Using Amazon Simple Storage Service (S3) as a primary storage for Enterprise Vault
- Overview
- Configuring Amazon Simple Storage Service (S3) primary partition
- Configuring Amazon S3 primary partition
- Known Issues
- Troubleshooting
Adding a new Amazon S3 partition that uses IAM Role authentication
Before configuring an Amazon S3 primary partition that uses AWS IAM Role authentication, complete the following steps:
Ensure that the AWS S3 bucket to be used by the primary partition has been created in AWS, and that you know the name of your bucket.
Ensure that the IAM roles and their managed policies have been defined for your AWS S3 buckets.
To create the AWS IAM Role with the policy using the IAM console, see http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html.
Using the AWS Management Console, create the IAM Role and attach a policy that grants the following permissions:
- In the IAM role pane of the console, click Roles, and then click Create role.
- Select the AWS service type of the trusted entity.
- Click Amazon EC2 Full Access.
Create and attach the AWS IAM Role policy for Amazon S3 with the following access level permission:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:GetBucketObjectLockConfiguration"
      ],
      "Resource": "*"
    }
  ]
}
By default, the partition is created in non-WORM mode and you can use the above policy.
If you choose to create the partition in WORM mode, you need to set additional permissions for the IAM Role authentication method. In this case, create and attach the AWS IAM Role policy for Amazon S3 with the following access level permission:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:PutObjectRetention",
        "s3:GetBucketObjectLockConfiguration",
        "s3:GetObjectVersion",
        "s3:ListBucketVersions",
        "s3:DeleteObjectVersion",
        "s3:GetObjectRetention"
      ],
      "Resource": "*"
    }
  ]
}
- For Role name, type a name for your role.
- Review the role, and then click Create role.
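As an added example that is not part of the Enterprise Vault documentation, the WORM-mode policy above rewritten so that the same actions are granted on one bucket instead of on every S3 resource in the account. EXAMPLE-BUCKET is a placeholder for your bucket name; bucket-level actions are granted on the bucket ARN and object-level actions on the objects inside it. For a non-WORM partition, omit the retention and version actions that the non-WORM policy does not list.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnterpriseVaultBucketLevel",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketVersions",
        "s3:GetBucketLocation",
        "s3:GetBucketObjectLockConfiguration"
      ],
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET"
    },
    {
      "Sid": "EnterpriseVaultObjectLevel",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:GetObjectVersion",
        "s3:DeleteObjectVersion",
        "s3:PutObjectRetention",
        "s3:GetObjectRetention"
      ],
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*"
    }
  ]
}
```

If the partition is created in WORM mode, the test functionality described below also depends on the bucket's Object Lock configuration, so keep s3:GetBucketObjectLockConfiguration in the bucket-level statement.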
To add a new Amazon S3 partition that uses IAM Role authentication
- In the left pane of the Administration Console, expand the Vault Store Groups container to view the existing vault store groups.
- Expand the vault store group that contains the vault store for which you want to create the partition.
- Expand the vault store in which you want to create the partition.
- Right-click the Partitions container, and then click New > Partition. The New Partition wizard starts.
- Click Next.
- Enter the details for the new vault store partition, and then click Next.
- In the Storage type list, select Amazon Simple Storage Service.
- Select Store data in WORM mode using S3 Object Lock if you want to store data in WORM mode. By default, this option is cleared and data is stored in non-WORM mode.
Note:
Ensure that the S3 Object Lock retention mode for the AWS S3 bucket is configured as Compliance mode.
The test functionality for a partition created on AWS S3 in WORM mode fails if the clock on the Enterprise Vault server is behind the actual time (UTC). In that case the test sometimes fails to upload the objects because the AWS S3 service returns a "Retain Until Date must be in the future" error. Synchronize the clock on your Enterprise Vault server with a reliable time source. Alternatively, set the RetentionPeriodForTestInSecs registry value to an appropriate value. Refer to the Enterprise Vault™ Registry Values Guide.
- Select the IAM Role option to authenticate with Amazon S3.
- Provide the Amazon S3 connection settings:
Setting
Description
AWS PrivateLink
Select Yes to use the private interface S3 endpoint, or No to use the public S3 endpoint.
By default, the public S3 endpoint is used to communicate with S3 and store archived files in the specified bucket. If you select Yes, ensure that you have provided the private interface S3 endpoint in the S3 Endpoint setting.
Note:
This setting is available in Enterprise Vault 14.3 and later.
S3 Endpoint
Specify the URL of the AWS S3 endpoint.
By default, the public AWS S3 endpoint URL - https://s3.amazonaws.com - is used. If you have selected Yes for the AWS PrivateLink setting, specify the private interface S3 endpoint.
Note:
This setting is available in Enterprise Vault 14.3 and later.
Bucket name
Specify the name of the Amazon S3 bucket.
Note:
The bucket name cannot be modified once the partition is created.
You must not delete the bucket after creating the partition. If you need to delete the bucket, you must create a new partition.
Bucket Region
Enter the code of the region where the S3 bucket (specified in the Bucket name setting) resides. For more information about the region codes, see https://docs.aws.amazon.com/general/latest/gr/rande.html. Ensure that you specify the correct region code when creating the partition.
Note:
This setting is available in Enterprise Vault 14.3 and later.
Storage class
Specify the storage class used for objects stored in the AWS S3 bucket:
- S3 Standard - to store frequently accessed data.
- S3 Standard-IA - to store infrequently accessed data that requires rapid access when needed. Data is stored in a minimum of three Availability Zones (AZs).
- S3 One Zone-IA - to store infrequently accessed data in a single Availability Zone.
- S3 Intelligent-Tiering - to move data automatically to the most cost-effective access tier.
- S3 Glacier Instant Retrieval - to store long-retention data that is rarely accessed and requires retrieval in milliseconds at the lowest cost.
For more information, see https://aws.amazon.com/s3/storage-classes.
Encryption
Specify whether archived files stored in the bucket are encrypted.
Select SSE-S3 to encrypt the archived files using server-side encryption with Amazon S3-managed encryption keys.
By default, None is selected, and no encryption is used.
Log level
Specify the logging level for AWS SDK logs:
- No logging - Enterprise Vault does not write any AWS SDK logs.
- Fatal - Logs only fatal errors.
- Error - Logs all errors.
- Warn - Logs warnings and errors.
- Info - Logs informational messages, including warnings and errors.
- Debug - Logs debug messages, including info, warnings, and errors.
- Everything - Logs everything.
Note:
DTrace logs include the AWS SDK log statements, which are prefixed with AwsSdk: and are therefore easy to find.
Write buffer size (MB)
Specify the write buffer size, in the range of 5 MB to 200 MB, to upload data in chunks.
Read buffer size (MB)
Specify the read buffer size, in the range of 1 MB to 1024 MB, to download data in chunks.
- Click Next.
- On the Replication page, select either When archived files exist on the cloud storage or When archived files are replicated on the cloud storage.
See the Administration Console Help for more information.
- Choose the scan interval for checking whether files exist on the cloud storage. The supported scan interval is from 0 minutes to 1440 minutes. By default, Enterprise Vault checks every 60 minutes whether archived data exists or is replicated on the cloud storage, depending on the option selected above. If required, you can change the scan interval. If you set the scan interval to 0 minutes, partitions are checked only when backup mode is cleared from the vault store and when the storage service starts.
- Click Next.
- The summary page provides the information for the newly created Amazon S3 partition.