To use BackupEDGE with the Amazon Web Services S3 Cloud, a working knowledge of Amazon and Amazon S3 is expected. There are initial setup steps required on both the Amazon web site and via the EDGEMENU BackupEDGE user interface.
The following information is required to create an s3cloud Resource...
• S3 Bucket name.
• S3 Access Key ID.
• S3 Secret Access Key.
• S3 Cloud Endpoint.
For EDGEMENU, please see “Create a BackupEDGE S3CLOUD Resource” on page 115.
On initial setup, the user logs into the Amazon S3 Console and:
• creates a storage container, called a Bucket, through the S3 control panel menu. The Bucket must be created in one of eight supported Amazon Regions [1] throughout the world.
• creates a User through the AWS Identity and Access Management (IAM) control panel menu. This creates two credentials called an Access Key ID and a Secret Access Key which MUST be copied down and saved.
• creates a custom S3 Policy to restrict access to the Bucket.
Amazon S3 Regions and Endpoints
Amazon has storage clouds on multiple continents; you can store data locally at your choice of multiple locations in the United States, the European Union, the Asia Pacific Region, and South America.
Amazon tracks and bills the user for this service, not Microlite Corporation. Rates vary by
Region. Pricing can be found at: https://aws.amazon.com/s3/pricing.
Here is a list of the available Regions where Buckets may be created. The Endpoint is essentially the access address of the servers in the Region.
Amazon S3 Region                              Amazon S3 Endpoint
US Standard (This is the default Region)      s3.amazonaws.com
US Standard (Only Northern Virginia) [a]      s3-external-1.amazonaws.com
US West (Oregon)                              s3-us-west-2.amazonaws.com
US West (Northern California)                 s3-us-west-1.amazonaws.com
European Union West (Ireland)                 s3-eu-west-1.amazonaws.com
Asia Pacific SE (Singapore)                   s3-ap-southeast-1.amazonaws.com
Asia Pacific SE (Sydney)                      s3-ap-southeast-2.amazonaws.com
Asia Pacific NE (Tokyo)                       s3-ap-northeast-1.amazonaws.com
South America (Sao Paulo)                     s3-sa-east-1.amazonaws.com
[1] The Amazon S3 Frankfurt (Germany) Region is not currently supported. Use the Ireland Region to store data on Amazon S3 in the European Union.
[a] This is the same billing Region as US Standard, but with this Endpoint selected access is forced through Amazon servers in Northern Virginia.
Amazon S3 Initial Setup
To have BackupEDGE back up to Amazon S3, you must [1]:
[1] Amazon may change the functionality of their web-based management system without notice. The exact steps described here may also change in this instance.
1 Create an account on http://www.amazon.com.
2 Make sure you add Amazon Web Services to the Amazon Account.
3 Sign in to the Amazon AWS Management Console by browsing to:
https://aws.amazon.com/console
4 At the Management Console, choose S3 (Scalable Storage in the Cloud) to create a bucket.
5 At the S3 Console, choose Create Bucket.
6 Provide a Bucket Name and select the appropriate Region. Write down the Bucket Name. You may want to use a Bucket Name format similar to the one below, i.e. backupedge dash company/schedule dash region.
NOTE: Bucket Names are unique for all of Amazon S3. You may not use a Bucket Name that is currently in use by anyone else. For consistency, Microlite recommends basing the Bucket Name on the server you’ll be backing up and the Region you’ll be using.
The example above is backupedge-acme-uss. Write down the bucket name, select one of the regions shown in the drop down list (based on your physical location), and click on Create.
7 Click the Menu Icon in the upper left corner of the screen (see icon symbol at right). At the Management Console, choose Identity and Access Management (Access Control and Key Management) to create a User and establish a security Policy.
8 You’ll get the Identity and Access Management screen.
NOTE: BackupEDGE does not currently support the Frankfurt (Germany) Region. Do not
9 Create a User by clicking on Users on the left, then the Create New Users button.
10 Type the name of a user, make sure “Generate an access key for each user” is checked, and click Create. When the user has been created (acme in the examples shown here), you may click Show User Security Credentials and/or Download Credentials.
The resulting Access Key ID and Secret Key ID are shown and/or saved as a CSV file. You MUST secure these keys. The Secret Key ID will never be displayed again. If you need it again and don’t have a copy, you must create a new key and replace it in all currently configured servers.
11 Apply the Default Security Policy by clicking on Users to the left, and then single clicking on one of the Users in the list. Note that this means click on the user name, not the check box.
12 Under Permissions, then Managed Policies, click Attach Policy.
13 Scroll down and check AmazonS3FullAccess (careful, there are some similarly named, but incorrect, policies), then click Attach Policy at the bottom of the screen.
With the Default Security Policy in place, all programs and applications given the Access Keys may access all Buckets in the Account.
This is all the setup necessary to use Amazon S3 with BackupEDGE.
USING ADDITIONAL SECURITY POLICIES.
Instead of using the Default Security Policy, you may wish to restrict individual Users to individual Buckets under the Account.
• Select a User as in Step 11 above.
• Delete (Detach) the AmazonS3FullAccess Managed Policy.
• Open Inline Policy, then click on “click here”, then Custom Policy and press Select.
• Users, then Permissions, then Here you may attach any valid Amazon S3 security policy that gives access to the proper Buckets. Three working policies are provided.
• Create a Custom Policy using one of the templates below, or use the Amazon documentation to be more specific.
The first policy below restricts any user's access to a single Bucket. Typically this is used when more than one server is using the same Amazon Account, and individual Bucket security is required.
The second is for access to a second Bucket with the same credentials. One possible use would be to create a second Bucket, possibly even in another Region, accessible via a second Resource using the same credentials but a different Bucket Name.
The third adds IP Range security to the first policy. Access will only be allowed to a bucket from a single IP address or IP address range. This provides the additional security of requiring the proper credentials AND coming from a specific location in order to have access to the Amazon
Buckets.
NOTE: The Version line and date referenced in the Policies defined below identify a specific
SECURITY POLICY WITH SINGLE ACCESSIBLE BUCKET
Please note that you must replace your_bucket_name below with the actual bucket name you
created at the beginning of this section (our example was backupedge-acme-uss). This is done
in two places.
BackupEDGE_Default_Access_Policy
{
  "Version": "2012-10-17",
  "Id": "BackupEDGE-Default-Access-Policy",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "s3:ListAllMyBuckets", "s3:DeleteBucket" ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [ "s3:ListBucket" ],
      "Resource": [ "arn:aws:s3:::your_bucket_name" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ],
      "Resource": [ "arn:aws:s3:::your_bucket_name/*" ]
    }
  ]
}
SECURITY POLICY WITH TWO ACCESSIBLE BUCKETS
Please note that you must replace your_bucket_name and your_other_bucket_name below with the actual Bucket Names you created at the beginning of this section (our example was backupedge-acme-uss). This is done in two places for each Bucket.
BackupEDGE_Default_Access_Policy_Two_Bucket
{
  "Version": "2012-10-17",
  "Id": "BackupEDGE-Default-Access-Policy-Two-Bucket",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "s3:ListAllMyBuckets", "s3:DeleteBucket" ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [ "s3:ListBucket" ],
      "Resource": [
        "arn:aws:s3:::your_bucket_name",
        "arn:aws:s3:::your_other_bucket_name"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ],
      "Resource": [
        "arn:aws:s3:::your_bucket_name/*",
        "arn:aws:s3:::your_other_bucket_name/*"
      ]
    }
  ]
}
SECURITY POLICY WITH IP ADDRESS / RANGE LIMITATION
This Policy allows access to one Bucket only from a specific IP address or sub-net range.
BackupEDGE_Default_Access_Policy_IP_Range
{
  "Version": "2012-10-17",
  "Id": "BackupEDGE-Default-Access-Policy-IP-Range",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "s3:ListAllMyBuckets", "s3:DeleteBucket" ],
      "Condition": { "IpAddress": { "aws:SourceIp": "XXX.XXX.XXX.0/24" } },
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [ "s3:ListBucket" ],
      "Condition": { "IpAddress": { "aws:SourceIp": "XXX.XXX.XXX.0/24" } },
      "Resource": [ "arn:aws:s3:::your_bucket_name" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ],
      "Condition": { "IpAddress": { "aws:SourceIp": "XXX.XXX.XXX.0/24" } },
      "Resource": [ "arn:aws:s3:::your_bucket_name/*" ]
    }
  ]
}
Replace your_bucket_name in the example above with the actual bucket name you created, and replace XXX.XXX.XXX.0/24 with either a full subnet like 192.174.123.0/24 or a single address like 192.174.123.123 as appropriate. This occurs in three places in the Policy.
Either give Policies your own name in the Policy Name field, or cut and paste one from the manual above. Cut and paste one of the three security policies, then change Bucket Names and IP addresses as appropriate.
An unlimited number of Policies may be created within Amazon S3, but one of the three above is sufficient for many users.
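One way to check an edited copy of these templates before pasting it into IAM, added here as an example (it is not part of the BackupEDGE manual or software); the function names and the constructed sample policy are assumptions of this example. It reports placeholders left in place, a Bucket named in only one of its two places, an aws:SourceIp value that does not parse as an address or subnet, and the s3:DeleteBucket grant on arn:aws:s3:::* that the templates carry.

```python
import ipaddress
import json

ARN = "arn:aws:s3:::"
PLACEHOLDERS = ("your_bucket_name", "your_other_bucket_name", "XXX.XXX.XXX")

def as_list(value):
    # IAM accepts a bare string or a list for Action, Resource and condition values.
    return [value] if isinstance(value, (str, dict)) else list(value)

def lint_policy(text):
    """Return sorted findings for one policy document given as JSON text."""
    findings = {f"placeholder not replaced: {p}" for p in PLACEHOLDERS if p in text}
    listed, object_level = set(), set()
    for stmt in as_list(json.loads(text)["Statement"]):
        source_ips = stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", [])
        for cidr in as_list(source_ips):
            try:
                ipaddress.ip_network(cidr)  # strict parse: rejects host bits such as .123/24
            except ValueError:
                findings.add(f"invalid aws:SourceIp: {cidr}")
        for res in as_list(stmt["Resource"]):
            name = res[len(ARN):] if res.startswith(ARN) else None
            if name is None:
                findings.add(f"not an S3 ARN: {res}")
            elif name == "*":
                for act in as_list(stmt["Action"]):
                    if act.startswith("s3:Delete") or act == "s3:*":
                        findings.add(f"{act} allowed on every bucket in the account")
            elif name.endswith("/*"):
                object_level.add(name[:-2])   # object-level ARN (bucket/*)
            else:
                listed.add(name)              # bucket-level ARN
    for bucket in listed ^ object_level:
        findings.add(f"bucket named in only one of its two places: {bucket}")
    return sorted(findings)

def sample_policy(list_bucket, object_bucket, source_ip):
    # Constructed input: the manual's IP-range template with caller-supplied values.
    cond = {"IpAddress": {"aws:SourceIp": source_ip}}
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:DeleteBucket"],
         "Condition": cond, "Resource": ARN + "*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Condition": cond, "Resource": [ARN + list_bucket]},
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
         "Condition": cond, "Resource": [ARN + object_bucket + "/*"]}]})

if __name__ == "__main__":
    bad = sample_policy("backupedge-acme-uss", "your_bucket_name", "192.174.123.123/24")
    print("\n".join(lint_policy(bad)))
```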
11.14 - Using dinCloud D3 Storage Services
To use BackupEDGE with the dinCloud D3 Cloud Storage (www.dincloud.com), a working knowledge of dinCloud and dinCloud D3 is expected. There are initial setup steps required on both the dinCloud D3 web site and via the EDGEMENU BackupEDGE user interface.
The following information is required to create an S3CLOUD Resource...
• S3 Bucket name.
• S3 Access Key ID.
• S3 Secret Access Key.
• S3 Cloud Endpoint.
For EDGEMENU, please see “Create a BackupEDGE S3CLOUD Resource” on page 115.
On initial setup, the user logs into the dinCloud Console using multi-factor authentication and:
• Tabs to “My D3 Storage”.
• Clicks “New D3 Storage Account”, enters a Label for the Storage Account, and selects a Datacenter.
• When “Create Account” is clicked, a D3 Storage Account is created, and an email is sent to the designated email account. This email contains the S3 Cloud Endpoint (identified as “URL”), the S3 Access Key ID (identified as “Access Key”) and the S3 Secret Access Key (identified as “Secret Key”). These should be stored and saved.
Next, you will need to create a Bucket. dinCloud does not have a web-based Bucket creation tool. Microlite Corporation has successfully used the S3 Browser and the Cloudberry Explorer for Amazon S3 to manage Buckets on dinCloud. Other products are available.
dinCloud D3 Regions and Endpoints
dinCloud has storage Regions and Endpoints in the Midwest and Southwest areas of the United States.
dinCloud tracks and bills the user for this service, not Microlite Corporation. Pricing can be
found at: https://www.dincloud.com/cloud-storage.
Here is a list of the available Regions where Buckets may be created. The Endpoint is essentially the access address of the servers in the Region.
This information will be sent to you
automatically when you create a new D3 Storage Account.
dinCloud D3 Region dinCloud D3 Endpoint
US - Southwest d3-lax.dincloud.com