S3 backups: write-only credentials support + custom upload parameters (storage class)

Problem Two limitations make the current S3 backup integration risky and inflexible for production use:

Credentials need broad permissions. There's no clear support for write-only access (PutObject only, without Delete or List). If the EasyPanel server is compromised, the attacker can wipe or enumerate all backups using the same credentials — defeating the point of off-site backups. No control over storage class. All backups land in S3 Standard. There's no way to pass custom parameters to the upload, so storing directly in Glacier / Glacier Deep Archive isn't possible. For long-term retention this means much higher cost than necessary.

Request

Support write-only S3 credentials — make sure the backup flow only requires s3:PutObject (no Delete, no List, no GetObject required for the upload to succeed). Document the minimal IAM policy. Allow custom upload parameters — at minimum a storage class selector (STANDARD, STANDARD_IA, GLACIER, DEEP_ARCHIVE, etc.), ideally a free-form field for any extra S3 PutObject parameters.

Why Write-only credentials are a standard practice for backup targets — they ensure a compromised server can't destroy its own backups. Combined with Glacier storage, this would make EasyPanel's S3 backups both safer and significantly cheaper for teams keeping long retention windows.