Better AWS S3 Backup Policy

Right now the guide for setting up Amazon S3 backup instructs the user to grant the application the “AmazonS3FullAccess” permission policy, which is BONKERS - that allows 100% free rein across all buckets the user has, including just deleting everything they have stored everywhere. If a server got compromised, those would be devastating permissions.

I instead suggest including the policy below, which the user can copy and paste. It restricts the access to a single specified bucket and the minimum required permissions, as far as I can tell.

Specifically, the policy allows listing all buckets (which is seemingly necessary), but only acting upon the one that the user chooses by replacing the bucket name where it says “YOUR-BUCKET-NAME-HERE” in the two places. The user could also choose to remove the ability for the app to delete any objects from the bucket by simply deleting the line that says “s3:DeleteObject”.

To use it, after creating a new user specifically for the backups, go to the user page (in IAM > Users > WhateverUserName). Then in the section that says “Permission Policies”, click the dropdown that says “Add Permissions” > “Create Inline Policy”. On the page that shows up, there should be a toggle on the right between the “Visual” and “JSON” editor, so click JSON, delete anything there, and replace it with the policy below. Then hit Next and continue on to save it.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucketMultipartUploads",
                "s3:AbortMultipartUpload",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetBucketLocation",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::YOUR-BUCKET-NAME-HERE",
                "arn:aws:s3:::YOUR-BUCKET-NAME-HERE/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        }
    ]
}
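The same policy, generated for a chosen bucket and then checked against the kind of over-broad grant the post complains about. This is an added example, not code from the original post or from the application being discussed; the bucket name "example-backups" is constructed, and the lint rules are my own choice of checks, not an AWS API.

```python
import json
import re

# Bucket-name shape per AWS naming rules (simplified): 3-63 characters,
# lowercase letters, digits, dots and hyphens, no "..", and it must start
# and end with a letter or digit.
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")

# The per-bucket actions from the policy in the post above.
BUCKET_ACTIONS = [
    "s3:PutObject",
    "s3:GetObject",
    "s3:ListBucketMultipartUploads",
    "s3:AbortMultipartUpload",
    "s3:ListBucket",
    "s3:DeleteObject",
    "s3:GetBucketLocation",
    "s3:ListMultipartUploadParts",
]

# Bucket-level actions a backup writer never needs; flagged by the linter.
DANGEROUS_ACTIONS = {
    "s3:DeleteBucket",
    "s3:PutBucketPolicy",
    "s3:PutBucketAcl",
    "s3:PutLifecycleConfiguration",
}

# Roughly what the AmazonS3FullAccess managed policy grants, for comparison.
FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def is_valid_bucket_name(name: str) -> bool:
    return bool(BUCKET_NAME_RE.match(name)) and ".." not in name


def build_backup_policy(bucket: str, allow_delete: bool = True) -> dict:
    """Return the single-bucket backup policy for `bucket` as a dict.

    allow_delete=False drops s3:DeleteObject, matching the post's suggestion
    for a backup user that should only ever add objects.
    """
    if not is_valid_bucket_name(bucket):
        raise ValueError(f"not a valid S3 bucket name: {bucket!r}")
    actions = [a for a in BUCKET_ACTIONS if allow_delete or a != "s3:DeleteObject"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "BackupBucketAccess",
                "Effect": "Allow",
                "Action": actions,
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            },
            {
                "Sid": "ListBuckets",
                "Effect": "Allow",
                "Action": "s3:ListAllMyBuckets",
                "Resource": "*",
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list:
    """Return reasons a policy is broader than a single-bucket backup needs.

    An empty list means it passes. Checks: no wildcard actions, no
    Resource "*" (or arn:aws:s3:::*) except for s3:ListAllMyBuckets, and
    none of the bucket-level actions in DANGEROUS_ACTIONS.
    """
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action.endswith("*"):
                problems.append(f"{sid}: wildcard action {action}")
            elif action in DANGEROUS_ACTIONS:
                problems.append(f"{sid}: bucket-level action {action} is not needed for backups")
        broad = [r for r in resources if r in ("*", "arn:aws:s3:::*")]
        if broad and actions != ["s3:ListAllMyBuckets"]:
            problems.append(f"{sid}: resource {broad[0]} covers every bucket for {actions}")
    return problems


if __name__ == "__main__":
    # "example-backups" is a constructed bucket name; replace it with yours.
    policy = build_backup_policy("example-backups", allow_delete=False)
    print(json.dumps(policy, indent=4))
    print("scoped policy problems:", lint_policy(policy))
    print("AmazonS3FullAccess-style problems:", lint_policy(FULL_ACCESS))
```

Saving the printed JSON to policy.json, the console steps in the post can be replaced by `aws iam put-user-policy --user-name <backup-user> --policy-name BackupBucketOnly --policy-document file://policy.json` (the user and policy names are placeholders). To confirm the scope actually held, `aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::<account-id>:user/<backup-user> --action-names s3:DeleteObject --resource-arns arn:aws:s3:::some-other-bucket/*` should report an EvalDecision of implicitDeny for any bucket other than the one you named.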

The correct place to post this would be as a reply to that post. That’s not part of the official documentation, that’s just another user like you.

I agree, but I am unable to reply to that post. I assumed because it was in the knowledge base section, so I figured this was the next best spot.
