Data Domain: Integrating Data Domain Cloud Tier with Amazon AWS S3

Summary: This article provides step-by-step instructions to configure Data Domain Cloud Tier with Amazon AWS S3, including IAM setup, certificate configuration, cloud unit creation, and bucket naming. ...


Instructions

This procedure outlines the required steps to integrate a Data Domain system with AWS S3 for Cloud Tier functionality. The process consists of four key stages:

  1. Configure AWS Identity and Access Management (IAM) credentials
  2. Import the required CA certificate
  3. Add the AWS S3 cloud unit in Data Domain
  4. Understand cloud unit naming conventions

1. Configure AWS IAM Credentials

Create an AWS IAM user with appropriate permissions for S3 access.

Required Permissions

At minimum, the IAM user must have permissions to:

    • Create and delete buckets
    • List and manage bucket contents

Recommended policy:

    • AmazonS3FullAccess

Minimum required permissions:

    • CreateBucket
    • ListBucket
    • DeleteBucket
    • ListAllMyBuckets
    • GetObject
    • PutObject
    • DeleteObject
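
The minimum permissions above written as an IAM policy document, with a check that flags anything a candidate policy allows beyond them. This is an added example, not code from this article or from AWS; the `s3:` action names are standard IAM actions, while the wildcard resource ARNs, the Sids and the function names are assumptions chosen here.

```python
import json

# Minimum S3 actions listed in the article, with the "s3:" prefix IAM requires.
ACCOUNT_ACTIONS = ["s3:ListAllMyBuckets"]
BUCKET_ACTIONS = ["s3:CreateBucket", "s3:ListBucket", "s3:DeleteBucket"]
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
# IAM action names are case-insensitive, so compare in lowercase.
MINIMUM = {a.lower() for a in ACCOUNT_ACTIONS + BUCKET_ACTIONS + OBJECT_ACTIONS}


def build_minimum_policy():
    """Return a policy document granting only the article's minimum actions."""
    # Assumption: bucket names are generated by Data Domain, so resources
    # are left as wildcards rather than scoped to known bucket names.
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListBuckets", "Effect": "Allow",
             "Action": ACCOUNT_ACTIONS, "Resource": "*"},
            {"Sid": "BucketLevel", "Effect": "Allow",
             "Action": BUCKET_ACTIONS, "Resource": "arn:aws:s3:::*"},
            {"Sid": "ObjectLevel", "Effect": "Allow",
             "Action": OBJECT_ACTIONS, "Resource": "arn:aws:s3:::*/*"},
        ],
    }


def excess_actions(policy):
    """List actions a policy allows that are outside the minimum set."""
    statements = policy["Statement"]
    if isinstance(statements, dict):      # a single statement object is valid
        statements = [statements]
    extra = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):      # a single action string is valid
            actions = [actions]
        extra.update(a for a in actions if a.lower() not in MINIMUM)
    return sorted(extra)


# Constructed sample with the shape of a broad "full access" policy.
BROAD_SAMPLE = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    print(json.dumps(build_minimum_policy(), indent=2))
    print("excess in broad sample:", excess_actions(BROAD_SAMPLE))
```
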

Procedure

    1. Log in to the AWS Console:
      https://aws.amazon.com/
    2. Navigate to Services → IAM
    3. Select Users → Add user
    4. Configure:
      • Username (for example, DD_S3_cloudtier)
      • Access type: Programmatic access
      • Then click 'Next Permissions'
    5. Assign permissions:
      • Create a group (for example, S3FullAccess_DD_cloudtier)
      • Attach AmazonS3FullAccess

      Give the group a unique name, for example "S3FullAccess_DD_cloudtier", then search for "AmazonS3FullAccess". When the option appears in the results, select it and click Create group.

      You are returned to the previous menu. Select the group you created ("S3FullAccess_DD_cloudtier"), then click Next Tags.

      On the Review menu, double-check that the details entered are correct, then click "Create user".
    6. Complete the user creation process

      Download the Access key ID and Secret access key

      ✅ These credentials are required when configuring the Data Domain cloud unit.

2. Import CA Certificate for AWS S3 Connectivity

Prerequisite

To establish secure HTTPS communication with AWS S3, import the correct root CA certificate into the Data Domain system.

Important Update

    • The Baltimore CyberTrust Root certificate is no longer valid and must not be used
    • AWS S3 now uses certificates issued by Amazon Trust Services (ATS)

Required Certificate

Download and import:

    • Amazon Root CA 1

Download Location

https://www.amazontrust.com/repository/AmazonRootCA1.pem

Optional (Recommended)

For broader compatibility, import all ATS root certificates:

    • Amazon Root CA 1
    • Amazon Root CA 2
    • Amazon Root CA 3
    • Amazon Root CA 4

Import Procedure

    1. In Data Domain UI:
      • Navigate to Data Management → File System → Cloud Units
    2. Click Manage Certificates
    3. Click Add
    4. Choose one of the following:
      • Upload .pem file
      • Paste certificate contents directly
    5. Click Add

The CA certificate is now added. Next, add the S3 cloud unit from the Data Domain UI.


3. Add AWS S3 Cloud Unit to DD

Procedure

    1. In the DD Web UI, navigate to:
      • Data Management → File System → Cloud Units
    2. Click Add
    3. Configure:
    4. Enter credentials:
      • Access Key ID
      • Secret Access Key
    5. Confirm:
      • Port 443 (HTTPS) is open
      • Use the 'Verify' button to confirm the settings are GOOD
    6. (Optional) Configure HTTP proxy if required
    7. Click Add

✅ The cloud unit is created in the system.

Note: Credentials can be updated later if required.



4. Cloud Unit Naming Convention

After creation, Data Domain automatically creates three S3 buckets.

Naming Format

Each bucket follows this structure:

    <16-char hex>-<16-char hex>-<suffix>

Bucket Types

    • -d0 → Data segments
    • -c0 → Configuration data
    • -m0 → Metadata

Each bucket name is unique to the cloud unit.
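
An inventory check built on this naming format: it picks Cloud Tier buckets out of an account's bucket list, groups them by cloud unit, and reports any unit missing one of its three buckets. This is an added example, not code from this article; it assumes lowercase hex digits and that the three buckets of one cloud unit share the same two hex fields, and the sample names are constructed.

```python
import re
from collections import defaultdict

# Assumptions (not stated in the article): hex digits are lowercase, and the
# three buckets of one cloud unit share the same two 16-character hex fields.
BUCKET_RE = re.compile(r"([0-9a-f]{16})-([0-9a-f]{16})-(d0|c0|m0)")
ROLES = {"d0": "data segments", "c0": "configuration data", "m0": "metadata"}


def classify(name):
    """Return (unit_prefix, suffix) for a Cloud Tier bucket name, else None."""
    m = BUCKET_RE.fullmatch(name)
    return (f"{m.group(1)}-{m.group(2)}", m.group(3)) if m else None


def audit(bucket_names):
    """Group bucket names by cloud unit and report missing bucket types."""
    units = defaultdict(set)
    other = []
    for name in bucket_names:
        parsed = classify(name)
        if parsed:
            units[parsed[0]].add(parsed[1])
        else:
            other.append(name)          # not a Cloud Tier bucket by this format
    expected = set(ROLES)
    complete = sorted(p for p, s in units.items() if s == expected)
    incomplete = {p: sorted(expected - s) for p, s in units.items() if s != expected}
    return {"complete": complete, "incomplete": incomplete, "other": other}


# Constructed bucket listing (made-up names for illustration only).
SAMPLE = [
    "0123456789abcdef-fedcba9876543210-d0",
    "0123456789abcdef-fedcba9876543210-c0",
    "0123456789abcdef-fedcba9876543210-m0",
    "aaaaaaaaaaaaaaaa-bbbbbbbbbbbbbbbb-d0",
    "aaaaaaaaaaaaaaaa-bbbbbbbbbbbbbbbb-m0",
    "company-logs-d0",
]

if __name__ == "__main__":
    report = audit(SAMPLE)
    for prefix, missing in report["incomplete"].items():
        print(prefix, "is missing:", ", ".join(ROLES[s] for s in missing))
```
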


Completion

Cloud Tier integration is complete. You can now:

    • Configure data movement policies
    • Migrate data from MTrees to the cloud tier

Additional Information

Affected Products

Data Domain

Article Properties

Article Number: 000158432
Article Type: How To
Last Modified: 23 May 2026
Version: 7