How to set up Cloud Sync for AWS S3
If you have already created an S3 bucket, you can skip to step 2.
- In the AWS console, navigate to S3 and click Create Bucket, which will open a dialog that looks like:
- We recommend avoiding dots (.) in bucket names as this may cause compatibility issues. Please refer to the AWS S3 bucket naming rules for best practices and general guidelines.
- We recommend enabling Bucket Versioning if you wish to preserve more than one copy of each item. If versioning is not enabled, your synced backups will only contain the latest versions of items.
- We recommend leaving ACLs disabled.
- We recommend leaving Block all public access to the default (public access blocked).
- Lastly, once your bucket is created, we recommend adding a lifecycle rule to delete incomplete multipart uploads in your bucket to reduce costs as per this official AWS guide. Rewind may occasionally encounter network issues when uploading files to your S3 bucket and as such it may happen that some multipart uploads become incomplete.
- In the Rewind Backups app (https://app.rewind.com), select the account for which you want to configure Cloud Sync and click on the cog icon in the top right and then click on Manage Cloud Sync:
- In the dialog that opens, click on Download CloudFormation Template:
This will download a template to use in the next steps. We strongly advise against modifying this template or using a custom template as doing so may cause errors when configuring Cloud Sync.
- If you must use a custom template, here are a few guidelines to follow:
- The policy must allow sts:AssumeRole with the Rewind AWS Account ID displayed in the dialog in step 3.
- The Rewind AWS Account ID must be set as the Principal and there must be a condition that the sts:ExternalId equals the provided External ID from the dialog.
- The policy must, at minimum, allow s3:PutObject, s3:GetObject, and s3:PutObjectAcl on both the bucket and resources inside of the bucket.
- The RoleName must match the pattern: “RewindSync-*”.
*Note* Rewind validates that it can access your bucket by creating small and temporary test files under the prefix “<bucket_name>/rewind-test-*”. As such, the template allows s3:DeleteObject and s3:DeleteObjectVersion for the sole purpose of cleaning up these test files. It is not required to have these delete permissions, but removing them from the policy will cause these test files to stay in your bucket and not get cleaned up by Rewind.
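The custom-template guidelines above can be checked before a stack is deployed. The following is an added example, not Rewind's code or part of its template: it takes a role name, a trust policy and a permissions policy as parsed JSON and reports which guideline is not met. The account ID, External ID and bucket name are constructed placeholders, the function names are hypothetical, and the matching is simplified (it looks only at Allow statements and does not model Deny, NotAction or other IAM evaluation rules).

```python
import fnmatch

REQUIRED = ("s3:PutObject", "s3:GetObject", "s3:PutObjectAcl")

def as_list(v):
    # IAM accepts either a single string or a list for these fields.
    return [] if v is None else v if isinstance(v, list) else [v]

def allows(policy):
    return [s for s in as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]

def trust_ok(trust, account_id, external_id):
    accepted = {account_id, f"arn:aws:iam::{account_id}:root"}
    for s in allows(trust):
        p = s.get("Principal")
        who = as_list(p.get("AWS")) if isinstance(p, dict) else []
        ext = s.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ("sts:AssumeRole" in as_list(s.get("Action")) and who
                and set(who) <= accepted and as_list(ext) == [external_id]):
            return True
    return False

def check_custom_role(role_name, trust, perms, account_id, external_id, bucket):
    """Return a list of guideline violations; an empty list means all checks pass."""
    findings = []
    if not fnmatch.fnmatchcase(role_name, "RewindSync-*"):
        findings.append("RoleName does not match RewindSync-*")
    if not trust_ok(trust, account_id, external_id):
        findings.append("trust policy: need sts:AssumeRole, Rewind principal, sts:ExternalId")
    for action in REQUIRED:
        for res in (f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"):
            if not any(
                any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in as_list(s.get("Action")))
                and any(fnmatch.fnmatchcase(res, r) for r in as_list(s.get("Resource")))
                for s in allows(perms)):
                findings.append(f"{action} not allowed on {res}")
    return findings

# Constructed sample values (placeholders, not real Rewind identifiers).
ACCOUNT, EXT_ID, BUCKET = "111122223333", "example-external-id", "example-backup-bucket"
TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": EXT_ID}}}]}
PERMS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": list(REQUIRED),
    "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]}]}

if __name__ == "__main__":
    print(check_custom_role("RewindSync-account-1", TRUST, PERMS, ACCOUNT, EXT_ID, BUCKET) or "OK")
```

A trust policy that names the Rewind account but omits the sts:ExternalId condition is reported as a violation, as is a permissions policy that covers only the objects and not the bucket itself.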
- In your AWS console, go to CloudFormation and click on Create Stack, and then click on With new resources (standard):
In the next page, click on Upload a template file and then finally click on Choose file to select the file that was downloaded to your local system in step 3:
- In the next page, specify a unique Stack name for this new CloudFormation stack (e.g. “rewind-sync-backup-account-1”) and enter the name of the bucket created in step 1 (or a valid S3 bucket name that exists in your AWS account):
- In the next page (Configure stack options), leave all of the settings at their default values and click on Next.
- In the Review and create page, click on the acknowledgement button at the bottom of the page and click Submit to create the required resources (IAM role + policies).
- Wait for the CloudFormation stack to be created and then go to the Outputs and grab the RewindSyncRoleArn that was just generated:
Highlight and copy everything outlined in red in the below screenshot:
- Finally, go back to the Rewind Backups app and click Next in the Cloud Sync dialog. Paste the Role ARN you copied in step 8 into the Role ARN field. Enter your bucket name (created in step 1 and specified in step 5) into the Bucket Name field:
Please ensure that the Role ARN, Bucket Name, Storage Key Prefix, and Region are all filled in correctly. Note that the Storage Key Prefix is optional, but setting a unique one for each of your back-up accounts is recommended to ensure that back-up data does not collide with data from your other back-up accounts if you reuse the same S3 bucket for multiple Rewind Backups accounts.
- You are now ready to test your configuration (Test Connection) and Save it provided there are no connection errors.