Protect Your Amazon S3 Buckets
Cohesity utilizes the Amazon S3 inventory report to protect the Amazon S3 bucket. When you register the AWS account, you can specify the Amazon S3 bucket where you want to create the inventory report. The S3 bucket you specify must be within the same AWS account and cloud region as the Amazon S3 bucket selected for protection.
When you initiate the Amazon S3 bucket protection, AWS will create an inventory report. It may take up to 48 to 72 hours for AWS to create an inventory report. This inventory report will contain the list of all the objects available on the Amazon S3 bucket you selected for protection. Cohesity uses this inventory report to perform the first full backup of the Amazon S3 bucket. Once Cohesity performs the first full backup, Cohesity utilizes AWS EventBridge and SQS queues to perform incremental backups of the Amazon S3 bucket.
With this protection approach, Cohesity can back up multi-billion S3 objects at a faster rate.
-
If you have already registered your AWS account to protect AWS RDS or AWS EC2 workloads, then you must Update the Existing CloudFormation Template to update the Cohesity permissions in your AWS account.
-
You do not need to deploy a SaaS connection to protect Amazon S3 buckets.
Add Protection to Your Registered Amazon S3 Buckets
Before protecting your Amazon S3 bucket, ensure you have met the prerequisites and understood the considerations.
To protect your Amazon S3 buckets:
-
In DataProtect as a Service, navigate to Sources.
-
Find the registered AWS account and click into it.
-
Click the S3 tab.
-
Use the checkboxes to select the objects for protection. To protect the whole source, click the checkbox above the column.
-
Click the Protect icon above the checkboxes.
-
Choose a policy to specify backup frequency and retention. If you don't have a policy, you can easily create one. Ensure that the backup frequency set in the policy for S3 bucket is at most weekly. Backups may fail if the frequency is set for more than a week.
-
If you wish to change or configure any of the additional settings , select More Options and perform the below steps or else, click Protect.
-
Under Settings, edit the following options if necessary:
-
Start time: Indicates what time the protection run should start. Enter the Start Time and select AM or PM. The default time zone is the browser's time zone. You can change the time zone of the protection run by selecting a different time zone here.
-
SLA: Defines how long the administrator expects a protection run to take. Enter:
-
Full. The number of minutes you expect a full protection run, which captures all the blocks in an object, to take.
-
Incremental. The number of minutes you expect an incremental protection run, which captures only the changed blocks in an object, to take.
-
-
-
Under Additional Settings, configure the following option:
-
Skip File on Errors: Enable this option to continue the protection run even if any error is encountered when backing an S3 object. By default, this option is enabled. By disabling this option, the protection run will fail if one of the objects in S3 encounters an error.
-
Enable ACL Backups: Enable this option to backup ACL. You can backup ACLs only if ACLs are configured in the S3 bucket you chose to protect. By default, this option is disabled.
-
-
Click Protect.
Cohesity starts backing up the Amazon S3 buckets you selected. You can monitor the status of the backup in the Activity page.
Protect an S3 Bucket Located in a Different AWS Region
If you want to protect an Amazon S3 bucket located in a different AWS region from where the inventory report's S3 bucket is located, perform the following steps:
-
Add the region of the Amazon S3 bucket you want to protect as a new region to store your backup. For more information, see Select Regions and Encryption Key Management System.
-
Re-register the AWS Account with the following details:
-
Specify the region of the Amazon S3 bucket you want to protect as the Destination cloud region.
-
The S3 bucket you specify for creating the inventory report must be in the same region as the S3 bucket you want to protect.
-
Next > When the first protection run completes, you will be ready to recover your protected Amazon S3 buckets if and when you need to.