Protection groups

Protection groups combine S3 buckets, prefixes, and storage classes into a single logical group, simplifying data protection across multiple buckets. Protection groups allow you to manage protection of your buckets and prefixes across all your AWS accounts and ensure that critical data is protected per your business requirements. You can protect the entire bucket or use the following criteria to protect specific objects:

  • Version: You can choose to protect all versions or just the latest versions of the objects.
  • Storage Class: You can select the objects to back up depending on their Storage Class. For example, you can choose to back up objects in Standard and Infrequent Access only, while not protecting objects in Glacier.
  • Prefix: You can configure a protection group to include or exclude specific prefixes depending on what you want to protect. For example, DB logs may be grouped into a specific prefix that needs to be protected. You can configure /dblogs/ to protect all objects inside that prefix. Similarly, you can exclude a specific prefix so that it is not protected.

You can edit a protection group at any time if you need to add or remove objects, or change a backup policy. The changes will only apply to subsequent backups of those protection groups.

Protection groups and organizational units

Protection groups are created within the organizational unit (OU) that you are logged into when you create the protection group. When you log into Clumio for the first time, the global OU is the default organizational unit that includes all assets and provides all users full visibility of all assets and policies. All organizational units that you subsequently create are children of the global OU. You can also create additional OUs under existing OUs. Any OUs at the same level are sibling OUs. For more about OUs, see Organizational Units.

Protection groups can contain assets from different AWS accounts and are not tied to an account. If a protection group is created at the Global OU level, it protects assets across all child OUs.

For example, if you are in the global OU and you create a protection group that contains three AWS accounts, and then you create a child OU called OU1 and move one of those AWS accounts to OU1, there is no impact and protection group backups will continue. The OU1 Admin will be able to view all the protection group S3 assets. The OU1 Admin can recover data only for individual buckets that belong to the AWS account that was moved into OU1, by going into the bucket's asset details page and recovering from each bucket one at a time.

Similarly, if you create another child OU under the global OU called OU2 and move the account from OU1 to OU2, there is no impact to the protection group. The OU2 Admin will now be able to recover data for individual buckets that belong to the AWS account that was moved into OU2 as described above.

The child OU administrator is able to create new protection groups for assets in the AWS account assigned to that OU.

Only Super Admins can make changes to a protection group at the global level. OU Admins can view assets in a global protection group, but cannot make any changes to the global protection group settings.

If a protection group is created in a child OU, then protection is restricted to the child OU and any OUs created under that OU. Only OU Admins of the child OU and Super Admins (when they switch to the child OU context) can make changes to a protection group in the child OU.

If a child OU is deleted, then any protection groups within that child OU are automatically moved to the global OU.

Managing protection groups

Creating protection groups

  1. The UI provides several paths to create Protection Groups:
    • On the left navigation panel go to Protect > S3 protection groups and click Create Protection Group.
    • On the navigation panel go to AWS > Inventory > S3 buckets, select the buckets and click Protect buckets then follow the steps in the wizard.
  2. Type a name for the protection group. If you have already selected buckets to add to or create a protection group, proceed to step 4, otherwise type the AWS keys and values that correspond to the buckets you want to protect. All buckets that have the specified tags will be automatically added to the protection group. Click Next.
  3. You can also manually select buckets to add to the protection group. Filter the list by bucket name or AWS environment. Click Next.
  4. The Advanced options dialog lets you further refine your protection group options.
    1. Storage Class: Select the storage class from which to include objects in the protection group. The storage class you select will affect your cost. Refer to AWS documentation for more information about storage classes.
    2. Include Version(s): Select an option to protect all versions or the latest version at the time of the backup.
    3. Prefix: Type the prefix or prefixes you want to add to the protection group. If you want to include all objects under that prefix, you must include a trailing slash, for example, to protect all objects under the prefix ‘dblogs’, type dblogs/. You can exclude a specific prefix under the prefix you typed.
  5. Select a policy to apply to your protection group. Click Next.
  6. Review the selection summary and click Create.
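
The selection criteria described at the top of this page and set in the Advanced options dialog can be checked against a bucket listing before relying on the group. The following is an added example, not Clumio code: it models the storage class, version, and prefix criteria over a constructed inventory to show which objects a given configuration leaves unprotected. The class and function names are hypothetical, and it assumes prefixes are matched as plain string prefixes of the object key, as in S3 listing.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ObjectVersion:          # one row of a constructed bucket inventory
    key: str
    storage_class: str
    is_latest: bool

@dataclass(frozen=True)
class Criteria:               # hypothetical model, not a Clumio API object
    storage_classes: frozenset
    latest_only: bool
    include_prefixes: tuple = ()   # empty tuple = entire bucket
    exclude_prefixes: tuple = ()

def verdict(obj, c):
    """Return 'protected' or the first criterion that leaves obj out."""
    if obj.storage_class not in c.storage_classes:
        return "skipped: storage class"
    if c.latest_only and not obj.is_latest:
        return "skipped: not latest version"
    # Assumption: a prefix is a plain string prefix of the key (S3 listing semantics).
    if c.include_prefixes and not obj.key.startswith(c.include_prefixes):
        return "skipped: outside included prefixes"
    if c.exclude_prefixes and obj.key.startswith(c.exclude_prefixes):
        return "skipped: excluded prefix"
    return "protected"

INVENTORY = [  # constructed sample data
    ObjectVersion("dblogs/2024/01/db.log", "STANDARD", True),
    ObjectVersion("dblogs/2024/01/db.log", "STANDARD", False),  # older version
    ObjectVersion("dblogs/tmp/scratch.log", "STANDARD_IA", True),
    ObjectVersion("dblogs-archive/2019/db.log", "STANDARD", True),
    ObjectVersion("dblogs/2020/old.log", "GLACIER", True),
    ObjectVersion("app/config.json", "STANDARD", True),
]

def protected(c, inventory=INVENTORY):
    return [(o.key, o.is_latest) for o in inventory if verdict(o, c) == "protected"]

CLASSES = frozenset({"STANDARD", "STANDARD_IA"})
WITH_SLASH = Criteria(CLASSES, True, ("dblogs/",), ("dblogs/tmp/",))
NO_SLASH = Criteria(CLASSES, True, ("dblogs",), ("dblogs/tmp/",))

if __name__ == "__main__":
    for name, c in (("dblogs/", WITH_SLASH), ("dblogs", NO_SLASH)):
        print(f"include prefix {name!r}")
        for o in INVENTORY:
            print(f"  {o.key:28} {o.storage_class:12} latest={o.is_latest!s:5} {verdict(o, c)}")
```

Under the stated assumption, the prefix typed without a trailing slash also selects the sibling prefix dblogs-archive/, while the Glacier object and the older version stay unprotected in both configurations.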

Editing protection groups

  1. Navigate to Protect > S3 protection groups and select the buckets in the AWS account for which you want to edit protection.
  2. On the protection group list page, click the Edit icon in the Action column for the protection group you want to edit.
  3. In the Edit protection group dialog, click the edit icon next to the field that you want to edit, then make and save your changes.