Solved

AWS S3 as Cloud Library security requirement

  • 22 February 2022
  • 14 replies
  • 1512 views

Badge +8

To connect to S3 bucket as cloud library from Media Agent (on-premises) we can use below options:

1. AWS Direct Connect

2. VPN Gateway

3. Internet

My query is: if we are using option 3 (internet) to connect to the S3 bucket, how can we protect/secure the S3 bucket from outside attackers or any non-authorized users accessing the S3 bucket over the internet?

Best answer by Jayashree 25 February 2022, 17:04


14 replies

Userlevel 7
Badge +23

@Rahul18081 , appreciate the post!

Are those the exact names of the selections? I’m working with our docs team and developers on getting this updated and answered, so any clarity you can provide will help!

Badge +8

@Mike Struening, thanks Mike for the response.

The 3 options I have checked from Commvault documents.

My client wants to back up their on-premises datacenter directly onto Amazon S3 cloud storage.

We need help to provide networking for how data will travel securely and faster to the S3 bucket.

If we are using the internet, I know we will use HTTPS, which is a secure connection. To access the S3 bucket in AWS, I am not sure, as I have little knowledge of AWS, whether we need to make it public or whether private will work.

If we make it public, will it not make the S3 bucket vulnerable to the outside world, where it can get attacked by hackers etc.?

Need help on how we can secure the S3 bucket from the AWS end without affecting the backup and restore feature at the Commvault end.

Our datacenters are in Poland, Romania, the Czech Republic and Hungary. Where should we create our S3 bucket, in Frankfurt or Ireland? Our AWS is deployed in the UK.

Hope you understood my query; in case of any concern we can connect, please provide your email address.

Userlevel 7
Badge +23

Appreciate the clarity! I’ve been talking to our devs and docs team about clarifying the documentation, though in the meantime, one of our senior devs provided this for me to share with you:

https://aws.amazon.com/premiumsupport/knowledge-center/block-s3-traffic-vpc-ip/

This will help you keep internet access secure!

Badge +8

@Mike Struening, thanks for the update.

From Commvault, what are the options to connect to the S3 bucket from on-premises datacenters securely and with fast backup data transfer?

Userlevel 7
Badge +23

I’m getting someone internally to answer best!

Badge

For security purposes, Commvault uses an SSL connection to connect to the cloud. (Service Host option available during library configuration and seen in the Mount Path properties after configuration.)

If you want additional security, you can enable Software Encryption, either at the client level or storage policy level. https://documentation.commvault.com/11.26/expert/105324_configuring_software_encryption.html

Badge +8

@Mike Struening, hope you are doing well. Any update on my request?

Userlevel 7
Badge +23

@Rahul18081 , @Jayashree was my internal resource who replied above.

Did you have any questions about their response?

Badge +8

@Mike Struening, please check the below and provide your feedback. Does the below make sense, and is there another option that can be used to connect to the S3 bucket from on-premises? Please suggest.

As per the above diagram provided by Commvault, sending backup and archive data to Amazon S3 services can be achieved as below:

  • AWS Direct Connect
  • VPN Gateway
  • Internet

VPN Connection: Network traffic is routed between network segments over the public internet, encapsulated in a secure, encrypted tunnel over the customer’s existing internet connection. As the connection is shared, bandwidth is limited, and regular data transfer fees apply as per the customer’s current contract with their ISP.

AWS Direct Connect: A dedicated network link is provided at the customer’s edge network at an existing on-premises location that provides secure routing into an AWS VPC network.

Typically, these links are less expensive when compared to a customer’s regular internet connection, as pricing is charged on a monthly dual-port fee, with all inbound and outbound data transfers included free of charge, with bandwidth from 10 Mbit/s to 10 Gbit/s.

Internet: SD-WAN can be used to connect to the Amazon S3 bucket using the internet. By default, data is transferred through secured channels using the HTTPS protocol. We can use the link below to create an IAM user in your AWS account. We can use the link below to create S3 buckets. For authentication you can choose Access & Secret Keys and enter the service host specifying the region.

For security purposes, Commvault uses an SSL connection to connect to the cloud. (Service Host option available during library configuration and seen in the Mount Path properties after configuration.)

If we want additional security, we can enable Software Encryption, either at the client level or storage policy level.

Creating an IAM user in your AWS account - AWS Identity and Access Management (amazon.com)

Creating a bucket - Amazon Simple Storage Service

Integrate Commvault to write Backups to AWS S3 | by Girish G | Tensult Blogs | Medium

For this approach we need to make sure how to protect/secure the S3 bucket from outside attackers or any non-authorized users accessing the S3 bucket over the internet. This can be achieved by restricting access to the Amazon S3 bucket using specific VPC endpoints or IP addresses. The link below can be used to achieve this.

https://aws.amazon.com/premiumsupport/knowledge-center/block-s3-traffic-vpc-ip/
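As an added example that is not part of the original thread or of Commvault's documentation, the following Python builds the kind of bucket policy the linked AWS article describes (Deny unless the request comes from the MediaAgent's public IP range or a VPC endpoint) and includes a small check of when its Deny statement fires; the bucket name, CIDR and VPC endpoint id are constructed placeholders.

```python
"""Bucket policy restricting a Commvault cloud-library bucket to the on-prem
MediaAgent's public IP range or a VPC endpoint (constructed example)."""
import ipaddress
import json

# Constructed placeholders: substitute the real bucket, the MediaAgent's
# public egress range and the VPC endpoint id of your AWS deployment.
BUCKET = "example-commvault-library"
ALLOWED_CIDRS = ["203.0.113.0/24"]       # TEST-NET-3 documentation range
ALLOWED_VPCE = "vpce-0123456789abcdef0"  # placeholder endpoint id


def build_bucket_policy(bucket, cidrs, vpce):
    """Deny every S3 action unless the request comes from an allowed source
    IP or through the allowed VPC endpoint. Condition keys within one
    statement are ANDed, so the Deny applies only when the source IP is
    outside the ranges AND the request did not arrive via the endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessMediaAgentOrVpce",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {
                "NotIpAddress": {"aws:SourceIp": cidrs},
                "StringNotEquals": {"aws:sourceVpce": vpce},
            },
        }],
    }


def is_denied(policy, source_ip=None, source_vpce=None):
    """Evaluate the Deny statement for a request context. Follows IAM's rule
    for negated operators: if the key is absent from the request,
    NotIpAddress / StringNotEquals evaluate to true."""
    cond = policy["Statement"][0]["Condition"]
    nets = [ipaddress.ip_network(c) for c in cond["NotIpAddress"]["aws:SourceIp"]]
    ip_outside = source_ip is None or not any(
        ipaddress.ip_address(source_ip) in n for n in nets)
    vpce_mismatch = source_vpce != cond["StringNotEquals"]["aws:sourceVpce"]
    return ip_outside and vpce_mismatch


POLICY = build_bucket_policy(BUCKET, ALLOWED_CIDRS, ALLOWED_VPCE)

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))  # paste into the bucket's policy
```

The policy only denies; the Commvault IAM user's access keys (the Access & Secret Keys option above) are what grant access, so the bucket itself stays private with Block Public Access left enabled.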

Userlevel 7
Badge +23

@Jayashree, can you comment on this? It looks valid to me, though your perspective would be helpful!

Badge

Mike, your summary is accurate. I just want to add the following additional point.
We do have information on how to use specific VPC endpoints or IP addresses from the CommCell Console in: https://documentation.commvault.com/11.26/expert/121563_amazon_s3_access_secret_access_keys.html (See the Additional Information column in the Service Host row.)

Badge +8

@Mike Struening @Jayashree

Thanks for the update on my last query. This is coming from the client, as we need to provide them a solution for their on-premises backup solution.

In terms of the internet, which is the Commvault recommended best practice?

Thanks in advance.

Badge +8

@Mike Struening

Any update on the below?

Thanks for the update on my last query. This is coming from the client, as we need to provide them a solution for their on-premises backup solution.

In terms of the internet, which is the Commvault recommended best practice?

Userlevel 7
Badge +23

@Rahul18081, did you read over this doc that @Jayashree shared?

https://documentation.commvault.com/11.26/expert/121563_amazon_s3_access_secret_access_keys.html (See the Additional Information column in the Service Host row.) 

If there’s any detail it omits, let us know!