NetBackup™ Deduplication Guide

AWS user permissions to create the cloud immutable volume

MSDP follows the principle of least privilege to provision and use S3 immutable storage.

Protecting data with immutable storage involves two kinds of tasks: managing the resources and using them. Resource management tasks, such as creating or deleting buckets and enabling Object Lock on buckets, are system-level tasks. Resource usage tasks, such as running backup or restore jobs that transfer data to and from S3 immutable storage, are user-level tasks.

These two kinds of tasks need different sets of permissions. The principal who has the first set of permissions is a cloud administrator, and the principal who has the second set of permissions is a backup administrator.

Amazon cloud users need the following permissions to manage and use the cloud immutable volumes.

The cloud administrator needs the following permissions to run msdpcldutil to manage cloud volumes:

"s3:GetBucketPolicyStatus",
"s3:GetObjectRetention",
"s3:DeleteObjectVersion",
"s3:ListBucketVersions",
"s3:CreateBucket",
"s3:ListBucket",
"s3:GetBucketVersioning",
"s3:BypassGovernanceRetention",
"s3:GetBucketPolicy",
"s3:GetBucketObjectLockConfiguration",
"s3:PutObject",
"s3:GetObject",
"s3:ListAllMyBuckets",
"s3:PutObjectRetention",
"s3:PutBucketPolicy",
"s3:PutBucketObjectLockConfiguration",
"s3:DeleteObject",
"s3:GetBucketLocation",
"s3:DeleteBucket",
"s3:DeleteBucketPolicy",
"s3:PutBucketVersioning",
"s3:GetObjectVersion"

The backup administrator needs the following permissions to configure an immutable cloud LSU from the Web UI and to run data protection jobs such as backup, restore, duplication, and replication:

"s3:GetObjectRetention",
"s3:DeleteObjectVersion",
"s3:ListBucketVersions",
"s3:ListBucket",
"s3:GetBucketVersioning",
"s3:GetBucketObjectLockConfiguration",
"s3:PutObject",
"s3:GetObject",
"s3:ListAllMyBuckets",
"s3:PutObjectRetention",
"s3:DeleteObject",
"s3:GetBucketLocation",
"s3:GetObjectVersion",
"s3:BypassGovernanceRetention"
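
The following added example (not part of the NetBackup documentation) audits an IAM policy document intended for the backup administrator against the two lists above. It reports any system-level actions that the policy grants, including through wildcards, and any listed actions it leaves out. The function names and the sample policy are constructed for illustration.

```python
import fnmatch

# Action lists copied from this page; the "s3:" prefix is added below.
BACKUP_ADMIN = {"s3:" + a for a in """
    GetObjectRetention DeleteObjectVersion ListBucketVersions ListBucket
    GetBucketVersioning GetBucketObjectLockConfiguration PutObject GetObject
    ListAllMyBuckets PutObjectRetention DeleteObject GetBucketLocation
    GetObjectVersion BypassGovernanceRetention""".split()}
# Actions that appear only in the cloud administrator list (system-level tasks).
CLOUD_ADMIN_ONLY = {"s3:" + a for a in """
    GetBucketPolicyStatus CreateBucket GetBucketPolicy PutBucketPolicy
    PutBucketObjectLockConfiguration DeleteBucket DeleteBucketPolicy
    PutBucketVersioning""".split()}

def allowed_patterns(policy):
    """Collect Action patterns from Allow statements (Action may be str or list)."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    patterns = []
    for st in statements:
        if st.get("Effect") == "Allow":
            actions = st.get("Action", [])
            patterns += [actions] if isinstance(actions, str) else list(actions)
    return patterns

def audit_backup_admin_policy(policy):
    """Compare a policy with the page's backup administrator list.
    Deny and NotAction statements are not evaluated (simplification)."""
    patterns = allowed_patterns(policy)
    def granted(action):  # IAM action names are case-insensitive; * and ? are wildcards
        return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)
    listed = {a.lower() for a in BACKUP_ADMIN}
    return {
        "system_level": sorted(a for a in CLOUD_ADMIN_ONLY if granted(a)),
        "missing": sorted(a for a in BACKUP_ADMIN if not granted(a)),
        "unlisted": sorted(p for p in patterns if p.lower() not in listed),
    }

# Constructed sample policy for illustration; not taken from the page.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket", "s3:PutBucket*"]},
    {"Effect": "Allow", "Resource": "*", "Action": "s3:DeleteBucket"},
    {"Effect": "Deny", "Resource": "*", "Action": "s3:DeleteObject"}]}

if __name__ == "__main__":
    for key, value in audit_backup_admin_policy(SAMPLE_POLICY).items():
        print(key, value)
```

A non-empty `system_level` result means the backup administrator principal can perform tasks that this page reserves for the cloud administrator, such as changing the bucket policy or Object Lock configuration.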
