Using Amazon Simple Storage Service (S3) as a primary storage for Enterprise Vault

Product(s): Enterprise Vault (14.1, 14.0)

Adding a new Amazon S3 partition that uses STS Assume Role authentication

Before you configure Amazon S3 as the primary partition with AWS STS Assume Role authentication, complete the following steps:

  • Ensure that the AWS S3 bucket that you want to use for the primary partition has been created in AWS, and that you know the name of the bucket.

  • Ensure that the IAM roles and their managed policies have been defined for your AWS S3 buckets, and that you know the roles' Amazon Resource Name (ARN).

For more information on Amazon STS (Security Token Service), see AWS Documentation.

Using the AWS Management Console, create a role that an IAM user can assume

  1. In the IAM pane of the console, click Users, and then click Add User. This user is used to assume roles from your on-premises environment.
  2. Create an IAM Role User policy which will be attached to the user added in the above step.

    This policy allows the IAM user to list and assume roles. The following JSON document describes the policy.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "iam:ListRoles",
                    "sts:AssumeRole"
                ],
                "Resource": "*"
            }
        ]
    }
    
  3. Attach the policy to the IAM user.
  4. The IAM user that is allowed to assume roles now exists. Before you create the role, create an IAM policy that will be attached to the role.
  5. Create an AWS IAM role policy for Amazon S3 that grants the following permissions on S3:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:GetObject",
                    "s3:DeleteObject",
                    "s3:GetBucketLocation",
                    "s3:ListBucket",
                    "s3:GetBucketObjectLockConfiguration"
                ],
                "Resource": "*"
            }
        ]
    }

    By default, the partition is created in non-WORM mode and you can use the above policy.

    If you choose to create the partition in WORM mode, the STS Assume Role authentication method needs additional permissions. In this case, create and attach an AWS IAM role policy for Amazon S3 that grants the following permissions:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:GetObject",
                    "s3:DeleteObject",
                    "s3:GetBucketLocation",
                    "s3:ListBucket",
                    "s3:PutObjectRetention",
                    "s3:GetBucketObjectLockConfiguration",
                    "s3:GetObjectVersion",
                    "s3:ListBucketVersions",
                    "s3:DeleteObjectVersion",
                    "s3:GetObjectRetention"
                ],
                "Resource": "*"
            }
        ]
    }
    
  6. To create the IAM role, in the IAM pane of the console, click Roles, and then choose Create role.
  7. Select the Another AWS account type of trusted entity.
  8. Provide the Account ID of the AWS account that owns the IAM user created in step 1.
  9. Associate the policy created in step 5.
  10. For Role name, type a name for your role.
  11. Review the role, and then click Create role.
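The policies above grant the listed S3 actions on "Resource": "*". The following Python is an added example (not part of this guide or the Enterprise Vault product) that builds the same role policy scoped to a single bucket ARN, builds the trust policy the console generates for the Another AWS account choice in step 7 and step 8, and checks an existing policy for the actions a non-WORM or WORM partition needs. The bucket name, account ID and Sid are constructed placeholders.

```python
import json

# Actions the guide's role policy grants for a partition in non-WORM mode.
NON_WORM_ACTIONS = [
    "s3:PutObject", "s3:GetObject", "s3:DeleteObject",
    "s3:GetBucketLocation", "s3:ListBucket",
    "s3:GetBucketObjectLockConfiguration",
]
# Additional actions the guide requires when the partition uses WORM mode (S3 Object Lock).
WORM_EXTRA_ACTIONS = [
    "s3:PutObjectRetention", "s3:GetObjectVersion", "s3:ListBucketVersions",
    "s3:DeleteObjectVersion", "s3:GetObjectRetention",
]

def role_policy(bucket, worm=False):
    """Role policy with the guide's action list, scoped to one bucket instead of "*".
    Bucket-level actions need the bucket ARN; object-level actions need bucket/*."""
    actions = NON_WORM_ACTIONS + (WORM_EXTRA_ACTIONS if worm else [])
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "EnterpriseVaultPartition",  # constructed Sid
            "Effect": "Allow",
            "Action": sorted(actions),
            "Resource": [bucket_arn, f"{bucket_arn}/*"],
        }],
    }

def trust_policy(user_account_id):
    """Trust policy equivalent to choosing "Another AWS account" and entering an
    account ID: the console writes the account root as the trusted principal."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{user_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }

def missing_actions(policy, worm=False):
    """Return the actions the partition needs that the given policy does not allow."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt["Action"]
        granted.update([acts] if isinstance(acts, str) else acts)
    needed = set(NON_WORM_ACTIONS) | (set(WORM_EXTRA_ACTIONS) if worm else set())
    return sorted(needed - granted)
```

Run missing_actions on the policy you attached in step 5 before switching a partition to WORM mode; json.dumps(role_policy("bucket", worm=True), indent=4) prints a document you can paste into the policy editor.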

To add a new Amazon S3 partition that uses STS Assume Role authentication

  1. In the left pane of the Administration Console, expand the Vault Store Groups container to view the existing vault store groups.
  2. Expand the vault store group that contains the vault store for which you want to create the partition.
  3. Expand the vault store in which you want to create the partition.
  4. Right-click the Partitions container, and then click New > Partition. The New Partition wizard starts.
  5. Click Next.
  6. Enter all the details for new Vault Store Partition and then click Next.
  7. In the Storage type list, select Amazon Simple Storage Service.
  8. Select the Store data in WORM mode using S3 Object Lock option if you want to store data in WORM mode. By default, this option is cleared and data is stored in non-WORM mode.

    Note:

    Ensure that the retention mode of S3 Object Lock for the AWS S3 bucket is configured in Compliance mode.

    The test functionality for a partition created on AWS S3 in WORM mode fails if the clock on the Enterprise Vault server is behind the universal clock for its time zone. The test sometimes fails to upload objects because the AWS S3 service returns the error "Retain Until Date must be in future". You must synchronize the clock on your Enterprise Vault server with the universal clock. Alternatively, you can set the RetentionPeriodForTestInSecs registry value to an appropriate value. Refer to the Enterprise Vault™ Registry Values Guide.

  9. Select the STS Assume Role option to authenticate with Amazon S3.
  10. Provide the Amazon S3 connection settings:

    Setting

    Description

    Access key ID

    Specify the access key ID that is provided by Amazon.

    Secret access key

    Specify the secret access key that is provided by Amazon.

    ARN of IAM Role

    Specify the Amazon Resource Name for the IAM role to be assumed for the specified IAM user.

    STS Endpoint

    Select the STS endpoint of the same region where the AWS S3 bucket also resides.

    Note:

    Enterprise Vault recommends using the STS endpoint of the region where the AWS S3 bucket exists to reduce latency and improve response time.

    Bucket name

    Specify the name of the AWS S3 bucket.

    Note:

    The bucket name cannot be modified once the partition is created.

    You must not delete the bucket after creating the partition. In case you need to delete the bucket for some reason, you must create a new partition.

    Storage class

    Specify the storage class for storing objects into the AWS S3 bucket.

    • S3 Standard - to store frequently accessed data.

    • S3 Standard-IA - to store infrequently accessed data that requires rapid access when needed. Data is stored in a minimum of three Availability Zones (AZs).

    • S3 One Zone-IA - to store infrequently accessed data in a single Availability Zone.

    • S3 Intelligent-Tiering - to move data automatically to the most cost-effective access tier.

    For more information, see https://aws.amazon.com/s3/storage-classes.

    Encryption

    Specify whether the archived files stored in the bucket are encrypted.

    Select SSE-S3 to encrypt the archived files by using server-side encryption with Amazon S3-Managed Encryption Keys.

    By default, None is selected, and no encryption is used.

    Log level

    Specify the logging level for AWS SDK logs.

    • No logging - Enterprise Vault does not log any AWS SDK logs.

    • Fatal - Logs only fatal errors.

    • Error - Logs all errors.

    • Warn - Logs warning and errors.

    • Info - Logs informational messages, including warnings and errors.

    • Debug - Logs debug messages, including info, warnings, and errors.

    • Everything - Logs everything.

    Note:

    DTrace logs include the AWS SDK log statements, which are easy to find because they are prefixed with AwsSdk:.

    Write buffer size (MB)

    Specify the write buffer size, in the range of 5 MB to 200 MB, to upload data in chunks.

    Read buffer size (MB)

    Specify the read buffer size, in the range of 1 MB to 1024 MB, to download data in chunks.

  11. Click Next.
  12. On the Replication page, select the appropriate option: either When archived files exist on the cloud storage or When archived files are replicated on the cloud storage.

    See the Administration Console Help pages for more information.

  13. Choose the scan interval for checking whether files exist on the cloud. The supported scan interval is from 0 minutes to 1440 minutes. By default, every 60 minutes, Enterprise Vault checks whether archived data is replicated or exists on the cloud, according to the option selected above. If required, you can change the scan interval. If you set the scan interval to 0 minutes, partitions are checked only when backup mode is cleared from the vault store and when the storage service starts.
  14. Click Next.
  15. The summary page provides the information for the newly created Amazon S3 partition.