
Best Practice for Amazon S3 Buckets

3 years 9 months ago - 3 years 9 months ago #118379 by efocus
Best Practice for Amazon S3 Buckets was created by efocus
Your blog post on Akeeba Backup and Amazon Web Services was very helpful. I find Amazon's Web Services very intimidating — they're definitely not written for anyone who isn't a heavy duty tech geek! Some things have changed a bit since the screenshots in your post but I would have never figured S3 out on my own. Thank you.

Anyway, I was hoping you could advise me on best practices using Akeeba to back up all my clients' websites to S3. What wasn't in your tutorial, but Amazon highly recommends, is to use the IAM app with groups and users (I don't need roles). So I set up a 'Websites' Group with each client being a separate User so that they would have their own access keys. I did not create passwords for any of these User accounts since they weren't necessary for my purposes.

Then I created a separate bucket for each website so that they wouldn't all be mixed up in the same one. Then I set up an Akeeba profile in each Joomla website with all the credentials and everything works great.

My question is whether I did it the most efficient way or not. I want to keep this simple and being new to S3, I suspect I made things more complicated than necessary. Note that when I refer to an 'account' below, I am including the combination of AWS and Akeeba for each client website. That said, Akeeba works great as is — it's Amazon S3 and IAM that are complicated.

Akeeba Backup to Amazon S3 Criteria:
  1. Ease of setting up new website backup accounts. I see no way of simplifying this unless I use the same User and same Bucket for all accounts. I did notice that if I used the same Bucket, I could create separate folders for each website. However, I would still need to log into my AWS account to create the folder first because Akeeba can't create them on the fly, so I don't know if that would be much of an advantage. Amazon does say there is a limit of 100 buckets per AWS account. If that's not per user, maybe I should use folders inside of one bucket.
  2. Ease of managing accounts. The main issue I see here is whether or not I follow Amazon's advice to change the access keys often for security reasons. In this case, it would be an advantage to have only one User for all site accounts so that I'd only be generating one new set of access keys instead of a set for every site. I'd still have to update every Akeeba profile but at least it would be the same access keys for each instead of a bazillion of them to copy and paste into Akeeba. My original concern was that if I used the same User, I would need to change the access keys in IAM and update every single Akeeba profile when a client leaves my services. But in that rare event, that's sounding like less work than updating all those keys for security reasons on a regular basis.
  3. Ease of backups and backup management. I don't see any difference here as far as Amazon Users and Buckets are concerned — Akeeba is handling that well.
  4. Future interactivity with other AWS Services. Since I am a newbie using AWS, I have no way of knowing if my User/Bucket setup will affect integrating with Glacier or CloudFront. I may use these or other AWS services in the future and it would be nice to not have to reinvent the wheel when I do.

I appreciate any insight you may have regarding my criteria above or best practices that would be helpful that I have not touched on. I'd rather revise my strategy now before I have a bunch more website accounts set up. I'm thinking into the future with 100s of websites — I don't want it to get unwieldy.


3 years 9 months ago #118385 by Nick
Replied by Nick on topic Best Practice for Amazon S3 Buckets
Hi and welcome, efocus!

Great job!

To be honest, we've never had the need to set up buckets or folders on Amazon S3 for clients before, so we haven't worked with S3's permissions. Therefore, please take the below information with a grain of salt.

It sounds like you've isolated the access well so that each person only has access to their own bucket and not anyone else's. It also doesn't sound like you've over-complicated it. I think what you did was the minimum necessary in S3, apart from using folders (see below).

You might also consider going through the following walkthrough of using only one bucket with folders to control permission:
docs.aws.amazon.com/AmazonS3/latest/dev/walkthrough1.html

I'm not sure it's necessary to change the access keys often. If someone has hacked into your site or Amazon account to get the access keys, the damage has likely already been done. Changing the access keys a few months later is unlikely to provide much benefit, unless you also do a complete security cleanup.

As to future interactivity with other AWS Services, either setup should work well with Glacier, though it will require more setup work in Glacier too. It also won't affect CloudFront, since the two services are independent of each other.

Hope this helps! Let us know if you have any questions and we'll be glad to answer.

Kind regards,
Nick

Follow us on Twitter - twitter.com/OSTraining
Like us on Facebook - facebook.com/ostraining


3 years 9 months ago - 3 years 9 months ago #118398 by efocus
Replied by efocus on topic Best Practice for Amazon S3 Buckets
Thanks for the feedback, Nick. Actually, I am the only person accessing all this at present, no clients will ever have access. I will add a user for a team member's access so I don't have to do the work myself in the future, but that's all.

The separate 'Users' in IAM were only created so I could generate separate access keys for each website's Akeeba Backup profile. That's the main part I thought was overkill. But now that I think of it, if one site was hacked, then the hackers would have access to backups of all the sites, not just the one. Hmm... so I guess it's not overkill.

I reviewed Amazon's example walkthrough that you noted about using permissions on folders. OMG! That really looks complicated. However, since I don't need to grant clients any permissions, I don't need to do any of that. So it probably doesn't matter whether I use buckets or folders — I've got to create one or the other to keep the individual site backups separate. I'll try both to see which I like better. The Amazon example did give me some more insight as to how S3 works so it was very worthwhile.

What you said about not needing to change the access keys often made sense. You're right, if they're compromised, it's because the site was hacked. (I'm betting that's more likely than Amazon getting hacked anyway.)

Thanks!

P.S. After writing the above, I think I need to review permissions yet again. Even though each website 'user' has separate access keys, they all have access permission-wise to any bucket or folder in S3 if I don't set it up otherwise. Just because I used certain credentials for the Akeeba profile doesn't mean a hacker is going to abide by those credentials if they know how to circumvent them.
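The two questions running through this thread (one bucket per site versus one folder per site in a shared bucket, and whether a site's access keys really can't reach the other sites' backups) both come down to the IAM policy attached to each backup user. The following is an added example, not code from the thread, from Akeeba or from OSTraining. It builds the least-privilege policy for a single site's backup user in either layout and then runs a deliberately simplified, offline version of IAM's Allow/Deny evaluation over it, so you can see which requests each key can and cannot make. The bucket names and object keys are constructed for the example; the evaluator is an assumption that models only the wildcard matching and the `s3:prefix` condition this policy uses, not the full IAM evaluation logic.

```python
import fnmatch
import json
from typing import Optional

# S3 actions Akeeba Backup needs to upload (including multipart), list,
# download and prune its archives under one bucket or one prefix.
BACKUP_OBJECT_ACTIONS = [
    "s3:PutObject",
    "s3:GetObject",
    "s3:DeleteObject",
    "s3:AbortMultipartUpload",
    "s3:ListMultipartUploadParts",
]


def akeeba_backup_policy(bucket: str, prefix: Optional[str] = None) -> dict:
    """Least-privilege policy for one site's IAM user.

    prefix=None  -> the user owns a whole bucket (one bucket per site).
    prefix="x"   -> the user is confined to the "folder" x/ inside a
                    shared bucket (one bucket, one prefix per site).
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    if prefix is None:
        list_stmt = {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": bucket_arn}
        object_arn = f"{bucket_arn}/*"
    else:
        # ListBucket is bucket-level, so the prefix condition is what stops
        # this user from enumerating other sites' archives in the shared bucket.
        list_stmt = {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": bucket_arn,
            "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*"]}},
        }
        object_arn = f"{bucket_arn}/{prefix}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            list_stmt,
            {"Effect": "Allow", "Action": BACKUP_OBJECT_ACTIONS, "Resource": object_arn},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    # IAM's * and ? wildcards behave like fnmatch's for the ARNs used here.
    return fnmatch.fnmatchcase(value, pattern)


def policy_allows(policy: dict, action: str, resource: str,
                  prefix: Optional[str] = None) -> bool:
    """Simplified IAM evaluation: default deny, explicit Deny wins over Allow.

    `prefix` stands in for the s3:prefix request key sent with a ListBucket
    call; it is only consulted when a statement carries that condition.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        wanted = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if wanted is not None:
            if prefix is None or not any(_matches(p, prefix) for p in _as_list(wanted)):
                continue  # condition not met: statement does not apply
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def isolation_report(policy: dict, own: str, other: str) -> dict:
    """Constructed checks: can this key touch its own backups but not another site's?"""
    return {
        "write own archive": policy_allows(policy, "s3:PutObject", own),
        "read other site's archive": policy_allows(policy, "s3:GetObject", other),
        "list all buckets": policy_allows(policy, "s3:ListAllMyBuckets", "arn:aws:s3:::*"),
    }


if __name__ == "__main__":
    # Layout 1: bucket per site (constructed names).
    site_a = akeeba_backup_policy("site-a-backups")
    print(json.dumps(site_a, indent=2))
    print(isolation_report(site_a,
                           "arn:aws:s3:::site-a-backups/site-20240101.jpa",
                           "arn:aws:s3:::site-b-backups/site-20240101.jpa"))
    # Layout 2: one shared bucket, prefix per site.
    site_b = akeeba_backup_policy("shared-backups", prefix="site-b")
    print(isolation_report(site_b,
                           "arn:aws:s3:::shared-backups/site-b/site-20240101.jpa",
                           "arn:aws:s3:::shared-backups/site-c/site-20240101.jpa"))
```

Either layout isolates the sites as long as the grant names only that site's bucket or prefix; what would undo it is attaching a broad managed policy (for example anything with `"Resource": "*"` on `s3:*`) to the group every site user belongs to, because group policies apply to all members. To run the same check against the real service rather than this model, use IAM's policy simulator (`aws iam simulate-principal-policy`) for the user, or simply try to list a different site's bucket with that site's keys and confirm the access-denied response.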


3 years 9 months ago #118412 by Nick
Replied by Nick on topic Best Practice for Amazon S3 Buckets
Hi efocus,

Yes, you're on the right track! Double check and make sure they can't access everything using the singular keys.

Sounds good on everything else.

Kind regards,
Nick


