pingcap · wildpcww · Dec 19, 2025 · Dec 19, 2025 · Dec 19, 2025 · Dec 19, 2025
diff --git a/tidb-cloud/configure-external-storage-access.md b/tidb-cloud/configure-external-storage-access.md
@@ -179,12 +179,56 @@ It is recommended that you use an IAM user (instead of the AWS account root user
 
 Take the following steps to configure an access key:
 
-1. Create an IAM user. For more information, see [creating an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#id_users_create_console).
-
-2. Use your AWS account ID or account alias, and your IAM user name and password to sign in to [the IAM console](https://console.aws.amazon.com/iam).
+1. **Create an IAM user and access key.**
+    - Create an IAM user. For more information, see [creating an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#id_users_create_console).
+    - Use your AWS account ID or account alias, and your IAM user name and password to sign in to [the IAM console](https://console.aws.amazon.com/iam).
+    - Create an access key. For more information, see [creating an access key for an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey).
+
+2. **Grant permissions to the IAM user.**
+    Create a policy and attach it to the IAM user. Ensure the policy includes the required permissions based on your task:
+    - **To import data** into a TiDB Cloud <CustomContent plan="starter,essential">cluster</CustomContent><CustomContent plan="premium">instance</CustomContent>, grant `s3:GetObject`, `s3:GetObjectVersion`, and `s3:ListBucket` permissions.
+    - **To export data** from a TiDB Cloud <CustomContent plan="starter,essential">cluster</CustomContent><CustomContent plan="premium">instance</CustomContent>, grant `s3:PutObject` and `s3:ListBucket` permissions.
+    <CustomContent plan="premium">
+    - **To restore data** to a TiDB Cloud instance, grant `s3:GetObject`, `s3:GetBucketLocation`, and `s3:ListBucket` permissions.
+
+    The following is an example policy that allows TiDB Cloud to **restore** data from a specific folder in your S3 bucket. 
+
+    ```json
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "AllowGetBucketLocation",
+                "Effect": "Allow",
+                "Action": "s3:GetBucketLocation",
+                "Resource": "arn:aws:s3:::<Your S3 bucket name>"
+            },
+            {
+                "Sid": "AllowListPrefix",
+                "Effect": "Allow",
+                "Action": "s3:ListBucket",
+                "Resource": "arn:aws:s3:::<Your S3 bucket name>",
+                "Condition": {
+                    "StringLike": {
+                        "s3:prefix": "<Your backup folder>/*"
+                    }
+                }
+                },
+            {
+                "Sid": "AllowReadObjectsInPrefix",
+                "Effect": "Allow",
+                "Action": "s3:GetObject",
+                "Resource": "arn:aws:s3:::<Your S3 bucket name>/<Your backup folder>/*"
+            }
+        ]
+    }
+    ```
 
-3. Create an access key. For more information, see [creating an access key for an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey).
+    > **Tip:**
+    >
+    > In the policy above, replace `<Your S3 bucket name>` and `<Your backup folder>` with your actual bucket name and backup directory. This configuration follows the principle of least privilege by restricting access to only the necessary backup files.
 
+</CustomContent>
 > **Note:**
 >
 > TiDB Cloud does not store your access keys. It is recommended that you [delete the access key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey) after the import or export is complete.
@@ -304,10 +348,16 @@ Take the following steps to configure an AccessKey pair:
     - In the **Service** section, select **Object Storage Service**.
     - In the **Action** section, select the permissions as needed.
 
-        To import data into a TiDB Cloud <CustomContent plan="starter,essential">cluster</CustomContent><CustomContent plan="premium">instance</CustomContent>, grant **oss:GetObject**, **oss:GetBucketInfo**, and **oss:ListObjects** permissions.
+        To import data into a TiDB Cloud <CustomContent plan="starter,essential">cluster</CustomContent><CustomContent plan="premium">instance</CustomContent>, grant `oss:GetObject`, `oss:GetBucketInfo`, and `oss:ListObjects` permissions.
 
         To export data from a TiDB Cloud <CustomContent plan="starter,essential">cluster</CustomContent><CustomContent plan="premium">instance</CustomContent>, grant `oss:PutObject` and `oss:GetBucketInfo` permissions.
 
+        <CustomContent plan="premium"> To restore a backup to a TiDB Cloud instance, grant `oss:ListObjects` and `oss:GetObject` permissions.</CustomContent>
+
     - In the **Resource** section, select the bucket and the objects in the bucket.
 
+    > **Tip**
+    >
+    > For restore operations, you can enhance security by restricting access to only the specific folder (prefix) where your backup files are stored, rather than granting access to the entire bucket.
+
 3. Attach the custom policies to the RAM user. For more information, see [Grant permissions to a RAM user](https://www.alibabacloud.com/help/en/ram/user-guide/grant-permissions-to-the-ram-user).