AWS AmazonElastiCache documentation change
Summary
Updated documentation to recommend using S3 bucket policies over ACLs for granting ElastiCache access, with revised policy examples specifying least-privilege actions and service principal.
Security assessment
The change promotes security best practices by advocating for bucket policies with granular permissions instead of ACLs, and updates the policy to restrict actions to only those necessary for snapshot export (e.g., s3:PutObject, s3:GetObject) rather than using the wildcard 's3:*'. This reduces the attack surface and follows the principle of least privilege, but there is no concrete evidence of a specific security vulnerability being addressed.
Diff
diff --git a/AmazonElastiCache/latest/dg/backups-exporting.md b/AmazonElastiCache/latest/dg/backups-exporting.md index 54101565c..f9027d366 100644 --- a//AmazonElastiCache/latest/dg/backups-exporting.md +++ b//AmazonElastiCache/latest/dg/backups-exporting.md @@ -67 +67 @@ For more information about creating an Amazon S3 bucket, see [Creating a bucket] -For ElastiCache to be able to copy a snapshot to an Amazon S3 bucket, you must update your IAM bucket policy to grant ElastiCache access to the bucket. +ElastiCache requires access to your Amazon S3 bucket to copy a snapshot to it. We recommend granting access by using an Amazon S3 bucket policy rather than access control lists (ACLs). @@ -73,32 +73 @@ Even though backups copied to an Amazon S3 bucket are encrypted, your data can b -To create the proper permissions on an Amazon S3 bucket, take the steps described following. - -###### To grant ElastiCache access to an S3 bucket - - 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). - - 2. Choose the name of the Amazon S3 bucket that you want to copy the backup to. This should be the S3 bucket that you created in Create an Amazon S3 bucket. - - 3. Choose the **Permissions** tab and under **Permissions** , choose **Access control list (ACL)** and then choose **Edit**. - - 4. Add grantee Canonical Id `540804c33a284a299d2547575ce1010f2312ef3da9b3a053c8bc45bf233e4353` with the following options: - - * **Objects: List, Write** - - * **Bucket ACL: Read, Write** - -###### Note - - * For the PDT GovCloud Region, the Canonical Id is `40fa568277ad703bd160f66ae4f83fc9dfdfd06c2f1b5060ca22442ac3ef8be6`. - - * For the OSU GovCloud Region, the Canonical Id is `c54286759d2a83da9c480405349819c993557275cf37d820d514b42da6893f5c`. - - 5. Choose **Save**. - - - - -## Export an ElastiCache backup - -Now you've created your S3 bucket and granted ElastiCache permissions to access it. Next, you can use the ElastiCache console, the AWS CLI, or the ElastiCache API to export your snapshot to it. - -The following is an example of what the updated policy might look like. +Add the following bucket policy to your Amazon S3 bucket. Replace ``amzn-s3-demo-bucket`` with the name of your Amazon S3 bucket and ``region`` with the AWS Region of your bucket (for example, `us-east-1`). @@ -115 +83,0 @@ JSON - "Id": "Policy15397346", @@ -118 +86 @@ JSON - "Sid": "Stmt15399484", + "Sid": "ElastiCacheSnapshotExport", @@ -120 +88,11 @@ JSON - "Action": "s3:*", + "Principal": { + "Service": "region.elasticache-snapshot.amazonaws.com" + }, + "Action": [ + "s3:PutObject", + "s3:GetObject", + "s3:ListBucket", + "s3:GetBucketAcl", + "s3:ListMultipartUploadParts", + "s3:ListBucketMultipartUploads" + ], @@ -122,2 +100,2 @@ JSON - "arn:aws:s3:::hkg-elasticache-backup", - "arn:aws:s3:::hkg-elasticache-backup/*" + "arn:aws:s3:::amzn-s3-demo-bucket", + "arn:aws:s3:::amzn-s3-demo-bucket/*" @@ -129,0 +108 @@ JSON +###### To add the bucket policy using the Amazon S3 console @@ -131 +110 @@ JSON -For opt-in Regions, the following is an example of what the updated IAM policy for the S3 bucket might look like. (This examples uses the Asia Pacific (Hong Kong) Region.) + 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). @@ -133 +112 @@ For opt-in Regions, the following is an example of what the updated IAM policy f -JSON + 2. Choose the name of the Amazon S3 bucket that you want to copy the backup to. This should be the S3 bucket that you created in Create an Amazon S3 bucket. @@ -134,0 +114 @@ JSON + 3. Choose the **Permissions** tab. @@ -136 +116 @@ JSON -**** + 4. Under **Bucket policy** , choose **Edit**. @@ -137,0 +118,3 @@ JSON + 5. Paste the bucket policy into the policy editor. Replace the ``region`` and ``amzn-s3-demo-bucket`` placeholders with your values. + + 6. Choose **Save changes**. @@ -140,24 +122,0 @@ JSON - { - "Version":"2012-10-17", - "Id": "Policy15397346", - "Statement": [ - { - "Sid": "Stmt15399483", - "Effect": "Allow", - "Action": "s3:*", - "Resource": [ - "arn:aws:s3:::hkg-elasticache-backup", - "arn:aws:s3:::hkg-elasticache-backup/*" - ] - }, - { - "Sid": "Stmt15399484", - "Effect": "Allow", - "Action": "s3:*", - "Resource": [ - "arn:aws:s3:::hkg-elasticache-backup", - "arn:aws:s3:::hkg-elasticache-backup/*" - ] - } - ] - } @@ -165,0 +125,6 @@ JSON +For more information about migrating from ACLs to bucket policies, see [Grant Amazon ElastiCache (Redis OSS) access to your S3 bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-ownership-migrating-acls-prerequisites.html#object-ownership-elasticache-redis) in the _Amazon S3 User Guide_. + +## Export an ElastiCache backup + +Now you've created your S3 bucket and granted ElastiCache permissions to access it. Next, you can use the ElastiCache console, the AWS CLI, or the ElastiCache API to export your snapshot to it. +