Configure an Amazon S3 (Amazon Simple Storage Service) target for archive or backup

Export to Amazon S3 is not enabled by default. After you enable Amazon S3, you can configure it for archives and backup. Learn how to enable the service, and understand the configuration parameters that are used in the archive and backup pages.

Before you begin

  • An Amazon account and registration for the S3 service.
  • Amazon S3 credentials:
    • Access Key ID: identifies the user as the party responsible for service requests. It must be included in each request. It is not confidential and does not need to be encrypted (a 20-character alphanumeric sequence).
    • Secret Access Key: a 40-character sequence that is associated with the Access Key ID and is used to calculate the digital signature that is included in each request. The Secret Access Key is a secret, for use only by AWS and the user; it is a long string of characters, not a file. The Secret Access Key is encrypted when it is saved to the database.
  • S3 Bucket Name: Every object that is stored in Amazon S3 is contained in a bucket. Buckets partition the namespace of objects that are stored in Amazon S3. Within a bucket, you can use any names for your objects, but bucket names must be unique across all of Amazon S3.
  • The clock time of the Guardium system must be correct (within 15 minutes). Otherwise, requests are not accepted. If the Guardium system time is not correct, set the correct time by using the following CLI commands:
    show system ntp server
    store system ntp server (an example of an NTP server is ntp.swg.usma.ibm.com)
    store system ntp state on
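
As an added example (not part of this page and not IBM code), the following Python shows what the two credentials are for and why the clock matters. In AWS Signature Version 4 the Secret Access Key is never sent; it is the root of an HMAC-SHA256 chain that also mixes in the request date, and only the resulting signature travels with the Access Key ID. The credential values are the documented AWS placeholders, the bucket and object names are constructed, and the canonical request is deliberately simplified (no query string, no URI encoding, unsigned payload, and without the x-amz-content-sha256 header S3 also requires); the key derivation and signing steps are the real SigV4 ones.

```python
"""Added example: how an Access Key ID and Secret Access Key are used to sign an S3
request (AWS Signature Version 4), and the clock-skew rule the page mentions."""
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample credentials: the documented AWS placeholder values, matching the
# shapes the page describes (20-character ID, 40-character secret).
ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
MAX_CLOCK_SKEW_SECONDS = 15 * 60  # the 15-minute window the page refers to


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret: str, date_stamp: str, region: str, service: str = "s3") -> bytes:
    """SigV4 key derivation: the secret is only ever the root of this HMAC chain,
    so the key that actually signs is bound to a date, a region and a service."""
    k_date = _hmac_sha256(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_put(access_key_id: str, secret: str, region: str, bucket: str,
             object_key: str, amz_date: str) -> dict:
    """Build the x-amz-date and Authorization headers for a PUT of one object.
    amz_date is the request timestamp in the form 20240115T120000Z.
    Assumption: simplified canonical request (see the lead-in)."""
    date_stamp = amz_date[:8]
    host = f"{bucket}.s3.{region}.amazonaws.com"
    signed_headers = "host;x-amz-date"
    canonical_request = "\n".join([
        "PUT", "/" + object_key, "",
        f"host:{host}\nx-amz-date:{amz_date}\n",
        signed_headers, "UNSIGNED-PAYLOAD",
    ])
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signing_key = derive_signing_key(secret, date_stamp, region, "s3")
    signature = hmac.new(signing_key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    # Only the key ID (public) and the signature leave the client; the secret does not.
    return {
        "x-amz-date": amz_date,
        "Authorization": (f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
                          f"SignedHeaders={signed_headers}, Signature={signature}"),
    }


def clock_skew_accepted(request_amz_date: str, server_amz_date: str) -> bool:
    """Server-side acceptance rule: a signed x-amz-date more than 15 minutes away
    from the service's clock (in either direction) is rejected."""
    fmt = "%Y%m%dT%H%M%SZ"
    delta = datetime.strptime(server_amz_date, fmt) - datetime.strptime(request_amz_date, fmt)
    return abs(delta.total_seconds()) <= MAX_CLOCK_SKEW_SECONDS


if __name__ == "__main__":
    now = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    headers = sign_put(ACCESS_KEY_ID, SECRET_ACCESS_KEY, "us-east-1",
                       "guardium-backups", "backup-example.tar.gz", now)
    print(headers["Authorization"])
    print("10 min skew accepted:", clock_skew_accepted("20240115T120000Z", "20240115T121000Z"))
    print("20 min skew accepted:", clock_skew_accepted("20240115T120000Z", "20240115T122000Z"))
```

Two things the block makes concrete: a signature computed one minute later is a different string even for the same object, so an appliance whose clock drifts past the window produces signatures AWS will not accept; and because the signing key is derived from the secret rather than being the secret, a leaked request only exposes the Access Key ID and a date-bound signature.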

Procedure

  1. Enable Amazon S3 archive or backup from the Guardium CLI by entering one or both of these commands:
    store storage-system amazon_s3 archive on
    store storage-system amazon_s3 backup on
  2. In Manage > Data Management > System Backup or Data Archive pages, select Amazon S3.
  3. Enter the Bucket Name.
  4. Select the Authentication Type, and its parameters:
    • Security Credentials
      This is the legacy authentication type. It requires the following parameters:
      • Access Key ID
      • Secret Access Key
    • IAM Role
      This authentication type lets Guardium assume an IAM Instance Profile role by specifying the following parameters:
      • Access Key ID
      • Secret Access Key
      • Role ARN
      Unlike the legacy Security Credentials, IAM Role uses temporary credentials to connect to S3. To configure IAM Role authentication:
      1. Create a user in AWS IAM. Make a note of the Access Key ID and Secret Access Key.
      2. Create the following policy and associate it with the user:
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "iam:ListRoles",
                        "sts:AssumeRole"
                    ],
                    "Resource": "*"
                }
            ]
        }
      3. Create a new role and set a trust relationship for the user. For example:
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": "ec2.amazonaws.com",
                "AWS": "arn:aws:iam::123456789012:user/guarduser"
              },
              "Action": "sts:AssumeRole"
            }
          ]
        }
      4. Create the following policy and associate it with the role:
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "VisualEditor0",
                    "Effect": "Allow",
                    "Action": [
                        "s3:GetObject",
                        "s3:ListAllMyBuckets",
                        "s3:ListBucket",
                        "iam:GetInstanceProfile",
                        "sts:AssumeRole"
                    ],
                    "Resource": "*"
                }
            ]
        }
      5. To authenticate with Guardium, use the Access Key ID and Secret Access Key of the user and the Role ARN of the instance profile role. Find the Role ARN by viewing the role in AWS IAM.
    • IAM Instance Profile
      This authentication type works only when Guardium is deployed as an instance on AWS EC2. To configure IAM Instance Profile authentication, create the following AWS policy and associate it with an IAM role:
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "VisualEditor0",
                  "Effect": "Allow",
                  "Action": [
                      "s3:PutObject",
                      "s3:GetObject",
                      "s3:ListAllMyBuckets",
                      "s3:ListBucket",
                      "iam:GetInstanceProfile",
                      "iam:ListInstanceProfilesForRole",
                      "sts:AssumeRole"
                  ],
                  "Resource": "*"
              }
          ]
      }
      Authentication works after the role is associated with the EC2 instance.
    Important: For the latest information about AWS security credentials and IAM roles for Amazon EC2, read the Amazon AWS documentation.
  5. Enter or select values for these settings, which are used in all types of Amazon S3 backups:
    • Region
    • Port
    • Storage class
    • Backup: Configuration or Data
  6. Optional: Schedule the backup in the lower part of the page. For more details, see Scheduling.
  7. Click Save.
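
As an added example (not part of this page and not IBM code), the following Python checks the policy documents from step 4 before they are attached in AWS IAM: it lists which actions a permission policy lacks, confirms that the role's trust policy actually lets the Guardium IAM user call sts:AssumeRole, and rewrites the wildcard S3 grants so they apply to a single backup bucket. The three policies embedded below are copied from step 4 (the account id and user name are the page's own placeholders); the bucket name is constructed, and the set of actions treated as required for a backup is an assumption of this example taken from the IAM Instance Profile policy, which is the one on the page that lists s3:PutObject. Scoping the resource to the bucket is a least-privilege tightening that the page does not require.

```python
"""Added example: checks on the IAM policy documents used in step 4 (not IBM code)."""
import json

# Sample policies copied from the page; the account id and user name are its placeholders.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com", "AWS": "arn:aws:iam::123456789012:user/guarduser"},
    "Action": "sts:AssumeRole"}]}
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{  # permission policy of the IAM Role procedure
    "Sid": "VisualEditor0", "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListAllMyBuckets", "s3:ListBucket",
               "iam:GetInstanceProfile", "sts:AssumeRole"],
    "Resource": "*"}]}
INSTANCE_PROFILE_POLICY = {"Version": "2012-10-17", "Statement": [{  # IAM Instance Profile policy
    "Sid": "VisualEditor0", "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:ListAllMyBuckets", "s3:ListBucket",
               "iam:GetInstanceProfile", "iam:ListInstanceProfilesForRole", "sts:AssumeRole"],
    "Resource": "*"}]}

# Assumption of this example: the actions an upload-and-restore cycle needs, taken from
# the instance-profile policy above (the one on the page that lists s3:PutObject).
REQUIRED_FOR_BACKUP = {"s3:PutObject", "s3:GetObject", "s3:ListBucket", "s3:ListAllMyBuckets"}
# Resource shape per S3 action; s3:ListAllMyBuckets is account-wide and cannot be narrowed.
BUCKET_LEVEL = {"s3:ListBucket"}
OBJECT_LEVEL = {"s3:GetObject", "s3:PutObject"}


def _as_list(value):
    """IAM accepts either a string or a list in Action, Resource and Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Actions granted by Allow statements (Deny statements are not evaluated here)."""
    actions = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action")))
    return actions


def missing_actions(policy, required=REQUIRED_FOR_BACKUP):
    return set(required) - allowed_actions(policy)


def trusts_principal(trust_policy, principal_arn):
    """True if an Allow statement lets principal_arn call sts:AssumeRole on the role."""
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or principal_arn in _as_list(principal.get("AWS")):
            return True
    return False


def wildcard_s3_statements(policy):
    """Number of Allow statements that grant a bucket- or object-level S3 action on '*'."""
    count = 0
    for stmt in _as_list(policy.get("Statement")):
        actions = set(_as_list(stmt.get("Action")))
        if (stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource"))
                and actions & (BUCKET_LEVEL | OBJECT_LEVEL)):
            count += 1
    return count


def scope_to_bucket(policy, bucket):
    """Copy of policy in which each wildcard Allow statement is split: bucket-level actions
    get the bucket ARN, object-level actions get bucket/*, everything else keeps '*'.
    Sid and Condition fields of split statements are not carried over."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    scoped = {"Version": policy.get("Version", "2012-10-17"), "Statement": []}
    for stmt in _as_list(policy.get("Statement")):
        actions = set(_as_list(stmt.get("Action")))
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            scoped["Statement"].append(dict(stmt))
            continue
        for acts, resource in ((actions & BUCKET_LEVEL, bucket_arn),
                               (actions & OBJECT_LEVEL, bucket_arn + "/*"),
                               (actions - BUCKET_LEVEL - OBJECT_LEVEL, "*")):
            if acts:
                scoped["Statement"].append({"Effect": "Allow", "Action": sorted(acts), "Resource": resource})
    return scoped


if __name__ == "__main__":
    print("IAM Role policy lacks:", sorted(missing_actions(ROLE_POLICY)))
    print("guarduser may assume the role:",
          trusts_principal(TRUST_POLICY, "arn:aws:iam::123456789012:user/guarduser"))
    print(json.dumps(scope_to_bucket(INSTANCE_PROFILE_POLICY, "guardium-backups"), indent=2))
```

Run against the policies exactly as printed in step 4, missing_actions reports that the IAM Role permission policy does not list s3:PutObject while the IAM Instance Profile policy does, so if uploads fail under IAM Role authentication that difference is the first thing to compare against the AWS documentation the Important note points to. The scoped copy keeps every action the original granted; only the Resource of the bucket- and object-level S3 actions is narrowed.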