Object Storage - Features

Structure

Object Store

An Object Store is a logically delimited container for Buckets and Objects stored in cegedim.cloud Object Storage Service.

It comes with a dedicated Object User which is the only one authorized to view and manage objects within this Object Store. You can, create other Object Users.

When creating an Object Store, you have to choose:

A simple name
A data center
- EB4 --> data will only be located in EB4 - Boulogne data center
- ET1 --> data will only be located in ET1 - Toulouse data center
- EB4-ET1 --> Data is replicated over EB4 and ET1 and is accessible from both data centers

You are not limited and can create as many Object Stores as you need.

Nevertheless, it can be better to use Bucket separation for objects within a same application, or different applications.

We recommend to use Object Store at the Project or "Group of projects" level, and Bucket at the "File typology" level.

For more information about Object Store creation, read Object Storage - Get started.

Buckets

A Bucket is a logically delimited container for objects. Each object in the cegedim.cloud Object Storage Service is located in a Bucket.

A Bucket can be created using a S3 client, and has some attributes you can use to control behavior of the Bucket and its objects, for example:

VersioningPolicy which allows you to configure how many versions of files has to be kept by cegedim.cloud Object Storage Service
BucketPolicy which allows you to configure permissions and restrictions for objects in bucket

Objects

An object is what we call a file on classic file system. Each object belongs to a Bucket and has a key as unique identifier.

Note that folders does not exist in cegedim.cloud Object Storage Service, but you can use prefixes and delimiters to organize the data that you store in Buckets.

A prefix is a string of characters at the beginning of the object key name. A delimiter is a character, usually, the slash '/', used to separate each level of objects and simulate file system like structure.

For example, if you store information about customers, organized by years and month:

customer1/2020/03
customer1/2020/04
customer1/2021/05
customer2/2020/03
customer2/2021/02

In this exemple '/' is the delimiter, and 'customer1/2020/' can be a prefix.

Diagram

S3 API Compatibility

Check the following page S3 API compatibility for the list of supported, unsupported S3 APIs and the special behaviors of the object storage solution of cegedim.cloud.

Endpoints

cegedim.cloud object storage solution provides two access endpoints:

https://storage-eb4.cegedim.cloud
- Allow you to use Object Storage Service from the EB4 - Boulogne data center.
https://storage-et1.cegedim.cloud
- Allow you to use Object Storage Service from the ET1 - Toulouse data center.

Geo-Replicated

For Geo-replicated Object Stores between EB4-ET1. Both endpoints allow you to access to your objects.

If you upload an object using the EB4 endpoint, EB4 will become the 'owner' of the object, and vice versa for ET1.

Authentification

Object User

Access to Buckets is done using an Object User.

When an Object Store is created, an Object User known as "Initial S3 user" is automatically created. Each Object User has an access_Key and a secret_Key. Both are randomly generated by cegedim.cloud Object Storage Service.

You can have more than one Object User by Object Store. An Object User is linked to only one Object Store, and can't be used to perform operation on another Object Store.

For more information about Object Users, refer to Manage Object Users.

Secret Key Renewal

At any time, you have the possibility to re-generate the secret key of an Object user, for security reason or when the Object User is compromised.

When changing the secret key, you can add a "grace period", during which, both old and new secret keys are valid and accepted by cegedim.cloud Object Storage Service.

Authorizations

Authorizations are managed at the Bucket level, using Bucket Policies.

Bucket Policies allow you to have fine management of permission to apply on objects and Object Users, based or not on conditional statements, like the access_key of the Object User or the Source Address IP

When creating a Bucket, there is no Bucket Policy by default and the bucket is not public.

That mean only the Object User who created the bucket can access to it.

For more information about Bucket Policy, refer to Bucket Policies.

Secured Transport

cegedim.cloud Object Storage Service is only available through the protocol HTTPS on port 443.

Log Management

S3 Bucket logging is not supported by cegedim.cloud Object Storage Service.

Any request or operation on the cegedim.cloud Object Storage Service are logged by cegedim.cloud internally.

Logs include operations on Object Store, Object User and also operations done at buckets and objects level (GET, PUT, DELETE,...)

If you need logs extraction on your Object Storage resources, Please contact cegedim.cloud support teams.

Features

Presigned URL

cegedim.cloud Object Storage Service supports the setting sharing objects using presigned URLs. You can share objects with other by creating presigned URL.

When you create a presigned URL, you must provide:

Your security credentials
A bucket name and an object key
An HTTP method (PUT for uploading objects)
An expiration time

The presigned URLs are valid only for the specified duration.

For more information about Presigned URL, refer to Presigned URL.

Bucket Policy Support

cegedim.cloud Object Storage Service supports the setting of S3 bucket policies.

Bucket policies provides specific users, or all users, conditional and granular permissions for specific actions.

Policy conditions can be used to assign permissions for a range of objects that match the condition and can be used to automatically assign permissions to newly uploaded objects.

Bucket policy example:

{
    "Version": "2012-10-17",
    "Id": "policyExample",
    "Statement":[
        {
            "Sid":"Granting PutObject permission to user24",
            "Effect":"Allow",
            "Principal": "user24 ",
            "Action":["s3:PutObject"],
            "Resource":["mybucket/*"],
            "Condition": {
                "StringEquals": {"s3:x-amz-server-side-encryption": [ "AES256"]
            }
        }
    ]For more information about Bucket Policies, refer to the How To
}

For more information about Bucket Policies, refer to Bucket Policies.

Object lifecycle management

cegedim.cloud Object Storage Service support S3 Lifecycle Configuration on both version-enabled buckets and non-version-enabled buckets.

An S3 Lifecycle Configuration is a set of rules that define actions applies to a group of objects. Only Expiration actions are supported.

You can define a S3 Lifecycle Configuration to automatically delete objects.

Lifecycle configuration example:

{
    "Rules": [
        {
            "Expiration": {
                "Days": 30
            },
            "ID": "lifecycle-expire-non-current-and-mpu",
            "Prefix": "",
            "Status": "Enabled",
            "NoncurrentVersionExpiration": {
                "NoncurrentDays": 1
            },
            "AbortIncompleteMultipartUpload": {
                "DaysAfterInitiation": 1
            }
        }
    ]
}

For more information about Lifecycle Configuration, refer to Bucket Lifecycle.

S3 Object Lock

cegedim.cloud Object Storage Service supports Object Lock configuration.

Object Lock prevents object version deletion during a user-defined retention period. Immutable S3 objects are protected using object- or bucket-level configuration of WORM and retention attributes.

The retention policy is defined using the S3 API or bucket-level defaults.

Objects are locked for the duration of the retention period, and legal hold scenarios are also supported.

There are two lock types for Object lock:

Retention period: Specifies a fixed period of time during which an object version remains locked. During this period, your object version is WORM-protected and can't be overwritten or deleted.
Legal hold: Provides the same protection as a retention period, but it has no expiration date. Instead, a legal hold remains in place until you explicitly remove it. Legal holds are independent from retention periods.

There are two modes for the retention period:

Governance mode

Users can't overwrite or delete an object version or alter its lock settings unless they have special permissions.

With Governance mode, you protect objects against being deleted by most users, but you can still grant some users permission to alter the retention settings or delete the object if necessary.

You can also use Governance mode to test retention-period settings before creating a compliance-mode retention period.

Users cannot overwrite or delete an object version.
Users with s3:PutObjectRetention permission can increase an object retention period.
Users with special s3:BypassGovernanceRetention permission can remove or shorten an object retention.
Users with s3:BypassGovernanceRetention permission can also delete locked objects.

Compliance mode

A protected object version can't be overwritten or deleted by any user, including the root user in your account.

When an object is locked in compliance mode, its retention mode can't be changed, and its retention period can't be shortened.

Compliance mode helps ensure that an object version can't be overwritten or deleted for the duration of the retention period.

Users cannot overwrite or delete an object version.
Users with s3:PutObjectRetention permission can increase an object retention period.
User cannot remove or shorten an object retention.

In Compliance mode, if you applied a wrong retention period (e.g 6 years instead of 6 days) cegedim.cloud have no possibility to delete or shorten the retention period.

A good practice is to start with Governance mode to perform tests, and then switch to Compliance mode.

For more information about Object Lock, refer to Object Lock.

PreviousObject Storage NextS3 API compatibility

Last updated 9 months ago