Protection groups

Protection groups combine S3 buckets, prefixes, and storage classes into a single logical group, simplifying data protection across multiple buckets. Protection groups allow you to manage protection of your buckets and prefixes across all your AWS accounts and ensure that critical data is protected per your business requirements. You can protect the entire bucket or use the following criteria to protect specific objects:

  • Version: You can choose to protect all versions or just the latest versions of the objects.
  • Storage Class: You can select the objects to back up depending on their Storage Class. For example, you can choose to back up objects in Standard and Infrequent Access only, while not protecting objects in Glacier.
  • Prefix: You can configure a protection group to include or exclude specific prefixes depending on what you want to protect. For example, DB logs may be grouped into a specific prefix that needs to be protected. You can configure /dblogs/ to protect all objects inside that prefix. Similarly, you can exclude a specific prefix so that it is not protected.
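
Because the three criteria narrow what is backed up, it is worth checking which object versions a given combination leaves out. The following is an added example, not Clumio code or a Clumio API: the `Criteria` class, the order of the checks, and the sample inventory are assumptions constructed for illustration, with prefixes matched as plain key prefixes.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ObjectVersion:
    key: str
    storage_class: str   # S3 storage class name, e.g. STANDARD, STANDARD_IA, GLACIER
    is_latest: bool

@dataclass(frozen=True)
class Criteria:
    """Hypothetical model of a protection group's object filters."""
    storage_classes: frozenset
    latest_only: bool
    include_prefixes: tuple = ()   # empty tuple = entire bucket
    exclude_prefixes: tuple = ()

    def gap_reason(self, obj: ObjectVersion) -> Optional[str]:
        """Return None if obj would be backed up, else why it is skipped."""
        if obj.storage_class not in self.storage_classes:
            return "storage class not selected"
        if self.latest_only and not obj.is_latest:
            return "noncurrent version"
        if self.include_prefixes and not obj.key.startswith(self.include_prefixes):
            return "outside included prefixes"
        if self.exclude_prefixes and obj.key.startswith(self.exclude_prefixes):
            return "under excluded prefix"
        return None

def coverage_gaps(criteria, inventory):
    """Map (key, is_latest) -> reason for every object version left unprotected."""
    return {(o.key, o.is_latest): r for o in inventory
            if (r := criteria.gap_reason(o)) is not None}

# Constructed sample inventory (not real data).
INVENTORY = [
    ObjectVersion("dblogs/2024/01.log", "STANDARD", True),
    ObjectVersion("dblogs/2024/01.log", "STANDARD", False),
    ObjectVersion("dblogs/tmp/scratch.log", "STANDARD", True),
    ObjectVersion("dblogs/archive/2019.log", "GLACIER", True),
    ObjectVersion("dblogs-staging/01.log", "STANDARD_IA", True),
]

CRITERIA = Criteria(frozenset({"STANDARD", "STANDARD_IA"}), latest_only=True,
                    include_prefixes=("dblogs/",), exclude_prefixes=("dblogs/tmp/",))

if __name__ == "__main__":
    for (key, latest), reason in coverage_gaps(CRITERIA, INVENTORY).items():
        print(f"UNPROTECTED {key} latest={latest}: {reason}")
```

Only the current version of `dblogs/2024/01.log` is covered here; the sibling prefix `dblogs-staging/` is not matched by `dblogs/`, and the noncurrent version and the Glacier object fall outside the group.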

You can edit a protection group at any time if you need to add or remove objects, or change a backup policy. The changes will only apply to subsequent backups of those protection groups.

Protection groups and organizational units

Protection groups are created within the organizational unit (OU) that you are logged into when you create the protection group. When you log into Clumio for the first time, the global OU is the default organizational unit that includes all assets and provides all users full visibility of all assets and policies. All organizational units that you subsequently create are children of the global OU. You can also create additional OUs under existing OUs. Any OUs at the same level are sibling OUs. For more about OUs, see Organizational Units.

Protection groups can contain assets from different AWS accounts and are not tied to an account. If a protection group is created at the global OU level, it protects assets across all child OUs.

For example, suppose you are in the global OU and you create a protection group that contains three AWS accounts, then create a child OU called OU1 and move one of those AWS accounts to OU1. There is no impact, and protection group backups will continue. The OU1 Admin will be able to view all the protection group S3 assets. The OU1 Admin can recover data for only individual buckets that belong to the AWS account that was moved into OU1, by going into the bucket's asset details page and recovering from each bucket one at a time.

Similarly, if you create another child OU under the global OU called OU2 and move the account from OU1 to OU2, there is no impact to the protection group. The OU2 Admin will now be able to recover data for individual buckets that belong to the AWS account that was moved into OU2 as described above.

The child OU administrator is able to create new protection groups for assets in the AWS account assigned to that OU.

Only Super Admins can make changes to a protection group at the global level. OU Admins can view assets in a global protection group, but cannot make any changes to the global protection group settings.

If a protection group is created in a child OU, then protection is restricted to the child OU and any OUs created under that OU. Only OU Admins of the child OU and Super Admins (when they switch to the child OU context) can make changes to a protection group in the child OU.

If a child OU is deleted, then any protection groups within that child OU are automatically moved to the global OU.

Managing protection groups

Creating protection groups

  1. The UI provides several paths to create protection groups:
    • From AWS > Protect > [AWS Account] > S3, the Protection Group list page displays by default. Click Create Protection Group.
    • From AWS > Protect > [AWS Account] > Tags, select a tag to enable the Protect button. Click Protect and select Create protection group. If you select multiple tags, the option is disabled. You can also select the Create Protection Group option from the Action column for a particular tag.
    • From AWS > Protect > [AWS Account] > S3, click the Buckets tab, select the buckets you want to protect, and click Protect buckets. Click the Create protection group from selected buckets link to launch the Create protection group dialog with those buckets pre-selected.
    • From AWS > Discover > Inventory, click View details on the S3 Inventory Summary panel. Select the buckets you want to protect from the Buckets data table and click Protect buckets. Click the Create protection group from selected buckets link to launch the Create protection group dialog with those buckets pre-selected.
  2. Type a name for the protection group. If you have already selected buckets to add to or create a protection group, proceed to step 4; otherwise, type the AWS keys and values that correspond to the buckets you want to protect. All buckets that have the specified tags will be automatically added to the protection group. Click Next.
  3. You can also manually select buckets to add to the protection group. Filter the list by bucket name or AWS environment. Click Next.
  4. The Advanced options dialog lets you further refine your protection group options.
    1. Storage Class: Select the storage class from which to include objects in the protection group. The storage class you select will affect your cost. Refer to AWS documentation for more information about storage classes.
    2. Include Version(s): Select an option to protect all versions or the latest version at the time of the backup.
    3. Prefix: Type the prefix or prefixes you want to add to the protection group. If you want to include all objects under that prefix, you must include a trailing slash. For example, to protect all objects under the prefix ‘dblogs’, type dblogs/. You can exclude a specific prefix under the prefix you typed.
  5. Select a policy to apply to your protection group. Click Next.
  6. Review the selection summary and click Create.

Editing protection groups

  1. Navigate to AWS > Protect and select the AWS environment that contains the S3 buckets for which you want to edit protection.
  2. Click S3 on the AWS environment dashboard.
  3. On the protection group list page, click the Edit icon in the Action column for the protection group you want to edit. The Edit Protection Group dialog displays.
  4. Click the edit icon next to the field that you want to edit, then make and save your changes.