Important
This feature has limited availability. To know more about limited availability and sign up for this feature, contact your Account Manager.
You need to attach Identity and Access Management (IAM) roles to the NAS proxy (EC2 instance) that runs the NAS agent. These roles are essential for executing the AWS APIs required for operations such as listing, reading, and writing to AWS S3 objects.
Once the IAM role is attached to the EC2 instance, the AWS SDK obtains the role's credentials from the EC2 instance's metadata service, allowing the NAS agent to begin backup and restore operations using the AWS S3 APIs.
Roles and Permissions
The following table provides detailed information about the permissions allowed for roles:
Category | Permission name | Permission description |
S3 bucket permissions | | Permissions required to discover, back up, and restore AWS S3 buckets |
You must attach the IAM role with the following AWS S3 permissions to the EC2 machine. For more information, refer to the prerequisites section.
Refer to the following sample:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadWriteAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:GetBucketAcl",
        "s3:GetBucketPolicy",
        "s3:ListAllMyBuckets",
        "s3:PutObjectAcl",
        "s3:PutObjectTagging",
        "s3:AbortMultipartUpload",
        "s3:ListBucketMultipartUploads",
        "s3:GetObjectRetention",
        "s3:ListMultipartUploadParts",
        "s3:GetObjectAcl",
        "s3:GetObjectTagging",
        "s3:GetBucketOwnershipControls"
      ],
      "Resource": [
        "arn:aws:s3:::*",
        "arn:aws:s3:::*/*"
      ]
    },
    {
      "Sid": "ListBucket",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
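The sample above allows its S3 actions on every bucket and object (`arn:aws:s3:::*`) and `kms:Decrypt` on every key. The following is an added example, not part of the vendor documentation: it lists those wildcard grants and regroups the same actions onto named buckets and keys. The bucket name and KMS key ARN are constructed placeholders, and it is an assumption (to be verified in a test account) that the NAS agent works with the scoped policy.

```python
import json
# The page's sample policy, copied as-is (actions and resources unchanged).
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowReadWriteAccess", "Effect": "Allow", "Action": [
        "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
        "s3:GetBucketLocation", "s3:GetBucketAcl", "s3:GetBucketPolicy",
        "s3:ListAllMyBuckets", "s3:PutObjectAcl", "s3:PutObjectTagging",
        "s3:AbortMultipartUpload", "s3:ListBucketMultipartUploads",
        "s3:GetObjectRetention", "s3:ListMultipartUploadParts", "s3:GetObjectAcl",
        "s3:GetObjectTagging", "s3:GetBucketOwnershipControls"],
     "Resource": ["arn:aws:s3:::*", "arn:aws:s3:::*/*"]},
    {"Sid": "ListBucket", "Effect": "Allow",
     "Action": ["s3:ListAllMyBuckets"], "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": ["*"]}]}
# Bucket-level actions in the sample; the remaining s3: actions are object-level.
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation", "s3:GetBucketAcl",
                  "s3:GetBucketPolicy", "s3:ListBucketMultipartUploads",
                  "s3:GetBucketOwnershipControls"}
# s3:ListAllMyBuckets has no resource type, so it can only be granted on "*".
ACCOUNT_ACTIONS = {"s3:ListAllMyBuckets"}
WILDCARDS = {"*", "arn:aws:s3:::*", "arn:aws:s3:::*/*"}

def wildcard_actions(policy):
    """Actions allowed on every bucket, object or key (account-level ones excluded)."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow" and WILDCARDS & set(stmt["Resource"]):
            found |= set(stmt["Action"]) - ACCOUNT_ACTIONS
    return sorted(found)

def scope_policy(policy, buckets, kms_key_arns):
    """Regroup the same actions so each applies only to the named buckets and keys."""
    actions = {a for s in policy["Statement"] for a in s["Action"]}
    s3 = {a for a in actions if a.startswith("s3:")} - ACCOUNT_ACTIONS
    groups = [
        ("BucketLevel", s3 & BUCKET_ACTIONS, [f"arn:aws:s3:::{b}" for b in buckets]),
        ("ObjectLevel", s3 - BUCKET_ACTIONS, [f"arn:aws:s3:::{b}/*" for b in buckets]),
        ("DiscoverBuckets", actions & ACCOUNT_ACTIONS, ["*"]),
        ("DecryptBackupKeys", {a for a in actions if a.startswith("kms:")},
         list(kms_key_arns)),
    ]
    return {"Version": policy["Version"], "Statement": [
        {"Sid": sid, "Effect": "Allow", "Action": sorted(acts), "Resource": res}
        for sid, acts, res in groups if acts]}

if __name__ == "__main__":
    # Constructed placeholders: bucket name and KMS key ARN are not from the page.
    scoped = scope_policy(SAMPLE, ["example-backup-bucket"],
                          ["arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"])
    print(json.dumps(scoped, indent=2))
```

Running `wildcard_actions` on the scoped output returns an empty list, which makes it usable as a pre-deployment check on the role's policy document.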