
Replicate Backup Files to AWS S3

In addition to having the backup snapshot files stored locally at /opt/logichub/backups, it is very important that you replicate the backup files to another location. If the disk of the deployment is somehow unrecoverable, having backup files in another location will enable Devo SOAR to resume your deployment in the shortest amount of time.

There are two ways to do this. You can configure the system to upload the backup files (encrypted) to an AWS S3 bucket, or you can run a script provided by us on another Linux machine to sync the files.

This page describes how to configure S3 replication. The next page describes how to replicate the files to another Linux machine.

Here is the procedure for S3:

  1. Set up an S3 bucket that has an object expiration policy, such as 60 days.

  2. Create an IAM user that has PutObject permission to the bucket. We strongly recommend that you grant this user only the PutObject permission.

  3. Install s3cmd on the server using yum install s3cmd.

  4. Run the following command to configure s3cmd.
    s3cmd --configure
    a. When prompted, provide the AWS Access Key ID and Secret Access Key of the IAM user you created in step #2.
    b. Specify True for Use HTTPS protocol.
    c. Provide the Encryption Password. The Encryption Password is the string representation of a GPG key. s3cmd uses GPG to encrypt the files. This is required because the Devo SOAR backup process invokes s3cmd with client-side encryption.
    d. Follow the prompts to complete the rest of the configuration steps for s3cmd.
    e. As the last step of configuration, s3cmd will attempt to validate whether the AWS credentials you provided in #4(a) are correct. This validation is expected to fail because it checks whether ListObjects works, and ListObjects will not work if you follow the advice in #2 to not give the IAM user any permission other than PutObject.

  5. Update /opt/logichub/InstallerSettings.conf to add this line:
    S3_BUCKET="<BUCKET_NAME_IN_STEP_#1>"

  6. Reinstall the same version of Devo SOAR software. After about 12 hours, you should see the first backup file replicated to the S3 bucket.
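
The following script is an added example, not part of the Devo SOAR product or its documentation. It shows one way to produce the 60-day expiration rule from step 1 and the PutObject-only IAM policy from step 2, and to apply them with the AWS CLI. The bucket name, IAM user name, policy name and rule ID are placeholders, and the script assumes the AWS CLI is run with administrator credentials from a machine other than the Devo SOAR server.

```shell
#!/bin/sh
# Added example. BUCKET and IAM_USER values are placeholders, not product defaults.
set -eu
BUCKET="${BUCKET:-example-soar-backups}"      # bucket from step 1 (placeholder)
IAM_USER="${IAM_USER:-soar-backup-uploader}"  # IAM user from step 2 (placeholder)

# Step 2: identity policy that allows s3:PutObject on the bucket's objects only.
put_only_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "BackupUploadOnly",
    "Effect": "Allow",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::$1/*"
  }]
}
EOF
}

# Step 1: lifecycle configuration that expires every object after $1 days.
lifecycle_config() {
  cat <<EOF
{
  "Rules": [{
    "ID": "expire-backups",
    "Status": "Enabled",
    "Filter": {"Prefix": ""},
    "Expiration": {"Days": $1}
  }]
}
EOF
}

# Apply both documents with administrator credentials (not the upload user's).
apply() {
  tmp="$(mktemp -d)"
  put_only_policy "$BUCKET" > "$tmp/policy.json"
  lifecycle_config 60 > "$tmp/lifecycle.json"
  aws s3api put-bucket-lifecycle-configuration --bucket "$BUCKET" \
    --lifecycle-configuration "file://$tmp/lifecycle.json"
  aws iam put-user-policy --user-name "$IAM_USER" \
    --policy-name soar-backup-put-only --policy-document "file://$tmp/policy.json"
  rm -rf "$tmp"
}

# Makes AWS calls only when invoked with the argument "apply".
if [ "${1:-}" = "apply" ]; then apply; fi
```

Because the policy contains no s3:ListBucket or s3:GetObject statement, the credentials stored on the Devo SOAR server can upload backups but cannot list or download them, which is also why the s3cmd validation in step 4(e) fails.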

Store the GPG encryption key safely

Make sure that the GPG encryption key is stored securely and is accessible independent of the server that is running Devo SOAR. If the key is lost, Devo SOAR will not be able to recover the backup files.