Working with the AWS Cloud Utility

You can work with the AWS Cloud Utility in various ways. This section contains usage examples for the AWS Cloud Utility; the scenarios covered here are not the only ways of working with the Cloud Utility.

The following scenarios are explained in this section:

  1. Encrypting and storing the backed up files on the AWS S3 bucket.
  2. Setting metrics-based alarms using the AWS Management Console.

1 - Storing Backup Files on the AWS S3 Bucket

If you want to store backed-up files on the AWS S3 bucket, you can use the Cloud Utility feature. You can transfer these files from the Protegrity appliance to the AWS S3 bucket.

The following tasks are explained in this section:

  1. Encrypting the backed up .tgz files using the AWS Key Management Services (KMS).
  2. Storing the encrypted files in the AWS S3 bucket.
  3. Retrieving the encrypted files stored in the S3 bucket.
  4. Decrypting the retrieved files using the AWS KMS.
  5. Importing the decrypted files on the Protegrity appliance.

About the AWS S3 bucket and usage

The AWS S3 bucket is a cloud resource that helps you to securely store your data. It enables you to keep the data backup at multiple locations, such as on-premises and in the cloud. For easy accessibility, you can back up and store the data of one machine and import the same data to another machine using the AWS S3 bucket. It also provides an additional layer of security by helping you encrypt the data before uploading it to the cloud.

Using the OS Console option in the CLI Manager, you can store your backed-up files in the AWS S3 bucket. You can encrypt your files using the AWS Key Management Service (KMS) before storing them in the AWS S3 bucket.

The following figures show the flow for storing your data on the AWS S3 bucket and retrieving it again.

Figure: Encrypting and storing files on the AWS S3 bucket

Figure: Retrieving and decrypting files from the AWS S3 bucket

Prerequisites

Ensure that you complete the following prerequisites for uploading the backed up files to the S3 bucket:

Encrypting and Storing Files

To encrypt and upload the exported file from /products/exports to the S3 bucket:

  1. Log in to the Appliance CLI manager.

  2. To encrypt and upload files, navigate to Administration > OS Console.

  3. Enter the root credentials.

  4. Change the directory to /products/exports using the following command.

    cd /products/exports
    
  5. Encrypt the required file using the aws-encryption-cli command.

    aws-encryption-cli --encrypt --input <file_to_encrypt> --master-keys key=<Key_ID> region=<region-name> --output <encrypted_output_filename> --metadata-output <metadata_filename> --encryption-context purpose=<purpose_for_performing_encryption>
    
    Parameter                          Description
    file_to_encrypt                    The backed-up file that needs to be encrypted before uploading to the S3 bucket.
    Key_ID                             The key ID of the KMS key that needs to be used for encrypting the file.
    region-name                        The region where the KMS key is stored.
    encrypted_output_filename          The name of the file after encryption.
    metadata_filename                  The name of the file where the metadata needs to be stored.
    purpose_for_performing_encryption  The purpose of encrypting the file.

    For more information about encrypting data using the KMS, refer to the following link.

    https://docs.aws.amazon.com/cli/latest/reference/kms/encrypt.html

    The file is encrypted.

  6. Upload the encrypted file to the S3 bucket using the following command.

    aws s3 cp <encrypted_output_filename> <s3Uri>
    

    The file is uploaded in the S3 bucket.

    For example, if you have an encrypted file test.enc and you want to upload it to your own S3 bucket, mybucket, use the following command:

    aws s3 cp test.enc s3://mybucket/test.enc
    

    For more information about the S3 bucket, refer to the following link:

    https://docs.aws.amazon.com/cli/latest/reference/s3/

Decrypting and Importing Files

To decrypt and import the files from the S3 bucket:

  1. Log in to the Appliance CLI manager.

  2. To decrypt and import the file, navigate to Administration > OS Console.

  3. Enter the root credentials.

  4. Change the directory to /products/exports using the following command:

    cd /products/exports
    
  5. Download the encrypted file using the following command:

    aws s3 cp <s3Uri> <local_file_name(path)>
    

    For example, if you want to download the file test.txt to your local machine as test2.txt, then use the following command:

    aws s3 cp s3://mybucket/test.txt test2.txt
    
  6. Decrypt the downloaded file using the following command:

    aws-encryption-cli --decrypt --input <file_to_decrypt> --output <decrypted_file_name> --metadata-output <metadata_filename>
    
    Parameter            Description
    file_to_decrypt      The backed-up file that needs to be decrypted after downloading from the S3 bucket.
    decrypted_file_name  The name with which the file is saved after decryption.
    metadata_filename    The name of the file where the metadata needs to be stored.

    Ensure that the metadata_filename is the same filename that was used during encryption of the file.

    The file is decrypted.

    For more information about decrypting the downloaded file, refer to the following link.

    https://aws.amazon.com/blogs/security/how-to-encrypt-and-decrypt-your-data-with-the-aws-encryption-cli/

  7. Import the decrypted file to the local machine.

    For more information about importing the decrypted file, refer to Import Data/Configurations from a File.
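The two procedures above, encrypt-and-upload and download-and-decrypt, as one added example that is not part of the Protegrity documentation: it wraps the page's aws-encryption-cli and aws s3 commands (keeping the page's --master-keys syntax) with an S3 URI check, the same purpose= encryption context supplied again on decrypt so the CLI rejects a message that was not encrypted under it, and a SHA-256 comparison of the restored file against the hash recorded before encryption. KMS_KEY_ID, AWS_REGION, S3_BUCKET and BACKUP_PURPOSE are assumed placeholders.

```shell
#!/bin/sh
# Added example, not Protegrity's own tooling: wraps the encrypt/upload and
# download/decrypt steps with input checks, an encryption context that is
# verified again on decrypt, and a SHA-256 comparison of the restored file.
# KMS_KEY_ID, AWS_REGION, S3_BUCKET and BACKUP_PURPOSE are assumed placeholders.
set -eu
KMS_KEY_ID="${KMS_KEY_ID:-<Key_ID>}"
AWS_REGION="${AWS_REGION:-<region-name>}"
S3_BUCKET="${S3_BUCKET:-mybucket}"
BACKUP_PURPOSE="${BACKUP_PURPOSE:-appliance-backup}"

# Accept only s3://bucket/key so a mistyped target cannot become a local path.
s3_uri_ok() {
    case "$1" in s3://*/?*) return 0 ;; *) return 1 ;; esac
}

# SHA-256 of a file; written before encryption and checked after decryption.
checksum_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Encrypt one exported .tgz with the KMS key, then upload it and its checksum.
encrypt_and_upload() {
    src="$1"; enc="$src.enc"; meta="$src.meta.json"
    [ -f "$src" ] || { echo "missing input: $src" >&2; return 1; }
    checksum_of "$src" > "$src.sha256"
    aws-encryption-cli --encrypt --input "$src" --output "$enc" \
        --master-keys "key=$KMS_KEY_ID" "region=$AWS_REGION" \
        --metadata-output "$meta" \
        --encryption-context "purpose=$BACKUP_PURPOSE"
    for f in "$enc" "$src.sha256"; do
        uri="s3://$S3_BUCKET/$(basename "$f")"
        s3_uri_ok "$uri" || return 1
        aws s3 cp "$f" "$uri"
    done
}

# Fetch the ciphertext and checksum, decrypt requiring the same context,
# and refuse the result if its hash differs from the one recorded at backup.
download_and_decrypt() {
    enc="$1"; plain="${enc%.enc}"; uri="s3://$S3_BUCKET/$enc"
    s3_uri_ok "$uri" || { echo "bad S3 URI: $uri" >&2; return 1; }
    aws s3 cp "$uri" "$enc"
    aws s3 cp "s3://$S3_BUCKET/$plain.sha256" "$plain.sha256"
    aws-encryption-cli --decrypt --input "$enc" --output "$plain" \
        --metadata-output "$plain.meta.json" \
        --encryption-context "purpose=$BACKUP_PURPOSE"
    [ "$(checksum_of "$plain")" = "$(cat "$plain.sha256")" ] ||
        { echo "checksum mismatch for $plain" >&2; return 1; }
}
```

Run it from /products/exports, for example `encrypt_and_upload backup.tgz` on the source appliance and `download_and_decrypt backup.tgz.enc` on the target, before the Import Data/Configurations from a File step.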

2 - Set Metrics Based Alarms Using the AWS Management Console

If you want to set alarms and alerts for your Protegrity appliances, you can send their logs and metrics to the AWS Console. The AWS Management Console enables you to set alerts and configure SNS events as per your requirements.

You can create alerts based on the following metrics:

  • Memory Use Percent
  • Disk I/O
  • Network
  • Disk Used Percent
  • CPU Idle
  • Swap Memory Use Percent

Prerequisite

Ensure that the CloudWatch integration is enabled.

For more information about enabling the CloudWatch integration, refer to Enabling AWS CloudWatch Integration.

Creating an SNS Event

The following steps explain how to create an SNS event for an email-based notification.

To create an SNS event:

  1. Log in to the Amazon Management Console.

  2. To create an SNS event, navigate to Services > Application Integration > Simple Notification Service > Topics.

  3. Select Create topic.

  4. Enter the required Details.

  5. Click Create topic.

    Figure: AWS SNS ARN

    Ensure that you remember the Amazon Resource Name (ARN) associated to your topic.

    For more information about the ARN, refer to the following link.

    https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html

    The topic is created.

  6. From the left pane, click Subscriptions.

  7. Click Create subscription.

  8. Enter the Topic ARN of the topic created in the above step.

  9. From the Protocol field, select Email.

  10. In the Endpoint field, enter the email address where you want to receive the alerts.

    Figure: AWS Subscription

  11. Enter the optional details.

  12. Click Create subscription.

    An SNS event is created and a confirmation email is sent to the subscribed email address.

  13. To confirm the email subscription, click the Confirm Subscription link from the email received on the registered email address.

Creating Alarms

The following steps explain the procedure to set an alarm for CPU usage.

To create an alarm:

  1. Log in to the Amazon Management Console.

  2. To create an alarm, navigate to Services > Management & Governance > CloudWatch.

  3. From the left pane, select Alarms > In alarm.

  4. Select Create alarm.

  5. Click Select metric.

    The Select metric window appears.

  6. From the Custom Namespaces, select CWAgent.

  7. Select cpu, host.

  8. Select the required metric and click Select metric.

  9. Configure the required metrics.

    Figure: SNS Metric

  10. Configure the required conditions.

    Figure: SNS Condition

  11. Click Next.

    The Notification screen appears.

  12. Select the alarm state.

  13. From Select SNS topic, choose Select an existing SNS topic.

  14. Enter the required email type in the Send a notification to… dialog box.

  15. Select Next.

  16. Enter the Name and Description.

  17. Select Next.

  18. Preview the configuration details and click Create alarm.

    An alarm is created.
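The SNS topic, email subscription and CPU alarm configured in the console steps above, as an added AWS CLI example that is not part of the Protegrity documentation. It alarms on the CWAgent cpu_usage_idle metric (the CPU Idle metric listed above) with the cpu and host dimensions; the topic name, email address and host name used in the usage comment are assumed values.

```shell
#!/bin/sh
# Added example, not part of the Protegrity documentation: the AWS CLI
# equivalent of the SNS topic, email subscription and CPU alarm created in
# the console steps above. The topic name, email and host name are assumed.
set -eu

# Reject thresholds outside 0-100 before they reach CloudWatch.
percent_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) [ "$1" -ge 0 ] && [ "$1" -le 100 ] ;;
    esac
}

# Create the topic and email subscription; prints the topic ARN. The address
# must still confirm via the email it receives, as in step 13 above.
create_email_topic() {
    arn=$(aws sns create-topic --name "$1" --query TopicArn --output text)
    aws sns subscribe --topic-arn "$arn" --protocol email \
        --notification-endpoint "$2" > /dev/null
    echo "$arn"
}

# Alarm when CWAgent's cpu_usage_idle (the "CPU Idle" metric) averages below
# the threshold for three 5-minute periods. Missing data is treated as
# breaching so a host that stops reporting also raises the alarm.
create_cpu_idle_alarm() {
    host="$1"; idle_pct="$2"; topic_arn="$3"
    percent_ok "$idle_pct" || { echo "threshold must be 0-100" >&2; return 1; }
    aws cloudwatch put-metric-alarm \
        --alarm-name "$host-cpu-idle-low" \
        --alarm-description "CPU idle below ${idle_pct}% on $host" \
        --namespace CWAgent --metric-name cpu_usage_idle \
        --dimensions "Name=host,Value=$host" "Name=cpu,Value=cpu-total" \
        --statistic Average --period 300 --evaluation-periods 3 \
        --threshold "$idle_pct" --comparison-operator LessThanThreshold \
        --treat-missing-data breaching \
        --alarm-actions "$topic_arn" --ok-actions "$topic_arn"
}

# Usage (assumed values): topic=$(create_email_topic appliance-alerts ops@example.com)
#                         create_cpu_idle_alarm protegrity-appliance-01 10 "$topic"
```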