission for the given S3 bucket
Resource
- Your S3 bucket on which the permissions are to be implemented