How to Upload One File to Amazon Glacier, for Paranoid Developers

Amazon Glacier can be used as a data sanctuary-of-last-resort.  The API is simple and Amazon’s AWS offerings inspire Google-level confidence.  While gleeful to augment my collection of ad-hoc backup methods, I was also wary of trusting the github projects that were sprouting like dandelions.

But eventually my old Ubuntu distro wore out, and I decided to create my own Glacier “client” before upgrading.  Its mission: upload one file to Glacier.  No GUI, no command-line interface, not even a progress bar. Lo and behold, Amazon has a tutorial for exactly this.  If you are familiar with the Java/Eclipse (or .Net) ecosystem, then you too can roll your own archival tool with very little time investment and no third-party vendor lock-in.

How-To

From memory, the steps were:

  1. Sign up for Amazon Glacier.  It takes about 10 minutes to get access after signing up.
  2. Add a new “vault” in the AWS Glacier management console
  3. Download Eclipse IDE for Java EE Developers
  4. Unpack it, run it, install the AWS plugins by searching for “AWS” in the Eclipse marketplace
  5. Create an “AWS” project
  6. Copy your access key and secret key from your AWS account security web page into the “AwsCredentials.properties” file.  Make sure you don’t source control this file.
  7. Copy the file upload tutorial code into a class
  8. Change the vault, the file path, and perhaps the description to whatever you want to upload
  9. “Run As” a Java application
  10. Watch the Eclipse console, see no exceptions, see the expected final output.  Red messages may just indicate a network problem that the AWS libs have successfully overcome.

That’s it!  There is a downloading example as well.

Security

There are a few ways this casual archival process can fail to assuage moderate levels of paranoia.

First, whatever gets uploaded is potentially readable by rogue Amazon employees, crackers, and the government.  Encrypt where you feel privacy is necessary.  For me, this is in surprisingly few places.  Perhaps consider light encryption on media archives to foil false positives from future copyright infringement detection attempts.

Second, beware that there is one very serious failure mode accessible to an attacker.  It goes:

  1. Gain access to PC
  2. Gain access to AWS
  3. Delete Glacier vaults
  4. Delete local files (and other things like dropbox, gmail, etc.)

At this point, one is left with air-gap backups which hopefully spin up when asked.  Relying on Glacier for a man-made disaster scenario means keeping AWS access secure.  No local saved passwords.  No keys that can be used to delete vaults or archives left scattered in Eclipse workspaces.  Amazon has an AWS Identity and Access Management (IAM) service, which may be a way to create a “user” that cannot delete from Glacier?

Advertisements

Tags:

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s


%d bloggers like this: