What Amazon S3 permissions should I use for secure backups?

What settings should I use for Amazon S3, and how should I configure my Amazon S3 account?

This answer assumes that you have already created your Amazon S3 account, and have made a note of your S3 access key and secret key. If not, then go here: http://aws.amazon.com/s3/.

When you enter your Amazon S3 details in the WHMCS Firewall module S3 backup settings, complete all fields and use the bucket name in the “S3 location:” field.

What permissions do I need to set on the Amazon S3 bucket (in the Amazon S3 console)?

Do NOT use your master S3 access and secret keys.
If you have set up a different user with its own access and secret keys (which can be done using the Amazon AWS console’s “IAM” service), then you will need to make sure that user has enough permissions.

Exactly what user policy is right for your use-case depends upon what that use-case is. However, if you have a user “whmcsfirewalluser” and a bucket called “whmcsfirewallbucket”, then the following policy is sufficient to give that user all the permissions that WHMCS Firewall requires to access that bucket, and only that bucket:


{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": "arn:aws:s3:::whmcsfirewallbucket",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:PutObjectVersionAcl"
      ],
      "Resource": "arn:aws:s3:::whmcsfirewallbucket/*",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*",
      "Condition": {}
    }
  ]
}

What is the most secure possible setup?

Since the WHMCS Firewall module needs to store an S3 API key and secret to upload your backups to S3, there is a potential point of weakness. If a hacker breaks into your site, then he can steal that API key + secret, and use it to access your backups. Ideally, the hacker should not be able to delete or change your backups – you want to know that backups taken before hackers break in are “clean” and can be deployed without fear.

To accomplish this with an Amazon S3 setup, implement these recommendations. They involve more complexity, but give the most secure possible setup:

1. Do not use your “master” API key + secret (which can access all your S3 data). Instead, set up a separate IAM user (which will thus have its own API key and secret). (Note – this is an IAM policy, not a bucket policy. You will need to switch back and forth in the Amazon AWS console between S3 and IAM a few times during these steps.)

2. Set up a bucket from the Amazon S3 console (https://console.aws.amazon.com/s3/) for your WHMCS Firewall backups, and only for these.

3. In the AWS console, bring up the bucket’s properties (either right-click on the bucket and choose “Properties” from the menu, or left-click and use the “Properties” button). Enable versioning. What is versioning? It means that if an attacker gains access to your bucket, and over-writes your backups (e.g. with a new, hacked version), then the previous versions still remain accessible. They are not deleted.

4. Set up a policy for that IAM user, as above, but without the two delete permissions.


Without these two lines:
"s3:DeleteObject",
"s3:DeleteObjectVersion",

5. Finally, since WHMCS Firewall cannot now delete historic backups, you will need to manage this another way (the “retain this many” setting in WHMCS Firewall will have no effect). The easiest way to do this is to use S3's built-in “life-cycle” feature, in the bucket properties (see step 3 above).

That’s it. What is the total effect of those changes? It means that WHMCS Firewall is configured with Amazon S3 access credentials that can only write to the defined bucket, and no others. It cannot delete any existing backups. Its ability to write, however, still means that it can overwrite existing backups, which is effectively a way of deleting them, as well as tampering with them. Therefore, we add versioning in order to make sure that over-writing does not destroy existing backups.

The final part of this is that:

1) if restoring, you should retrieve your backup sets directly from the Amazon S3 console rather than from the WHMCS Firewall dashboard’s built-in method

2) if you press the “Test S3 Settings” button, then it will create a test file, and report that it failed to be able to delete it. This is now expected, so do not worry about it.
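
An added example (not code from WHMCS Firewall or from this FAQ): a small Python check that a policy like the one in step 4 no longer lets the stored key destroy backups. It goes beyond the two delete actions named above and also flags the bucket-level actions listed in DESTRUCTIVE; that list and the function names audit and faq_policy are assumptions made for this example.

```python
import fnmatch

# Actions that let a stolen key destroy existing backups. The first two are the
# ones the FAQ removes; the other four are an assumption added here: they change
# versioning, lifecycle or bucket-level access, or remove the bucket.
DESTRUCTIVE = ["s3:DeleteObject", "s3:DeleteObjectVersion",
               "s3:PutBucketVersioning", "s3:PutLifecycleConfiguration",
               "s3:DeleteBucket", "s3:PutBucketPolicy"]

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit(policy, bucket):
    """Return sorted findings for the Allow statements of an IAM policy dict."""
    findings = set()
    in_scope = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        for pattern in actions:
            for action in DESTRUCTIVE:
                # Action names are case-insensitive and may use * and ? wildcards.
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    findings.add(f"allows {action} via {pattern}")
        for resource in as_list(stmt.get("Resource", [])):
            # ListAllMyBuckets has to be granted on "*", as in the FAQ policy.
            if resource not in in_scope and actions != ["s3:ListAllMyBuckets"]:
                findings.add(f"resource outside bucket: {resource}")
    return sorted(findings)

def faq_policy(bucket, allow_delete):
    """The FAQ's policy as a dict; allow_delete=False is the step 4 variant."""
    obj = ["s3:AbortMultipartUpload", "s3:GetObject", "s3:GetObjectAcl",
           "s3:GetObjectVersion", "s3:GetObjectVersionAcl", "s3:PutObject",
           "s3:PutObjectAcl", "s3:PutObjectVersionAcl"]
    if allow_delete:
        obj += ["s3:DeleteObject", "s3:DeleteObjectVersion"]
    arn = f"arn:aws:s3:::{bucket}"
    return {"Statement": [
        {"Effect": "Allow", "Resource": arn, "Action": [
            "s3:ListBucket", "s3:GetBucketLocation",
            "s3:ListBucketMultipartUploads"]},
        {"Effect": "Allow", "Resource": arn + "/*", "Action": obj},
        {"Effect": "Allow", "Resource": "*", "Action": "s3:ListAllMyBuckets"},
    ]}

if __name__ == "__main__":
    for name, allow in (("original", True), ("step 4", False)):
        print(name, audit(faq_policy("whmcsfirewallbucket", allow),
                          "whmcsfirewallbucket"))
```

Run it against the JSON you actually attach to the IAM user (loaded with json.load) before storing that user's keys in the module.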

Don’t know what any of this means? Would it take you a month, or forever, to get it all going? Contact us by opening a support ticket so we can help! :-)

What do the different Alert levels mean?

Changes and security vulnerabilities have 3 alert levels depending on their perceived severity.

Critical – you should resolve ASAP.

Warning – not life or death but you may want to fix these soon.

Monitor – make sure you know what these are. Resolve as time permits.

You will also see a “Complete” status.

Complete – Inactive alerts that indicate your WHMCS installation is more secure and therefore increase your overall Security score.

How do I install the WHMCS Firewall module?

Installing WHMCS Firewall is a simple process.

1. Purchase the WHMCS Firewall module from WHMCSFirewall.com

2. Log in to the client portal (https://secure.whmcsfirewall.com/clientarea.php), click on the products tab, then the downloads tab, and download the WHMCS Firewall zipfile.

3. Unzip the contents of that zipfile on your computer and upload them (SFTP or File Manager in cPanel – avoid insecure FTP) to the “modules” > “addons” folder of your WHMCS install.

4. Log in to your WHMCS admin area and activate the WHMCS Firewall module.

5. Enter your license key.

6. Log in to cPanel (or equivalent) and create the required cron jobs.

Your WHMCS Firewall install is now complete and ready to be configured for your customized use.

Want us to install it for you? Select the assisted install option during checkout, or log in and open a support ticket.

It’s installed, how do I access the module?

The WHMCS Firewall dashboard is the module’s “home page”. It contains an overview of active alerts, a visual alert graph and easy access to the security features of the WHMCS Firewall module.

Follow these steps to access the WHMCS Firewall dashboard:

Log in to your WHMCS > hover over the menu tab ADDONS > click on FIREWALL MANAGEMENT

What cron jobs do I need to setup?

WHMCS Firewall cron jobs perform the automated auditing, scheduled backups, reports and other features included in the security module.

There are four cron jobs required to use/automate all the features of WHMCS Firewall.

*Why more than one cron job? Simple: some automation you only want to run once a day, and other features on various schedules to fit your needs. This allows the greatest flexibility. If you are a large web host then you have likely already realized the benefits of splitting the one WHMCS cron job into multiple cron jobs using the various option flags.

To make things easy the exact cron paths and settings for your specific WHMCS installation can be found in the WHMCS Firewall module.

Complete the following steps to view the 4 cron jobs you need to set:

Log in to your WHMCS > hover over the menu tab ADDONS > click on FIREWALL MANAGEMENT > click SETTINGS > You will see the exact path, command and recommended time intervals for each of the 4 cron jobs that need to be created.

My security score is low, how can I increase it?

The WHMCS Firewall security meter feature is a numeric score that gives you an average of how secure your WHMCS install is at any given time.

View your security score by following the steps below:

Log in to your WHMCS > hover over the menu tab ADDONS > click on FIREWALL MANAGEMENT > you now see your Security Meter score on the top left of the firewall dashboard > hover over and click on your SCORE > view the list of all items required to increase your security and score.

Resolving active “Critical” and “Warning” alerts is the best way to increase your score.

I only want specific Admins to receive security alerts!

By default all of your WHMCS admins will receive the alerts and Daily Security Summary emails sent by the WHMCS Firewall module.

You can use the settings page in the WHMCS Firewall module to adjust this behavior by indicating which admins or custom email addresses should receive Security notifications.

Follow the steps below to access the WHMCS Firewall settings page:

Log in to your WHMCS > hover over the menu tab ADDONS > click on FIREWALL MANAGEMENT > click SETTINGS

I have a business to run and don’t have time to deal with this security. Can you help?

Sure, we can!

Installation services can be selected during purchase and assisted initial setup options are available.

*If you need ongoing help beyond just getting the WHMCS Firewall module installed then consider a WHMCS Support plan.

WHMCS, firewalls, upgrades, offsite secure backups, logs, etc. can definitely keep you from concentrating on growing your business and keeping your customers happy by perfecting the product and service you sell.

Our parent company (PropelMWS.com) has managed WHMCS plans to take the stress off and make your life a lot easier.

You can learn more about our Managed WHMCS plans by visiting http://propelmws.com/whmcs-support/