To discover and back up Amazon S3 buckets, AWS Workloads (CloudRanger) utilizes the IAM role created during initial account onboarding. While these buckets are private by default, users typically enable S3 Block Public Access for an added layer of security.
This article explains how to grant AWS Workloads the required access in two common scenarios:
Buckets without any bucket policy
Buckets with restrictive bucket policies
These procedures align with AWS best practices and reflect the native behavior of the AWS console.
Considerations for S3 Block Public Access
Before configuring your backups, it is important to understand how Block Public Access interacts with your environment:
Block Public Access does NOT block IAM roles
It only prevents public or wildcard (Principal: "*") access
AWS may block saving a bucket policy if:
Block Public Access is enabled
The policy contains a Principal: "*" element
This is the expected AWS behavior and is addressed in the following procedures.
Scenario 1: Buckets with no existing policy (most common)
This is the most common setup and requires no additional configuration beyond standard IAM permissions.
How it is configured
No bucket policy is attached to the S3 bucket
Block Public Access is turned on
The bucket remains fully private
How access is managed
Since there is no bucket policy in place, all access to the bucket is governed solely through IAM permissions, meaning only users and roles explicitly granted access via IAM can interact with the bucket. Therefore:
No need to create or attach a bucket policy
Block Public Access can stay enabled as-is
No changes to public access settings are required
Steps to allow CloudRanger access
Step 1: Verify the CloudRanger IAM role
Log in to the AWS Console.
Go to IAM > Roles.
Search using the CloudRanger / AWS Workloads account ID.
Open the role and confirm it has the following S3 permissions:
s3:ListBucket
s3:GetObject
s3:PutObject
s3:DeleteObject
These permissions are included by default in the CloudRanger onboarding role.
Step 2: Verify the bucket configuration
Go to S3 > Buckets.
Select the bucket.
Open Permissions.
In the Bucket Policy section, confirm that no policy is attached.
In the Block public access section, confirm that it is enabled.
If these conditions are met, no further action is required within the S3 console.
Step 3: Validate external restrictions (if applicable)
Ensure there are no additional restrictions:
VPC endpoint policies
AWS Organizations SCPs
KMS key policies (for SSE-KMS buckets)
Result
Once verified, AWS Workloads (CloudRanger) will be able to perform the following operations successfully:
Discover the bucket
List objects
Perform backups
Scenario 2: Bucket with restrictive bucket policy
Use this scenario when your S3 bucket already has a restrictive policy, and AWS Workloads (CloudRanger) is failing to discover or back up the bucket.
Configuration
The bucket uses a locked-down policy, for example:
Restrictions based on the VPC endpoint (aws:SourceVpce)
Restrictions based on source IP (aws:SourceIp)
Other principal-based conditions that control who can access the bucket
Block Public Access is enabled
Why discovery fails
With a restrictive bucket policy in place, S3 will deny access by default unless the CloudRanger IAM role is explicitly allowed.
AWS-recommended solution
Perform the following:
Explicitly add the CloudRanger IAM role to the bucket policy.
Do not use Principal: "*" in the policy.
Keep Block Public Access enabled after you finish updating the policy.
Example: Correct bucket policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAccessFromSpecificVPCEndpoint",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111111111111:role/ExistingRole",
          "arn:aws:iam::123456789012:role/CloudRangerRole"
        ]
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-bucket-name",
        "arn:aws:s3:::my-bucket-name/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceVpce": "vpce-0123456789abcdef0"
        }
      }
    }
  ]
}
Steps to update a restrictive bucket policy
Use these steps when your S3 bucket already has a restrictive bucket policy, and you need to safely add CloudRanger access without accidentally making the bucket public.
Step 1: Retrieve the CloudRanger IAM role ARN
In the AWS Console, go to IAM > Roles.
Locate the CloudRanger / AWS Workloads role.
Copy the role ARN.
Step 2: Check if Block Public Access is blocking policy edits
If the existing bucket policy includes Principal: "*", AWS may prevent you from saving changes while Block Public Access is enabled.
Step 3: Temporarily relax Block Public Access (if required)
Perform this step only if AWS does not allow you to save the updated policy.
Go to S3 > Bucket > Permissions.
In the Block public access section, click Edit.
Uncheck the Block public access granted through bucket policies checkbox.
Save and confirm the change.
⚠️ Warning
This does not make the bucket public unless a public policy already exists.
Step 4: Update the bucket policy
Open Permissions > Bucket policy.
Edit the policy.
Explicitly add the CloudRanger IAM role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAccessFromSpecificVPCEndpoint",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111111111111:role/ExistingRole",
          "arn:aws:iam::123456789012:role/CloudRangerRole"
        ]
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-bucket-name",
        "arn:aws:s3:::my-bucket-name/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceVpce": "vpce-0123456789abcdef0"
        }
      }
    }
  ]
}
Save the changes.
Step 5: Re-enable Block Public Access (mandatory)
Go back to the Block public access settings for the bucket.
Re-enable all Block Public Access options.
Save the changes.
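To check a policy before saving it in Step 4, here is an added example (not Druva's or AWS's code): a small Python checker that flags any Allow statement with a wildcard principal, which Block Public Access would reject, and confirms the CloudRanger role is granted the four S3 actions listed in Step 1 of Scenario 1. The sample policy is constructed from the article's example policy plus one leftover public statement; the role ARN and bucket name are the placeholders the article uses.

```python
import fnmatch

# Role ARN from the article's example policy; the four S3 actions are those the
# onboarding role needs for discovery and backup.
CLOUDRANGER_ROLE = "arn:aws:iam::123456789012:role/CloudRangerRole"
REQUIRED_ACTIONS = {"s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"}

# Constructed sample: the article's statement plus a leftover wildcard-principal
# statement of the kind Block Public Access refuses to save.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAccessFromSpecificVPCEndpoint", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::111111111111:role/ExistingRole",
                           CLOUDRANGER_ROLE]},
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::my-bucket-name", "arn:aws:s3:::my-bucket-name/*"],
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    {"Sid": "LegacyPublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket-name/*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def principals(statement):
    """Flatten Principal to a list of ARNs; a bare or {"AWS": "*"} wildcard stays "*"."""
    principal = statement.get("Principal", {})
    if isinstance(principal, dict):
        return [p for values in principal.values() for p in _as_list(values)]
    return _as_list(principal)

def check_policy(policy, role_arn):
    """Return findings; empty means no wildcard principal and the role has every
    required action. Only Allow statements are read and Condition elements are not
    evaluated (a condition such as aws:SourceVpce applies to every principal in
    its statement); Deny statements, SCPs and endpoint/KMS policies still need review."""
    findings, granted = [], set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        who, sid = principals(stmt), stmt.get("Sid", "<no Sid>")
        if "*" in who:
            findings.append(f'{sid}: Principal "*" would make the bucket public')
        if role_arn in who:
            patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
            granted |= {a for a in REQUIRED_ACTIONS
                        if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)}
    missing = sorted(REQUIRED_ACTIONS - granted)
    if missing:
        findings.append(f"{role_arn} is not allowed: {', '.join(missing)}")
    return findings
```

Run check_policy on the JSON you are about to paste into the console; an empty result means the policy can be saved with Block Public Access left on and CloudRanger explicitly allowed.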