Adding an AWS S3 Bucket for Storage

Required User Credentials

Overview

By default, Flosum Backup & Archive stores data in a Flosum-managed AWS S3 bucket. However, customers may optionally use their own AWS S3 bucket for data storage. This guide explains how to configure your Flosum tenant to use a customer-managed AWS S3 bucket instead. Be sure to follow the IAM policy and security best practices outlined in the following section to ensure safe and compliant data operations.

Adding AWS Bucket

1. Access Global Settings

  1. From any Flosum Cloud App, click the App Switcher icon in the dropdown menu from the sidebar menu.

  2. Click Global Settings.

  3. The Global Settings app will open in a new tab.

Global Settings can also be accessed by directly logging in using your region's Global Settings URL. See the following article for login instructions.

2. Create Storage

  1. Click Storages from the sidebar menu.

  2. Click Create Storage.

3. Select Storage Type

  1. Enter a meaningful name for the storage in the Name textbox.

  2. Click the Storage type dropdown.

  3. Select AWS S3.

4. Provide AWS Credentials

Input the following fields for connecting to your AWS S3 bucket:

Field locations in AWS may vary from those listed in the table. Use the table as a reference to help locate the appropriate fields.

| Field | AWS Field |
| --- | --- |
| Region | Amazon S3 > Buckets > AWS Region (Only include the Region and not the Region Name. For example, if your storage is in US East (N. Virginia) us-east-1, only enter us-east-1.) |
| Bucket Name | Amazon S3 > Buckets > Name |
| Access Key Id | The Access Key ID generated when the bucket was created. |
| Secret Access Key | The Secret Access Key generated when the bucket was created. |

5. Create AWS S3 Bucket

  1. Click the Create button to add the AWS S3 Bucket.

If you receive an error when adding storage, verify you have the correct policies configured in AWS. See the following section for what APIs and Policies are needed for access by Flosum Backup & Archive.

  2. Once added successfully, the AWS S3 Bucket will appear in the list of Storages.


AWS S3 Required APIs and Policies

Security Best Practices

  • Grant least privilege only to required APIs

  • Restrict access to a specific bucket and KMS key

  • Do not grant permissions to modify or delete the bucket itself

  • Avoid overly broad wildcard access

  • KMS actions should be limited to GenerateDataKey and Decrypt

The following S3 APIs are utilized for backup and restore operations:

| API Category | Action | Purpose |
| --- | --- | --- |
| Core Object Operations | s3:PutObject | Upload records and attachments |
| Core Object Operations | s3:GetObject | Download objects |
| Core Object Operations | s3:DeleteObject | Remove outdated backups |
| Core Object Operations | s3:ListBucket | List contents of directories |
| Bucket Management | s3:GetBucketLocation | Identify region for operations |
| KMS Operations (Encrypted Buckets Only) | kms:GenerateDataKey | For encrypted uploads |
| KMS Operations (Encrypted Buckets Only) | kms:Decrypt | To decrypt objects during restoration |

These permissions are required to:

  1. Store Salesforce record backups as CSV

  2. Store files/attachments as binary objects

  3. Maintain referential integrity with MySQL

  4. Perform backup file cleanup

  5. Enable restore operations

  6. Handle KMS-based encryption/decryption
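
An added example, not Flosum's or AWS's own code: one way to turn the required-API table into an IAM policy pinned to a single bucket and KMS key, plus a check that flags statements in an existing policy that go beyond the best practices listed above. The bucket name, Sid values and function names are constructed for illustration; scoping object actions to `bucket/*` and bucket actions to the bucket ARN is standard IAM practice that this page does not spell out.

```python
import json

# Actions taken from the page's required-API table.
OBJECT_ACTIONS = ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"]
BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation"]
KMS_ACTIONS = ["kms:GenerateDataKey", "kms:Decrypt"]
ALLOWED = {a.lower() for a in OBJECT_ACTIONS + BUCKET_ACTIONS + KMS_ACTIONS}


def build_policy(bucket, kms_key_arn=None):
    """Return an IAM policy scoped to one bucket and, optionally, one KMS key."""
    statements = [
        # Object-level actions apply to keys inside the bucket.
        {"Sid": "ObjectAccess", "Effect": "Allow", "Action": OBJECT_ACTIONS,
         "Resource": f"arn:aws:s3:::{bucket}/*"},
        # Bucket-level actions apply to the bucket ARN itself.
        {"Sid": "BucketAccess", "Effect": "Allow", "Action": BUCKET_ACTIONS,
         "Resource": f"arn:aws:s3:::{bucket}"},
    ]
    if kms_key_arn:  # only needed for encrypted buckets
        statements.append({"Sid": "KmsAccess", "Effect": "Allow",
                           "Action": KMS_ACTIONS, "Resource": kms_key_arn})
    return {"Version": "2012-10-17", "Statement": statements}


def audit_policy(policy):
    """List Allow statements that exceed the page's best practices."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions, resources = stmt.get("Action", []), stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action}")
            elif action.lower() not in ALLOWED:  # IAM actions are case-insensitive
                findings.append(f"{sid}: action not in required list: {action}")
        for res in resources:
            # For S3, a "*" after the first "/" only matches object keys, which is fine.
            scope = res.split("/")[0] if res.startswith("arn:aws:s3:::") else res
            if "*" in scope:
                findings.append(f"{sid}: resource not pinned: {res}")
    return findings


if __name__ == "__main__":
    print(json.dumps(build_policy("example-flosum-backups"), indent=2))
```

Attach the generated policy to the IAM identity whose access key is entered in Global Settings, and run `audit_policy` over any policy already attached to that identity.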
