4
votes

I was looking for a daily backup option for the data in my S3 bucket. I have versioning enabled on the bucket, and I am planning on turning on replication too to increase durability.

I am trying to address the case when, say, someone accidentally deletes the S3 bucket or someone turns off versioning by mistake, and complete or partial data needs to be restored (versioning being turned off is unlikely as it's a prerequisite for replication).

Looking at the AWS docs here, https://aws.amazon.com/about-aws/whats-new/2019/09/amazon-s3-introduces-same-region-replication/ it is suggested that replication can be used for backup also.

I am aware that deletes on the objects are not propagated to the destination bucket; however, I am not really able to understand the case when the bucket itself gets deleted, and whether that gets replicated.

If replication and versioning don't suffice for my backup, I am looking at more traditional options like setting up a daily job to save to an EC2 instance's local file system periodically.

Also, adding MFA to the bucket is ruled out for now, as I am setting up the system using CloudFormation and don't think it's supported.

2 Answers

2
votes

You really don't need to copy the S3 files to an EC2 instance or anything like that. Amazon S3 Standard has been designed for durability of 99.999999999% of objects across multiple Availability Zones. Do you know what that means? Amazon itself replicates the S3 objects to other AZs in your region to guarantee this durability.

What AWS says about S3:

Key Features:

  • Low latency and high throughput performance
  • Designed for durability of 99.999999999% of objects across multiple Availability Zones
  • Resilient against events that impact an entire Availability Zone
  • Designed for 99.99% availability over a given year
  • Backed with the Amazon S3 Service Level Agreement for availability
  • Supports SSL for data in transit and encryption of data at rest
  • S3 Lifecycle management for automatic migration of objects to other S3 Storage Classes

Besides, you already have versioning enabled (another layer of backup). If you want to spend more money and replicate the bucket, that's up to you; if you can afford it, you will have another layer of backup. But believe me, you don't need this; S3 Standard storage alone will be quite enough.

If you want to prevent objects from being deleted accidentally and you can't enable MFA, you can create a bucket policy to deny any type of delete action:

{
    "Id": "Policy1588185431596",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1588185426140",
            "Action": [
                "s3:DeleteBucket",
                "s3:DeleteBucketWebsite",
                "s3:DeleteObject",
                "s3:DeleteObjectTagging",
                "s3:DeleteObjectVersion",
                "s3:DeleteObjectVersionTagging"
            ],
            "Effect": "Deny",
            "Resource": [
                "arn:aws:s3:::yourbucketname/*",
                "arn:aws:s3:::yourbucketname"
            ],
            "Principal": "*"
        }
    ]
}

If you want to restrict the Delete operations for all users except the root user, you can do this:

{
  "Id": "Policy1588186664547",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1588186644754",
      "Action": [
        "s3:DeleteBucket",
        "s3:DeleteBucketPolicy",
        "s3:DeleteBucketWebsite",
        "s3:DeleteObject",
        "s3:DeleteObjectTagging",
        "s3:DeleteObjectVersion",
        "s3:DeleteObjectVersionTagging"
      ],
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::yourbucketname/*",
        "arn:aws:s3:::yourbucketname"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:userid": "AWSAccountNumber"
        }
      },
      "Principal": "*"
    }
  ]
}

Also, you can check your policy with the policy simulator to make sure the policy is what you are expecting.

You can add this policy to your CloudFormation template.
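
An added example, not part of the answer above: a small Python check that reports which data-destroying or safeguard-removing S3 actions are covered by an explicit Deny-for-everyone statement in a bucket policy, run here on the first policy from that answer. The `PROTECTED` action list, the function names and the `example-key` object name are assumptions made for this example; `NotAction`, `NotResource` and `NotPrincipal` are not handled.

```python
from fnmatch import fnmatchcase

# Actions that destroy data or remove a safeguard, with the resource type each targets (example list, not exhaustive).
PROTECTED = {
    "s3:DeleteBucket": "bucket",
    "s3:DeleteBucketPolicy": "bucket",
    "s3:PutBucketPolicy": "bucket",            # could replace the Deny policy itself
    "s3:PutBucketVersioning": "bucket",        # could suspend versioning
    "s3:PutLifecycleConfiguration": "bucket",  # expiration rules delete objects
    "s3:DeleteObject": "object",
    "s3:DeleteObjectVersion": "object",
}

# Constructed input: the first policy from the answer above, reduced to the fields the audit reads.
FIRST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*",
    "Action": ["s3:DeleteBucket", "s3:DeleteBucketWebsite", "s3:DeleteObject",
               "s3:DeleteObjectTagging", "s3:DeleteObjectVersion",
               "s3:DeleteObjectVersionTagging"],
    "Resource": ["arn:aws:s3:::yourbucketname/*", "arn:aws:s3:::yourbucketname"],
}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covers(stmt, action, arn):
    """True if a Deny-for-everyone statement names this action (case-insensitive) on this ARN."""
    if stmt.get("Effect") != "Deny" or stmt.get("Principal") not in ("*", {"AWS": "*"}):
        return False
    acts = [a.lower() for a in _as_list(stmt.get("Action", []))]
    return (any(fnmatchcase(action.lower(), a) for a in acts)
            and any(fnmatchcase(arn, r) for r in _as_list(stmt.get("Resource", []))))

def audit_deny_coverage(policy, bucket):
    """Map each protected action to 'denied', 'conditional' or 'not denied'."""
    arns = {"bucket": f"arn:aws:s3:::{bucket}", "object": f"arn:aws:s3:::{bucket}/example-key"}
    report = {}
    for action, kind in PROTECTED.items():
        hits = [s for s in _as_list(policy.get("Statement", []))
                if _covers(s, action, arns[kind])]
        if any("Condition" not in s for s in hits):
            report[action] = "denied"
        else:
            report[action] = "conditional" if hits else "not denied"
    return report

if __name__ == "__main__":
    for action, status in audit_deny_coverage(FIRST_POLICY, "yourbucketname").items():
        print(f"{status:12} {action}")
```

A "conditional" result means the only matching Deny statements carry a `Condition` block, so whether they apply depends on the caller.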

1
votes

Amazon says:

You can use AWS Multi-Factor Authentication (MFA) with versioning. When you use MFA with versioning, you must provide your AWS account’s access keys and a valid code from the account’s MFA device in order to permanently delete an object version or suspend or reactivate versioning. To use MFA with versioning, you enable MFA Delete. However, you cannot enable MFA Delete using the AWS Management Console. You must use the AWS CLI or API.

Try running a script after your CloudFormation template has finished, to activate MFA on your S3 bucket; that way nobody can disable your versioning without the root account and the MFA code.