Configuring the Amazon S3 cloud storage repository and enabling immutability
Amazon Simple Storage Service (S3) is an object storage service offered by Amazon Web Services (AWS). Amazon S3 provides IT teams with cloud storage to store and retrieve any amount of data from anywhere. One of Amazon S3's standout features is the ability to configure data immutability, ensuring that stored data cannot be altered or deleted for a defined period, making it ideal for compliance and disaster recovery scenarios.
Immutability in Amazon S3
Amazon S3 Object Lock offers immutability to protect your backups from accidental deletion or modification. Object Lock can be configured in two modes:
- Governance mode: This mode allows users with specific IAM permissions to bypass object lock restrictions. It is suitable for scenarios where some level of administrative oversight is required.
- Compliance mode: This mode is used to lock an object to prevent any deletion or modification, even by administrators, until the retention period expires. It is specifically for regulatory compliance.
Understanding the retention period in AWS and RecoveryManager Plus
With Object Lock enabled in Amazon S3, you can define a retention period to specify how long an object must be retained. Setting clear retention policies is essential when enabling immutability, as it cannot be modified once the immutability period starts.
For example, if a retention period is set to six months in RecoveryManager Plus and the backup immutability period is set to one year in Amazon S3, backups stored in Amazon S3 are protected for one year based on the immutability period set. After six months (the retention period set in the product), RecoveryManager Plus will attempt to delete backups that are older than six months. However, because of the one-year immutability set on the repository, AWS will not process any deletion requests until the one-year time period has elapsed.
To avoid data being deleted earlier than intended or stored longer than necessary, ensure that the retention period configured in both RecoveryManager Plus and Amazon S3 is the same.
Creating a bucket in Amazon S3 and enabling immutability
An Amazon S3 bucket is a container used to store objects, such as files and metadata, within the Amazon S3 service. It serves as a scalable and secure repository for organizing and managing data in the cloud.
To create a bucket and enable immutability, follow the steps listed below:
- Log in to the AWS Management Console.
- Search for S3 in the search bar and select S3 under Services.
- Click Create bucket.
- Configure the bucket settings:
- Click Create bucket to complete the process.
To modify the retention period in AWS, follow the steps listed below:
- Log in to the AWS Management Console.
- Search for S3 in the search bar and select S3 under Services.
- Select General purpose buckets from the left pane.
- Search for the bucket name in the search bar.
- Select Properties, scroll to the Object Lock section, and click Edit.
- Enable Default retention.
- In the Default retention mode field, select either Governance or Compliance mode.
Note: To override or remove Governance mode retention settings, you must have the s3:BypassGovernanceRetention permission set, and the x-amz-bypass-governance-retention:true header in the modify or delete request.
- In the Default retention period field, set the desired retention period.
- Click Save changes to complete the process.
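As an added illustration (not RecoveryManager Plus or AWS code; the Object Lock rules follow the behaviour described above, and the function names are this example's own), the following Python models the Default retention setting from the steps above and the retention mismatch from the earlier section, showing when a delete attempt from the product succeeds under each mode:

```python
from dataclasses import dataclass
from datetime import date, timedelta

GOVERNANCE, COMPLIANCE = "GOVERNANCE", "COMPLIANCE"


def default_retention_config(mode: str, days: int) -> dict:
    """Bucket default retention in the shape the S3 API's
    PutObjectLockConfiguration call accepts (Days must be >= 1)."""
    if mode not in (GOVERNANCE, COMPLIANCE) or days < 1:
        raise ValueError("mode must be GOVERNANCE or COMPLIANCE, days >= 1")
    return {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": mode, "Days": days}}}


@dataclass
class LockedObject:
    mode: str
    retain_until: date  # Object Lock retain-until date of this version


def delete_allowed(obj: LockedObject, today: date, *,
                   bypass_header: bool = False,
                   has_bypass_permission: bool = False) -> bool:
    """Compliance: no deletion before retain_until, even for administrators.
    Governance: early deletion only with BOTH the s3:BypassGovernanceRetention
    permission and the x-amz-bypass-governance-retention:true header."""
    if today >= obj.retain_until:
        return True
    if obj.mode == GOVERNANCE:
        return bypass_header and has_bypass_permission
    return False


def retention_mismatch(product_days: int, bucket_days: int) -> str:
    """Compare the backup product's retention with the bucket default."""
    if product_days == bucket_days:
        return "aligned"
    if product_days < bucket_days:
        return "deletes refused until the bucket retention elapses"
    return "objects deletable before the product intends to delete them"


def first_successful_delete(created: date, product_days: int,
                            bucket_days: int, mode: str = COMPLIANCE) -> date:
    """Date on which the product's retried delete of a backup created on
    `created` first succeeds (the six-month vs one-year case above)."""
    obj = LockedObject(mode, created + timedelta(days=bucket_days))
    day = created + timedelta(days=product_days)
    while not delete_allowed(obj, day):  # product keeps retrying daily
        day += timedelta(days=1)
    return day
```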
Adding Amazon S3 as a repository in RecoveryManager Plus
To add Amazon S3 storage as a repository:
- Navigate to the Admin tab > Administration > Backup Repository > Cloud.
- Click the Add Repository button in the top-right corner.
- Select AWS S3 from the Repository Type drop-down.
- Enter a name in the Repository Name field.
- Enter the Access Key and Secret Access Key. To learn how to find your AWS access key and secret access key, see the Finding your access key and secret access key in AWS section below.
- Enter the Bucket Name.
Note: Metadata for Microsoft 365, on-premises Exchange, Google Workspace, and Zoho WorkDrive backups will be stored in the default Elasticsearch node.
- Click Save.
The integration of Amazon S3 with RecoveryManager Plus, along with the immutability feature through Object Lock, enhances your data protection strategy by preventing accidental or unauthorized modifications to critical backups.
Finding your access key and secret access key in AWS
- Open the AWS Management Console in your web browser.
- Enter IAM in the search bar and select IAM under Services.
- Select Users under Access management in the left pane.
- Click Create user to create a new user. If a user has already been created, skip to step five.
- Enter a name for the user in the User name field and click Next.
- Click Attach policies directly and select AmazonS3FullAccess. Click Next.
- Review the details and click Create user.
- Once you have created the user, enter the username in the search bar.
- Select Security credentials, scroll to the Access keys section, and click Create access key.
- Select Third-party service and click Next.
- Add a description if needed and click Create access key.
- Copy the access key and secret access key to configure your Amazon S3 storage account in RecoveryManager Plus.