# Permissions

This article outlines the minimum permissions needed to use an **AWS S3** bucket as backup storage for **GitProtect**. The policies below enable you to integrate your **AWS S3** storage with **GitProtect**.

***

## AWS bucket policy <a href="#aws_bucket_policy" id="aws_bucket_policy"></a>

The bucket that will be used to store the data must have the following policy (JSON) assigned:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::{account}:user/backup-user"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/*"
            ]
        }
    ]
}
```

***

## Support for immutable storage <a href="#support_for_immutable_storage" id="support_for_immutable_storage"></a>

{% hint style="warning" %}
Remember that immutable storage configuration is available only when creating a new bucket — there is no option to enable it for an existing bucket.
{% endhint %}

{% hint style="danger" %}
Enabling retention and/or versioning for the bucket may result in additional data being stored — it is recommended that the retention period in **GitProtect** be longer than the one set for the storage. Otherwise, this may lead to storage overload.
{% endhint %}

If you want to use immutable storage, the following permissions are required:

{% code title="Required to read Object Lock configuration" overflow="wrap" %}

```json
s3:GetBucketObjectLockConfiguration
```

{% endcode %}

{% code title="Required to read the versioning configuration" overflow="wrap" %}

```json
s3:GetBucketVersioning
```

{% endcode %}

Both actions must be added to the **Action** section of the bucket policy; after the change, the section should look as shown below:

```json
"Action": [
    "s3:ListBucket",
    "s3:GetObject",
    "s3:PutObject",
    "s3:DeleteObject",
    "s3:GetBucketVersioning",
    "s3:GetBucketObjectLockConfiguration"
],
```
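The following added example (not GitProtect's own code) builds the bucket policy from this page for a dedicated backup user, with or without the two immutable-storage actions, and audits an existing policy for the mistakes that most often break or over-broaden it: a missing bucket-level or object-level ARN, a `*` principal, or a wildcard action. The function names and the sample account ID are assumptions.

```python
# Actions from this page's minimum bucket policy, plus the two added for
# immutable (Object Lock + versioning) storage.
BASE_ACTIONS = ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
IMMUTABLE_ACTIONS = ["s3:GetBucketVersioning", "s3:GetBucketObjectLockConfiguration"]


def build_backup_policy(account_id, bucket, user="backup-user", immutable=False):
    """Return the bucket policy (as a dict) for a dedicated backup IAM user."""
    actions = BASE_ACTIONS + (IMMUTABLE_ACTIONS if immutable else [])
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:user/{user}"},
            "Action": actions,
            # ListBucket needs the bucket ARN; object actions need the /* ARN.
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def audit_policy(policy, bucket, immutable=False):
    """Return a list of findings; an empty list means the policy matches the minimum."""
    findings, granted, resources = [], set(), set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("statement grants access to any principal (*)")
        acts = stmt.get("Action", [])
        granted.update([acts] if isinstance(acts, str) else acts)
        res = stmt.get("Resource", [])
        resources.update([res] if isinstance(res, str) else res)
    if granted & {"*", "s3:*"}:
        findings.append("wildcard action grants more than the backup user needs")
    else:
        required = set(BASE_ACTIONS) | (set(IMMUTABLE_ACTIONS) if immutable else set())
        missing = sorted(required - granted)
        if missing:
            findings.append("missing actions: " + ", ".join(missing))
    if f"arn:aws:s3:::{bucket}" not in resources:
        findings.append("bucket ARN missing (s3:ListBucket is denied without it)")
    if f"arn:aws:s3:::{bucket}/*" not in resources:
        findings.append("object ARN (bucket/*) missing (object actions are denied without it)")
    return findings
```

Run `audit_policy` against the JSON you retrieved from the bucket (for example with `aws s3api get-bucket-policy`) before and after adding the immutable-storage actions.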

***

## Useful links and items

{% embed url="https://docs.aws.amazon.com/AmazonS3/latest/userguide/add-bucket-policy.html" %}

{% embed url="https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/use-immutable-storage.html" %}
