Protect Your Amazon S3 Buckets

Cloud Protection Service utilizes the Amazon S3 inventory report to protect the Amazon S3 bucket. When you register the AWS account, you can specify the Amazon S3 bucket where you want to create the inventory report. The Amazon S3 bucket you specify must be within the same AWS account and cloud region as the Amazon S3 bucket selected for protection.

When you initiate the Amazon S3 bucket protection, AWS will create an inventory report. It may take up to 48 to 72 hours for AWS to create an inventory report. This inventory report will contain the list of all the objects available on the Amazon S3 bucket you selected for protection. Cloud Protection Service uses this inventory report to perform the first full backup of the Amazon S3 bucket. Once Cloud Protection Service performs the first full backup, Cloud Protection Service utilizes Amazon EventBridge and SQS queues to perform incremental backups of the Amazon S3 bucket.

With this protection approach, Cloud Protection Service can back up multi-billion Amazon S3 objects at a faster rate.

If you have already registered your AWS account to protect Amazon RDS or Amazon EC2 workloads, then you must Update the Existing CloudFormation Template to update the Cloud Protection Service permissions in your AWS account. For more information, see Protect S3 Buckets for an Already Registered AWS Source.
You do not need to deploy a SaaS connection to protect Amazon S3 buckets.

Before you Begin

Before protecting your Amazon S3 Buckets, ensure you have met the prerequisites and understood the considerations.

Add Protection to Your Registered Amazon S3 Buckets

Before protecting your Amazon S3 bucket, ensure you have met the prerequisites and understood the considerations.

To protect your Amazon S3 buckets:

In Cloud Protection Service, navigate to Sources.
Find the registered AWS account and click into it.
Click the S3 tab.
Use the checkboxes to select the Amazon S3 buckets for protection.

Optionally, you can configure auto-protect at the region level. When this option is enabled, all the Amazon S3 buckets that are added to that level in the future are automatically protected from the next protection run. Additionally, you can also perform tag-based auto-protection of Amazon S3 buckets.
- To auto-protect the Amazon S3 buckets based on the hierarchy level, click the Hierarchy View icon located at the right corner of the page. Select the checkbox of the region, and then select Auto Protect This Region.
  
  To protect all the Amazon S3 buckets in a region, select the checkbox of the region, and then Select All Child Objects.
- To auto-protect the Amazon S3 buckets based on tag, click the Tag icon at the right corner of the page. Select the checkbox of a tag and then select Auto Protect This to auto-protect the Amazon S3 buckets with this tag.
  
  To protect all Amazon S3 buckets with the tag, select the checkbox of the region, and then Select All Child Objects.
Click the Protect icon above the checkboxes.
Choose a policy to specify backup frequency and retention. If you don't have a policy, you can easily create one. Ensure that the backup frequency set in the policy for Amazon S3 bucket is at most weekly. Backups may fail if the frequency is set for more than a week.
If you wish to change or configure any of the additional settings, select More Options and perform the below steps or else, click Protect.
Under Settings, edit the following options if necessary:
- Start time: Indicates what time the protection run should start. Enter the Start Time and select AM or PM. The default time zone is the browser's time zone. You can change the time zone of the protection run by selecting a different time zone here.
- SLA: Defines how long the administrator expects a protection run to take. Enter:
  - Full. The number of minutes you expect a full protection run, which captures all the blocks in an object, to take.
  - Incremental. The number of minutes you expect an incremental protection run, which captures only the changed blocks in an object, to take.
Under Additional Settings, configure the following option:
- Skip File on Errors: Enable this option to continue the protection run even if any error is encountered when backing an Amazon S3 object. By default, this option is enabled. By disabling this option, the protection run will fail if one of the objects in Amazon S3 encounters an error.
- Enable ACL Backups: Enable this option to backup ACL. You can backup ACLs only if ACLs are configured in the Amazon S3 bucket you chose to protect. By default, this option is disabled.
Click Protect.

Cohesity starts backing up the Amazon S3 buckets you selected. You can monitor the status of the backup in the Activity page.

Re-register AWS to Protect S3 Located in a Different Region

If you want to protect an Amazon S3 bucket located in a different AWS region from where the inventory report's Amazon S3 bucket is located, perform the following steps:

Add the region of the Amazon S3 bucket you want to protect as a new region to store your backup. For more information, see Select Regions and Encryption Key Management System.
Re-register the AWS Account with the following details:
1. Specify the region of the Amazon S3 bucket you want to protect as the Destination cloud region.
2. The Amazon S3 bucket you specify for creating the inventory report must be in the same region as the Amazon S3 bucket you want to protect.

Next > When the first protection run completes, you will be ready to recover your protected Amazon S3 buckets if and when you need to.

Baas Documentation