Amazon S3 Compliant Object Store
Document stores of type Amazon S3 Compliant Object Store are used to connect to object storage services that provide an Amazon S3-compliant API. Service providers include the Amazon S3 service itself, as well as S3-compliant third-party providers such as EMC ECS.
For this functionality to be available, the feature Amazon S3 Compliant Storage Integration must be selected in the System Options Features page.
To configure the store, you need to provide several details.
- On the Administration menu, click Document Stores from the displayed list.
The Document Stores window appears.
- Right-click and on the New Document Store menu, click Amazon S3 Compliant Object Store.
The New Document Store dialogue box appears.
- Fill in the fields on the Amazon S3 tab:
- Name - the name of the document store
- Implement SEC Rule 17a-4 Compliance rules - see About SEC Rule 17a-4 Compliance rules
NOTE: If you are planning on implementing an SEC Compliant store, you should implement the S3 Object Lock feature. This also applies vice versa – if you implement S3 Object Locking on the S3 bucket then it will not work correctly if you do not enable this option. There are some extra configuration options that are needed when using Content Manager with S3 object locking:
- The account that connects to S3 will need the additional permissions PutObjectRetention and DeleteObjectVersion. See S3 Permissions for additional details.
- Don’t set default retention mode and date at bucket level.
- The Content Manager Document Store Event Handler Event Processor must be enabled.
- Notify store when holds are added and removed from a record - select this option to notify the Amazon server when records stored in this store are added to or removed from a record hold, so that they can be updated accordingly on the Amazon server. If this option is not enabled, records can be added to or removed from holds in Content Manager but the Amazon server will not be updated.
NOTE: Once this option has been enabled and records within the store have been added to a hold, even if they have been removed, the option cannot be unselected.
- Amazon S3 Storage URL - the storage URL as specified by the storage provider. For Amazon-based stores, this would be https://s3.amazonaws.com.
- Amazon S3 Bucket Name - the name of the bucket where Content Manager documents will be stored. This bucket must already have been created by the administrator.
- Amazon S3 Virtual Directory - optional value - this allows you to specify a sub-directory within the S3 bucket, where Content Manager documents will be stored. The sub-directory is implemented as a path prefix within the bucket.
NOTE: With SEC compliance enabled, Content Manager will apply retention with COMPLIANCE mode.
Once you define the store as SEC Compliant, it cannot be changed.
NOTE: If this folder does not exist within the Amazon S3 Bucket, it will be automatically created.
- Apply the required Authentication details on the Authentication tab:
- Use AWS Credentials - select this option if using AWS.
- Access Key - enter the Access Key, as specified by the storage provider.
- Secret Key - click Secret Key and enter the key as specified by the storage provider.
- Use Amazon Security Token Service (STS) - select this option to create and provide trusted users with temporary security credentials that can control access to your AWS resources.
- URL – enter the URL for the STS endpoint (example: https://sts.ap-southeast-1.amazonaws.com)
- Region - enter the AWS STS Region name (example: ap-southeast-1)
- RoleARN - enter the Role that delegates access to the Amazon AWS resource for the AWS IAM user.
- Use EC2 Instance Metadata Service (IMDS) - enable this option to use IMDS to retrieve metadata from the running EC2 instance in order to access the AWS S3 resource.
- IAM Role – enter the Role that delegates access to Amazon S3 from the EC2 instance.
- Select the required options on the General tab. See Document stores general settings.
- Select the Storage Pool options, see Document stores Storage Pool tab.
- Fill in the fields on the Tiered Storage tab, if required. See Tiered storage.
- Fill in the fields on the Usage tab - optional. See also Configuring the usage details.
- Test - click to test the store link
- Click OK.
Content Manager saves your new store and it appears in the list pane.
- In Content Manager Enterprise Studio, enable the event processor Document Store Event Handler.
This event processor guarantees that delete requests to any Content Manager document store are eventually processed, by retrying failed requests until they succeed.
NOTE: If you are creating a new electronic document store to replace an old one, remember to point your Record Types to the new store.
- On the Administration menu, click Document Stores from the displayed list.
The Document Stores window appears.
- Right-click and on the New Document Store menu, click Manage In Place (Amazon S3 Compliant).
The New Document Store dialogue box appears.
- In the Amazon S3 tab, enter details as required:
- Name - the name of the document store
- Implement SEC Rule 17a-4 Compliance rules - see About SEC Rule 17a-4 Compliance rules
NOTE: If you are planning on implementing an SEC Compliant store, you should implement the S3 Object Lock feature. This also applies vice versa – if you implement S3 Object Locking on the S3 bucket then it will not work correctly if you do not enable this option. There are some extra configuration options that are needed when using Content Manager with S3 object locking:
- The account that connects to S3 will need the additional permissions PutObjectRetention and DeleteObjectVersion. See S3 Permissions for additional details.
- Don’t set default retention mode and date at bucket level.
- The Content Manager Document Store Event Handler Event Processor must be enabled.
- Amazon S3 Storage URL - the storage URL as specified by the storage provider. For Amazon-based stores, this would be https://s3.amazonaws.com.
- Amazon S3 Bucket Name - the name of the bucket where Content Manager documents will be stored. This bucket must already have been created by the administrator.
- AWS region - specify the AWS region.
NOTE: With SEC compliance enabled, Content Manager will apply retention with COMPLIANCE mode.
Once you define the store as SEC Compliant, it cannot be changed.
- Apply the required Authentication details on the Authentication tab:
- Use AWS Credentials - select this option if using AWS.
- Access Key - enter the Access Key, as specified by the storage provider.
- Secret Key - click Set Secret Key and enter the key as specified by the storage provider.
- Use Amazon Security Token Service (STS) - select this option to create and provide trusted users with temporary security credentials that can control access to your AWS resources.
- URL – enter the URL for the STS endpoint (example: https://sts.ap-southeast-1.amazonaws.com)
- Region - enter the AWS STS Region name (example: ap-southeast-1)
- RoleARN - enter the Role that delegates access to the Amazon AWS resource for the AWS IAM user.
- Use EC2 Instance Metadata Service (IMDS) - enable this option to use IMDS to retrieve metadata from the running EC2 instance in order to access the AWS S3 resource.
- IAM Role – enter the Role that delegates access to Amazon S3 from the EC2 instance.
- In the Manage In Place tab, enter details as required.
- Test - click to test the store link
- Click OK.
Content Manager saves your new store and it appears in the list pane.
To ensure the S3 Storage works correctly, the following permissions are required:
- Bucket Level permissions:
  - GetBucketLocation
  - ListAllMyBuckets
  - ListBucket
  - ListBucketMultipartUploads
- Permissions required for items contained in the bucket:
  - AbortMultipartUpload
  - DeleteObject
  - GetObject
  - ListMultipartUploadParts
  - PutObject
  - DeleteObjectVersion (only if the store is SEC compliant)
  - PutObjectRetention (only if the store is SEC compliant)
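The permission list above can be turned into a least-privilege IAM policy and used to audit the policy already attached to the connecting account. The following Python sketch is an added example, not part of Content Manager: the function names, the bucket and prefix names, and the scoping of object permissions to the virtual directory prefix are assumptions made for illustration.

```python
import json
from fnmatch import fnmatchcase

# Permission names from this page, written as IAM actions (s3: prefix).
ACCOUNT_ACTIONS = ["s3:ListAllMyBuckets"]  # cannot be scoped to one bucket
BUCKET_ACTIONS = ["s3:GetBucketLocation", "s3:ListBucket",
                  "s3:ListBucketMultipartUploads"]
OBJECT_ACTIONS = ["s3:AbortMultipartUpload", "s3:DeleteObject", "s3:GetObject",
                  "s3:ListMultipartUploadParts", "s3:PutObject"]
SEC_ACTIONS = ["s3:DeleteObjectVersion", "s3:PutObjectRetention"]


def build_policy(bucket, prefix="", sec_compliant=False):
    """Build an IAM policy granting only the permissions the page lists."""
    prefix = prefix.strip("/")
    # Assumption: the store only touches keys under its virtual directory.
    object_arn = f"arn:aws:s3:::{bucket}/{prefix + '/' if prefix else ''}*"
    object_actions = OBJECT_ACTIONS + (SEC_ACTIONS if sec_compliant else [])
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ListBuckets", "Effect": "Allow",
         "Action": list(ACCOUNT_ACTIONS), "Resource": "*"},
        {"Sid": "BucketLevel", "Effect": "Allow",
         "Action": list(BUCKET_ACTIONS), "Resource": f"arn:aws:s3:::{bucket}"},
        {"Sid": "ObjectLevel", "Effect": "Allow",
         "Action": object_actions, "Resource": object_arn},
    ]}


def audit_policy(policy, sec_compliant=False):
    """Return (missing, excess) action lists for an existing policy.

    Only Allow/Action statements are read; Deny, NotAction, Resource scope
    and Condition keys are not evaluated.
    """
    required = ACCOUNT_ACTIONS + BUCKET_ACTIONS + OBJECT_ACTIONS
    required += SEC_ACTIONS if sec_compliant else []
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            actions = stmt.get("Action", [])
            granted.update([actions] if isinstance(actions, str) else actions)
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    missing = sorted(r for r in required
                     if not any(fnmatchcase(r.lower(), g.lower()) for g in granted))
    known = {r.lower() for r in required}
    excess = sorted(g for g in granted if g.lower() not in known)
    return missing, excess


if __name__ == "__main__":
    # Constructed bucket and prefix names, for illustration only.
    print(json.dumps(build_policy("cm-documents", "records", True), indent=2))
```

A non-empty `missing` list for an SEC compliant store means retention or version deletes will fail; a non-empty `excess` list (for example `s3:*`) shows the account holds more than the store needs.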