eazyBackup Knowledge Base
Creating an e3 Bucket Policy to Allow Specific File Extensions


Last updated 5 days ago


In this guide we will explain how to create an e3 bucket policy that restricts uploads to only allow files with specific extensions (e.g., only .zip files) for a particular user. All other file types will be denied.

Basic Policy Structure

This policy uses the same JSON structure as described in "Understanding and Creating a Basic e3 Bucket Policy." Ensure you are familiar with Version, Statement, Sid, Effect, Principal, Action, and Resource.

You will also need your Tenant ID and Username from the eazyBackup e3 Cloud Storage Dashboard (Access Keys page) to construct the Principal ARN: arn:aws:iam::TENANT_ID:user/USERNAME.

The Logic: Deny if NOT the Allowed Type

To allow only specific file extensions, we use a Deny rule. The logic is: "Deny the upload action if the file being uploaded is NOT one of the allowed types." This is achieved using the NotResource element.

Example Policy: Allow Only .zip File Uploads

This policy blocks the user from uploading any file to your-bucket-name unless the file has a .zip extension.

  1. You will need to replace the placeholders:

    • your-tenant-id with your actual Tenant ID.

    • your-username with your actual Username.

    • your-bucket-name with the name of the bucket.

  2. Policy JSON:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyZipUploads",
      "Effect": "Deny",
      "Principal": {
        "AWS": [
          "arn:aws:iam::your-tenant-id:user/your-username"
        ]
      },
      "Action": [
        "s3:PutObject"
      ],
      "NotResource": [
        "arn:aws:s3:::your-bucket-name/*.zip"
      ]
    }
  ]
}

Explanation of the Example Policy:

  • "Sid": "AllowOnlyZipUploads": A descriptive name for this rule.

  • "Effect": "Deny": This rule will prevent uploads if the condition (defined by NotResource) is met.

  • "Principal": { "AWS": ["arn:aws:iam::your-tenant-id:user/your-username"] }: Identifies the specific e3 user this rule applies to.

  • "Action": ["s3:PutObject"]: Specifies that the action being controlled is uploading objects.

  • "NotResource": ["arn:aws:s3:::your-bucket-name/*.zip"]: This means the Deny effect applies if the object being uploaded does NOT match the pattern arn:aws:s3:::your-bucket-name/*.zip.

    • If a user tries to upload archive.zip, its resource name matches the pattern in NotResource. Therefore, this Deny rule does not apply, and the upload is effectively allowed (assuming no other Deny rules prevent it).

    • If a user tries to upload document.txt, its resource name does not match *.zip. Thus, the Deny rule will apply, and the upload is blocked.

  • Make sure to note the use of arrays [] for Principal.AWS, Action, and NotResource values.

Adapt this for Other or Multiple File Extensions:

  • Different Single Extension: To allow only .jpg files, change *.zip to *.jpg in the NotResource ARN: "arn:aws:s3:::your-bucket-name/*.jpg"

  • Multiple Allowed Extensions: If you want to allow multiple extensions (e.g., .jpg and .png), add each pattern as a separate string in the NotResource array:

"NotResource": [
  "arn:aws:s3:::your-bucket-name/*.jpg",
  "arn:aws:s3:::your-bucket-name/*.png"
]

  • In this example, the Deny will apply if the file is not a .jpg AND not a .png.

Applying the Policy

Save your policy to a JSON file and apply it using an S3-compatible tool, such as the AWS CLI, that is configured with the e3 service endpoint. Example:

aws s3api put-bucket-policy --bucket your-bucket-name --policy file://allow-zips-policy.json --endpoint-url <e3_endpoint_url>

Important:

  • Testing is Important: After applying the policy, test by trying to upload allowed file types (which should succeed) and disallowed file types (which should be denied).

  • This policy specifically controls the s3:PutObject action. If users need other permissions (like deleting specific file types), you would need additional or different policy statements. Please feel free to ask our team for assistance creating a policy that meets your requirements.
