Help CenterClumio Terraform ProviderClumio Python SDKClumio GO SDK
User Guide
BlogChangelogLogin

S3 protection groups

Suggest Edits

Protection groups combine S3 buckets, prefixes, and storage classes into a single logical group, simplifying data protection across multiple buckets. Protection groups allow you to manage protection of your buckets and prefixes across all your AWS accounts and ensure that critical data is protected per your business requirements. You can protect the entire bucket or use the following criteria to protect specific objects:

  • Version: You can choose to protect all versions or just the latest versions of the objects.
  • Storage Class: You can select the objects to back up depending on their Storage Class. For example; you can choose to backup objects in Standard and Infrequent Access only, while not protecting objects in Glacier.
  • Prefix: You can configure a protection group to include or exclude specific prefixes depending on what you want to protect. For example; DB logs may be grouped into a specific prefix that needs to be protected. You can configure /dblogs/ to protect all objects inside that prefix to be protected. Similarly, you can exclude a specific prefix to not be protected.

You can edit a protection group at any time if you need to add or remove objects, or change a backup policy. The changes will only apply to subsequent backups of those protection groups.

Protection groups and organizational units

Protection groups are created within the organizational unit (OU) that you the user are logged into when you create the protection group. When you log into Clumio for the first time, the global OU is the default organizational unit that includes all assets and provides all users full visibility of all assets and policies. All organizational units that you subsequently create are children of the global OU. You can also create additional OUs under existing OUs. Any OUs at the same level are sibling OUs. For more about OUs see Organizational units.

Protection groups can contain assets from different AWS accounts and are not tied to an account. If a protection group is created at the Global OU level, it protects assets across all child OUs.

For example, if you are in the global OU and you create a protection group that contains three AWS accounts and then you create a child OU called OU1 and move one of those AWS accounts to OU1, there is no impact and protection group backups will continue. The OU1 Admin will be able to view all the protection group S3 assets. The OU1 Admin can recover data for only individual buckets that belong to the AWS account that was moved into OU1, by going into the buckets asset details page and recovering from each bucket one at a time.

Similarly, if you create another child OU under the global OU called OU2 and move the account from OU1 to OU2, there is no impact to the protection group. The OU2 Admin will now be able to recover data for individual buckets that belong to the AWS account that was moved into OU2 as described above.

The child OU administrator is able to create new protection groups for assets in the AWS account assigned to that OU.

Only Super Admins can make changes to a protection group at the global level, OU Admins can only view assets in a global protection group, but cannot make any changes to the global protection group settings.

If a protection group is created in a child OU, then protection is restricted to the child OU and any OUs created under that OU. Only OU Admins of the child OU and Super Admins (when they switch to the child OU context) can make changes to a protection group in the child OU.

If a child OU is deleted, then any protection groups within that child OU are automatically moved to the global OU.

Updated 3 months ago