Platform
- Data Security Cloud
  Data Security Cloud
  Fully managed data security across enterprise, cloud, SaaS, and end user.
- Data Protection
  Data Protection
  Modernize data protection to reduce costs and complexity
- Cyber Response & Recovery
  Cyber Response & Recovery
  Bounce back from cyber attacks with data that is always safe and ready.
- eDiscovery & Compliance
  eDiscovery & Compliance
  Secure, protect, and streamline data governance.
- Meet Dru - Your Copilot for Data Security
Solutions
- Use Cases
  Use Cases
  Learn how Druva helps you accelerate key business initiatives
- Key Technologies
  - Public Cloud
    Public Cloud
    Protect native AWS and Azure deployments with secure backups without the cost and complexity
    
    AWS
    
    Azure
  - Hybrid Workloads
    Hybrid Workloads
    Transform data center backup and disaster recovery for virtual environments
    
    VMware
    
    Hyper-V
    
    Nutanix
    
    Oracle
    
    MS SQL
    
    SAP HANA
    
    NAS/files
  - Endpoint and SaaS Apps
    Endpoint and SaaS Apps
    Enterprise Cloud Backup and data management across edge, on-premises and cloud workloads
    
    End User Protection
    
    Microsoft 365
    
    Salesforce
    
    Google Workspace
    
    Microsoft Entra ID
    
    Microsoft Dynamics 365
- Free Trial
Customers
- Explore All Customer Stories
  We are trusted by the world's leading organizations to protect their data. Explore customer success stories to see how your peers are using Druva.
- Ransomware recovery ready
  Learn why Medallia chose Druva
  
  SaaS data protection across the enterprise
  See why Regeneron partnered with Druva
Resources
- Druva vs. Veeam TCO Calculator
  Find the hidden costs of legacy backup
  
  Forrester: Total Economic Impact of Druva 2024
  Customers see 224% ROI: Find out how
Partners
- Programs
  Programs
  Learn how you can profit with Druva and a cloud-first SaaS selling motion. Explore partner programs, access resources, and discover the benefits of partnering with Druva.
- Strategic Partners
  Strategic Partners
  Learn about Druva's strategic capabilities across platform, OEM, and other partnerships. Find out how Druva accelerates and protects customers' cloud journeys.
  - Dell Technologies
  - AWS
  - VMware
  - Nutanix
- Become a Partner
Company
- - Company
  - Leadership
  - Investors
  - Careers
  - Contact Us
  - Newsroom
  - Awards
  - Events
  - Diversity, Equity & Inclusion
  - Blog
- Get in touch with us
  Contact Us
  
  News, product innovations, and more
  Blog
Get Started
Support
Login
Language
- English
- Deutsch

Innovation Series

Amazon S3 Security Part 4: Data Immutability

March 13, 2023 Aashish Aacharya (AJ), Senior Cloud Security Engineer

In the previous part of the five parts series, we discussed how we can achieve data integrity using Amazon S3 features. In this series, we will walk you through how to enable Amazon S3 cross-region/account replication to achieve data immutability to keep it remote and secure, segregate access, ensure compliance, as well as increase performance by minimizing latency to increase operational efficiency.

Amazon S3 replication

Replication enables automatic and asynchronous copying of objects across Amazon S3 buckets, owned by the same AWS region/account or by different regions/accounts, and to a single or multiple destination bucket/s. Some of the use cases for replication are for data compliance requirements, minimizing latency, or increasing operational efficiency.

To create a replication rule, go to the Amazon S3 console, and select the S3 bucket (note that replication requires versioning to be enabled for both the source and destination buckets). Under the “Properties” tab of the S3 bucket, edit the “Bucket Versioning” field.

Next, select “Enable” and save the changes.

Next, to create bucket replication rules, under the “Management” tab, go to “Replication rules” and click “Create replication rule."

Provide a replication rule name and select a status for the rule during creation. Please note that for the batch job to work (we discuss it later in this article) the status has to be enabled first.

You can choose to apply the rule to all objects or filter objects by prefix, object tags, or a combination of both. In this example, let’s apply it to all objects in the bucket.

For the destination, you can choose the same or different AWS accounts. Ideally, especially for sensitive logs, a separate AWS account is recommended — in case the owner's AWS account is compromised, you will have a backup copy in a safe location. It also allows the destination AWS account to be locked for security and compliance and is less susceptible to tampering in the same way the source account might be. It’s always a best practice to segregate AWS users or AWS IAM role access levels for the source and destination AWS accounts.

Let’s use the same account but a bucket in a different region in this example.

You will need to provide an IAM role. You can also simply select to “Create new role" automatically.

Additionally, you have options to change the destination storage class and replicate objects encrypted with AWS KMS, if needed. Let’s use default options. Let’s also enable RTC as well as replication metrics and notifications and click “Save."

You can enable a one-time batch operations job from the replication configuration to replicate objects that already exist in the bucket and synchronize the source and destination buckets. Let’s select the option for this example. If you do not select the option, only new objects will be replicated.

To do this you will have to create a batch job, like in the example below, and click “Save."

You can monitor the progress of the job under the “Batch Operations” tab in the Amazon S3 console (note that if you haven’t enabled replication from the Amazon S3 bucket’s “Management” tab yet, the job will fail).

Monitor progress under "Batch Operations"

When the batch job is ready, you will observe the status as “Awaiting your confirmation." You will need to click “Run job” for the job to trigger. The status will then change to “Ready” and then “Active” during the progress, before “Completing” and finally “Completed."

You can then download the completion report and verify all jobs:

The .csv report sample looks like this:

Summary

We can use Amazon S3 cross-region/account replication feature for achieving data immutability to meet compliance requirements, minimize latency, or increase operational efficiency. In the next and final part of the series, we will discuss some additional security measures for your Amazon S3 data.

Next Steps

Return to the intro of this series for links to each of the blogs in this series and read the final issue to learn more about additional security layers in Amazon S3. You can also learn more about the technical innovations and best practices powering cloud backup and data management. Visit the Innovation Series section of Druva’s blog archive.

About the Author

I have been in the cloud tech world since 2015, wearing multiple hats and working as a consultant to help customers architect their cloud journey. I joined Druva four years ago as a cloud engineer. Currently, I lead Druva’s cloud security initiatives, roadmap, and planning. I love to approach cloud security pragmatically because I strongly believe that the most important component of security is the humans behind the systems.

Get my hands-on style weekly cloud security newsletter. Subscribe here

Find me on LinkedIn: https://www.linkedin.com/in/aashish-aj/

Email: aashish.aacharya@druva.com

Amazon S3 Security Part 4: Data Immutability

Amazon S3 replication

Summary

Next Steps

About the Author

Druva Blog: Cloud Technology & Data Protection Articles

Druva Data Security Cloud

The Druva Platform

Data Protection

Cyber Response & Recovery

eDiscovery & Compliance

Use Cases

Key Technologies

Customers

Resources

Partners

Company