Article written by Mike Preston, Technical Marketing Engineer, Rubrik. 

Data is at the heart of nearly every business operation, and it's critical to ensure the security and integrity of that data. Amazon Simple Storage Service (S3) has long been a popular choice for organizations seeking a scalable, cost-effective, and resilient storage solution for their data needs. 

In fact, nearly one million organizations around the world rely on Amazon S3 to store hundreds of exabytes of unstructured, business-critical data. At the same time, cyberattacks are on the rise, and the cloud has become a key target for bad actors. It is therefore essential that organizations take measures to ensure that data is both secure and protected.

That said, achieving cyber resiliency and recovery for S3 is not an easy task. Most organizations rely on S3 Versioning to recover individual objects, but those versions remain inside the same AWS account as the source data. Anyone who gains sufficient access to that account, whether an external intruder or an authenticated insider, can delete the prior object versions or the bucket itself, removing the recovery point along with the data.

Organizations face many challenges with protecting their S3 data, including:

Inconsistent Data Protection: Organizations often use multiple AWS accounts to segregate data and establish security perimeters. Treating each account as a separate entity usually means maintaining a separate backup plan in each one, which is a management nightmare. Furthermore, if these accounts all belong to the same AWS organization, a bad actor who compromises the management account (for example through AWS Control Tower or AWS Organizations) can wreak havoc across all of them.

Shadow S3 Buckets: With hundreds of buckets deployed across hundreds of accounts, organizations lack visibility into, and awareness of, the data residing in S3, leaving critical organizational data unprotected.

Slow Recovery: Organizations need to search efficiently for data and objects across their entire S3 landscape. Full bucket restoration is time-consuming and becomes even more challenging when the data to be recovered is spread across multiple buckets in the environment.

Expensive Backup: A backup solution deployed in AWS needs to leverage tiered storage so that the backups cost less to keep than the production data they protect.

To achieve cyber resilience of their data, organizations need a data protection solution that provides visibility into all their S3 data across all their accounts, delivers efficient search and restore processes, and supports tiered storage within the cloud.
 

Announcing Rubrik Security Cloud support for AWS S3

We are very excited to announce that Rubrik Security Cloud is expanding its AWS coverage to now protect Amazon S3 as a supported workload. Utilizing Rubrik Security Cloud's unified interface, customers can automatically discover and inventory S3 buckets across all their AWS accounts. From there, Rubrik's powerful and intelligent Service Level Agreement (SLA) Domain policy-based protection delivers cyber resilience for your S3 objects, providing key table-stakes security features, such as immutable, air-gapped backups, role-based access control (RBAC), and of course, fast and efficient object-level search and recovery. 

Imagine being able to say your S3 data is fully protected with complete visibility — all while minimizing your total cost of ownership. Rubrik's S3 protection delivers just that!
 

Rubrik S3 protection: How it works

Rubrik's protection for Amazon S3 is delivered through four main categories:

  • Automatic Discovery and Onboarding
  • Global Policy-Driven Protection
  • Efficient Backups
  • Rapid Restore 

Let's take a look at each in detail.

Automatic Discovery and Onboarding
 

Onboarding Amazon S3 to Rubrik Security Cloud starts by providing Rubrik Security Cloud with your AWS account ID and a display name. Once authenticated to that account, Rubrik deploys an AWS CloudFormation stack that provisions the resources Rubrik Security Cloud needs to run backup and recovery operations against S3. After onboarding, all subsequent access goes through a newly created cross-account IAM role: customers grant Rubrik only the permissions attached to that role, can revoke access by changing its trust policy, and can audit every action Rubrik takes through the AssumeRole and S3 events recorded in AWS CloudTrail.

In addition to the cross-account role, a short-lived compute instance (Rubrik Exocompute) is configured in the account to index the S3 buckets and their objects. Customers onboarding many accounts can upload a CSV file containing the account details to Rubrik Security Cloud and configure multiple AWS accounts at once.

After Amazon S3 has been onboarded, Rubrik Security Cloud automatically discovers and inventories all of the S3 buckets within the AWS account, delivering a single interface to manage your data protection needs.
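The cross-account role is the single trust boundary between your account and the backup service, so its trust policy deserves a review before (and periodically after) onboarding. The following added example, written for this article and not Rubrik's code, audits a role's trust policy for the three properties a reviewer wants: a specific principal account rather than a wildcard, only the STS actions needed to assume the role, and an sts:ExternalId condition that blocks confused-deputy abuse. The account IDs, the ExternalId value and both sample policy documents are constructed placeholders, not Rubrik's identifiers; which vendor account and ExternalId to expect comes from the vendor's onboarding documentation.

```python
"""Audit the trust policy of a vendor's cross-account IAM role.

Before letting any third party assume a role in an account, a reviewer wants
three things from the role's trust policy: the principal is one specific
account (no wildcards), the only actions granted are the STS actions needed
to assume the role, and an sts:ExternalId condition is present to prevent
confused-deputy abuse by another customer of the same vendor.
"""
import json

# Constructed sample documents for illustration. The account IDs and the
# ExternalId value are placeholders, not Rubrik's real identifiers.
VENDOR_ACCOUNT = "111111111111"

WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},          # anyone on AWS may assume the role
        "Action": "sts:AssumeRole",         # and no ExternalId is required
    }],
}

HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id-0000"}},
    }],
}

# sts:TagSession is commonly granted alongside AssumeRole for session tags.
ALLOWED_ACTIONS = {"sts:AssumeRole", "sts:TagSession"}


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_accounts(principal):
    """Return the account IDs named by an AWS principal ('*' stays '*')."""
    if principal == "*":
        return ["*"]
    accounts = []
    for entry in _as_list(principal.get("AWS")):
        if entry == "*":
            accounts.append("*")
        elif entry.startswith("arn:aws:iam::"):
            accounts.append(entry.split(":")[4])   # arn:aws:iam::<account>:...
        else:
            accounts.append(entry)                 # bare 12-digit account ID
    return accounts


def audit_trust_policy(policy, vendor_account):
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        accounts = _principal_accounts(stmt.get("Principal", {}))
        if "*" in accounts:
            findings.append("principal is a wildcard: any AWS account could assume the role")
        for account in accounts:
            if account not in ("*", vendor_account):
                findings.append(f"principal account {account} is not the expected vendor account")
        extra = [a for a in _as_list(stmt.get("Action")) if a not in ALLOWED_ACTIONS]
        if extra:
            findings.append(f"unexpected actions granted in trust policy: {extra}")
        external_ids = _as_list(
            stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"))
        if not external_ids:
            findings.append("no sts:ExternalId condition: open to confused-deputy abuse")
    return findings


def audit_trust_policy_json(document, vendor_account):
    """Same check on the trust policy as JSON text (the AssumeRolePolicyDocument)."""
    return audit_trust_policy(json.loads(document), vendor_account)


if __name__ == "__main__":
    print("weak:    ", audit_trust_policy(WEAK_TRUST_POLICY, VENDOR_ACCOUNT))
    print("hardened:", audit_trust_policy(HARDENED_TRUST_POLICY, VENDOR_ACCOUNT) or "OK")
```

Run it against the role the CloudFormation stack created by feeding the role's AssumeRolePolicyDocument to `audit_trust_policy_json`; a wildcard principal or a missing ExternalId is reason to stop onboarding and raise it with the vendor.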

Global Policy-Driven Protection
 

Like other protected workloads within Rubrik Security Cloud, Amazon S3 buckets are protected utilizing Rubrik's Global SLA Domains. An SLA domain eliminates the legacy approach to data protection by replacing "jobs" with a single policy that is simply applied to your S3 buckets. 

For instance, an SLA Domain takes data protection constructs, such as RPO (how often you want to back up) and Retention (how long to keep those backups), and converges them into a single data protection policy. There is no need to create jobs for backup, jobs for indexing, jobs for archiving, etc. 

Once configured, SLAs are simply assigned to our Amazon S3 buckets, either on:

Account Level: Assigning an SLA to the entire AWS account ensures that any existing buckets, as well as any newly created buckets within the account, automatically inherit the policy and are automatically protected by Rubrik.

Bucket Level: SLA domains can also be assigned to individual buckets. Any SLAs assigned on the bucket level override any account-level assignment. This allows organizations to deliver blanket-level protection across their entire account yet still assign an SLA with a more aggressive RPO on their most mission-critical buckets.

Tag-Based Assignments: SLA domains can be automatically assigned to buckets based on their AWS tag key-value pairs. Many organizations leverage multiple AWS accounts, managed by various departments and people, but still employ a common tagging strategy across them. Assigning an SLA domain based on specific key-value pairs allows cloud administrators to manage and organize their Amazon S3 environment the way they always have, while still implementing data protection across all their AWS accounts by simply adding and modifying tags on the buckets.

Buckets whose objects reside in the S3 Standard or S3 Standard-Infrequent Access (S3 Standard-IA) storage classes can be protected by Rubrik Security Cloud through global SLA Domains.
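The three assignment levels above form a small precedence order, and the buckets that none of them reach are exactly the shadow buckets from the challenges list. The following added example (written for this article, not Rubrik's code) resolves the effective SLA Domain for each bucket in a constructed inventory and lists the buckets left unprotected. The article states only that a bucket-level assignment overrides the account level; ranking tag rules between those two, and letting the first matching tag rule win, are assumptions of this example, as are the account IDs, bucket names and SLA names.

```python
"""Resolve the effective SLA Domain for every S3 bucket from account-level,
tag-based and bucket-level assignments, and list the buckets left with none.

Precedence used here: an explicit bucket-level assignment wins, then the
first matching tag rule, then the account-level default. The article states
only that bucket-level overrides account-level; ranking tag rules between
those two, and first-match-wins among tag rules, are assumptions of this
example.
"""
from dataclasses import dataclass, field


@dataclass
class Bucket:
    name: str
    account: str                                 # owning AWS account ID
    tags: dict = field(default_factory=dict)     # bucket tag key/value pairs


@dataclass
class TagRule:
    key: str
    value: str
    sla: str                                     # SLA Domain to assign on match


def resolve_sla(bucket, account_slas, tag_rules, bucket_slas):
    """Return (sla_name, source); source records which assignment won."""
    if bucket.name in bucket_slas:
        return bucket_slas[bucket.name], "bucket"
    for rule in tag_rules:
        if bucket.tags.get(rule.key) == rule.value:
            return rule.sla, f"tag:{rule.key}={rule.value}"
    if bucket.account in account_slas:
        return account_slas[bucket.account], "account"
    return None, "unprotected"


def protection_report(buckets, account_slas, tag_rules, bucket_slas):
    """Map every bucket name to its effective (sla, source)."""
    return {b.name: resolve_sla(b, account_slas, tag_rules, bucket_slas) for b in buckets}


def unprotected_buckets(report):
    """Names of buckets that no assignment reaches (the shadow-bucket list)."""
    return sorted(name for name, (sla, _) in report.items() if sla is None)


# Constructed inventory. Account IDs, bucket names and SLA names are
# placeholders for illustration.
ACCOUNT_SLAS = {"111111111111": "Bronze"}        # account-level default
BUCKET_SLAS = {"billing-ledger": "Gold"}         # explicit bucket-level assignment
TAG_RULES = [TagRule("DataClass", "pii", "Silver")]
BUCKETS = [
    Bucket("billing-ledger", "111111111111", {"DataClass": "pii"}),   # bucket beats tag
    Bucket("customer-exports", "111111111111", {"DataClass": "pii"}), # tag beats account
    Bucket("static-assets", "111111111111"),                          # account default
    Bucket("sandbox-scratch", "222222222222", {"Owner": "dev"}),      # nothing applies
]

if __name__ == "__main__":
    report = protection_report(BUCKETS, ACCOUNT_SLAS, TAG_RULES, BUCKET_SLAS)
    for name, (sla, source) in report.items():
        print(f"{name:18} {sla or '-':8} via {source}")
    print("unprotected:", unprotected_buckets(report))
```

The `unprotected_buckets` list is the useful output: an account with no account-level SLA and buckets that match no tag rule is where shadow data accumulates, so feeding a real inventory through a resolver like this is a quick way to find it.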

Efficient Backup

Rubrik takes an incremental-forever approach to Amazon S3 protection: the first backup is a full backup that processes the entire dataset in the bucket, and each subsequent backup captures only the data that has changed since the previous backup point. This keeps backup windows short and lowers the cost of storing the backups themselves.

Rubrik Exocompute, a short-lived compute instance, performs the backup and restore work, indexes the data, and sends metadata to Rubrik Security Cloud after each backup event. Exocompute is needed only while backup, restore, and indexing tasks run and is powered down promptly when idle.

The backups themselves are stored in S3, in the S3 Standard, S3 Standard-IA, or S3 Glacier storage classes, and air-gapping is provided by letting organizations place backups in a different region, or even a different account, from the source data. As we know, simply storing backups does not guarantee cyber recovery; the backups must also be immutable and out of a bad actor's reach. For immutability, Rubrik can leverage Amazon S3 Object Lock, which prevents locked object versions from being deleted or overwritten for their retention period, so backups survive accidental or malicious deletion and ransomware encryption alike. Two practitioner caveats apply: Object Lock requires versioning on the backup bucket, and only compliance mode is unconditional, since governance-mode retention can be overridden by any principal granted the s3:BypassGovernanceRetention permission.
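"Immutable and air-gapped" is a property of the backup bucket's configuration, so it is worth verifying rather than assuming. The following added example, written for this article and not Rubrik's code, checks a backup target against the conditions just described: versioning on, Object Lock enabled with a compliance-mode default retention at least as long as the SLA retention, and a target account and region different from the source. The inputs are dictionaries shaped like the boto3 responses of GetBucketVersioning and GetObjectLockConfiguration; the sample responses, account IDs and regions are constructed placeholders, and treating a missing default retention rule and a shared region as findings rather than hard failures is a judgement of this example.

```python
"""Check that a backup target bucket is really immutable and air-gapped.

Inputs are dictionaries shaped like the responses of the S3 API calls
GetBucketVersioning and GetObjectLockConfiguration (as boto3 returns them),
so the check runs offline on the constructed samples below and can be fed
live responses without changing the logic. A bucket without Object Lock
makes boto3 raise ObjectLockConfigurationNotFoundError; pass {} for it.
"""
from dataclasses import dataclass


@dataclass
class BackupTarget:
    account: str        # AWS account ID that owns the backup bucket
    region: str         # region of the backup bucket
    versioning: dict    # GetBucketVersioning response
    object_lock: dict   # GetObjectLockConfiguration response, or {} if none


def _retention_days(default_retention):
    """Default retention may be expressed in Days or Years."""
    if "Days" in default_retention:
        return int(default_retention["Days"])
    if "Years" in default_retention:
        return int(default_retention["Years"]) * 365
    return 0


def check_backup_target(target, source_account, source_region, sla_retention_days):
    """Return a list of findings; an empty list means the target passes."""
    findings = []
    if target.versioning.get("Status") != "Enabled":
        findings.append("versioning is not enabled (Object Lock requires it)")
    cfg = target.object_lock.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled: backup objects can be deleted or overwritten")
    else:
        rule = cfg.get("Rule", {}).get("DefaultRetention", {})
        mode = rule.get("Mode")
        if mode == "GOVERNANCE":
            findings.append("default retention mode is GOVERNANCE: principals with "
                            "s3:BypassGovernanceRetention can still remove backups")
        elif mode != "COMPLIANCE":
            findings.append("no default retention rule: objects are locked only if the "
                            "writer sets retention per object")
        if mode in ("GOVERNANCE", "COMPLIANCE"):
            days = _retention_days(rule)
            if days < sla_retention_days:
                findings.append(f"default retention {days}d is shorter than the "
                                f"SLA retention of {sla_retention_days}d")
    if target.account == source_account:
        findings.append("backup bucket is in the source account: one compromised account reaches both")
    if target.region == source_region:
        findings.append("backup bucket is in the source region: no regional isolation")
    return findings


# Constructed samples; account IDs and regions are placeholders.
SOURCE_ACCOUNT, SOURCE_REGION = "111111111111", "us-east-1"

WEAK_TARGET = BackupTarget(
    account="111111111111", region="us-east-1",   # same account and region as the source
    versioning={"Status": "Enabled", "MFADelete": "Disabled"},
    object_lock={"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}},
    }},
)

HARDENED_TARGET = BackupTarget(
    account="222222222222", region="us-west-2",
    versioning={"Status": "Enabled", "MFADelete": "Disabled"},
    object_lock={"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}},
    }},
)

if __name__ == "__main__":
    for label, target in (("weak", WEAK_TARGET), ("hardened", HARDENED_TARGET)):
        print(label, check_backup_target(target, SOURCE_ACCOUNT, SOURCE_REGION, 30) or "OK")
```

The GOVERNANCE finding is the one most often missed: the bucket looks locked in the console, but any principal holding s3:BypassGovernanceRetention in the backup account can shorten or remove the retention, which is exactly what an attacker with that account's credentials would do first.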

Rapid Restore

Rubrik's S3 protection enables restoration on both the bucket- and object-level hierarchy. For bucket-level restoration, customers simply select the bucket they would like to recover within the Rubrik Security Cloud UI and specify the target to restore to, be it the source S3 bucket or an entirely different S3 bucket.

For object-level restore, customers search for objects by name within a snapshot, select the objects to recover, and restore them either to the original bucket (in-place) or to a different bucket (export).

Both entire buckets and individual objects can be restored to any region within any account, no matter where the original backups exist, providing complete flexibility to maintain business continuity.

Rubrik Now Protects Critical S3 Data

Safeguarding data stored within Amazon S3 is crucial in ensuring the availability, confidentiality, and integrity of an organization's critical information. Rubrik Security Cloud brings cyber resilience to your S3 data, ensuring backups are not only available but also immutable and air-gapped, safely tucked away from accidental or malicious activity. Whether you are a large enterprise with thousands of buckets across hundreds of AWS accounts, or a small business leveraging a single bucket, Rubrik Security Cloud has you covered. 
