If you are hosting your own server productivity suite or file storage, you should know about Nextcloud, an open source platform to store, share and manage files over the web. However, when running Nextcloud, you will eventually be restricted by the limits of your server’s disk, or when a team using Nextcloud for coordination starts a new project and rapidly accumulates documentation.

While it is always possible to get more space by adding a new disk, or purchasing a business plan on your favorite file-sharing host, using Nextcloud’s external storage to outsource files securely to Amazon Simple Storage Service (Amazon S3) offers a simple solution. Once set up, you do not have to worry about paying for unused space, because you only pay for what you need.

Amazon S3 also opens the door to a lot of integrations with AWS, which enables the use of AWS advanced functionalities, such as starting entire cloud workflows when files are uploaded. In this blog post, we will present how to setup, secure and make the most of using external storage for Nextcloud on Amazon S3.

Introduction

With its many extensions, it is a comprehensive cloud backbone for your collaboration needs. For example, it can synchronize calendars, take notes, and provide integrations for collaborating on documents.

What is Nextcloud and what does it do?

Nextcloud differentiates itself from other cloud collaboration platforms by being self-hosted and open-source. This gives the user full control over every aspect of the setup. This also makes Nextcloud stand out for its security and privacy, as well as flexible integrations with other platforms.

Furthermore, being free and open-source software, anyone is allowed to install and operate it on their own server, which has led to a wide range of setups for all scales. For instance, you can explore pre-created images to install Nextcloud on a Raspberry Pi for home networks, tutorials for running on a managed server, such as AWS Lightsail, or commercial managed setups for enterprises.

The features and controls provided by Nextcloud will enrich anyone’s webserver setup while putting privacy and control first.

Why is AWS the perfect extension for your Nextcloud?

While Nextcloud provides the controls to manage your files and collaborate, it is a server application. This means Nextcloud is running on hardware with pre-defined storage and specifications. Hence, storage and capabilities are limited to the functionalities that the underlying host system offers or supports.

Using Nextcloud as an entry point and extending storage into the cloud is a strong combination to overcome the limitations of the Nextcloud server. Three key benefits stand out in particular:

1. Right-sizing storage and cost efficiency: While estimating the server needs for Nextcloud in terms of computation or a database is straightforward, right-sizing disk space is a challenge. Provision too much, and you will have to pay for unused capacity. Provision too little, and you will not be able to store all the files and content you want to work on. Adding a cloud provider storage extension, such as with Amazon S3, makes it possible to flexibly scale resources and avoid high fixed costs when space is no longer used.
2. Security and control: In the spirit of Nextcloud, AWS in particular provides you with the means and tools to secure your data and stay in control. Using encryption, either with AWS-managed or your own encryption keys, and other security features, such as access controls, you stay in full control of who can access your data.
3. Integration with AWS services: The integration of Nextcloud with AWS puts many of the features offered by AWS at your fingertips. For instance, you can use AWS Lambda to process files managed by Nextcloud or initiate workflows, Amazon Cloudwatch to monitor files and access, or Amazon S3 tools to manage your storage lifecycle or optimize cost efficiency.

Securely connect Nextcloud with Amazon S3

Getting the benefits of AWS for your Nextcloud setup is straightforward. More precisely, you can use the external storage connector provided by Nextcloud. With this, you will only see the familiar interface, while Nextcloud handles interactions with AWS. Since storing or updating files on AWS can be used to initiate actions on AWS, we can furthermore use this interaction as the entry for any other AWS services.

The Nextcloud manual has a good description of the required steps from the Nextcloud client side to use Amazon S3 for storage. Here, we will use this as a starting point but focus on the AWS side instead. We will show how to set up the AWS access right from the start and how to use AWS controls to secure and expand on this setup.

Prerequisites

• You should have access to the AWS account where you want to store the data. If not, you can register one here: https://portal.aws.amazon.com/billing/signup
• You should have a Nextcloud server running that you have access to.

Set up dedicated AWS Credentials

For access to AWS, we will use a technical AWS Identity and Access Management (AWS IAM) user. More specifically, we will use an AWS IAM access key attached to that user. As is good practice, we will not use the administrator user of our account for access to Amazon S3 from Nextcloud, but instead will set up a new dedicated user that has only the access permissions required.

To set this up,  log in to the AWS Console and navigate to the AWS IAM service.

Next, select “Add User” and give that user a name of your choice. Then, select “Access Key” as the only way this user can be used to access AWS. This is shown in the image below.

Finally, on the next page, select the access rights this user should have. Select the policy “AmazonS3FullAccess” and attach it.

Note that the  policy “AmazonS3FullAccess” contains a very extensive set of permissions. These are needed only at the beginning for Nextcloud to create and configure your S3 storage, and we will remove and restrict the role once the storage is created.

After reviewing your settings, you will receive your credentials, your Access Key ID and secret access key, that we will use for Nextcloud.

Configure Nextcloud

Since we have the required credentials, we can now configure Nextcloud. More precisely, we need to activate the “external storage” module that allows us to use Amazon S3 as a data storage. For this, log in to the administrative account on your Nextcloud and  find the App Settings. Make sure that the app “External storage support” is enabled.

Set up the storage

With external storage support turned on and AWS credentials at hand, we are ready to set up the Amazon S3 storage. Nextcloud will do this for us with the AWS user we created above when we configure the external storage.

For this, go to your “Settings,” browse to “External storage,” and select “Add Storage” of type “S3.”

Here, you need to configure the following entries as shown in the screenshot below:

1. A bucket name for the Amazon S3 bucket you want to use. This must be unique to all of AWS and contain only lowercase letters, numbers, and dashes.
2. A region in which the bucket should be created. You should select one that is close to your server’s location. Refer to for a list of available regions.
3. Select SSL to protect the communication between your server and AWS.
4. The access key ID and access key from step 1.
5. Which users or groups of users should be able to see this storage. The storage is shared across all that are selected.
6. A name for the external storage you just created.

The remaining fields can stay empty; they are meant for different S3-like storage providers or legacy functionalities.

Once you accept the configuration, Nextcloud will try to create a bucket for you in your AWS account. Also, all selected users will now be able to access this storage by selecting “external storage” and then the folder name in their accounts.

This folder directly maps to the corresponding bucket setup in Amazon S3 in the selected region as you can see when you go to Amazon S3 in your AWS Console.

Secure the setup

The setup is now complete and should work as expected. However, there are a few improvements we can make to  fully benefit from the security controls AWS provides. We specifically use two key features. The first is the principle of least privilege, which means the user we created for Nextcloud to access AWS should have only the rights to do what it needs to do to limit the damage from unintentional use. Second, we want to limit the use of the access key to requests made by the Nextcloud server.

Minimize permissions and filter IPs

To secure the access to our Amazon setup, we need to replace the current broad permission policy (S3FullAccess) with a granular permissions policy that limits the user to perform necessary actions only, such as modifying content of the relevant bucket(s), and also limits the IP addresses from which those modifications can be done to those of our Nextcloud instance.

To implement these features, return to AWS IAM in the AWS Console and select the user we created above under Users. Click on “Add Permissions.” Then, create a new policy according to the picture below.

For the Actions, select ListBucket, GetBucketVersioning, GetObject, GetObjectAttributes, PutObject, and DeleteObject. This allows Nextcloud to list the content of its storage and perform required actions on the stored objects.

For the Resources, enter the name of the bucket that Nextcloud uses. This will limit the Actions to adding and removing objects from this one bucket only.

For the Source IP, enter the IP of your Nextcloud server, followed by “/32” (if you have multiple IP addresses, you need to adjust this CIDR notation). This limits the use of the policy to requests that are made by our Nextcloud server, such that even when your access key is leaked, an attacker cannot directly use it to access your files from his own address. If you do not know the IP of your Nextcloud instance, it can be found by navigating to the “Systems Information” in Nextcloud when logged in as the administrator.

Note: You can achieve the same by using the following JSON policy instead of visually creating the policy. For this, click on “JSON” in the policy creation stage and add:

{

    "Version": "2012-10-17",

    "Statement": [

        {

            "Sid": "VisualEditor0",

            "Effect": "Allow",

            "Action": [

                "s3:PutObject",

                "s3:GetObject",

                "s3:GetObjectAttributes",

                "s3:ListBucket",

                "s3:GetBucketVersioning",

                "s3:DeleteObject"

            ],

            "Resource": [

                "arn:aws:s3:::<BUCKETNAME>/*",

                "arn:aws:s3:::<BUCKETNAME>"

            ],

            "Condition": {

                "IpAddress": {

                    "aws:SourceIp": "<NEXTCLOUD_IP>/32"

                }

            }

        }

    ]

}

,

You will need to replace <BUCKETNAME> and <NEXTCLOUD_IP> with their respective values.

After reviewing and confirming the new policy, the user now has two policies: the new restricted one, and the original S3UserFull accessible by everyone. After detaching the S3FullAccess policy we used to create the original bucket, the final output should look as follows:

Secure the Amazon S3 bucket

In addition to securing the access to AWS, you should also use AWS controls to harden the Amazon S3 storage using AWS standard controls.

Specifically, we need to turn on “Block public access,” an additional security control to prevent sharing a bucket online as one would do for a website. We also need to configure standard server-side encryption to encrypt data on S3.

For this, go to Amazon S3, select your bucket, and click “Edit” under the Encryption settings for the Properties tab.

Select an Amazon-S3-managed key for encryption.

If you need a dedicated encryption key in addition to the encryption that Nextcloud provides, you can also use your own customer-managed key instead of the Amazon-managed key. In this case, the only change to the description is that you also need to modify the user permissions policy we created above to include the corresponding actions (kms:Encrypt, kms:Decrypt, kms:GenerateDataKey) for that key.

In addition to encryption, we also want to protect the bucket against unauthorized access. For this, go to the “Permissions” tab and edit the “Block public Access” block. This will prevent accidentally publishing objects inside the bucket on the internet.

With these steps, you have secured your setup by granting minimal privileges to the access used by Nextcloud to your AWS account, and by hardening the Amazon S3 bucket through encryption and public access blocking. You are now set to use Amazon S3 as your extended Nextcloud storage.

Cleanup

In case you decide to remove your data and access to AWS again, cleanup is straightforward.

In the AWS console,

1. Go to Amazon S3, select your bucket and choose “Empty Bucket,” then delete it.
2. Go to AWS IAM, navigate to the user you created, and delete it. After that, select the policy created and also delete it.

That’s it.

Summary

In this blog, we described how to use Amazon S3 as external storage to flexibly scale your Nextcloud setup while staying in control. If you are using AWS, this creates the link between your Nextcloud and the services AWS provides. If you are not using AWS yet, it allowed you to get a first impression of the possibilities this could open up. You can get started with the AWS Free Tier today.