Setting up an Amazon S3 target

R‑Cloud supports using an Amazon S3 target to store data in the Amazon S3 cloud storage.

Prerequisites

  • An AWS IAM role that is used for performing all operations on the target must be added to R‑Cloud. You can add this IAM role as part of setting up your Amazon S3 target, or use the one that you already added as part of doing one of the following:

    • Adding an where the target resides as a source to R‑Cloud. For details, see Adding an AWS account.

  • Only if you want the data stored on this target to be encrypted by using the customer managed key management type. The length of your AES-256 key must be 32 bytes.

Limitations

  • Storing data to a publicly available target is not supported.

  • Storing data to a target on which a lifecycle configuration is set is not supported and may result in data loss.

  • Only copies of backup data can be stored to a target with the S3 Glacier Flexible Retrieval or S3 Glacier Deep Archive storage tier. Keep in mind that AWS can charge you additionally for premature removal of data if the retention period specified in your policy is shorter than the recommended (minimum) retention period in AWS.

  • Only if you plan to enable target encryption. The following limitations apply:

    • Target encryption is limited to the SaaS application data.

    • R‑Cloud cannot encrypt data of the SaaS applications that are related to R‑Cloud modules that use staging targets or only use snapshots to store backup data. For details, see the relevant topics for your SaaS application in Protecting SaaS applications

Considerations

  • You can set up the same target in multiple protection sets.

  • Storing data to a target that has Object Lock (WORM) enabled is supported.

  • Only if you plan to enable target encryption. Consider the following:

    • The R‑Cloud encryption is applied on top of the native cloud platform data encryption to provide an additional layer of security.

    • After you enable target encryption, the previously stored backup data remains unencrypted.

    • If you decide to disable target encryption, the backup data that was stored on the target while the target encryption was enabled remains encrypted.

    • The SaaS applications metadata is not encrypted.

Recommendation

The exclude policy is automatically assigned to the bucket that is added to R‑Cloud as a target. It is highly recommended that you do not change this default configuration.

To access the Targets panel, in the navigation pane, click Targets Targets. Alternatively, in the Dashboard panel, click the Targets widget title.

Procedure

  1. In the Targets panel, click Add Add.

  2. Select Amazon S3, and then click Next.

  3. Depending on the type of your bucket, click one of the following:

    • General purpose bucket

    • Directory bucket

  4. In the Bucket Name, enter the name of an existing bucket that will store protected data.

  5. In the Size Quota field, specify the amount of storage space that should be used for storing data (in MiB, GiB, or TiB).

    Important  The specified amount represents a soft limit, therefore actual usage may exceed it.

  6. Use the Enforce quota switch to stop running backups if this target reaches its size quota. The backups will start running again after you increase the size quota of this target or assign a different policy to the entities. Such a policy must use a target with the sufficient size quota.

  7. Use the Target encryption switch if you want the SaaS application data stored on this target to be encrypted.

    1. From the Key Management Type drop-down menu, select one of the following:

      • Select HYCU managed if you want the encryption key to be provided and managed by HYCU.

      • Select Customer managed if you want to provide and manage the encryption key by yourself.

    2. Only if you selected the customer managed key management type. In the AES-256 Encryption Key field, browse for and select your AES-256 binary key.

      Note  If you later decide to edit the target, the AES-256 Encryption Key field will remain populated.

  8. From the Storage Class drop-down, select the storage class that you want to use for storing the data.

  9. From the IAM Role drop-down menu, select the AWS IAM role that you want to be used for performing all operations on the target. If such an IAM role is not already added to R‑Cloud, you can add it as follows:

    1. In the drop-down menu, click Add Add New.

    2. Enter a display name for the IAM role that you want to add to R‑Cloud.

    3. In the Account ID field, enter the ID of the that contains the target that you are setting up.

    4. Click Create IAM Role to be automatically redirected to the AWS Management Console where you can create the IAM role. The required permissions are assigned to the IAM role during the creation procedure. For a list of the permissions, see Adding an AWS IAM role.

      Important  You must be signed in to the AWS Management Console with the that contains the target that you are setting up. If you are already signed in to the AWS Management Console with a different when you create the IAM role, the creation fails.

    5. Click Add

  10. Only if you are adding a directory bucket. In the Region field, enter the region of your bucket (for example, us-east-1).
  11. Click Save.

The target is added to the list of targets in the Targets panel. For details on managing targets, see Managing targets.