Amazon Simple Storage Service Bucket Requirements and Considerations
Before you protect your Amazon services using Cohesity DataProtect as a Service, ensure you have met the prerequisites and reviewed the considerations.
For information on the supported cloud regions where you can back up this source, see Supported Workloads and Cloud Regions.
Check Firewall Ports
Ensure that the ports listed in the Amazon Web Services (AWS) section of the Firewall Ports topic are open to allow communication between the Cohesity SaaS Connector(s) and the AWS environment.
Supported Amazon S3 Storage Class
Cohesity supports the data protection of the following Amazon Simple Storage Service (S3) bucket storage classes:
- Amazon S3 Standard
- Amazon S3 Intelligent-Tiering
- Amazon S3 Standard-IA
- Amazon S3 One Zone-IA
Account Requirements
To register your AWS account, run the CloudFormation Template (CFT) and add permissions to the IAM user.
The tables below list the permissions used by Cohesity in your AWS account. You do not need to add these permissions manually (except the IAM User Permissions to Execute CFT), as they are automatically added when you run the CFT provided by Cohesity during your AWS account registration with the Cohesity DataProtect as a Service and SiteContinuity services.
IAM User Permissions to Execute CFT
To register an AWS account with the Cohesity DataProtect as a Service, you need to run the CloudFormation Template on the AWS console. Ensure the IAM user you use has the following permissions to run the CloudFormation Template and to create and view the stack:
You must add these permissions manually.
- cloudformation:CreateChangeSet
- cloudformation:CreateStack
- cloudformation:CreateUploadBucket
- cloudformation:DeleteStack
- cloudformation:DescribeStackEvents
- cloudformation:DescribeStackResources
- cloudformation:DescribeStacks
- cloudformation:GetTemplate
- cloudformation:GetTemplateSummary
- cloudformation:ListStackResources
- cloudformation:ListStacks
- cloudformation:UpdateStack
- iam:AddRoleToInstanceProfile
- iam:AttachRolePolicy
- iam:CreateInstanceProfile
- iam:CreateRole
- iam:DeleteInstanceProfile
- iam:DeleteRole
- iam:DeleteRolePolicy
- iam:DetachRolePolicy
- iam:GetInstanceProfile
- iam:GetRole
- iam:GetRolePolicy
- iam:PassRole
- iam:PutRolePolicy
- iam:RemoveRoleFromInstanceProfile
- iam:TagRole
- lambda:AddPermission
- lambda:CreateFunction
- lambda:DeleteFunction
- lambda:InvokeFunction
- lambda:RemovePermission
- s3:CreateBucket
- s3:GetObject
- s3:ListBucket
- s3:PutObject
- s3:PutBucketPublicAccessBlock
Permissions for Amazon S3 Data Protection
You do not need to add these permissions manually, as they are automatically added when you run the CFT.

Resource | Permissions | Reason
---|---|---
S3 | s3:GetBucketLocation, s3:GetBucketNotification, s3:GetBucketOwnershipControls, s3:GetBucketTagging, s3:GetBucketVersioning, s3:GetInventoryConfiguration, s3:GetObject, s3:GetObjectAcl, s3:GetObjectTagging, s3:GetObjectVersion, s3:GetObjectVersionAcl, s3:GetObjectVersionTagging, s3:ListAllMyBuckets, s3:ListBucket, s3:PutBucketNotification, s3:PutInventoryConfiguration, s3:PutObject, s3:PutObjectAcl, s3:PutObjectTagging, s3:PutObjectVersionAcl | These permissions are required for the backup and recovery of Amazon S3 objects.
IAM | iam:SimulatePrincipalPolicy | SimulatePrincipalPolicy is needed to verify that the required actions are allowed on the IAM role Cohesity created as part of the CloudFormation template.
KMS* | kms:CreateGrant, kms:DescribeKey, kms:ListAliases, kms:GenerateDataKey | KMS permissions are needed to read data of an encrypted database at the time of backup, as well as to write encrypted data to the recovered database. Describe permissions are needed so that the keys associated with database instances can be listed and identified.
Events | events:DeleteRule, events:PutTargets, events:RemoveTargets | These permissions are required for capturing the incremental changes on the Amazon S3 buckets.
Glue | glue:DeleteJob | These permissions are required for sorting the inventory report. The sorted inventory report is then used to back up the Amazon S3 objects to Cohesity DataProtect as a Service.
SQS | sqs:CreateQueue, sqs:TagQueue, sqs:DeleteMessage, sqs:DeleteQueue, sqs:GetQueueUrl, sqs:PurgeQueue, sqs:ReceiveMessage, sqs:SetQueueAttributes | These permissions are required for capturing the incremental changes on the Amazon S3 buckets.
Permission for Amazon S3 Inventory Report
- To write objects to the Amazon S3 bucket, you must add the s3:PutObject permission to the bucket policy attached to the Amazon S3 bucket where you want to create the inventory report. The following is an example of an Amazon S3 bucket policy that allows s3.amazonaws.com to write (Put) objects in the Amazon S3 bucket. The aws:SourceAccount condition restricts the grant to inventory configurations in your own account:

  {
    "Version": "2012-10-17",
    "Id": "S3-Console-Auto-Gen-Policy-1698064515475",
    "Statement": [
      {
        "Sid": "InventoryAndAnalyticsExamplePolicy",
        "Effect": "Allow",
        "Principal": {
          "Service": "s3.amazonaws.com"
        },
        "Action": [
          "s3:PutObject"
        ],
        "Resource": "arn:aws:s3:::<s3bucketname_you_chose_for_inventory>/*",
        "Condition": {
          "StringEquals": {
            "aws:SourceAccount": "<account_Id>",
            "s3:x-amz-acl": "bucket-owner-full-control"
          }
        }
      }
    ]
  }

- If you're using Server-Side Encryption with AWS Key Management Service (SSE-KMS) for the bucket where you want to create the inventory report, ensure that the KMS key associated with that bucket has the necessary permissions to allow Amazon S3 to access it. To do this, add the following statement to the KMS key policy:

  {
    "Sid": "Allow Amazon S3 use of the KMS key",
    "Effect": "Allow",
    "Principal": {
      "Service": "s3.amazonaws.com"
    },
    "Action": "kms:GenerateDataKey",
    "Resource": "*"
  }
Create a Lifecycle Rule on Amazon S3
To delete the older inventory reports from the Amazon S3 bucket, you must create a lifecycle rule on the Amazon S3 bucket. You can delete all the inventory reports older than 30 days. For information on creating a lifecycle rule, see Amazon documentation.
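The following is an added example (not Cohesity's own code) of the lifecycle rule described above, expressed as the LifecycleConfiguration body that the S3 API accepts, together with an offline audit that shows which objects in a bucket listing such a rule would remove. The inventory prefix, object keys and timestamps are constructed sample values; the helper names are the example's own.

```python
"""Lifecycle rule that expires Amazon S3 Inventory reports after 30 days, plus an
offline audit of a bucket listing showing which objects such a rule would remove.
Added example, not Cohesity's own code; the prefix, object keys and timestamps
are constructed sample values."""
from datetime import datetime, timedelta, timezone

# Constructed: the destination prefix configured for the inventory report.
INVENTORY_PREFIX = "inventory/"


def inventory_expiration_rule(prefix, days=30):
    """Build the LifecycleConfiguration body accepted by
    `aws s3api put-bucket-lifecycle-configuration` and the matching boto3 call."""
    return {"Rules": [{
        "ID": "expire-old-inventory-reports",
        "Status": "Enabled",
        "Filter": {"Prefix": prefix},
        "Expiration": {"Days": days},
    }]}


def objects_past_expiry(listing, prefix, days, now):
    """Keys under `prefix` whose LastModified is older than `days` at `now`: roughly
    what the rule above would already have deleted (S3 rounds expiry to the next
    midnight UTC, so this is an approximation). `listing` is a list of
    (key, last_modified) pairs as found in list_objects_v2 Contents."""
    cutoff = now - timedelta(days=days)
    return sorted(key for key, last_modified in listing
                  if key.startswith(prefix) and last_modified < cutoff)


# Constructed listing: three inventory manifests and one unrelated object.
NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)
SAMPLE_LISTING = [
    ("inventory/data/2023-12-01T01-00Z/manifest.json", datetime(2023, 12, 1, tzinfo=timezone.utc)),
    ("inventory/data/2024-01-15T01-00Z/manifest.json", datetime(2024, 1, 15, tzinfo=timezone.utc)),
    ("inventory/data/2024-01-30T01-00Z/manifest.json", datetime(2024, 1, 30, tzinfo=timezone.utc)),
    ("other/unrelated-object.bin", datetime(2023, 1, 1, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    import json
    print(json.dumps(inventory_expiration_rule(INVENTORY_PREFIX), indent=2))
    print("would be expired:", objects_past_expiry(SAMPLE_LISTING, INVENTORY_PREFIX, 30, NOW))
```

To apply the rule, write the dictionary returned by inventory_expiration_rule to a file with json.dump and pass it to `aws s3api put-bucket-lifecycle-configuration --bucket <inventory-bucket> --lifecycle-configuration file://rule.json`. Scoping the rule with the inventory prefix keeps it from expiring anything else stored in the same bucket.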
Permission for Amazon Key Management Service (KMS)
If the Amazon S3 bucket you want to protect is encrypted with server-side encryption with AWS Key Management Service keys (SSE-KMS) or dual-layer server-side encryption with AWS Key Management Service keys (DSSE-KMS), then for Cohesity to access the Amazon S3 bucket, you must perform one of the following actions:
- Add the IAM role created by the CloudFormation template as a key user of the AWS KMS key.
- Add the following permissions to the key policy attached to the AWS KMS key:
  - kms:Encrypt
  - kms:Decrypt
  - kms:ReEncrypt*
  - kms:GenerateDataKey*
  - kms:DescribeKey

  For example:

  {
    "Version": "2012-10-17",
    "Id": "AccessKeyId",
    "Statement": [
      {
        "Sid": "Allow use of the key to cohesity role",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::<AWS-ACCOUNT>:role/<ROLE-NAME>"
        },
        "Action": [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*",
          "kms:DescribeKey"
        ],
        "Resource": "*"
      }
    ]
  }
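As an added example (not Cohesity's own tooling), the checker below verifies offline that the two policy documents this page asks for have the expected shape: the inventory bucket policy from the "Permission for Amazon S3 Inventory Report" section (s3.amazonaws.com allowed to s3:PutObject on the inventory bucket, limited by the aws:SourceAccount and s3:x-amz-acl conditions) and the KMS key policy above (the CloudFormation-created role granted the five listed actions). The bucket name, account id and role ARN are constructed placeholders, and the expansion of kms:ReEncrypt* and kms:GenerateDataKey* into concrete action names is the example's own assumption about what a checker should insist on.

```python
"""Offline checks for the inventory bucket policy and the KMS key policy
described on this page. Added example, not Cohesity's own tooling. Bucket name,
account id and role ARN are constructed sample values."""
import fnmatch

# The page's kms:ReEncrypt* and kms:GenerateDataKey* entries expanded to the
# concrete KMS actions (assumption: this is the set a checker should insist on).
REQUIRED_KMS_ACTIONS = (
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncryptFrom",
    "kms:ReEncryptTo",
    "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey",
)


def _as_list(value):
    """IAM accepts either a string or a list in Action, Resource and Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_granted(granted, needed):
    """IAM action names are case-insensitive and may contain '*' / '?' wildcards."""
    return any(fnmatch.fnmatchcase(needed.lower(), pattern.lower()) for pattern in granted)


def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]


def check_inventory_bucket_policy(policy, bucket, account_id):
    """Return findings for the inventory bucket policy; empty means it matches
    the shape of the page's example."""
    target = f"arn:aws:s3:::{bucket}/*"
    for stmt in _allow_statements(policy):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if "s3.amazonaws.com" not in services:
            continue  # not the statement that lets S3 Inventory write reports
        findings = []
        if not _action_granted(_as_list(stmt.get("Action")), "s3:PutObject"):
            findings.append("statement for s3.amazonaws.com does not allow s3:PutObject")
        if not any(fnmatch.fnmatchcase(target, r) for r in _as_list(stmt.get("Resource"))):
            findings.append(f"Resource does not cover {target}")
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        # aws:SourceAccount is what stops an inventory configuration in another
        # account from writing into this bucket through the S3 service principal.
        if conditions.get("aws:SourceAccount") != account_id:
            findings.append("missing or wrong aws:SourceAccount condition")
        if conditions.get("s3:x-amz-acl") != "bucket-owner-full-control":
            findings.append("missing s3:x-amz-acl = bucket-owner-full-control condition")
        return findings
    return ["no Allow statement with Principal Service s3.amazonaws.com"]


def check_kms_key_policy(policy, role_arn):
    """Return the required KMS actions the key policy does not grant to role_arn.
    In a key policy "Resource": "*" means the key itself, so Resource is not checked."""
    granted = []
    for stmt in _allow_statements(policy):
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if role_arn in aws_principals:
            granted.extend(_as_list(stmt.get("Action")))
    return [action for action in REQUIRED_KMS_ACTIONS if not _action_granted(granted, action)]


# Constructed sample values standing in for the page's <...> placeholders.
INVENTORY_BUCKET = "example-inventory-bucket"
ACCOUNT_ID = "123456789012"
COHESITY_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/ExampleCohesityRole"

INVENTORY_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "InventoryAndAnalyticsExamplePolicy",
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": ["s3:PutObject"],
        "Resource": f"arn:aws:s3:::{INVENTORY_BUCKET}/*",
        "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT_ID,
                                       "s3:x-amz-acl": "bucket-owner-full-control"}},
    }],
}
# Same statement with the Condition block dropped: any account's inventory could write here.
WEAK_INVENTORY_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{k: v for k, v in INVENTORY_BUCKET_POLICY["Statement"][0].items()
                   if k != "Condition"}],
}

KMS_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Allow use of the key to cohesity role",
        "Effect": "Allow",
        "Principal": {"AWS": COHESITY_ROLE_ARN},
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"],
        "Resource": "*",
    }],
}
# A key policy that grants the role only a subset of the required actions.
READ_ONLY_KMS_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": COHESITY_ROLE_ARN},
                   "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}],
}

if __name__ == "__main__":
    print("inventory policy:", check_inventory_bucket_policy(INVENTORY_BUCKET_POLICY, INVENTORY_BUCKET, ACCOUNT_ID))
    print("weak inventory policy:", check_inventory_bucket_policy(WEAK_INVENTORY_BUCKET_POLICY, INVENTORY_BUCKET, ACCOUNT_ID))
    print("kms policy, missing:", check_kms_key_policy(KMS_KEY_POLICY, COHESITY_ROLE_ARN))
    print("read-only kms policy, missing:", check_kms_key_policy(READ_ONLY_KMS_KEY_POLICY, COHESITY_ROLE_ARN))
```

Feed the functions the JSON you retrieve with `aws s3api get-bucket-policy` and `aws kms get-key-policy` (parsed with json.loads) before registering the account; an empty result from either check means the document has the shape the page describes, and a non-empty result names what is missing. The static check complements, rather than replaces, the iam:SimulatePrincipalPolicy evaluation that Cohesity runs against the role itself.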
Considerations
- Cohesity does not support:
  - Browsing and recovering a single object in an Amazon S3 bucket. However, you can recover multiple objects by specifying the object prefix in the recovery task under the S3 Prefixes to Recover option.
  - The backup of older versions of objects in a versioned Amazon S3 bucket. Only the latest version of each object in the versioned Amazon S3 bucket is backed up.
- Cohesity does not support cross-region backup and recovery, i.e., the backup and recovery of Amazon S3 buckets located in a different cloud region than the one where your data is backed up (the Cohesity-managed SaaS platform).
- The Amazon S3 bucket where you want to create the inventory report and the Amazon S3 bucket you want to protect must be in the same region.
- If the SQS queue is deleted between backups, all the changes made between those backups are skipped in the next incremental backup.
- Cohesity DataProtect as a Service skips the backup of Amazon S3 objects that are in the following access tiers of Amazon S3 Intelligent-Tiering during protection:
  - Archive Access tier
  - Deep Archive Access tier
- You do not need to deploy a SaaS connection to protect Amazon S3 buckets.
- Cohesity does not support restoring only metadata. The metadata of Amazon S3 objects is restored only if the object itself is also restored.
- Cohesity does not remove older objects from the Amazon S3 bucket where the inventory report is created. Therefore, you must create a lifecycle rule to remove these objects from the Amazon S3 bucket to avoid storage issues.