AWS Security ChangesHomeSearch

AWS prescriptive-guidance medium security documentation change

Service: prescriptive-guidance · 2025-03-02 · Security-related medium

File: prescriptive-guidance/latest/patterns/back-up-and-archive-data-to-amazon-s3-with-veeam-backup-replication.md

Summary

Updated documentation for Veeam Backup & Replication with Amazon S3, including author attribution corrections, URL updates, minor text clarifications, and added a note about Veeam v12.2's Direct to S3 Glacier feature. Also expanded IAM policy examples with more specific resource restrictions and added a policy to prevent unintended encryption of S3 objects.

Security assessment

The change includes the addition of a specific IAM policy to prevent unintended encryption of S3 objects, which is a security-related feature. The policy explicitly denies PutObject actions that don't use server-side encryption, addressing a potential security vulnerability where objects might be stored without encryption.

Diff

diff --git a/prescriptive-guidance/latest/patterns/back-up-and-archive-data-to-amazon-s3-with-veeam-backup-replication.md
index 1904385f2..36e99a556 100644
--- a/prescriptive-guidance/latest/patterns/back-up-and-archive-data-to-amazon-s3-with-veeam-backup-replication.md
+++ b/prescriptive-guidance/latest/patterns/back-up-and-archive-data-to-amazon-s3-with-veeam-backup-replication.md
@@ -9 +9 @@ SummaryPrerequisites and limitationsArchitectureToolsBest practicesEpicsRelated
- _Created by Jeanna James, Anthony Fiore (AWS) (AWS), and William Quigley_
+ _Created by Jeanna James (AWS), Anthony Fiore (AWS) (AWS), and William Quigley (AWS)_
@@ -15 +15 @@ This pattern details the process for sending backups created by Veeam Backup & R
-Veeam supports multiple Amazon S3 storage classes to best fit your specific needs. You can choose the type of storage based on the data access, resiliency, and cost requirements of your backup or archive data. For example, you can store data that you don’t plan to use for 30 days or longer in Amazon S3 infrequent access (IA) for lower cost. If you’re planning to archive data for 90 days or longer, you can use Amazon Simple Storage Service Glacier (Amazon S3 Glacier) Flexible Retrieval or S3 Glacier Deep Archive with Veeam’s archive tier. You can also use S3 Object Lock to make backups immutable within Amazon S3.
+Veeam supports multiple Amazon S3 storage classes to best fit your specific needs. You can choose the type of storage based on the data access, resiliency, and cost requirements of your backup or archive data. For example, you can store data that you don’t plan to use for 30 days or longer in Amazon S3 infrequent access (IA) for lower cost. If you’re planning to archive data for 90 days or longer, you can use Amazon Simple Storage Service Glacier (Amazon S3 Glacier) Flexible Retrieval or S3 Glacier Deep Archive with Veeam’s archive tier. You can also use S3 Object Lock to make backups that are immutable within Amazon S3.
@@ -17 +17 @@ Veeam supports multiple Amazon S3 storage classes to best fit your specific need
-This pattern doesn’t cover how to set up Veeam Backup & Replication with a tape gateway in AWS Storage Gateway. For information about that topic, see [Veeam Backup & Replication using AWS VTL Gateway - Deployment Guide](https://www.veeam.com/wp-using-aws-vtl-gateway-deployment-guide.html) on the Veeam website.
+This pattern doesn’t cover how to set up Veeam Backup & Replication with a tape gateway in AWS Storage Gateway. For information about that topic, see [Veeam Backup & Replication using AWS VTL Gateway - Deployment Guide](https://www.veeam.com/resources/wp-using-aws-vtl-gateway-deployment-guide.html) on the Veeam website.
@@ -21 +21 @@ This pattern doesn’t cover how to set up Veeam Backup & Replication with a tap
-This scenario requires IAM users with programmatic access and long-term credentials, which present a security risk. To help mitigate this risk, we recommend that you provide these users with only the permissions they require to perform the task and that you remove these users when they are no longer needed. Access keys can be updated if necessary. For more information, see [Updating access keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_RotateAccessKey) in the _IAM User Guide_.  
+This scenario requires AWS Identity and Access Management (IAM) users with programmatic access and long-term credentials, which present a security risk. To help mitigate this risk, we recommend that you provide these users with only the permissions they require to perform the task and that you remove these users when they are no longer needed. Access keys can be updated if necessary. For more information, see [Updating access keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_RotateAccessKey) in the _IAM User Guide_.  
@@ -32 +32 @@ This scenario requires IAM users with programmatic access and long-term credenti
-  * An active AWS Identity and Access Management (IAM) user with access to an Amazon S3 bucket
+  * An active IAM user with access to an Amazon S3 bucket
@@ -34 +34 @@ This scenario requires IAM users with programmatic access and long-term credenti
-  * An active IAM user with access to Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Virtual Private Cloud (Amazon VPC) (if utilizing archive tier)
+  * An active IAM user with access to Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Virtual Private Cloud (Amazon VPC), if using archive tier
@@ -42 +42 @@ This scenario requires IAM users with programmatic access and long-term credenti
-    * Amazon S3 storage – cloud endpoints – *.amazonaws.com for AWS Regions and the AWS GovCloud (US) Regions, or *.amazonaws.com.cn for China Regions: Used to communicate with Amazon S3 storage. For a complete list of connection endpoints, see [Amazon S3 endpoints](https://docs.aws.amazon.com/general/latest/gr/s3.html#s3_region) in the AWS documentation.
+    * Amazon S3 storage – cloud endpoints – `*.amazonaws.com` for AWS Regions and the AWS GovCloud (US) Regions, or `*.amazonaws.com.cn` for China Regions: Used to communicate with Amazon S3 storage. For a complete list of connection endpoints, see [Amazon S3 endpoints](https://docs.aws.amazon.com/general/latest/gr/s3.html#s3_region) in the AWS documentation.
@@ -46 +46 @@ This scenario requires IAM users with programmatic access and long-term credenti
-    * Amazon S3 storage – certificate verification endpoints – *.amazontrust.com: Used to verify certificate status. Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself.
+    * Amazon S3 storage – certificate verification endpoints – `*.amazontrust.com`: Used to verify certificate status. Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself.
@@ -116,0 +117,4 @@ The workflow consists of three primary components that are required for tiering
+###### Note
+
+Starting with Veeam Backup & Replication v12.2, the Direct to S3 Glacier feature makes the S3 capacity tier optional. A SOBR can be configured with a performance tier and a S3 Glacier archive tier. This configuration is useful for users who have significant investments in local (on-premises) storage for the capacity tier and who require only long-term archive retention in the cloud. For more information, see the [Veeam Backup & Replication documentation](https://helpcenter.veeam.com/docs/backup/vsphere/archive_tier.html?ver=120).
+
@@ -142 +146 @@ You can automate the creation of IAM resources and S3 buckets by using the AWS C
-  * [Amazon Elastic Compute Cloud (Amazon EC2)](https://docs.aws.amazon.com/ec2/?id=docs_gateway) provides scalable computing capacity in the AWS Cloud. You can use Amazon EC2 to launch as many or as few virtual servers as you need, and you can scale out or scale in.
+  * [Amazon Elastic Compute Cloud (Amazon EC2)](https://docs.aws.amazon.com/ec2/) provides scalable computing capacity in the AWS Cloud. You can use Amazon EC2 to launch as many or as few virtual servers as you need, and you can scale out or scale in.
@@ -177 +181 @@ Create an S3 bucket.|
-  1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 
+  1. Sign in to the AWS Management Console and open the [Amazon S3 console](https://console.aws.amazon.com/s3/). 
@@ -186 +190 @@ Task| Description| Skills required
-Launch the New Object Repository wizard.| Before you set up the object storage and scale-out backup repositories in Veeam, you must add the Amazon S3 and Amazon S3 Glacier storage repositories that you want to use for the capacity and archive tiers. In the next epic, you’ll connect these storage repositories to your scale-out backup repository.
+Launch the New Object Repository wizard.| Before you set up the object storage and scale-out backup repositories in Veeam, you must add the Amazon S3 and S3 Glacier storage repositories that you want to use for the capacity and archive tiers. In the next epic, you’ll connect these storage repositories to your scale-out backup repository.
@@ -199 +203 @@ Add Amazon S3 storage for the capacity tier.|
-     * For **AWS region** , choose the AWS Region where the Amazon S3 bucket is located.
+     * For **AWS region** , choose the AWS Region where the S3 bucket is located.
@@ -201 +205 @@ Add Amazon S3 storage for the capacity tier.|
-     * For **Data center region** , choose the AWS Region where the Amazon S3 bucket is located.
+     * For **Data center region** , choose the AWS Region where the S3 bucket is located.
@@ -214,2 +218,2 @@ Add S3 Glacier storage for the archive tier.| If you want to create an archive t
-     * For **Credentials** , choose the IAM user that you created in the first epic to access your Amazon S3 Glacier object storage. 
-     * For **AWS region** , choose the AWS Region where the Amazon S3 bucket is located.
+     * For **Credentials** , choose the IAM user that you created in the first epic to access your S3 Glacier object storage. 
+     * For **AWS region** , choose the AWS Region where the S3 bucket is located.
@@ -222 +226 @@ Add S3 Glacier storage for the archive tier.| If you want to create an archive t
-  6. At the **Proxy Appliance** step of the wizard, configure the auxiliary instance that is used to transfer the data from Amazon S3 to Amazon S3 Glacier. You can use the default settings or configure each setting manually. To configure the settings manually:
+  6. At the **Proxy Appliance** step of the wizard, configure the auxiliary instance that is used to transfer the data from Amazon S3 to S3 Glacier. You can use the default settings or configure each setting manually. To configure the settings manually:
@@ -293 +297 @@ The following sections provide sample IAM policies you can use when you create a
-Change the name of the S3 buckets in the example policy from `<yourbucketname>` to the name of the S3 bucket that you want to use for Veeam capacity tier backups.
+Change the name of the S3 buckets in the example policy from `<yourbucketname>` to the name of the S3 bucket that you want to use for Veeam capacity tier backups. Also note that the policy should be restricted to the specific resources used for Veeam (indicated by the `Resource` specification in the following policy), and that the first part of the policy disables client-side encryption, as discussed in the AWS blog post [Preventing unintended encryption of Amazon S3 objects](https://aws.amazon.com/blogs/security/preventing-unintended-encryption-of-amazon-s3-objects/).
@@ -299,0 +304,11 @@ Change the name of the S3 buckets in the example policy from `<yourbucketname>`
+                "Sid": "RestrictSSECObjectUploads",
+                "Effect": "Deny",
+                "Principal": "*",
+                "Action": "s3:PutObject",
+                "Resource": "arn:aws:s3:::<your-bucket-name>/*",
+                "Condition": {
+                    "Null": {
+                        "s3:x-amz-server-side-encryption-customer-algorithm": "false"
+                    }
+                }
+            },
@@ -321,2 +336,2 @@ Change the name of the S3 buckets in the example policy from `<yourbucketname>`
-                    "arn:aws:s3:::/*",
-                    "arn:aws:s3:::"
+                    "arn:aws:s3:::<yourbucketname>",
+                    "arn:aws:s3:::<yourbucketname>/*"
@@ -332 +347 @@ Change the name of the S3 buckets in the example policy from `<yourbucketname>`
-                "Resource": "*"
+                "Resource": "arn:aws:s3:::*"
@@ -350 +365 @@ Change the name of the S3 buckets in the example policy from `<yourbucketname>`
-            "Sid": "VisualEditor0",
+                "Sid": "S3Permissions",
@@ -368 +383,17 @@ Change the name of the S3 buckets in the example policy from `<yourbucketname>`
-              "s3:ListBucketVersions",
+                    "s3:ListBucketVersions"
+                ],
+                "Resource": [
+                    "arn:aws:s3:::<bucket-name>",
+                    "arn:aws:s3:::<bucket-name>/*"
+                ]
+            }
+        ]
+    }
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "EC2Permissions",
+                "Effect": "Allow",
+                "Action": [
@@ -382 +413 @@ Change the name of the S3 buckets in the example policy from `<yourbucketname>`
-            "Resource": "*"
+                "Resource": "arn:aws:ec2:<region>:<account-id>:*"
@@ -394 +425 @@ Change the name of the S3 buckets in the example policy from `<yourbucketname>`
-            "Sid": "VisualEditor0",
+                "Sid": "S3Permissions",
@@ -412 +443,17 @@ Change the name of the S3 buckets in the example policy from `<yourbucketname>`
-              "s3:ListBucketVersions",
+                    "s3:ListBucketVersions"
+                ],
+                "Resource": [
+                    "arn:aws:s3:::<bucket-name>",
+                    "arn:aws:s3:::<bucket-name>/*"
+                ]
+            }
+        ]
+    }
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "EC2Permissions",
+                "Effect": "Allow",
+                "Action": [