<p>restic doesn't work unless you give it s3:DeleteObject permission on at least a subset of the backup bucket because it needs to delete locks</p><p>obviously the example policy just gives the backup account a blanket permission to delete anything</p>