Setting Up Amazon Web Services (AWS) S3 Panzura Filer

This document provides instructions on how to configure an Amazon S3 Object Store for use with Panzura Freedom Filer (filer).

About this Document

See the “Deploying the Panzura Freedom Filer as an Amazon Machine Instance” document for information on deploying the Filer as an Amazon Machine Instance.

Panzura strongly recommends that you complete the S3 Object Store configuration in AWS before deploying your Panzura filer. By doing so, you will be prepared to provide the needed cloud storage provider information when deploying your filer.

AWS S3 Background

Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. This means customers of all sizes and industries can use it to store and protect any amount of data for a range of use cases, such as websites, mobile applications, backup and restore, archive, enterprise applications, IoT devices, and big data analytics. Amazon S3 provides easy-to-use management features so you can organize your data and configure finely tuned access controls to meet your specific business, organizational, and compliance requirements. Amazon S3 is designed for 99.999999999% (11 9's) of durability, and stores data for millions of applications for companies all around the world.

This document will walk you through setting up a storage account and a container for use with Panzura Freedom Filer.

Accessing the AWS Management Console

1. Open a browser and go to: https://aws.amazon.com/

2. Click “Sign In to the Console”.

3. Follow the instructions to log in or create a new account:

4. You will arrive at the AWS Management Console:

Create a Panzura S3 bucket

  1. Type “S3” into the “Find Services” search bar and press enter:
  2. Here, you will see a listing of S3 buckets that have been previously created. Click “+ Create bucket” to add a new bucket:
  3. A “Create bucket” dialogue will pop up:
    1. Name and region tab:
      1. Bucket name: The bucket name must be unique across all existing bucket names in Amazon S3.
      2. Region: Click on the drop down to select a region to deploy the S3 service.
      3. Copy settings from an existing bucket: if you have pre-existing buckets with settings you would like to apply, you can select that bucket now.
      4. Click “Next”
    2. Configure options tab:
      1. Versioning. Choose whether to maintain versions of objects within your bucket. Learn more here: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-versioning.html
      2. Server access logging. Choose whether to log access requests to your bucket. Choosing this option requires a target bucket to store these specific logs. Learn more here: https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html
      3. Tags. You may add tags for the purposes of tracking multiple buckets: https://docs.aws.amazon.com/AmazonS3/latest/dev/CostAllocTagging.html
      4. Object-level logging. Learn about tracking object-level API activity: https://docs.aws.amazon.com/AmazonS3/latest/dev/cloudtrail-logging.html
        This service may incur additional cost. Please refer to CloudTrail pricing here: https://aws.amazon.com/cloudtrail/pricing/
      5. Default encryption. Leave this box unchecked. Panzura Freedom Filer encrypts data before sending it to AWS S3. Checking this box may negatively impact performance without improving the security protection of your data. Learn more here: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingEncryption.html
      6. Advanced Settings – Object lock. Panzura Freedom filers support the use of Object lock. However, this option may increase your usage of S3 compared to normal operation. Learn more here: https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock.html
      7. Management – CloudWatch request metrics. Monitor requests and other metrics for your bucket using CloudWatch. Learn more here: https://docs.aws.amazon.com/AmazonS3/latest/dev/cloudwatch-monitoring.html
        This service may incur additional cost. Please refer to CloudWatch pricing here: https://aws.amazon.com/cloudwatch/pricing/
      8. Click “Next”.
    3. Set Permissions tab.
      1. Block public access (bucket settings). Keep the “Block all public access” option CHECKED. This will ensure that access to your bucket is restricted to your Panzura CloudFS only.
      2. Manage system permissions. If this bucket is a target bucket for Server access logging, you must grant the Amazon S3 Log Delivery group write permission on this bucket. Otherwise, leave this option on its default: “Do not grant Amazon S3 Log Delivery group write access to this bucket”.
      3. Click “Next”.
    4. Review tab.
      1. Review the options selected. Here, you have an opportunity to edit your options before the final step of creating the bucket.
      2. Once you are done with the Review tab, click “Create bucket”.
  4. In the S3 buckets listing, you will find your bucket created.

User Permissions for Panzura S3 storage

Amazon S3 defines a set of permissions that you can specify in a policy. These are keywords, each of which maps to specific Amazon S3 operations. For more information, see Actions in the Amazon Simple Storage Service API Reference.

Amazon Web Services has four categories of permissions pertaining to the S3 service (https://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html):

  • Object Operations
  • Bucket Operations
  • Subresource Operations
  • Account Operations

Panzura only requires some permissions relating to Object and Bucket Operations. Panzura recommends that you restrict the permissions to only what is necessary to configure and manage the bucket:

Panzura required Amazon S3 Permissions for Object Operations

Permissions       Amazon S3 Operations
s3:DeleteObject   DeleteObject
s3:GetObject      GetObject, HeadObject, SelectObjectContent
                  When you grant this permission on a version-enabled bucket, you always get the latest version data.
s3:PutObject      PutObject, POST Object, Initiate Multipart Upload, Upload Part, Complete Multipart Upload, PUT Object - Copy

The following example bucket policy grants the s3:PutObject permission to a user (Dave). If you remove the Principal element, you can attach the policy to a user. These are object operations, and accordingly the relative-id portion of the Resource ARN identifies objects (examplebucket/*). For more information, see Specifying Resources in a Policy.

Panzura required Amazon S3 Permissions Related to Bucket Operations

Permission Keywords   Amazon S3 Operation(s) Covered
s3:ListBucket         GET Bucket (List Objects), HEAD Bucket
s3:ListAllMyBuckets   GET Service

The following example user policy grants the s3:ListAllMyBuckets permission to a user. Note that for all these permissions, you set the relative-id part of the Resource ARN to "*". For all other bucket actions, you must specify a bucket name. For more information, see Specifying Resources in a Policy.

If your user is going to use the console to view buckets and see the contents of any of these buckets, the user must have the s3:ListAllMyBuckets permission. For an example, see "Policy for Console Access" at Writing IAM Policies: How to Grant Access to an S3 Bucket.

Create a Policy for use with Panzura S3 storage

1. Navigate to the IAM service:

2. Click on “Policies” on the left menu column, then click the “Create policy” button:

3. Choose the S3 service:

4. Choose the Actions specified in the “User Permissions for Panzura S3 storage” section:

s3:DeleteObject

s3:GetObject

s3:PutObject

s3:ListBucket

s3:ListAllMyBuckets

5. Under “Resources”, select “Specific” and click “Add ARN” under “bucket” to specify the bucket:

6. Enter your bucket name and click the “Add” button:

7. Click “Add ARN” under “Object” to specify objects:

8. Enter the same bucket name as above, click “Any” for Object name, and click the “Add” button:

9. Based on your company’s security policies, you may want to add additional permissions to this policy. You may do so by clicking “Add additional permissions”. Otherwise, click the “Review policy” button:

10. Enter a “Name” for the policy, as well as a “Description”, and click the “Create policy” button:

11. On the IAM: Policies page, see that your policy has been created:
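
The policy that steps 4 through 8 produce, written out with a small checker, as an added example that is not Panzura's or AWS's own code. The bucket name example-panzura-bucket and the function names are assumptions for illustration. The object actions are scoped to the bucket's objects, s3:ListBucket to the bucket itself, and s3:ListAllMyBuckets to "*"; the checker flags any Allow statement that goes beyond that.

```python
import json

# Actions this page lists as required, grouped by the resource each applies to.
OBJECT_ACTIONS = ["s3:DeleteObject", "s3:GetObject", "s3:PutObject"]
BUCKET_ACTIONS = ["s3:ListBucket"]
ACCOUNT_WIDE_ACTIONS = ["s3:ListAllMyBuckets"]  # only meaningful with Resource "*"


def build_policy(bucket):
    """Return an IAM policy (as a dict) limited to one bucket."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ObjectAccess", "Effect": "Allow",
         "Action": OBJECT_ACTIONS, "Resource": f"{bucket_arn}/*"},
        {"Sid": "ListBucket", "Effect": "Allow",
         "Action": BUCKET_ACTIONS, "Resource": bucket_arn},
        {"Sid": "ListAllBuckets", "Effect": "Allow",
         "Action": ACCOUNT_WIDE_ACTIONS, "Resource": "*"},
    ]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_policy(policy, bucket):
    """Return findings for Allow statements broader than build_policy() grants."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    allowed = {a: f"{bucket_arn}/*" for a in OBJECT_ACTIONS}
    allowed.update({a: bucket_arn for a in BUCKET_ACTIONS})
    allowed.update({a: "*" for a in ACCOUNT_WIDE_ACTIONS})
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action", [])):
            if action not in allowed:  # wildcards such as s3:* land here
                findings.append(f"{sid}: {action} is not in the required set")
                continue
            for resource in _as_list(stmt.get("Resource", [])):
                if resource != allowed[action]:
                    findings.append(
                        f"{sid}: {action} on {resource}, expected {allowed[action]}")
    return findings


if __name__ == "__main__":
    print(json.dumps(build_policy("example-panzura-bucket"), indent=2))
```

The printed JSON can be pasted into the JSON tab of the policy editor; the action match is case-sensitive, so a differently cased action name is reported rather than silently accepted.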

Create an Amazon User with Credentials for Panzura S3 storage

1. Navigate to the IAM service:

2. Click on “Users”:

3. Click “Add User”:

4. Specify “User name”, select “Programmatic access”, and click the “Next: Permissions” button:

5. Select “Attach existing policies directly” to find the correct policy, select the Panzura specific policy, and click the “Next: Tags” button.

If you have not yet created a Panzura specific policy for the AWS S3 service, refer to the “User Permissions for Panzura S3 storage” and the “Create a Policy for use with Panzura S3 storage” sections of this document.

6. You may add tags here, then click the “Review” button:

7. Review the “User details” and the “Permissions summary” sections. When you are satisfied, click the “Create user” button:

8. You can retrieve the Access key ID and the Secret access key from this screen in multiple ways:

a. Click “show” under “Secret access key” and copy the keys from the user interface.

b. Click “Download .csv”. A download of “credentials.csv” will begin. This file contains the username, Access key ID, and the Secret access key.

AWS S3 Transfer Acceleration

Amazon S3 Transfer Acceleration enables fast, easy, and secure transfers of files over long distances between Panzura Freedom filers and an S3 bucket. Transfer Acceleration takes advantage of Amazon CloudFront’s globally distributed edge locations. As the data arrives at an edge location, data is routed to Amazon S3 over an optimized network path.

 

In order to enable transfer acceleration:

1. Enable Transfer Acceleration on a bucket

2. When configuring your S3 bucket, provide the following as the hostname:

bucketname.s3-accelerate.amazonaws.com

3. Provide all other information as requested.

 

AWS Server Side Encryption – Key Management Service (SSE-KMS)

Beginning in 8.0.0.9, Panzura Freedom filers support AWS SSE-KMS for server-side encryption of S3 objects. Server-side encryption is the encryption of data at its destination by the application or service that receives it. AWS Key Management Service (AWS KMS) is a service that combines secure, highly available hardware and software to provide a key management system scaled for the cloud. Amazon S3 uses AWS KMS customer master keys (CMKs) to encrypt your Amazon S3 objects. AWS KMS encrypts only the object data.

If you use CMKs, you use AWS KMS via the AWS Management Console or AWS KMS APIs to centrally create CMKs, define the policies that control how CMKs can be used, and audit CMK usage to prove that they are being used correctly. You can use these CMKs to protect your data in Amazon S3 buckets. When you use SSE-KMS encryption with an S3 bucket, the AWS KMS CMK must be in the same Region as the bucket.

SSE-KMS can be enabled when setting up the AWS S3 object store in the setup wizard or through the Configuration menu.

1. To configure SSE-KMS in the setup wizard, add the ARN for your KMS key when configuring AWS S3 as your Primary Cloud:

2. To configure SSE-KMS after initial setup:

a. Navigate to the Filer UI > Configuration > License Manager > Installed License Modules. Select “CSP-Amazon” and click “EDIT”:

b. Click the “SSE-KMS” slider, add the ARN for your KMS key. Include your Secret Key and click “Done”: