QNAP S3 Plus — IAM Permissions Policy

Interested in configuring your QNAP NAS to automatically sync critical data with an S3 bucket? Concerned about the security aspects in QNAP instructions? This post is for you!

David Treves
2 min read · Sep 9, 2016

TL;DR

Use the below instructions to create an IAM user and policy to restrict your QNAP to access only what it needs instead of all your S3 buckets. Use the newly created user’s access/secret keys when setting up QNAP’s S3 Plus app.

Background

A few months ago I bought myself a new NAS — the QNAP TS-251+.

I’m very impressed with everything you can do with it and very quickly it turned into a central component at our home:

  • All media (TV shows / movies / photos / etc) stored on it and accessible everywhere — PCs / mobile devices / TV.
  • All backups are copied across to it.
  • Sharing digital stuff is now really easy.

I can even do some really cool and geeky stuff on it such as run Docker containers, VMs and more!

At some point I decided I’d harness my AWS knowledge (hey! 3 times AWS certified guy here!) and get all critical data loaded up to an S3 bucket. And as they say — there’s an app for it! And it also works!

There’s a Fly in the Honey

The instructions on the QNAP site are irresponsible and pose a risk to anyone who uses them — QNAP instructs you to configure your S3 Plus app to use your AWS root credentials in order to access your S3 buckets.

And this is a big NO NO.

Annoyingly enough, when I contacted QNAP support they didn’t even understand what I wanted. This is not in their favour. Not everyone is an IT guy who is aware of the implications.

Can We Fix it? Yes We Can!

OK, we need to do a few things, all of them in the AWS Console:

1# Create an S3 bucket that will be used for your syncs — I recommend creating a dedicated bucket for that, so you have it isolated from anything else. For the rest of these steps I will assume the bucket name is QNAP-BACKUP-BUCKET

2# Create a new IAM User (how) which will be used by your NAS to sync your backups. Make sure to save the access key and secret key — you will need those for later.

3# While viewing the new user’s details, go to the Permissions tab and add the following policy as an inline policy (how):

IAM Policy

4# Follow the QNAP instructions, but instead of the root access/secret keys use the keys from step 1.
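A bucket-scoped inline policy of the kind step 3 calls for, as an added example: it is not the author's original policy and not QNAP's. The bucket name is the one assumed in step 1; the list of actions is an assumption about what a sync client needs, and the `Sid` labels are made up for readability.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListTheBackupBucketOnly",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::QNAP-BACKUP-BUCKET"
    },
    {
      "Sid": "ReadWriteObjectsInTheBackupBucketOnly",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::QNAP-BACKUP-BUCKET/*"
    }
  ]
}
```

Bucket-level actions go on the bucket ARN and object-level actions on the `/*` ARN, so neither statement reaches any other bucket or any non-S3 service. If the app reports an access error, add only the missing action rather than widening `Resource`.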

That’s it!

Summary

The instructions published on the QNAP website tell customers to configure their S3 backup software using root account credentials — bad idea. The above steps will help you minimise your risk by creating a dedicated user for your NAS that has access only to the bucket it needs and nothing else.
