
Secure access to Amazon Glacier files

Goal is to ensure that our database and image files that are stored on Amazon Glacier remain secure.

Is it possible to have Glacier set up so that multiple people can have access to our Amazon Services group (including Glacier), but once files have been uploaded, they become secure so that only those designated to access those files are able to do so?

Presently, we have developers that update our program files and then manually back up our database and image files to Amazon Glacier. The issue is that if one of these developers decided to delete everything, all of our backups could also be eliminated. The developers have full access to everything.

The simplest solution seems to be a secure location within Glacier where files could be uploaded by anyone, but accessed by only a few.  Can this be accomplished?

If not, any alternative secure solutions are welcome.

1 Solution
btan (Exec Consultant) commented:
Glacier supports API-level permissions through its integration with the AWS Identity and Access Management (IAM) service. AWS IAM enforces ACLs such that each user is allowed to do only what they need to do as part of the user's job, e.g. permissions based on organizational groups:
@ http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_Introduction.html

You can restrict users' AWS access based on their job duties (for example, admin, developer, etc.) or departments. When users move inside the organization, you can easily update their AWS access to reflect the change in their role.

Specifically, you can see this quick run-through to get a feel for it:
@ http://www.newvem.com/how-to-set-access-control-iam-for-a-glacier-vault/
The various access control fields for IAM are available at
@ http://docs.aws.amazon.com/amazonglacier/latest/dev/using-iam-with-amazon-glacier.html

More info
IAM Best Practices @ http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html

Lock away your AWS account access keys
Create individual IAM users
Use groups to assign permissions to IAM users
Grant least privilege
Configure a strong password policy for your users
Enable MFA for privileged users
Use roles for applications that run on Amazon EC2 instances
Delegate by using roles instead of by sharing credentials
Rotate credentials regularly
Use policy conditions for extra security

Getting started, check this out to create the admin group
@ http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMGettingStarted.html

Role-based assignment (with specific permissions granted) by job role, using delegation and differentiating admin from developer. You can also modify a role:
@ http://docs.aws.amazon.com/IAM/latest/UserGuide/WorkingWithRoles.html
@ http://docs.aws.amazon.com/IAM/latest/UserGuide/modifying-role.html
zerogravity (Author) commented:
B instead of A because the specific solution "select deleteArchive effect Deny" was not mentioned.

I found that from a different source.
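The accepted answer points at IAM for Glacier and the author's follow-up names the actual mechanism: an explicit Deny on glacier:DeleteArchive for the developers. The block below is an added example, not code from either poster. It writes out two IAM identity policies (a "developers" policy that may upload but is explicitly denied delete and retrieval, and a "restore operators" policy that keeps those rights) and includes a deliberately simplified evaluator that models the one IAM rule that makes this work: an explicit Deny in any attached policy overrides every Allow. The account id 123456789012, region us-east-1 and vault name "backups" are placeholders; the evaluator ignores NotAction, conditions and resource-based vault policies, so treat it as an illustration of the precedence rule rather than a substitute for the IAM policy simulator.

```python
import json
from fnmatch import fnmatchcase

# Constructed placeholders (assumptions, not values from the thread).
ACCOUNT = "123456789012"
REGION = "us-east-1"
ALL_VAULTS = f"arn:aws:glacier:{REGION}:{ACCOUNT}:vaults/*"
BACKUP_VAULT = f"arn:aws:glacier:{REGION}:{ACCOUNT}:vaults/backups"

# Attach to the "developers" IAM group: they can push backups and see what
# exists, but can never delete or pull archives back out. The Deny statement
# is what the author was looking for ("select DeleteArchive, effect Deny").
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowBackupUpload",
            "Effect": "Allow",
            "Action": [
                "glacier:UploadArchive",
                "glacier:InitiateMultipartUpload",
                "glacier:UploadMultipartPart",
                "glacier:CompleteMultipartUpload",
                "glacier:AbortMultipartUpload",
                "glacier:ListVaults",
                "glacier:DescribeVault",
            ],
            "Resource": ALL_VAULTS,
        },
        {
            "Sid": "DenyDeleteAndRetrieval",
            "Effect": "Deny",
            "Action": [
                "glacier:DeleteArchive",
                "glacier:DeleteVault",
                "glacier:InitiateJob",   # archive-retrieval and inventory jobs
                "glacier:GetJobOutput",
            ],
            "Resource": "*",
        },
    ],
}

# Attach to the small "restore operators" group: full control of the vault.
RESTORE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowFullVaultControl",
            "Effect": "Allow",
            "Action": "glacier:*",
            "Resource": [ALL_VAULTS, BACKUP_VAULT],
        }
    ],
}


def _matches(pattern, value):
    """IAM-style wildcard match; Action/Resource may be a string or a list."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatchcase(value, p) for p in patterns)


def is_allowed(policies, action, resource):
    """Simplified IAM decision: explicit Deny wins, then any Allow, else deny.

    Only Effect/Action/Resource are evaluated; Condition, NotAction,
    resource-based vault policies and SCPs are out of scope here.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return False          # explicit deny short-circuits everything
            allowed = True
    return allowed


def policy_document(policy):
    """JSON as it would be pasted into the IAM console or passed to the CLI."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(policy_document(DEVELOPER_POLICY))
    for who, pols in (("developer", [DEVELOPER_POLICY]),
                      ("restore operator", [RESTORE_POLICY])):
        for act in ("glacier:UploadArchive", "glacier:DeleteArchive",
                    "glacier:InitiateJob"):
            print(f"{who:16} {act:24} -> {is_allowed(pols, act, BACKUP_VAULT)}")
```

Two points to check before relying on this. First, the Deny only holds if the developers cannot edit IAM themselves: a user with iam:* can simply detach the policy, so the developers' group must not carry IAM write permissions and the policy must be attached by the admin group the answer describes. Second, a Deny is evaluated before every Allow, so a developer who is accidentally placed in both groups still cannot delete, which is exactly why the evaluator returns False as soon as it sees a matching Deny.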