Customizing the Amazon S3 Bucket for Amazon EC2 Restores

For Amazon EC2 restores of guest files, replication, and conversion, the Commvault software automatically creates an Amazon S3 bucket for the destination. You can customize the name and the server-side encryption of this S3 bucket.

Note

The S3 bucket is created only once, is reused for subsequent operations, and is not cleaned up or removed.

Customizing the Name of the S3 Bucket

By default, the name of the bucket is gx-restore-account_id, where account_id is the AWS account that the Amazon EC2 hypervisor represents. For example, the bucket might be named gx-restore-us-east-1-45367689749. To use a different bucket name, add the AWSBucketForNetworkRestore entity setting on the access node that performs the restore.

The custom bucket must have the Object ACL enabled.

Customizing the Server-Side Encryption for the S3 Bucket

By default, AWS enables server-side encryption on the bucket using Amazon S3 managed keys. The encryption methods that you can use for the Commvault-created gx-restore bucket are as follows:

  • Amazon S3 managed encryption keys (SSE-S3): This is the default encryption mode. No configuration settings are required to encrypt S3 objects with the S3 managed key (aws/s3).

  • KMS keys stored in AWS KMS (SSE-KMS): To use SSE-KMS, on the access nodes that are used for EC2 backups and restores, add the AWSS3ServerSideEncryptionMethod entity setting with a value of "aws:kms" and the AWSS3ServerSideEncryptionKMSKeyId entity setting with a value of the KMS key ID.

Commvault supports server-side encryption with customer-provided keys (SSE-C) and dual-layer server-side encryption with AWS KMS keys (DSSE-KMS).

Recommendation

When using AWS KMS keys to encrypt objects in the gx-restore bucket, enable Amazon S3 Bucket Keys. For more information, see Reducing the cost of SSE-KMS with Amazon S3 Bucket Keys in the AWS documentation.

For restores that use the access nodes of a service account, share the KMS key with the member (destination) account.
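The following is an added example, not Commvault's or AWS's code, that checks whether a gx-restore bucket's actual settings match what this page requires: a default encryption rule of SSE-S3 or SSE-KMS, the KMS key matching the AWSS3ServerSideEncryptionKMSKeyId value, S3 Bucket Keys enabled for SSE-KMS, and object ACLs still usable (Object Ownership not set to BucketOwnerEnforced). The sample API responses are constructed to mirror the shape of boto3's get_bucket_encryption and get_bucket_ownership_controls output.

```python
"""Added example (not Commvault's or AWS code): flag gx-restore bucket settings
that contradict this page. Sample responses are constructed to mirror boto3's
get_bucket_encryption and get_bucket_ownership_controls output."""


def _key_id(key):
    """Reduce a KMS key ARN or bare key ID to its trailing ID segment."""
    return (key or "").rsplit("/", 1)[-1]


def check_restore_bucket(encryption, ownership, expected_kms_key_id=None):
    """Return findings (empty list = compliant). expected_kms_key_id is the
    AWSS3ServerSideEncryptionKMSKeyId value on the access node, or None for SSE-S3."""
    findings = []
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return ["no default encryption rule on the bucket"]
    rule = rules[0]
    default = rule.get("ApplyServerSideEncryptionByDefault", {})
    algo = default.get("SSEAlgorithm")
    if algo == "AES256":  # SSE-S3 with the aws/s3 managed key
        if expected_kms_key_id:
            findings.append("bucket default is SSE-S3 but access node is set to aws:kms")
    elif algo == "aws:kms":  # SSE-KMS
        bucket_key = default.get("KMSMasterKeyID")
        if expected_kms_key_id and _key_id(bucket_key) != _key_id(expected_kms_key_id):
            findings.append(f"bucket KMS key {bucket_key!r} is not the configured key")
        if not rule.get("BucketKeyEnabled", False):
            findings.append("S3 Bucket Keys disabled: each object access costs a KMS call")
    else:
        findings.append(f"SSEAlgorithm {algo!r} is not SSE-S3 or SSE-KMS")
    # Commvault needs object ACLs; BucketOwnerEnforced ownership disables all ACLs.
    for own in ownership.get("OwnershipControls", {}).get("Rules", []):
        if own.get("ObjectOwnership") == "BucketOwnerEnforced":
            findings.append("ObjectOwnership is BucketOwnerEnforced: object ACLs are off")
    return findings


# Constructed sample: right KMS key, but Bucket Keys off and ACLs disabled.
SAMPLE_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
SAMPLE_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": SAMPLE_KEY},
    "BucketKeyEnabled": False}]}}
SAMPLE_OWNERSHIP = {"OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}}

if __name__ == "__main__":
    for finding in check_restore_bucket(SAMPLE_ENCRYPTION, SAMPLE_OWNERSHIP, "EXAMPLE-KEY-ID"):
        print("FINDING:", finding)
```

To check a real bucket, pass the dicts returned by boto3's get_bucket_encryption and get_bucket_ownership_controls calls (the latter raises when no ownership controls are set, in which case pass an empty dict, since ACLs remain usable).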
