Oct 07, 2021

S3 Data Protection using Protection Groups

Authors
Chandan Agarwal
S3 Data Protection using Protection Groups

As highlighted in one of the recent posts for Clumio Protect for Amazon S3, customers face several challenges in order to successfully differentiate between critical and non-critical data and be able to only protect critical data. This data classification challenge is solved by Clumio using an innovative concept called Protection Groups. I’ll dive deeper into how Protection Groups can be used to not just help classify critical data, but also protect it while producing tremendous cost savings.

Protection Groups provides an abstraction layer to manage buckets and prefixes across all your AWS accounts. It provides a mechanism to classify data across buckets in all of your different AWS accounts to ensure that critical data is protected as per the business requirements.

Configuring Protection Groups is a Simple 3-Step Process

Step 1: After giving it an intuitive name, you can decide what buckets to add inside the Protection Groups. These buckets could belong to either a specific AWS account or could be across all your AWS accounts. In the near future, you will also be able to add buckets via Tags so that they can get added into the Protection Groups automatically!

Step 2: Decide whether the entire bucket or a subset of the bucket gets added into the Protection Group. You can use 3 different criteria to select which data gets protected. They are:

  • Prefix: You can configure to include specific prefixes or exclude them depending on what you want to protect. For example; several customers dump their DB logs into a specific prefix and want that data to be protected. They can configure /dblogs/ to protect all objects sitting inside that prefix to be protected. If needed, they can even exclude a prefix to not get protected.
  • Storage Class: You can configure what objects to backup depending on their Storage Class. For example; you can configure to backup objects sitting in Standard and Infrequent Access only while not protecting objects in Glacier. This will reduce the time and cost significantly as objects stored in colder storage require time to unthaw and are expensive to pull out.
  • Version: You can configure whether to protect all versions or just the latest versions of the objects.

Step 3: Applying a policy to the Protection Group so that data can be protected as per the business requirements.


And voila!! That’s it!! Your Amazon S3 data is protected in an air gap environment giving you protection against events like Ransomware or bad actors deleting/modifying your AWS environment.

Several customers have requirements to represent the state of their bucket at a specific point in time. They assumed that S3 Object Versioning is able to achieve the same thing, but it’s really not. We’ve created a simple table below to highlight the differences between the two:

Scope AWS S3 Versioning Clumio Protection Group
Protection Granularity Buckets Only One-to-Many Accounts
One-to-Many Buckets
One-to-Many Prefixes
Recovery Points Changes to Objects Point In Time
Daily, Monthly, Annual
Recovery Granularity Objects Only One-to-Many Buckets
One-to-Many Prefixes
One-to-Many Objects
Recovery Location Local Account Only Any Bucket in Any AWS Account
Restore To Any Prefix Existing or New

As you can see, Clumio clearly makes it easy for customers to not only backup specific objects that are critical to their business but also makes it easy to restore them at a specific point in time and it can be recovered in any bucket of their AWS accounts.

However, any backup is only as good as its recovery and customers require flexibility to recover a specific object, or an entire prefix, or entire bucket, and even multiple buckets at the same time. With Protection Groups, you can easily do all of these with our unique capability to perform Global Search across all of your critical data sitting in different AWS accounts. Keep an eye out for a future blog where I dive into Amazon S3 data recovery coupled with Global Search and show how Clumio makes it easy to recover any data of choice.

Early Access for Clumio Protect for S3

We are excited to open the Early Access Program for Clumio Protect for Amazon S3. Clumio Protect for Amazon S3 is expected to be available for early access by late October and generally available by December 2021. Qualified early access companies may be eligible to receive an iPad 10.2 upon completion of the early access program (subject to Terms and Conditions). Clumio is currently accepting early access applications at www.clumio.com/S3. Clumio Protect is already available for protection of Amazon EBS, EC2, RDS, Microsoft 365, and VMware Cloud on AWS with a 30-day free trial on AWS Marketplace.