search
Customer Support

Adding an AWS S3 Bucket for Storage

circle-check

hashtag
Required User Credentials

[Flosum User] - SystemAdministrator Role

hashtag
Overview

By default, Flosum Backup & Archive stores data in a Flosum-managed AWS S3 bucket. However, customers may optionally use their own AWS S3 bucket for data storage. This guide explains how to configure your Flosum tenant to use a customer-managed AWS S3 bucket instead. Be sure to follow the IAM policy and security best practices outlined in the following section to ensure safe and compliant data operations.

hashtag
Adding AWS Bucket

1

hashtag
Access Global Settings

  1. From any Flosum Cloud App, click the App Switcher icon at the top of the left sidebar menu.

  2. Click Global Settings.

  3. The Global Settings app will open in a new tab.

circle-info

Global Settings can also be accessed by directly logging in using your region's Global Settings URL. See the following article for login instructions.

2

hashtag
Create Storage

  1. Click Storages from the sidebar menu.

  2. Click Create Storage.

3

hashtag
Select Storage Type

  1. Enter a meaningful name for the storage in the Name textbox.

  2. Click the Storage type dropdown.

  3. Select AWS S3.

4

hashtag
Provide AWS Credentials

Input the following fields for connecting to your AWS S3 bucket:

circle-info

Field locations in AWS may vary from those listed in the table. Use the table as a reference to help locate the appropriate fields.

Field
AWS Field

Region

Amazon S3 > Buckets > AWS Region (Only include the Region and not the Region Name. For example, if your storage is in US East (N. Virginia) us-east-1, only enter us-east-1.)

Bucket Name

Amazon S3 > Buckets > Name

Access Key Id

The Access Key ID generated when the bucket was created.

Secret Access Key

The Secret Access Key generated when the bucket was created.

5

hashtag
Create AWS S3 Bucket

  1. Click the Create button to add the AWS S3 Bucket.

circle-info

If you receive an error when adding storage, verify you have the correct policies configured in AWS. See the following section for what APIs and Policies are needed for access by Flosum Backup & Archive.

  1. Once added successfully, the AWS S3 Bucket will appear in the list of Storages.

hashtag
AWS S3 Required APIs and Policies

The following S3 APIs are utilized for backup and restore operations:

circle-info

hashtag
Security Best Practices

  • Grant least privilege only to required APIs

  • Restrict access to a specific bucket and KMS key

  • Do not grant permissions to modify or delete the bucket itself

  • Avoid overly broad wildcard access

  • KMS actions should be limited to GenerateDataKey and Decrypt

API Category
Actions

Core Object Operations

s3:PutObject – Upload records and attachments s3:GetObject – Download objects s3:DeleteObject – Remove outdated backups s3:ListBucket – List contents of directories

Bucket Management

s3:GetBucketLocation – Identify region for operations

KMS Operations (Encrypted Buckets Only)

kms:GenerateDataKey – For encrypted uploads kms:Decrypt – To decrypt objects during restoration

These permissions are required to:

  1. Store Salesforce record backups as CSV

  2. Store files/attachments as binary objects

  3. Maintain referential integrity with MySQL

  4. Perform backup file cleanup

  5. Enable restore operations

  6. Handle KMS-based encryption/decryption

hashtag
Recommended IAM Policy Document

circle-exclamation

Replace ${BucketName} with the name of the S3 bucket.

PreviousDeleting an OrganizationNextAdding an Azure Blob for Storage

Last updated

Was this helpful?