Securing your AWS S3 bucket

If you want to store one-time or recurring backups in your own Amazon S3 bucket at Amazon Web Services (AWS), you should lock that bucket down with AWS Identity and Access Management (IAM) so that the credentials you hand to MongoLab can reach that one bucket and nothing else in your account.

Below we provide step-by-step instructions on how to use IAM to create an IAM user specifically for MongoLab that can access only a single bucket in your S3 account.

Steps

  1. Log in to the AWS Management Console
  2. Click “IAM” or visit this URL after logging in
  3. Create a new group (e.g. “MongoLabGroup”)
  4. Create a custom policy (e.g. “MongoLabS3BackupsPolicy”)
    • Copy and paste the policy below, but replace “youraccountname” (where it says youraccountname-mongolab-backups) with something that will make your bucket name unique. The policy can reference the bucket before it exists; IAM does not check that the ARN resolves.
  5. Create a user for your MongoLab backups (e.g. “MongoLabUser”)
  6. Make note of the user’s credentials (Access Key ID and Secret Access Key), since they will be required when scheduling backups in the MongoLab management portal. The Secret Access Key is shown only once, at creation; if you lose it you must create a new access key for the user.
  7. Add the user you created in Step 5 to the group that you created in Step 3
  8. Going back to the S3 home in the AWS console, create a new bucket for your MongoLab backups using the value that you updated in step 4 (i.e., your edited value for youraccountname-mongolab-backups)
    • Bucket names need to be unique across all AWS accounts
    • Bucket names cannot include underscores or upper case characters; otherwise, backups will fail

Policy to cut and paste

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "s3:ListBucket" ],
      "Resource": "arn:aws:s3:::youraccountname-mongolab-backups"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:DeleteObject"
      ],
      "Resource": [ "arn:aws:s3:::youraccountname-mongolab-backups/*" ]
    }
  ]
}

The two statements are deliberately split: s3:ListBucket is a bucket-level action and applies to the bucket ARN itself, while the object actions apply only to keys beneath it (the trailing /*). The policy does not grant s3:ListAllMyBuckets, so the MongoLab user cannot even enumerate the other buckets in your account, let alone read them.
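The same procedure driven from the AWS CLI instead of the console, as an added example that is not part of the original MongoLab instructions. It assumes AWS CLI v2 is installed and that the shell already holds administrator credentials (an env var or a profile); the group, policy and user names are the ones suggested in the steps above and can be overridden through the environment. It validates the bucket name against the S3 naming rules the steps warn about, renders the single-bucket policy, provisions everything, and then proves with the new user's own keys that it can list the backup bucket but cannot list any other bucket.

```shell
#!/bin/sh
# Added example (not MongoLab's own tooling): provision the IAM group, inline
# policy, user and S3 bucket from the steps above with the AWS CLI, then check
# that the new user's keys reach only that one bucket.
set -eu

GROUP_NAME="${GROUP_NAME:-MongoLabGroup}"
POLICY_NAME="${POLICY_NAME:-MongoLabS3BackupsPolicy}"
USER_NAME="${USER_NAME:-MongoLabUser}"
REGION="${AWS_DEFAULT_REGION:-us-east-1}"

# S3 bucket naming rules that matter here: 3 to 63 characters, lower-case
# letters, digits, dots and hyphens only, starting and ending with a letter or
# digit. Upper case or underscores make the backup job fail, so refuse them early.
validate_bucket_name() {
  name="$1"
  [ "${#name}" -ge 3 ] && [ "${#name}" -le 63 ] || return 1
  printf '%s' "$name" | grep -Eq '^[a-z0-9][a-z0-9.-]*[a-z0-9]$' || return 1
  return 0
}

# Render the least-privilege policy for one bucket: ListBucket on the bucket
# ARN, object read/write/delete only on keys beneath it.
render_policy() {
  bucket="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::${bucket}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:DeleteObject"
      ],
      "Resource": ["arn:aws:s3:::${bucket}/*"]
    }
  ]
}
EOF
}

provision() {
  bucket="$1"
  validate_bucket_name "$bucket" || { echo "invalid bucket name: $bucket" >&2; return 1; }

  # Steps 3-4: group with an inline policy scoped to the one bucket.
  # (create-group fails if the group already exists; this is a one-shot script.)
  aws iam create-group --group-name "$GROUP_NAME" >/dev/null
  aws iam put-group-policy --group-name "$GROUP_NAME" \
    --policy-name "$POLICY_NAME" --policy-document "$(render_policy "$bucket")"

  # Steps 5-7: user, access keys, group membership.
  aws iam create-user --user-name "$USER_NAME" >/dev/null
  aws iam add-user-to-group --group-name "$GROUP_NAME" --user-name "$USER_NAME"
  keys=$(aws iam create-access-key --user-name "$USER_NAME" \
    --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text)
  ak=${keys%%[[:space:]]*}
  sk=${keys##*[[:space:]]}

  # Step 8: the bucket itself (us-east-1 rejects a LocationConstraint).
  if [ "$REGION" = "us-east-1" ]; then
    aws s3api create-bucket --bucket "$bucket" >/dev/null
  else
    aws s3api create-bucket --bucket "$bucket" --region "$REGION" \
      --create-bucket-configuration "LocationConstraint=$REGION" >/dev/null
  fi

  # Check: with the new keys the user can list the backup bucket, but listing
  # all buckets (s3:ListAllMyBuckets, never granted) must be denied.
  # IAM is eventually consistent, so give the new user a few seconds first.
  sleep 10
  AWS_ACCESS_KEY_ID="$ak" AWS_SECRET_ACCESS_KEY="$sk" \
    aws s3api list-objects-v2 --bucket "$bucket" >/dev/null
  if AWS_ACCESS_KEY_ID="$ak" AWS_SECRET_ACCESS_KEY="$sk" aws s3api list-buckets >/dev/null 2>&1; then
    echo "unexpected: backup user can enumerate all buckets" >&2
    return 1
  fi
  echo "Access Key ID:     $ak"
  echo "Secret Access Key: $sk"
  echo "Paste both into the MongoLab portal, then clear them from your terminal history."
}

# Runs only when a bucket name is given, e.g.:
#   sh s3-backup-iam.sh youraccountname-mongolab-backups
if [ "$#" -ge 1 ]; then
  provision "$1"
fi
```

The policy is attached inline to the group with put-group-policy rather than created as a standalone managed policy, which keeps the whole setup inside one group that you can delete in one go; swap in create-policy plus attach-group-policy if you prefer a reusable managed policy. The final list-buckets call is the check worth keeping around: if it ever succeeds, the user has picked up broader permissions from somewhere else in your account.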