How to move an object from Amazon S3 to Glacier with Vault Lock enabled?


Question



I'm looking for a solution for moving Amazon S3 objects to Glacier with Vault Lock enabled (like described here: https://aws.amazon.com/blogs/aws/glacier-vault-lock/). I'd like to use Amazon's built-in tools for that (lifecycle management or some other) if possible.

I cannot find any instructions or options to do that. S3 seems to only allow moving objects to the Glacier storage class. But that does not provide data integrity nor defend against data loss.

I know I could do it with a program. It would download the S3 object and move it to Glacier through their respective REST APIs. This approach seems too complicated for this simple task.

Answer

Picture it this way:

  • Glacier is a service of AWS.

  • S3 is a service of AWS.

  • But S3 is also a customer of the Glacier service.

When you migrate an object in S3 to the Glacier storage class, S3 stores the object in Glacier... using an AWS account that is owned by S3.

Those objects in S3 that use the GLACIER storage class aren't in "your" Glacier vaults, they're in vaults owned by S3.

This is consistent with the externally-observable evidence:

  • You can't see these S3 objects in vaults from the Glacier console.

  • You don't have to give S3 any IAM permissions to access Glacier (by contrast, you do have to give S3 permission to publish event notifications to SQS, SNS, or Lambda).

  • Glacier doesn't bill you for Glacier storage class objects -- S3 does.

In that light, what you are trying to accomplish is completely different. You want to store some archives in your Glacier vault, with your policy, and that content currently just "happens to be" stored in S3 at the moment.

Downloading from S3 and then uploading to Glacier is the solution.

But that does not provide data integrity nor defend against data loss.

The integrity of the payload can be assured when uploading to Glacier because the tree hash algorithm effectively prevents corrupt uploads.

When downloading from S3, unless the object is stored with SSE-C, the ETag is the MD5 hash of the stored object if a single-part upload was used, or the hex-encoded MD5 hash of the concatenated binary-encoded MD5 hashes of the parts, followed by - and the number of parts. Ideally, when uploading to S3, you'd store a better hash (e.g. sha256) in the object metadata, e.g. x-amz-meta-content-sha256.

Defense against data loss -- yes, Glacier does offer more functionality here, but S3 is not entirely without capability: bucket policies with a matching DENY action will always override any conflicting ALLOW action, whether it is in the bucket policy or any other IAM policy (e.g. role, user).
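The two integrity checks the answer describes, written out as an added example (this is not code from the answer or from any AWS SDK): recomputing the S3 ETag for single-part and multipart uploads, checking a downloaded object against a stored x-amz-meta-content-sha256 value, and computing the SHA-256 tree hash that Glacier validates on upload. The part size for the multipart case and the sample payload are assumptions constructed here.

```python
import hashlib
from typing import Optional

MIB = 1024 * 1024  # Glacier tree-hash leaf size


def s3_etag(data: bytes, part_size: Optional[int] = None) -> str:
    """ETag S3 reports for an object stored without SSE-C.

    part_size=None models a single PUT: plain hex MD5 of the object.
    Otherwise it models a multipart upload: hex MD5 of the concatenated raw
    MD5 digests of the parts, then '-' and the part count. The part size is
    the uploader's choice; S3 does not record it in the ETag.
    """
    if part_size is None:
        return hashlib.md5(data).hexdigest()
    parts = [data[i:i + part_size] for i in range(0, len(data), part_size)]
    digests = b"".join(hashlib.md5(p).digest() for p in parts)
    return f"{hashlib.md5(digests).hexdigest()}-{len(parts)}"


def glacier_tree_hash(data: bytes) -> str:
    """SHA-256 tree hash Glacier checks on upload (x-amz-sha256-tree-hash):
    hash each 1 MiB chunk, then pair adjacent hashes level by level; an odd
    hash at the end of a level is carried up unchanged."""
    level = [hashlib.sha256(data[i:i + MIB]).digest() for i in range(0, len(data), MIB)]
    if not level:  # empty archive: a single empty leaf
        level = [hashlib.sha256(b"").digest()]
    while len(level) > 1:
        level = [hashlib.sha256(level[i] + level[i + 1]).digest() if i + 1 < len(level) else level[i]
                 for i in range(0, len(level), 2)]
    return level[0].hex()


def etag_matches(data: bytes, etag_header: str, part_size: Optional[int] = None) -> bool:
    """Verify a downloaded object against its ETag header (quotes stripped).
    A '-N' suffix means multipart; the original part size must be supplied."""
    etag = etag_header.strip('"')
    if "-" in etag:
        return part_size is not None and s3_etag(data, part_size) == etag
    return s3_etag(data) == etag


def metadata_sha256_matches(data: bytes, metadata: dict) -> bool:
    """Preferred check: compare against the sha256 the uploader stored as
    x-amz-meta-content-sha256 (SDKs return user metadata without the x-amz-meta- prefix)."""
    stored = metadata.get("content-sha256")
    return stored is not None and hashlib.sha256(data).hexdigest() == stored.lower()


if __name__ == "__main__":
    payload = bytes(range(256)) * (10 * 1024)  # constructed 2.5 MiB sample, 1 MiB parts assumed
    etag = s3_etag(payload, MIB)
    print("ETag:", etag, "verified:", etag_matches(payload, f'"{etag}"', MIB))
    print("Glacier tree hash:", glacier_tree_hash(payload))
```

The multipart branch shows why the answer prefers a stored sha256: without knowing the uploader's part size the ETag cannot be recomputed at all.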
