How are Datica S3 Buckets managed?
Datica sets a variety of default policies on S3 Buckets to achieve compliant behavior!
Bucket Policies
Require Server Side Encryption
Datica requires all POST/PUT operations to S3 Buckets to specify server-side encryption.
This policy affects API and command-line interactions with S3 buckets.
You WILL receive Access Denied errors if you attempt a PUT/POST without a server-side-encryption flag or header.
When using the AWS CLI, you'll need to add the --sse flag to your command, such as:
aws s3 cp myfile.txt s3://your_bucket_name/ --sse
For some SDKs, you may have to set the x-amz-server-side-encryption header on the request instead. The value of this header should be set to AES256. For example, the header on the upload request should look like:
x-amz-server-side-encryption: AES256
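The following is an added example, not Datica's own policy text or code. It shows the bucket-policy pattern AWS documents for enforcing server-side encryption on uploads (a Deny on s3:PutObject when the x-amz-server-side-encryption header is missing or not AES256) and a small local evaluator that mirrors how that policy treats a PUT request, so you can see why an upload without the header gets Access Denied and one with AES256 does not. The bucket name, statement ids and the evaluator itself are assumptions; the evaluator models only the two condition operators the policy uses, not IAM's full evaluation logic.

```python
# Added example: constructed bucket policy following the pattern AWS documents
# for requiring SSE-S3 on uploads. This is an assumption about how such a
# requirement is expressed, not Datica's actual policy text.
REQUIRE_SSE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyIncorrectEncryptionHeader",  # constructed id
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-bucket/*",  # placeholder bucket
            "Condition": {
                "StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}
            },
        },
        {
            "Sid": "DenyMissingEncryptionHeader",  # constructed id
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ],
}

# The HTTP header the CLI (--sse) or an SDK sends, mapped to the IAM condition
# key the bucket policy evaluates.
HEADER_TO_CONDITION_KEY = {
    "x-amz-server-side-encryption": "s3:x-amz-server-side-encryption",
}


def request_context(headers):
    """Build the condition-key context a PUT request would present to the policy.

    Header names are case-insensitive, so they are lower-cased before lookup.
    """
    ctx = {}
    for name, value in headers.items():
        key = HEADER_TO_CONDITION_KEY.get(name.lower())
        if key:
            ctx[key] = value
    return ctx


def condition_matches(condition, ctx):
    """Evaluate the Null and StringNotEquals operators used by the SSE policy.

    Every operator/key pair must match for the Condition block to be satisfied.
    Simplification: an absent key never satisfies StringNotEquals here; the
    separate Null statement is what catches a missing header.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in ctx
            if operator == "Null":
                # Null "true" matches when the key is absent, "false" when present.
                if (expected == "true") != (not present):
                    return False
            elif operator == "StringNotEquals":
                if not present or ctx[key] == expected:
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def put_object_decision(policy, headers, action="s3:PutObject"):
    """Return 'AccessDenied' if any Deny statement applies to the request, else 'Allowed'."""
    ctx = request_context(headers)
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Deny" or action not in actions:
            continue
        if condition_matches(stmt.get("Condition", {}), ctx):
            return "AccessDenied"
    return "Allowed"


if __name__ == "__main__":
    # Constructed sample requests: no header, the required AES256 header, and
    # a different SSE value.
    for headers in ({}, {"x-amz-server-side-encryption": "AES256"},
                    {"x-amz-server-side-encryption": "aws:kms"}):
        print(headers, "->", put_object_decision(REQUIRE_SSE_POLICY, headers))
```

When you need to check which of the two statements is rejecting a request, compare the header your SDK actually emits against the mapping above: the CLI's --sse flag and an SDK's ServerSideEncryption parameter both end up as the x-amz-server-side-encryption header that the policy's condition keys read.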
CORS Policies
Datica enables the default CORS policy on S3 buckets. You can manipulate the CORS policies yourself with the AWS CLI s3api routes.
Read more about manipulating those here
Alternatively you can contact Support and we can assist.
Backups
Datica does not have Cross-Region Replication or Versioning turned on by default for S3 buckets deployed on CPaaS. Please contact support if you would like these enabled for your S3 buckets. Your files have redundancy as explained here by AWS, but you should be extremely careful and/or deploy extra S3 buckets to store duplicates of data if you intend to delete PHI from your S3 buckets. Even with CRR and versioning available it is still possible for you to permanently delete data from your S3 buckets. Ensure that you adequately test any data migration or deletion that you may do with PHI in a non-production environment or shadow production environment before removing data permanently.