Amazon S3 Data Protection using Protection Groups

As highlighted in one of the recent posts for Clumio Protect for Amazon S3, customers face several challenges in order to successfully differentiate between critical and non-critical data and be able to only protect critical data. This data classification challenge is solved by Clumio using an innovative concept called Protection Groups. I’ll dive deeper into how Protection Groups can be used to not just help classify critical data, but also protect it while producing tremendous cost savings.

Protection Groups provides an abstraction layer to manage buckets and prefixes across all your AWS accounts. it provides a mechanism to classify data across buckets in all of your AWS accounts to help protect critical data as per the business requirement.

Configuring Protection Groups is a Simple 3-Step Process

Step 1: After giving it an intuitive name, you can decide what buckets to add inside the Protection Groups. These buckets could belong to either a specific AWS account or could be across all your AWS accounts. In the near future, you will also be able to add buckets via Tags so that they can get added into the Protection Groups automatically!

Step 2: Decide whether the entire bucket or a subset of the bucket gets added into the Protection Group. You can use 3 different criteria to select which data gets protected. They are:

• Prefix: You can configure to include specific prefixes or exclude them depending on what you want to protect. For example; several customers dump their DB logs into a specific prefix and want that data to be protected. They can configure /dblogs/ to protect all objects sitting inside that prefix to be protected. If needed, they can even exclude a prefix to not get protected.
• Storage Class: You can configure what objects to backup depending on their Storage Class. For example; you can configure to backup objects sitting in Standard and Infrequent Access only while not protecting objects in Glacier. This will reduce the time and cost significantly as objects stored in colder storage require time to unthaw and are expensive to pull out.
• Version: You can configure whether to protect all versions or just the latest versions of the objects.

Step 3: Applying a policy to the Protection Group so that data can be protected as per the business requirements.

And voila!! That’s it!! Your Amazon S3 data is protected in an air gap environment giving you protection against events like Ransomware or bad actors deleting/modifying your AWS environment.

Several customers have requirements to represent the state of their bucket at a specific point in time. They assumed that S3 Object Versioning is able to achieve the same thing, but it’s really not. We’ve created a simple table below to highlight the differences between the two:

As you can see, clumio help make it easier for customers to … but also helps make it easier to restore them.

However, any backup is only as good as its recovery and customers require flexibility to recover a specific object, or an entire prefix, or entire bucket, and even multiple buckets at the same time. With protection groups, Clumio enables you to do all of these our unique capability to perform Global Search across all of your critical data sitting in different AWS accounts. Keep an eye out for a future blog where I dive into Amazon S3 data recovery coupled with Global Search and show how Clumio can help you recover your data.