Replicate Backup Files to AWS S3
In addition to having the backup snapshot files stored locally at /opt/logichub/backups, it is very important that you replicate the backup files to another location. If the disk of the deployment is somehow unrecoverable, having backup files in another location will enable Devo SOAR to resume your deployment in the shortest amount of time.
There are two ways to do it. You can configure the system to upload the backup files (encrypted) to an AWS S3 bucket. Or, you can run a script provided by us on another Linux machine to sync the files.
On this page, we describe how to configure S3 replication. The next page describes how to replicate the backup files to another Linux machine.
Here is the procedure for S3:
1. Set up an S3 bucket that has an object expiration policy, such as 60 days.
2. Create an IAM user that has PutObject permission to the bucket. We strongly recommend that you allow only the PutObject permission for this user.
3. Install s3cmd on the server using yum install s3cmd.
4. Run the following command to configure s3cmd.
   s3cmd --configure
   a. When prompted, provide the AWS Access Key ID and Secret Access Key of the IAM user you have created in step #2.
   b. Specify True for Use HTTPS protocol.
   c. Provide the Encryption Password. The Encryption Password is the string representation of a GPG key. s3cmd uses GPG to encrypt the files. This is required because the Devo SOAR backup process invokes s3cmd with client-side encryption.
   d. Follow the prompts to complete the rest of the configuration steps for s3cmd.
   e. As the last step of configuration, s3cmd will attempt to validate whether the AWS credentials you have provided in #4(b) are correct. It is expected to fail because the validation checks whether ListObjects works. It will not work if you follow the advice in #2 to not give the IAM user any permission other than PutObject.
5. Update /opt/logichub/InstallerSettings.conf to put this line
   S3_BUCKET="<BUCKET_NAME_IN_STEP_#1>"
6. Reinstall the same version of Devo SOAR software. After about 12 hours, you should see the first backup file replicated to the S3 bucket.
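The write-only IAM policy that step 2 recommends, together with a check that flags any policy granting more than PutObject on the bucket's objects. This is an added example, not code from Devo; the bucket name, the sample policies and the audit helper are assumptions made for illustration.

```python
import json

BUCKET = "example-soar-backups"  # constructed placeholder, not a real bucket

# Write-only policy for the backup IAM user (step 2).
PUT_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

# Constructed counter-example: broader than step 2 recommends.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:Get*", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::*"],
    }],
}


def as_list(value):
    """IAM accepts either a single value or a list in these fields."""
    return list(value) if isinstance(value, (list, tuple)) else [value]


def audit(policy, bucket):
    """Return findings for Allow statements that exceed PutObject on bucket objects."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource allows everything not listed")
            continue
        for action in as_list(stmt.get("Action", [])):
            if action.lower() != "s3:putobject":  # action names are case-insensitive
                findings.append(f"statement {i}: extra action {action}")
        for res in as_list(stmt.get("Resource", [])):
            if not res.startswith(f"arn:aws:s3:::{bucket}/"):
                findings.append(f"statement {i}: resource outside bucket objects: {res}")
    return findings


if __name__ == "__main__":
    print(json.dumps(PUT_ONLY_POLICY, indent=2))
    for name, pol in (("put-only", PUT_ONLY_POLICY), ("broad", BROAD_POLICY)):
        print(name, audit(pol, BUCKET) or "OK")
```

With the put-only policy attached, the ListObjects validation in step 4(e) fails as the procedure says it will.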
Store the GPG encryption key safely
Make sure that the GPG encryption key is stored securely and is accessible independent of the server that is running Devo SOAR. If the key is lost, Devo SOAR will not be able to recover the backup files.