Amazon AWS S3 Storage Environment

The following article deals with configuring the AWS S3 bucket as a storage environment in your Vault account. To begin with, you will need an S3 bucket created in your AWS account. 

How to create and configure AWS S3 bucket

1. Log in to the AWS Console at https://aws.amazon.com/console/
2. From the storage service, click on S3.
3. Click on Create Bucket. The Create bucket page opens. 
4. Enter the Bucket name.
   The Bucket name must:

   • Should be unique across the globe
   • Be between 3 and 63 characters long.
   • Not contain uppercase characters.
   • Start with a lowercase letter or number.
5. In Region, choose the AWS Region where you want the bucket to reside (keep a note of the AWS region chosen by you. For ex- us-east-2). This will come in handy when you configure the bucket in Vault.
6. Choose Create bucket.
7. Once you're done creating the bucket, go to the Properties tab.
8. Click on Default Encryption and choose the second option i.e., AES-256.
9. Click on the Save button.
10. Next, search for IAM from the AWS Management console homepage.
11. Click on Policies > Create policy.
12. Switch to the JSON tab and paste the below text by replacing 'bucket_name' with the name of the bucket that was created in previous steps.

    { 

        "Version": "2012-10-17", 

        "Statement": [

            { 

                "Action": [ 

                    "s3:ListAllMyBuckets" 

                ], 

                "Effect": "Allow", 

                "Resource": [ 

                    "arn:aws:s3:::*" 

                ] 

            }, 

            { 

                "Effect": "Allow", 

                "Action": "s3:*", 

                "Resource": [ 

                    "arn:aws:s3:::bucket_name", 

                    "arn:aws:s3:::bucket_name/*" 

                ] 

            }, 

            { 

                "Effect": "Deny", 

                "NotAction": "s3:*", 

                "NotResource": [ 

                    "arn:aws:s3:::bucket_name", 

                "arn:aws:s3:::bucket_name/*" 

                ] 

            } 

        ] 

    }

    
13. Click on Review policy and provide a name to the policy.
14. Click on Create policy.
15. After the policy is created, go to the Users tab, and click on Add user.
16. Enter an IAM username specific for Vault integration. 
17. Select the AWS access type as Programmatic access.
18. Click on Next: Permissions to go to the next page.
19. Click on Attach existing policies directly.
20. Search for the policy created in Steps 10-14. 
21. Select the policy and click on Next: Tags. 
22. Skip to the last screen and click on Create user. 
23. Click on Download .CSV file for downloading the credentials (access key and secret key) to be configured in Vault. 

Configuring in Vault

1. Log in to your Vault account.
2. Go to Settings > Backup Environment.
3. Select AWS S3 as the Storage Type.
4. Provide a label of your choice (Need not be the same as your S3 Bucket name).
5. Enter the name of your s3 bucket in the Bucket Name field.
6. Provide the Access key and Secret key by copying from the CSV file downloaded earlier (mentioned in Step 23).
7. Select the region to be the same as the region provided for the bucket while creating in Step 5.
8. Enable the checkbox: AES-256 Encryption
9. Click on Save Settings.