
Dell PowerProtect Cyber Recovery 19.15 AWS Deployment Guide


Following cloud security best practices for Retention Lock Compliance

When using PowerProtect DD Retention Lock Compliance mode, follow cloud security best practices to comply with security requirements.

There are two PowerProtect DD Retention Lock modes:

  • Retention Lock Governance—This mode trusts authorized administrators with flexibility to extend or shorten retention periods and revert a file status from locked to unlocked.
    NOTE: In this mode, the ability to shorten retention periods and change the file status to unlocked does not meet the requirements of the Sec 17a-4(f) Rule.
  • Retention Lock Compliance—This mode enforces strict controls, such as:
    • Establishing restrictions on low-level access to system functions used during troubleshooting
    • Requiring a user with the Security Officer role to authorize certain commands that pertain to compliance features
    • Disallowing retention expiration dates from being shortened (extending a retention expiration date is allowed)
    • Disallowing any user from reverting a file status from locked to unlocked

For retention locking and file system controls, DDVE on AWS is the same as PowerProtect DD and on-premises PowerProtect DDVE. However, DDVE on AWS is deployed as virtual instances in the AWS compute infrastructure and uses S3 storage as its Active Tier storage instead of local storage. Unlike local hypervisors, the underlying computing infrastructure of AWS is not accessible.

The AWS Management Console is the interface that is available to manage the PowerProtect DDVE virtual instances and S3 object storage. Use the console to configure access control to restrict management actions and prevent impact to the virtual machine instances and the S3 object storage (by modifying or deleting the data stored in the S3 object storage).

The following sections provide best practices for hardening the management and S3 access controls in AWS. Enforce these best practices to operate the DDVE in AWS using Retention Lock Compliance mode. For more information about enforcing and hardening access, see the AWS documentation.

Multifactor authentication for user logins

Enable multifactor authentication for the AWS user to log in to the AWS Management Console. Multifactor authentication prevents login to the console with only username- and password-based credentials.

User Access Controls

Use the AWS Management Console to harden and control access by defining appropriate user restrictions:

  • Restrict user permissions and set permission boundaries for users, such as restricting the permissions for what users can do and the permissions that they can give to other users. For example, a user designated to manage the DDVE on AWS instances does not need permissions to create users or modify their properties.
  • Create roles with only the set of permissions required to manage the DDVE systems and S3 storage in AWS. Assign the roles to one or more users selectively, while adhering to the organization's security policies and restrictions. See the PowerProtect DDVE on Amazon Web Services Installation and Administration Guide for the minimum set of permissions required by DDVE.

Role-based access control (RBAC) mode

Access the S3 object storage from within the DDVE instance only using AWS's role-based access control (RBAC) mechanism. Do not configure regular long-term credentials in DDVE. RBAC for AWS can be configured by attaching appropriate policies and roles to the DDVE instances that provide it with the appropriate permissions to access the S3 object storage by fetching short-term, rotating, and temporary credentials. For information about using RBAC on DDVE, see the PowerProtect DDVE on Amazon Web Services Installation and Administration Guide.

Deleting long-term access and secret keys for the user account

Because RBAC is the only mode of S3 access from within the DDVE instance on AWS, there is no requirement for long-term credentials, such as access and secret keys created and activated for the user. We recommend that you do not create these keys and delete any existing keys.

Least privileges

The role and policy attached to the DDVE in the AWS virtual instance must have the least privileges and permissions. They must have only the set of permissions required for PowerProtect DD to operate. Specifically, do not use wildcard (*) assignments or any broader policies in the policy definition. For more information about permissions, see the PowerProtect DDVE on Amazon Web Services Installation and Administration Guide.
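
One way to check a role policy for the wildcard assignments described above, before attaching it to the DDVE instance. This is an added example, not Dell's or AWS's code; the bucket name and the action list in the sample policies are constructed for illustration, and the actual minimum permission set is the one in the Installation and Administration Guide.

```python
def _as_list(value):
    """IAM accepts a bare value or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _resource_too_broad(resource):
    if resource == "*":
        return True
    # S3 ARNs look like arn:aws:s3:::bucket/key. A wildcard in the bucket part
    # spans buckets, while "bucket/*" (all objects in one bucket) stays scoped.
    _, sep, tail = resource.partition(":::")
    return bool(sep) and "*" in tail.split("/", 1)[0]

def find_wildcard_grants(policy):
    """Return (sid, field, value) for each over-broad grant in Allow statements."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements widen what the role can do
        sid = stmt.get("Sid", f"statement[{idx}]")
        for action in _as_list(stmt.get("Action")):
            if "*" in action:  # "*", "s3:*" and "s3:Get*" are all wildcards
                findings.append((sid, "Action", action))
        for resource in _as_list(stmt.get("Resource")):
            if _resource_too_broad(resource):
                findings.append((sid, "Resource", resource))
        # In an Allow, NotAction/NotResource grant everything except the list.
        for field in ("NotAction", "NotResource"):
            if field in stmt:
                findings.append((sid, field, str(stmt[field])))
    return findings

# Constructed sample policies (illustrative names and actions only).
LOOSE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Sid": "AllButDelete", "Effect": "Allow", "NotAction": "s3:DeleteBucket",
     "Resource": "arn:aws:s3:::example-ddve-bucket/*"},
]}
TIGHT_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow",
    "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
    "Resource": ["arn:aws:s3:::example-ddve-bucket",
                 "arn:aws:s3:::example-ddve-bucket/*"],
}}

if __name__ == "__main__":
    for name, pol in (("loose", LOOSE_POLICY), ("tight", TIGHT_POLICY)):
        print(name, find_wildcard_grants(pol))
```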

S3 bucket or container access to a single instance of PowerProtect DDVE in AWS

Configure the bucket or container level access policy to restrict S3 access to only one instance of DDVE on AWS at any time. You can configure the unique ID of the DDVE virtual machine instance, the virtual machine security principal, or any equivalent identity in the bucket access policy to achieve the same result.
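
One way to express the single-instance restriction, as an added example rather than Dell's own policy: it assumes the `aws:userid` condition key, which for a role assumed through an EC2 instance profile has the form `<role-id>:<instance-id>`. The bucket name, role ID and instance ID are constructed placeholders, and the check looks only at the identity exemption, not at the rest of the policy.

```python
def _as_list(value):
    return value if isinstance(value, list) else [value]

def single_instance_bucket_policy(bucket, role_id, instance_id):
    """Deny all S3 actions on the bucket to every caller except the role
    session of one EC2 instance (aws:userid = "<role-id>:<instance-id>")."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllExceptOneDdveInstance",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",  # a wildcard in a Deny narrows access
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotEquals":
                          {"aws:userid": f"{role_id}:{instance_id}"}},
        }],
    }

def exempt_identities(policy):
    """Collect aws:userid values exempted from Deny-for-everyone statements."""
    exempt = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny" or stmt.get("Principal") != "*":
            continue
        for op in ("StringNotEquals", "StringNotLike"):
            for key, value in stmt.get("Condition", {}).get(op, {}).items():
                if key.lower() == "aws:userid":  # keys are case-insensitive
                    exempt.extend(_as_list(value))
    return exempt

def restricts_to_single_instance(policy):
    """True only when exactly one identity is exempt and it names one instance
    ("<role-id>:i-..."), not a role-wide pattern such as "<role-id>:*"."""
    exempt = exempt_identities(policy)
    return (len(exempt) == 1 and "*" not in exempt[0]
            and exempt[0].partition(":")[2].startswith("i-"))

# Constructed placeholders, not real identifiers.
BUCKET, ROLE_ID = "example-ddve-bucket", "AROAEXAMPLEROLEID"
GOOD = single_instance_bucket_policy(BUCKET, ROLE_ID, "i-0123456789abcdef0")
# Role-wide exemption: every instance that carries the role gets through.
ROLE_WIDE = {"Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": f"arn:aws:s3:::{BUCKET}/*",
    "Condition": {"StringNotLike": {"aws:userid": f"{ROLE_ID}:*"}}}]}
```

Because the statement is an explicit Deny, it also blocks other IAM users and roles in the account, so validate it against the identities that must still manage the bucket before applying it.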

Public access for S3 object storage

Because all operations are in the AWS network, block public access or access from outside the AWS network for the S3 bucket or container configured in the DDVE on AWS.

Set appropriate security group or firewall rules to ensure that none of the DDVE management or control ports are exposed outside of the AWS network.

AWS S3 Object Lock

AWS supports S3 object-level immutability, also known as S3 Object Lock. Do not confuse S3 Object Lock with the Retention Lock Compliance immutability supported by DDVE on AWS. DDVE on AWS does not use the S3 Object Lock capability for the Retention Lock Compliance immutability feature.

Using object locking makes sense for nondeduplication cloud objects, where the backup images are directly stored on the AWS S3 buckets or containers, without any kind of deduplication, that is, no object is shared among multiple backup files and images. Also, there is a one-to-one mapping between each object and backup file, and the retention duration is also specific for each object.

For deduplication objects in S3, this scenario is more complex. Numerous different backup files can share segments inside each deduplicated object, each having their own retention duration and policy requirements. It is not practical to lock objects for a long duration as it incurs additional cloud costs.

Any solution that uses the native S3 object locking feature incurs a drastic reduction or trade-off in the deduplication factor. Therefore, you incur more cost for cloud capacity.

Do not enable native S3 object locking on the buckets that are attached to DDVE instances as undesirable and unsupported behavior occurs.

Dell Support

The Retention Lock Compliance feature, functionality, and implementation are the same in terms of file system controls for all the variants, that is, PowerProtect DD, on-premises PowerProtect DDVE, and PowerProtect DDVE on AWS. Contact Dell Support for issues and queries about Retention Lock Compliance on DDVE on AWS.

