Prior to attempting these steps, please ensure that you have a valid AWS Billing account and the permissions necessary to create or manage Users, Buckets, Policies and optionally KMS keys.
See here for more information on Cloud Storage pricing.
Bucket Setup
Create a User
In this section we will create a user using the AWS console.
- Open the AWS console and using the search box, search for the text IAM. In the search results, select the IAM Service and you will navigate to the IAM Dashboard.
- On the left hand navigation select Users.
- Click the Create User button.
- Enter the User name you require and click Next
- Do not select a User group and click Next
- Click Create user
- Locate the user in the user list and click on them to view their properties
- Click the Create access key link
- Select the option Application running outside AWS and click Next
- Optionally provide a description tag
- Click Create access key
- Note the Access key and Secret access key values for use in CloudM Backup
- Click Done
Create an Encryption Key (Optional)
In this section we will optionally create a KMS Key using the AWS console. Please note, this step is not required in order to use Amazon S3 with CloudM Backup. All S3 buckets are encrypted by default. This step just allows use of a custom key.
- Open the AWS console and using the search box, search for the text KMS. In the search results, select Key Management Service and you will navigate to the Customer managed keys page.
- Click the Create key button.
- On the Configure key page set the following options:
  - Key type = Symmetric
  - Key usage = Encrypt and Decrypt
  - Advanced options -> Key material origin = KMS
  - Advanced options -> Regionality = Single-region key
- Click the Next button
- Add an Alias and optionally a Description
- Click the Next button
- Select any additional Key administrators you require
- Click the Next button
- Select the User added in the previous section as a Key user
- Click the Next button
- Click Finish
- Locate the new key and note its Amazon Resource Name (ARN)
Create a Bucket
In this section we will create a bucket using the AWS console.
- Open the AWS console and using the search box, search for the text S3. In the search results, select S3 and you will navigate to the S3 list page.
- Click the Create bucket button.
- Enter a valid Bucket name. Be aware this needs to be globally unique and conform to the rules for bucket naming.
- Select the AWS Region which conforms to the list of supported regions for Backup.
- Leave the Object Ownership, Public Access and Bucket Versioning settings unchanged
- If using your own Encryption Key from the optional section above:
  - Select Encryption type = SSE-KMS
  - Select Choose from your AWS KMS keys
  - Pick the encryption key you created in the previous section
- Otherwise leave Encryption type = SSE-S3
- Click Create bucket
- Locate the bucket you have created and note its ARN
Create a Policy
In this section we will create a policy using the AWS console.
- Open the AWS console and using the search box, search for the text IAM. In the search results, select the IAM Service and you will navigate to the IAM Dashboard.
- On the left hand navigation select Policies.
- Click the Create policy button.
- Click the JSON button
- If you have chosen to use a custom KMS key for server side encryption replace the placeholders in the following JSON and paste into the Permissions defined in this policy text area.
- Otherwise, replace the placeholders in the following JSON and paste into the Permissions defined in this policy text area.
- Click Next
- Enter a Policy name and optionally a Description
- Click Create policy
- Locate the policy you have created. You may need to filter by type Customer managed
- Click the policy to view its properties
- Select the tab Entities attached
- In the section titled Attached as a permissions policy, click the Attach button
- Locate the user you created, select them and click the Attach policy button
CloudM Backup Amazon S3 storage bucket requirements
Your CloudM Backup storage bucket must be located in either the US or Europe, and it must be in the same region as your Google Workspace Tenant. It cannot be the same bucket that you use for CloudM Archive.
Supported Amazon S3 regions
us-east-2
us-east-1
us-west-1
us-west-2
ca-central-1
eu-central-1
eu-west-1
eu-west-2
eu-south-1
eu-west-3
eu-north-1
eu-south-2
eu-central-2
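
As an added example (not CloudM's or AWS's own code), the following Python function checks the response dicts of the S3 GetBucketLocation, GetBucketEncryption and GetPublicAccessBlock calls against the choices made in Create a Bucket and the supported region list above. It assumes that leaving Public Access unchanged means all four Block Public Access settings are enabled and that the bucket records the KMS key as a full ARN; the function name and the sample responses are constructed for illustration.

```python
# Added example: audit S3 API responses against this page's bucket settings.
SUPPORTED_REGIONS = {
    "us-east-2", "us-east-1", "us-west-1", "us-west-2", "ca-central-1",
    "eu-central-1", "eu-west-1", "eu-west-2", "eu-south-1", "eu-west-3",
    "eu-north-1", "eu-south-2", "eu-central-2",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def audit_bucket(location, encryption, public_access, kms_key_arn=None):
    """Return a list of findings; empty means the bucket matches the page.
    Inputs are the GetBucketLocation, GetBucketEncryption and
    GetPublicAccessBlock response dicts; kms_key_arn is None for SSE-S3."""
    findings = []
    # GetBucketLocation reports us-east-1 as a null LocationConstraint.
    region = location.get("LocationConstraint") or "us-east-1"
    if region not in SUPPORTED_REGIONS:
        findings.append(f"region {region} is not in the supported list")

    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {}) if rules else {}
    algo = default.get("SSEAlgorithm")
    if kms_key_arn is None:
        if algo != "AES256":
            findings.append(f"expected SSE-S3 (AES256), found {algo}")
    elif algo != "aws:kms":
        findings.append(f"expected SSE-KMS (aws:kms), found {algo}")
    elif default.get("KMSMasterKeyID") != kms_key_arn:
        # Assumption: the key is stored as a full ARN, not a key id or alias.
        findings.append("bucket default key is not the KMS key created for Backup")

    # Assumption: "unchanged" Public Access means all four flags are enabled.
    pab = public_access.get("PublicAccessBlockConfiguration", {})
    for flag in PAB_FLAGS:
        if pab.get(flag) is not True:
            findings.append(f"public access setting {flag} is not enabled")
    return findings


if __name__ == "__main__":
    # Constructed sample responses (placeholder account id and key id).
    key = "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID"
    enc = {"ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": key}}]}}
    pab = {"PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS, True)}
    print(audit_bucket({"LocationConstraint": "eu-west-1"}, enc, pab, key))
```

With boto3, the three inputs come from `get_bucket_location`, `get_bucket_encryption` and `get_public_access_block` on an S3 client.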