AWS S3 Storage Setup
This step-by-step tutorial guides you through setting up Amazon S3 as a storage destination for your FireBackup backups. By the end, you'll have a secure, properly configured S3 bucket ready to store your encrypted Firebase backups.
What You'll Learn
- Create and configure an S3 bucket with proper security settings
- Set up IAM policies with least-privilege access
- Configure lifecycle rules for cost optimization
- Enable cross-region replication for disaster recovery
- Connect S3 to FireBackup
Prerequisites
Before starting, ensure you have:
- An AWS account with administrative access
- AWS CLI installed and configured (optional but recommended)
- Access to FireBackup dashboard as an organization admin
Time Required
Approximately 20-30 minutes
Step 1: Create an S3 Bucket
Using AWS Console
- Navigate to the S3 Console
- Click Create bucket
- Configure bucket settings:
| Setting | Value |
|---|---|
| Bucket name | your-company-firebackup-prod |
| AWS Region | Select closest to your users |
| Object Ownership | ACLs disabled (recommended) |
- Block Public Access settings:
  - ✅ Block all public access (keep enabled)
- Bucket Versioning:
  - Enable versioning (recommended for backup recovery)
- Default encryption:
  - Server-side encryption: Enable
  - Encryption type: SSE-S3 or SSE-KMS
  - If using SSE-KMS, select or create a KMS key
- Click Create bucket
Using AWS CLI
# Create the bucket (us-east-1 takes no location constraint)
aws s3api create-bucket \
--bucket your-company-firebackup-prod \
--region us-east-1
# For any other region, use this form instead and add the location constraint
aws s3api create-bucket \
--bucket your-company-firebackup-prod \
--region eu-west-1 \
--create-bucket-configuration LocationConstraint=eu-west-1
# Enable versioning
aws s3api put-bucket-versioning \
--bucket your-company-firebackup-prod \
--versioning-configuration Status=Enabled
# Enable default encryption
aws s3api put-bucket-encryption \
--bucket your-company-firebackup-prod \
--server-side-encryption-configuration '{
"Rules": [{
"ApplyServerSideEncryptionByDefault": {
"SSEAlgorithm": "AES256"
},
"BucketKeyEnabled": true
}]
}'
# Block public access
aws s3api put-public-access-block \
--bucket your-company-firebackup-prod \
--public-access-block-configuration '{
"BlockPublicAcls": true,
"IgnorePublicAcls": true,
"BlockPublicPolicy": true,
"RestrictPublicBuckets": true
}'
Step 2: Create IAM Policy
Create a least-privilege policy that grants only the permissions FireBackup needs.
Create the Policy
- Navigate to IAM Console → Policies → Create policy
- Switch to the JSON tab and paste:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "FireBackupListBucket",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::your-company-firebackup-prod"
},
{
"Sid": "FireBackupObjectOperations",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::your-company-firebackup-prod/*"
},
{
"Sid": "FireBackupMultipartUpload",
"Effect": "Allow",
"Action": [
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload"
],
"Resource": "arn:aws:s3:::your-company-firebackup-prod/*"
}
]
}
- Click Next, name the policy FireBackupS3Access, and create it
Optional: Restrict by Path Prefix
To limit access to a specific folder within the bucket:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "FireBackupListBucket",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::your-company-firebackup-prod",
"Condition": {
"StringLike": {
"s3:prefix": ["backups/*"]
}
}
},
{
"Sid": "FireBackupObjectOperations",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::your-company-firebackup-prod/backups/*"
}
]
}
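A policy like the two above fails quietly when an action is paired with the wrong resource type: `s3:ListBucket` on an object ARN grants nothing and surfaces later as "Access Denied". The following linter is an added example, not FireBackup or AWS code; it checks the bucket/object ARN split and flags wildcards, using the page's bucket name and a constructed counter-example policy.

```python
BUCKET_ARN = "arn:aws:s3:::your-company-firebackup-prod"
# Actions granted on this page, grouped by the resource type S3 evaluates them against.
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetObjectVersion",
                  "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(policy, bucket_arn=BUCKET_ARN):
    """Return findings for Allow statements. Condition blocks are not evaluated."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        resources = as_list(stmt["Resource"])
        on_objects = any(r.startswith(bucket_arn + "/") for r in resources)
        for res in resources:
            if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                findings.append(f"{sid}: resource {res} is outside the backup bucket")
        for act in as_list(stmt["Action"]):
            if "*" in act:
                findings.append(f"{sid}: wildcard action {act}")
            elif act in BUCKET_ACTIONS and bucket_arn not in resources:
                findings.append(f"{sid}: {act} must target the bucket ARN")
            elif act in OBJECT_ACTIONS and not on_objects:
                findings.append(f"{sid}: {act} must target an object ARN")
            elif act not in BUCKET_ACTIONS | OBJECT_ACTIONS:
                findings.append(f"{sid}: {act} is not granted in the tutorial policy")
    return findings

def allow(sid, actions, resource):
    """Build an Allow statement (helper for the sample policies below)."""
    return {"Sid": sid, "Effect": "Allow", "Action": actions, "Resource": resource}

# The Step 2 policy from this page, rebuilt as a dict.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    allow("FireBackupListBucket", ["s3:ListBucket", "s3:GetBucketLocation"], BUCKET_ARN),
    allow("FireBackupObjectOperations", ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                                         "s3:GetObjectVersion"], BUCKET_ARN + "/*"),
    allow("FireBackupMultipartUpload", ["s3:ListMultipartUploadParts",
                                        "s3:AbortMultipartUpload"], BUCKET_ARN + "/*")]}
# Constructed counter-example: two mistakes that creep in when the policy is hand-edited.
DRIFTED_POLICY = {"Version": "2012-10-17", "Statement": [
    allow("ListOnObjects", "s3:ListBucket", BUCKET_ARN + "/*"),
    allow("TooBroad", "s3:*", "arn:aws:s3:::*")]}

if __name__ == "__main__":
    for name, policy in (("page", PAGE_POLICY), ("drifted", DRIFTED_POLICY)):
        print(name, lint_policy(policy) or "no findings")
```

The path-prefix variant also passes, because its object resource still begins with the bucket ARN followed by a slash.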
Step 3: Create IAM User
Create a dedicated IAM user for FireBackup.
Using AWS Console
- Navigate to IAM → Users → Create user
- Enter username: firebackup-service
- Do NOT select "Provide user access to the AWS Management Console"
- Click Next
- Set permissions:
  - Select "Attach policies directly"
  - Search for and select FireBackupS3Access
- Click Next, then Create user
Generate Access Keys
- Click on the newly created user
- Go to Security credentials tab
- Under Access keys, click Create access key
- Select "Application running outside AWS"
- Click Create access key
- Save the credentials securely!
  - Access key ID: AKIA...
  - Secret access key: Will only be shown once
# Alternatively, using CLI:
aws iam create-user --user-name firebackup-service
aws iam attach-user-policy \
--user-name firebackup-service \
--policy-arn arn:aws:iam::YOUR_ACCOUNT_ID:policy/FireBackupS3Access
aws iam create-access-key --user-name firebackup-service
Store your secret access key securely. It cannot be retrieved after initial creation.
Step 4: Configure Lifecycle Rules
Set up lifecycle rules to optimize storage costs by automatically transitioning older backups to cheaper storage classes.
Using AWS Console
- Go to your bucket → Management → Create lifecycle rule
- Rule name: firebackup-lifecycle
- Choose rule scope: Apply to all objects in the bucket
- Lifecycle rule actions:
| Transition | Days | Storage Class |
|---|---|---|
| Current versions | 30 | S3 Standard-IA |
| Current versions | 90 | S3 Glacier Instant Retrieval |
| Current versions | 365 | S3 Glacier Deep Archive |
- Expiration (optional):
- Delete expired object delete markers
- Delete incomplete multipart uploads after 7 days
Using AWS CLI
aws s3api put-bucket-lifecycle-configuration \
--bucket your-company-firebackup-prod \
--lifecycle-configuration '{
"Rules": [
{
"ID": "firebackup-lifecycle",
"Status": "Enabled",
"Filter": {},
"Transitions": [
{
"Days": 30,
"StorageClass": "STANDARD_IA"
},
{
"Days": 90,
"StorageClass": "GLACIER_IR"
},
{
"Days": 365,
"StorageClass": "DEEP_ARCHIVE"
}
],
"AbortIncompleteMultipartUpload": {
"DaysAfterInitiation": 7
}
}
]
}'
Cost Optimization Example
For 100GB of monthly backups:
| Storage Class | Monthly Cost |
|---|---|
| S3 Standard (< 30 days) | ~$2.30 |
| S3 Standard-IA (30-90 days) | ~$1.25 |
| Glacier IR (90-365 days) | ~$0.40 |
| Deep Archive (> 365 days) | ~$0.10 |
Step 5: Enable Cross-Region Replication (Optional)
For disaster recovery, replicate backups to another AWS region.
Create Destination Bucket
- Create a bucket in a different region (e.g., your-company-firebackup-dr in eu-west-1)
- Enable versioning on the destination bucket
Create Replication IAM Role
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetReplicationConfiguration",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::your-company-firebackup-prod"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObjectVersionForReplication",
"s3:GetObjectVersionAcl",
"s3:GetObjectVersionTagging"
],
"Resource": "arn:aws:s3:::your-company-firebackup-prod/*"
},
{
"Effect": "Allow",
"Action": [
"s3:ReplicateObject",
"s3:ReplicateDelete",
"s3:ReplicateTags"
],
"Resource": "arn:aws:s3:::your-company-firebackup-dr/*"
}
]
}
Configure Replication
aws s3api put-bucket-replication \
--bucket your-company-firebackup-prod \
--replication-configuration '{
"Role": "arn:aws:iam::YOUR_ACCOUNT_ID:role/S3ReplicationRole",
"Rules": [
{
"ID": "ReplicateAllBackups",
"Status": "Enabled",
"Priority": 1,
"Filter": {},
"Destination": {
"Bucket": "arn:aws:s3:::your-company-firebackup-dr",
"StorageClass": "STANDARD_IA"
},
"DeleteMarkerReplication": {
"Status": "Disabled"
}
}
]
}'
Step 6: Connect to FireBackup
Now connect your S3 bucket to FireBackup.
Using the Dashboard
- Log in to FireBackup
- Navigate to Settings → Storage
- Click Add Storage Destination
- Select Amazon S3
- Enter your configuration:
| Field | Value |
|---|---|
| Name | Production S3 |
| Bucket | your-company-firebackup-prod |
| Region | us-east-1 |
| Access Key ID | AKIA... |
| Secret Access Key | Your secret key |
| Path Prefix | backups/ (optional) |
- Click Test Connection to verify
- Click Save
Using the API
curl -X POST https://api.firebackup.io/api/v1/storage \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "Production S3",
"type": "s3",
"config": {
"bucket": "your-company-firebackup-prod",
"region": "us-east-1",
"accessKeyId": "AKIA...",
"secretAccessKey": "your-secret-key",
"prefix": "backups/"
}
}'
Step 7: Verify the Setup
Run a test backup to verify everything is working.
- Go to Projects → Select a project
- Click Run Backup Now
- Select your S3 storage destination
- Monitor the backup progress
- Once complete, verify the backup in S3:
aws s3 ls s3://your-company-firebackup-prod/backups/ --recursive
Expected output:
2024-01-15 10:30:45 1048576 backups/proj_abc123/2024-01-15/backup_full_1705312245.enc
Troubleshooting
Common Issues
"Access Denied" Error
Cause: IAM policy doesn't have required permissions
Solution:
- Verify the IAM policy is attached to the user
- Check the bucket name in the policy matches exactly
- Ensure no S3 bucket policy is blocking access
# Check user's attached policies
aws iam list-attached-user-policies --user-name firebackup-service
# Verify bucket policy isn't blocking
aws s3api get-bucket-policy --bucket your-company-firebackup-prod
"Bucket Not Found" Error
Cause: Incorrect bucket name or region mismatch
Solution:
- Verify bucket exists in the specified region
- Check for typos in bucket name
aws s3api head-bucket --bucket your-company-firebackup-prod --region us-east-1
"InvalidAccessKeyId" Error
Cause: Access key is incorrect or has been deactivated
Solution:
- Verify the access key in IAM console
- Generate new access keys if needed
- Update credentials in FireBackup
Large Backup Failures
Cause: Multipart upload timeout or incomplete parts
Solution:
- Increase timeout settings
- Check for incomplete multipart uploads:
aws s3api list-multipart-uploads --bucket your-company-firebackup-prod
- Clean up incomplete uploads:
aws s3api abort-multipart-upload \
--bucket your-company-firebackup-prod \
--key "path/to/object" \
--upload-id "upload-id"
Security Best Practices
Enable CloudTrail Logging
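Record S3 API activity with a trail. By default a trail captures management events such as bucket configuration changes; object-level calls (GetObject, PutObject, DeleteObject) are data events and are logged only after they are enabled in the trail's event selectors.
aws cloudtrail create-trail \
--name firebackup-s3-trail \
--s3-bucket-name your-cloudtrail-bucket \
--include-global-service-events
# A trail created from the CLI records nothing until logging is started
aws cloudtrail start-logging --name firebackup-s3-trail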
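Once the trail is delivering records, the setup in this tutorial gives a narrow baseline to alert against: one service user, one bucket, a fixed set of actions. The triage function below is an added example, not part of FireBackup or CloudTrail; the records are constructed, the user `alice` and the watch list are assumptions, and the object-level rules only fire if S3 data events are enabled on the trail.

```python
BUCKET = "your-company-firebackup-prod"
SERVICE_USER = "firebackup-service"
# Bucket-level calls that would undo the Step 1 settings (watch list chosen for this example).
GUARDRAIL_EVENTS = {"PutBucketVersioning", "DeleteBucketEncryption", "PutBucketPolicy",
                    "PutBucketPublicAccessBlock", "DeleteBucketPublicAccessBlock"}
OBJECT_EVENTS = {"GetObject", "PutObject", "DeleteObject"}

def triage(record):
    """Return a reason string if the CloudTrail record deserves review, else None."""
    params = record.get("requestParameters") or {}
    if record.get("eventSource") != "s3.amazonaws.com" or params.get("bucketName") != BUCKET:
        return None
    name = record["eventName"]
    user = record.get("userIdentity", {}).get("userName", "<unknown>")
    if name in GUARDRAIL_EVENTS:
        return f"{user} changed bucket guardrail via {name}"
    if user == SERVICE_USER and record.get("errorCode") == "AccessDenied":
        return f"{SERVICE_USER} was denied {name}: key used outside its policy"
    if name in OBJECT_EVENTS and user != SERVICE_USER:
        return f"unexpected principal {user} called {name} on {params.get('key')}"
    return None

def ev(name, user, key=None, error=None):
    """Build a constructed record holding only the fields triage() reads."""
    rec = {"eventSource": "s3.amazonaws.com", "eventName": name,
           "userIdentity": {"type": "IAMUser", "userName": user},
           "requestParameters": {"bucketName": BUCKET}}
    if key:
        rec["requestParameters"]["key"] = key
    if error:
        rec["errorCode"] = error
    return rec

KEY = "backups/proj_abc123/2024-01-15/backup_full_1705312245.enc"
# Constructed sample: one normal backup write followed by three events worth a look.
SAMPLE = [
    ev("PutObject", SERVICE_USER, KEY),
    ev("GetObject", "alice", KEY),
    ev("PutBucketVersioning", "alice"),
    ev("GetObject", SERVICE_USER, "exports/report.csv", "AccessDenied"),
]

def review(records):
    """Return the review reasons for every record that triage() flags."""
    return [reason for reason in map(triage, records) if reason]

if __name__ == "__main__":
    for line in review(SAMPLE):
        print(line)
```

Principals that legitimately read backups, such as a restore operator or the replication role, would need to be added to the allowed set before using this as an alert rule.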
Enable S3 Access Logging
aws s3api put-bucket-logging \
--bucket your-company-firebackup-prod \
--bucket-logging-status '{
"LoggingEnabled": {
"TargetBucket": "your-logs-bucket",
"TargetPrefix": "s3-access-logs/"
}
}'
Use VPC Endpoints (Enterprise)
For enhanced security, access S3 through a VPC endpoint:
aws ec2 create-vpc-endpoint \
--vpc-id vpc-xxx \
--service-name com.amazonaws.us-east-1.s3 \
--route-table-ids rtb-xxx
Next Steps
- Configure backup schedules for automatic backups
- Set up webhooks for backup notifications
- Enable PITR for point-in-time recovery
Related
- GCS Setup - Alternative cloud storage
- DO Spaces Setup - DigitalOcean storage
- Storage API Reference - API documentation