# Repository Access Controls
Keep permissions as small as possible on both storage and server sides.
## Goal
Make it hard to accidentally access the wrong backups, and limit damage if a key leaks.
If you already use rclone, this is similar to giving a remote access to only a specific bucket/prefix.
## What to Protect Against
| Risk | Example |
|---|---|
| Wrong repository | staging job writes into prod repo |
| Overbroad credentials | one key can read/write every backup |
| Accidental deletes | a script bug removes too much |
| Host compromise | attacker can access backup storage |
## Access Model
| Layer | Control |
|---|---|
| Backend IAM | Limit to one backup folder path |
| Host account | Dedicated service user for jobs |
| Network | Allow only required backup endpoints |
## Practical Guidance
- Use a dedicated storage path per environment and host
- Use separate credentials for prod vs staging
- If possible, prevent delete outside of retention workflows
## Concrete Examples

S3 bucket: `my-company-backups`

Allow the prod/app-01 backup job access to:

- `restic/prod/app-01/*`

Do not allow it access to:

- `restic/prod/db-01/*`
- `restic/staging/*`
## Practical Pattern

```
prod/app-01 repository -> credentials only for prod/app-01 path
prod/db-01 repository  -> separate credentials and policy
```
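The prefix-scoped policy described above, written out as an added example (not part of this page or of restic itself). It builds the IAM policy for the prod/app-01 backup job and includes a small local evaluator so you can check, before deploying, that the key can reach `restic/prod/app-01/*` but not `restic/prod/db-01/*` or `restic/staging/*`. Assumptions: the job needs ListBucket/GetObject/PutObject on its prefix, and DeleteObject only on its own `locks/` objects, with pruning done by a separate retention job.

```python
import fnmatch


def backup_job_policy(bucket: str, prefix: str) -> dict:
    """Least-privilege S3 policy for one restic repository stored under one prefix."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            # Listing is a bucket-level action, so restrict it with the s3:prefix condition key.
            {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": bucket_arn,
             "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*"]}}},
            # Read/write only objects under this repository's prefix.
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"{bucket_arn}/{prefix}/*"},
            # Assumption: the backup job only removes its own lock files; pruning old
            # data is done by a separate retention job that gets its own credentials.
            {"Effect": "Allow", "Action": ["s3:DeleteObject"],
             "Resource": f"{bucket_arn}/{prefix}/locks/*"},
        ],
    }


def allowed(policy: dict, action: str, resource_arn: str, list_prefix=None) -> bool:
    """Simplified IAM evaluation: Allow statements only, default deny.

    Handles the '*' wildcard in Action/Resource and the StringLike s3:prefix
    condition used above. It is a local sanity check, not a replacement for
    the IAM policy simulator.
    """
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in st["Action"]):
            continue
        if not fnmatch.fnmatchcase(resource_arn, st["Resource"]):
            continue
        cond = st.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if cond is not None:
            # A condition on a request key that is absent evaluates to false.
            if list_prefix is None or not any(fnmatch.fnmatchcase(list_prefix, p) for p in cond):
                continue
        return True
    return False


if __name__ == "__main__":
    policy = backup_job_policy("my-company-backups", "restic/prod/app-01")
    print(allowed(policy, "s3:PutObject", "arn:aws:s3:::my-company-backups/restic/prod/app-01/data/ab/cd"))  # True
    print(allowed(policy, "s3:GetObject", "arn:aws:s3:::my-company-backups/restic/prod/db-01/config"))       # False
```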
## Verification

```
restic snapshots
restic check --read-data-subset=5%
```
> **Tip:** After changing credentials or policies, run one backup and one small restore drill.