SEAGATE S3 Lyve Cloud Storage User Manual
- June 16, 2024
- Seagate
Lyve Cloud S3 Storage User manual
Product Features
Lyve Cloud offers several features designed to support a variety of use cases. Customers can easily store, analyze, and manage data on secure, cost-efficient Seagate storage. Lyve Cloud provides an object storage solution that allows customers to move data to and from storage buckets through an HTTPS protocol. Admins can easily manage bucket access with user-specific access control lists. With Lyve Cloud’s flexible application programming interface (API), customers can plug in their favorite S3-compatible applications to store data, run big data analytics, audit storage activity, and manage users across the platform.
Storage management
Lyve Cloud’s single-tier design breaks away from traditional storage classes
to provide uninterrupted data movement. Objects stored in Lyve Cloud can be
uploaded, downloaded, updated, and erased anytime. Using S3 Select API calls,
customers can easily connect to third-party clients to move and manage data.
Applications are authenticated to Lyve Cloud using an access key and secret
key provisioned at service account creation. Once authenticated, applications
will access buckets and objects using the defined permissions set in the
service account (read-only, write-only, or all operations).
All S3 API activity and actions within the Lyve Cloud console are tracked
with Audit logs. Audit logs record all S3-supported API calls and activities
on the console to access audit functions and track suspicious activity.
Lyve Cloud also offers features to help prevent unintended data modifications
and provide versioning. Using Object Immutability prevents objects from being
deleted or overwritten by any user, including the account owner, for a
specified retention duration. Object Immutability also supports Amazon S3
Object Lock to reinforce Write-Once-Read-Many (WORM) policies. Customers can
toggle on Object Immutability at bucket creation to enable this feature, which
also enables Versioning. Versioning allows customers to protect, recover, and
restore every iteration of an object stored in a bucket in case of accidental
deletions or failures. Versioning remains enabled even if Object Immutability
is later disabled.
Lyve Cloud offers Global Account Management to allow customers to create
buckets in different regions or create service accounts to access buckets in
different regions. For more information, see S3 API endpoints. This provides
simplified management of multiple regions on the Lyve Cloud console and the
ability to increase redundancy and availability. For more information,
see Understanding Global Accounts.
Customers also use Lyve Cloud Sub-Accounts to create, provision and manage
additional sub-accounts to maintain a multi-level account structure. Each
sub-account can function as its own storage account with the ability to manage
its users, create buckets and upload data.
Learn more about Managing Lyve Cloud storage.
Product
1/4/24
8
Storage Analytics
Customers can now analyze, process, move, and transform massive amounts of
data on Lyve Cloud using Lyve Cloud Analytics. This platform uses big data
frameworks such as Apache Spark, Trino, and ML to satisfy a variety of use
cases, including scheduling, monitoring, machine learning, and more. For more
information, visit Getting Started with Analytics.
Lyve Cloud’s flexible backend was designed to complement various computing
applications. As a vendor-agnostic solution, Lyve Cloud can connect to public
cloud environments such as AWS, Azure, and Google to utilize their analytics
services on Lyve Cloud storage. This functionality allows businesses to
consolidate, query, and analyse big data on cost-efficient Seagate storage.
Customers can visit Lyve Cloud Marketplace to utilize validated Lyve Cloud
partner solutions for computing, such as Zadara zCompute and Equinix Metal.
Access management and security
Access management
Account administrators have several tools to authorize access to Lyve Cloud
users. Identity and access management (IAM) allows Lyve Cloud Administrators to
manage users and their access to the console. Access is managed with
user-defined roles that offer varying levels of accessibility. IAM users can
configure multi-factor authentication (MFA) for additional verification
during login.
Configuring Federated Login requires the Security Assertion Markup Language
(SAML) protocol to provide a single sign-on authentication method through an
organization’s IdP (identity provider).
Security
Lyve Cloud offers security features to protect data in flight and at rest. To
ensure data is protected in flight, Lyve Cloud aligns with Transport Layer
Security (TLS) 1.2 protocol and leverages 256-bit Advanced Encryption Standard
(AES) Galois/Counter Mode (GCM) encryption, establishing secure communications
to the client. By default, all data is encrypted before it is stored.
Learn more by visiting the Data Security Overview and the Lyve Cloud Data
Security Whitepaper.
Availability and durability
Lyve Cloud data centers are located in multiple geographic locations,
including Northern California, Virginia, and Singapore, with dedicated
operations staff to ensure the Lyve Cloud services are available with a
monthly uptime of 99.9%.
Data durability refers to long-term data protection against bit rot or other
forms of corruption over long periods. Due to Lyve Cloud’s industry-leading
architecture, Lyve Cloud can achieve 11 9s of data durability making data loss
statistically insignificant.
Quick Start Guide
Seagate on Vimeo: Lyve Cloud – Getting Started with Lyve Cloud
Understanding Account ID
Account ID is a unique identification that is associated with the Lyve Cloud account. An account ID is unique across all Lyve Cloud accounts globally and can include your company name, which is created during the onboarding process. The account ID helps to identify and distinguish resources in one account from the resources in another account.
When you create an account ID, its length must be between 3 and 63 characters, and only lowercase characters, numbers, and “-” are allowed.
You cannot change the account ID once it is created.
The account ID is used to create the unique URL for the account’s console URL
with the following format: https://
A single URL is used to access the Lyve Cloud console, which is authenticated by the account ID.
Signing in to Lyve Cloud
To use the Lyve Cloud console, you must sign in using your account credentials. To sign in to Lyve Cloud, you will need a login URL, which contains a unique account ID. The account ID can include your company name chosen during onboarding. You cannot change the account ID once it is created. The account ID is unique across Lyve Cloud accounts.
A single URL is used to access Lyve Cloud console which is authenticated by
the account ID, and the URL has the following format:
https://
If you know the Lyve Cloud account login URL
After successful onboarding, you will receive a welcome email. This email contains the Lyve Cloud URL. Using this URL, you can sign in to Lyve Cloud by creating a password.
This URL is in the following format:
https://
If you do not know the Lyve Cloud account login URL
If you have not saved the URL:
https://
Login Sequence
You have an Account ID – Enter the Account ID on the login page, followed by the registered email address. An email with all the details of the Lyve Cloud account is sent, which contains the Lyve Cloud URL to log in.
You do not have an Account ID – You will receive your account ID by providing your registered email address. You must select Get Help on the Login page. You are directed to enter your email address.
If the email address is not registered with Lyve Cloud, contact the support
team at support.lyvecloud@seagate.com.
Finding your Account ID in the Lyve Cloud console
If you have already signed in to the Lyve Cloud account, you can view the
Account ID from the Header pane. Select the username in the top right to view
the Account ID.
The following image highlights the Account ID in the console.
Using the Lyve Cloud console
The Lyve Cloud console includes three panes: the header pane, left menu, and
main view. The following image displays the three panes of the Lyve Cloud
console.
Header pane: Select the Lyve Cloud logo to return to the dashboard. The Start
Here button, Help link, user name, and icon are displayed on the top right
corner of the header pane. Open the Start Here window to find quickstart
resources. View our documentation and training videos under Help. To exit Lyve
Cloud, select the user name and then select Logout.
Left menu: The left menu is organized as follows:
Home page: It is the landing page after you log in to the console. It shows the
number of buckets, reports, usage, and more. For more information,
see Understanding the home page dashboard below.
Marketplace: This section displays and provides more information on partner solutions like Backup and Recovery, Surveillance, Compute, etc. that are certified with Lyve Cloud.
STORAGE
Buckets: Allows you to create and manage buckets.
Permissions: Allows you to set the permissions for buckets.
Service Accounts: Generates access credentials that enable S3 applications to
perform S3 operations on the bucket.
IDENTITY & ACCESS
Users: Allows you to create users and set user roles.
MFA: Allows you to add an additional factor to the login to prevent
unauthorized access.
Federated Login: Allows you to enable federated single sign-on (SSO) from your
organization’s Identity Provider (IdP).
Notification Recipients: Allows you to add recipients to receive service and
other important Lyve Cloud notifications via email.
SETTINGS
Settings: Allows you to enable and disable audit logs. These logs are detailed
records of activities in the Lyve Cloud console and S3 API operations.
Billing: Allows you to see each month’s costs, and download and view previous
monthly invoices.
Support: Allows you to open new support tickets for any issues related to Lyve
Cloud services.
The non-administrator roles can only see a subset of the menu options.
Main view: Displays the information corresponding to the left menu item selected.
Understanding the home page dashboard
After you log in to the Lyve Cloud console, you are taken to the dashboard’s
home page, and the headings on the page are displayed without data. However,
if you have created buckets and are storing data in the buckets, the dashboard
displays important details in the different sections.
The dashboard displays statistics of the storage system, usage, and estimated
cost. A graphical view of usage trends, bucket count, and average usage are
available.
Home page
Master Account home page
Buckets: Displays the total number of buckets.
Month-to-Date Usage: Displays the average usage of the account from the beginning of the month until the current date.
Estimated Cost: Displays the estimated monthly storage costs based on the current month’s usage trends. This cost is displayed in US dollars.
General Reports:
Daily Average Usage: Displays the daily average from a series of four usage
snapshots within a 24-hour period of data stored in all the buckets.
Date range selection: Select a current month, last six months, or custom time
range to view usage trends.
This month is a default selection that displays the daily average usage trend
for the current month to date.
Selecting the Last 6 months shows the usage trend of the last six months. Each
data point displays the monthly average for that month.
Selecting a Custom time range allows you to choose the monthly time range, and
the data points display the monthly average usage.
Download the usage data in CSV format by selecting Download. Use the Date range
selection to select the length of time of the report. This report shows the
Date, Region Name, Bucket Name, Usage (byte), Usage (GB) in the Excel sheet.
Usage Report: Displays the usage of all the sub-accounts in the master
account. The Sub-accounts Usage graph displays the usage of each sub-account
on the same graph. The graph has different colour lines per account. Hovering
over a particular day/month (depending on view scale) displays a tooltip with
the time information for all selected accounts with the line colour, account
name, and usage value per sub-account.
Accounts Summary: Displays the summary of each sub-account.
Customers: Lists the account ID of each sub-account in the master account.
Users: Lists the number of users for each sub-account.
Service Accounts: Lists the number of service accounts for each sub-account.
Buckets: Lists the number of buckets created by each sub-account.
Average Usage: Lists the average amount of data used per day for each
sub-account, from the beginning of the month to the current date.
Created On: Displays the date when the sub-account is added to the Lyve Cloud
master account.
Provisioning storage buckets
Seagate on Vimeo: Lyve Cloud – How to Create a Bucket
Create buckets
Begin by creating a bucket to add data.
1. On the left-hand menu, select Buckets, and then select Create Bucket.
2. Enter the Bucket Name and Region. Select Create. (Optionally, enable Object Immutability.)
After the bucket is created, it is listed on the Buckets page. For more
information, see Administrator’s Guide – Bucket Management.
Create bucket permissions
Next, create and apply permissions to at least one bucket. Permissions define
the type of operations that applications perform on the bucket: Read, Write, or
All Operations (read, write, delete, and list).
1. On the left-hand menu, select Permissions, and then select Create Bucket Permission.
2. On the Create Bucket Permission dialog:
Name: Enter the name for permission. Permission names can contain any
alphanumeric characters, dashes (“-”), underscores (“_”), or spaces.
Select one of the following from Which buckets does this permission apply to?
One or more existing buckets
All buckets in this account with a prefix
All buckets in this account
Select Actions to assign privileges as All Operations, Read only, Write only.
Select Create to save the permission for the bucket. The Description of the
permission assigned to the buckets is displayed.
3. Alternatively, you may import policy permission files to create new
permissions. See Using policy permission files.
For more information on buckets, see Administrator’s Guide – Bucket
Management.
Create service accounts
Finally, after creating permissions for a bucket, create a service account to
allow applications to authenticate and use these permissions. Applications use
service account credentials in API calls to access buckets to add and delete
data.
1. On the left-hand menu, select Service Accounts, and then select Create Service Account.
2. Enter the Service Account Name, and then select applicable Permissions from the available list.
3. Select Create. A confirmation displays the access key and secret key required to access the bucket.
4. Copy these account credentials or download them in CSV or JSON format before you close the dialog.
The access key and secret key cannot be retrieved later.
For more information on service accounts, see Administrator’s Guide – Account
Management.
Understanding Global Accounts
Lyve Cloud Global Accounts let customers create buckets in different regions
for increased provisioning and data access. For more information, see Creating
buckets.
Once you create buckets in different global accounts:
The Lyve Cloud console lists all the buckets created for an account. For more
information, see Listing buckets.
Listing buckets using the S3 API displays the buckets for the region that is
specified in the API command.
You can copy objects between different Lyve Cloud regions using S3 API
commands.
To access data from buckets created in different global regions:
Make direct requests to one of the Lyve Cloud S3 API endpoints. For more
information on S3 access points, see S3 API endpoints.
Lyve Cloud does not provide an S3 API global endpoint to access data across
different global accounts. You must use the region-specific endpoint to
provision storage.
S3 API Endpoints
The following table shows Lyve Cloud regions where Lyve Cloud is currently available and the endpoints for these regions.
| Region | Endpoint | Comment |
|---|---|---|
| US-East-1 (N. Virginia) | https://s3.us-east-1.lyvecloud.seagate.com | Standard Region |
| US-West-1 (N. California) | https://s3.us-west-1.lyvecloud.seagate.com | Standard Region |
| AP-Southeast-1 (Singapore) | https://s3.ap-southeast-1.lyvecloud.seagate.com | Standard Region |
| EU-West-1 (London) | https://s3.eu-west-1.lyvecloud.seagate.com | Standard Region |
| US-Central-2 (Texas) | https://s3.us-central-2.lyvecloud.seagate.com | Standard Region |
Lyve Cloud supports path-style requests and virtual hosted-style requests available with AWS S3. Use the URL format to access a bucket using a path-style endpoint or virtual hosted-style endpoint.
Lyve Cloud does not provide an S3 API global endpoint to access data across different regions.
| Region | Path-style endpoint | Virtual hosted-style endpoint |
|---|---|---|
| US-East-1 (Virginia) | https://s3.us-east-1.lyvecloud.seagate.com/[bucket_name] | https://[bucket_name].s3.us-east-1.lyvecloud.seagate.com |
| US-West-1 (California) | https://s3.us-west-1.lyvecloud.seagate.com/[bucket_name] | https://[bucket_name].s3.us-west-1.lyvecloud.seagate.com |
| AP-Southeast-1 (Singapore) | https://s3.ap-southeast-1.lyvecloud.seagate.com/[bucket_name] | https://[bucket_name].s3.ap-southeast-1.lyvecloud.seagate.com |
| EU-West-1 (London) | https://s3.eu-west-1.lyvecloud.seagate.com/[bucket_name] | https://[bucket_name].s3.eu-west-1.lyvecloud.seagate.com |
| US-Central-2 (Texas) | https://s3.us-central-2.lyvecloud.seagate.com/[bucket_name] | https://[bucket_name].s3.us-central-2.lyvecloud.seagate.com |
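The regional endpoints and the two URL styles above, as an added Python example (not part of the Seagate manual): it builds bucket URLs for the listed regions and classifies a URL back into region, bucket and style, rejecting non-HTTPS URLs and hosts outside the table. The bucket name pattern (3 to 63 lowercase letters, digits and hyphens) and the sample bucket name `media-archive` are assumptions; the manual itself only states that a bucket name cannot contain a dot.

```python
import re
from urllib.parse import urlsplit

# Region identifiers and endpoint hosts copied from the table above.
REGION_HOSTS = {
    "us-east-1": "s3.us-east-1.lyvecloud.seagate.com",
    "us-west-1": "s3.us-west-1.lyvecloud.seagate.com",
    "ap-southeast-1": "s3.ap-southeast-1.lyvecloud.seagate.com",
    "eu-west-1": "s3.eu-west-1.lyvecloud.seagate.com",
    "us-central-2": "s3.us-central-2.lyvecloud.seagate.com",
}
HOST_TO_REGION = {host: region for region, host in REGION_HOSTS.items()}

# Assumption: S3-style naming (3-63 chars, lowercase letters, digits, hyphens).
# The manual states only that a bucket name must not contain a dot.
BUCKET_RE = re.compile(r"[a-z0-9][a-z0-9-]{1,61}[a-z0-9]")


def check_bucket(bucket):
    """Return the bucket name unchanged, or raise ValueError if it is invalid."""
    if not BUCKET_RE.fullmatch(bucket):
        raise ValueError(f"invalid bucket name: {bucket!r}")
    return bucket


def bucket_url(region, bucket, style="path"):
    """Build the HTTPS URL for a bucket in one of the listed regions."""
    if region not in REGION_HOSTS:
        # There is no global endpoint, so an unknown region is an error.
        raise ValueError(f"unknown region: {region!r}")
    host = REGION_HOSTS[region]
    check_bucket(bucket)
    if style == "path":
        return f"https://{host}/{bucket}"
    if style == "virtual":
        return f"https://{bucket}.{host}"
    raise ValueError(f"unknown style: {style!r}")


def classify_url(url):
    """Return (region, bucket, style) for a regional endpoint URL.

    bucket is None for a path-style URL that names no bucket.
    Raises ValueError for anything that is not a listed HTTPS endpoint.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("the listed endpoints are HTTPS only")
    host = parts.hostname or ""
    if host in HOST_TO_REGION:
        first = parts.path.lstrip("/").split("/", 1)[0]
        bucket = check_bucket(first) if first else None
        return HOST_TO_REGION[host], bucket, "path"
    # Bucket names cannot contain dots, so in virtual hosted-style the bucket
    # is exactly the first DNS label and the rest must be a listed endpoint.
    label, _, rest = host.partition(".")
    if rest in HOST_TO_REGION:
        return HOST_TO_REGION[rest], check_bucket(label), "virtual"
    raise ValueError(f"not a listed regional endpoint: {host!r}")


def is_regional_endpoint_url(url):
    """True when classify_url accepts the URL, False otherwise."""
    try:
        classify_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(bucket_url("us-west-1", "media-archive"))
    print(classify_url("https://media-archive.s3.eu-west-1.lyvecloud.seagate.com/a.txt"))
```

The same classifier can back an egress allowlist or a review of URLs found in application configuration, since lookalike hosts and the non-existent global endpoint are both rejected.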
Using Account API
Account API allows you to access Lyve Cloud account information through an API
endpoint. The account API can be generated only by the account administrators.
You can perform all Lyve Cloud operations using the account API credentials.
What can I do with Account API?
Account API enables customers and sub-account administrators to leverage Lyve
Cloud account’s functionality programmatically.
You can perform the following actions using account API:
Permissions: Create permissions, List permissions, Get permissions by ID,
Delete permissions by ID, and Update permission.
Service Accounts: Create service account, List service account, Get service
account data by ID, Update service account, Enable service account, and
Disable service account.
Usage: Get current month storage usage and historical storage usage by month.
For more information, see Lyve Cloud Account API version 2.
The API uses the secure HTTP/1.1 over TLS 1.2 protocol and operates mainly
with JSON-formatted messages. All API responses are assigned specific numeric
codes that help you quickly identify if a request to an endpoint is successful
or unsuccessful. For more information on error codes, see List of API error
codes in the Account API version 2.
Generating Account API credentials
By default, generated API credentials never expire unless you configure an
expiration duration. You can change the default setting by setting an expiry
duration for all newly created API credentials; see Setting expiration
duration. This limits the validity of the Account API credentials, which need
to be changed again after the expiration. After the expiration date, the
secret credentials cannot be used for authentication but will stay associated
with the account until you delete or regenerate them.
1. On the Header pane, select the username in the top right.
2. Select Generate Account API Credentials.
3. Copy or download the Access Key and Secret Key after you create the Account API credentials.
Download the key in CSV or JSON format, as you cannot retrieve the secret key details later.
The status of credentials will show as one of the following. The status is based on the expiration duration.
Expires in: XX days: You must generate the API credentials to use the API after expiration.
Never Expires: The security credentials are not set, and these credentials will never expire.
Expired: The credentials have expired, and you cannot access the account API.
After the credentials are generated, use these credentials to generate a time-bound token. This token is used to authenticate the Lyve Cloud Account API and is passed as a Bearer header value.
If Account API credential generation fails, try generating the credentials again.
Regenerating Account API credentials
You can regenerate the credentials regardless of their expiration status. If
you already have active credentials and still regenerate new credentials, the
old credentials become inactive.
1. On the Header pane, select the username in the top right.
2. Select Generate Account API Credentials, and then select Regenerate.
Deleting Account API credentials
Once you delete the credentials, you can again generate new credentials.
However, any workload that uses these credentials will immediately lose access
to the resources.
1. On the Header pane, select the username in the top right.
2. Select Generate Account API Credentials, and then select Delete.
Administrator’s Guide – Introduction
This guide provides instructions on creating buckets and managing bucket
permissions and service accounts to authenticate and access data stored in the
buckets. It describes identity and access management (IAM) to manage access to
your Lyve Cloud resources. The Lyve Cloud console dashboard displays the
storage system’s overall statistics. See graphical views of usage trends,
numerical values of buckets, and average usage.
Console high-level workflow
This section explains the console workflow as determined by user roles. For
more information on your assigned role, see Administrator’s Guide – Identity
and Access Management (IAM).
There are three roles available in Lyve Cloud:
Administrator
Storage Administrator
Auditor
Administrator workflow (admin role)
Administrators can perform all actions available in the Lyve Cloud console.
1. Once you sign in to the Lyve Cloud console, a dashboard is displayed. The
dashboard shows details of buckets and usage-related information. For more
information, see Understanding the home page dashboard.
2. To manage Lyve Cloud storage:
A. Storage is managed and provisioned in buckets. For more information,
see Creating buckets.
B. Once you create a bucket, you must assign it Permissions, and define what
operations are allowed for buckets. See Creating bucket access permissions.
C. After you assign permissions to a bucket, create a service account. Service
accounts are used by applications to authenticate API calls accessing the
bucket. For more information, see Creating service accounts.
3. Use Identity and Access Management (IAM) features to secure access to your
Lyve Cloud account. For more information, see Administrator’s Guide – Identity
and Access Management (IAM).
Storage management workflow (storage admin role)
The storage admin user can perform all the storage operations as
an Administrator user in Lyve Cloud, including managing buckets, managing
permissions, and creating service accounts. The storage admin user is
restricted from altering settings for Identity and Access Management (IAM) and
Lyve Cloud account billing.
Auditor workflow
Users with the Auditor role have read-only access throughout the Lyve Cloud
console, and are not permitted to perform any storage operations or alter
settings.
Console session management
The user login session management increases the strength and security of the
Lyve Cloud session. To provide more secure access, non-persistent sessions
invalidate a Lyve Cloud console session cookie when the browser is closed.
By default, a user session timeout is 24 hours. While the Lyve Cloud session
is active, users are not required to log in with their credentials for up to
24 hours. The session is active after successful authentication by the user.
The Lyve Cloud console automatically signs out the user after 24 hours.
When users close and re-open the browser, they get a prompt for
re-authentication.
In summary, the Lyve Cloud console requires re-authentication in the following
cases:
You sign out of the Lyve Cloud session.
The browser is closed without any active session, or the active Lyve Cloud tab
is closed.
The authenticated session is more than 24 hours old.
The Lyve Cloud console session remains active in the following case:
At least one Lyve Cloud active session is open, and the authentication session
is less than 24 hours old.
Supported browsers
The Lyve Cloud Console supports the following browsers:
| Browser | Version |
|---|---|
| Google Chrome | Last three versions |
| Mozilla Firefox | Last three versions |
| Microsoft Edge | Last three versions |
| Apple Safari | Last three versions |
Managing support tickets
If you experience a problem with Lyve Cloud, use the Support page to create a
support ticket. Please provide detailed information in the Subject and
Description fields, and attach any relevant references for the support team.
Detailed information helps us provide a more efficient and effective
resolution, as the ticket response time is based on its severity level which
is determined from the details provided.
Each support ticket is assigned a unique number. Use this ticket number to
track the progress of the reported issue, and update the support ticket by
adding a comment. Comments and resolutions are recorded in each ticket.
You can also send an email to support.lyvecloud@seagate.com to report an issue.
A support ticket is opened based on the issue reported in the email.
The support team reviews ticket details and updates the ticket status.
New: This status is assigned immediately when a ticket is created, and work is
not yet started.
In Progress: This status indicates that the ticket is under review, and a
support engineer is investigating the issue.
After the ticket is updated, you will receive an email notification containing
the ticket number, subject, and changes made. You will receive an email
notification when a new ticket is opened, a ticket is updated, or an issue is
resolved and the ticket is closed.
The Support page lists the number of new and in progress tickets.
Note – Customers of a partner must report Lyve Cloud-related issues to their
partner. If you purchase Lyve Cloud through a reseller or partner, you will
not have direct access to support. Please contact your reseller with all
support queries.
Role-based access for the support page
The following table describes access to the Support page features based on the
admin role.
Actions
Create ticket Edit ticket View ticket Add Comments
Admin
Storage Admin
Auditor (Read only) × ×
×
Actions View Comments
Admin
Storage Admin
Auditor (Read only)
Video: How to contact Lyve Cloud Support
Seagate on Vimeo: Lyve Cloud – How to Contact Lyve Cloud Support
Creating a support ticket
To create a ticket:
1. On the left-hand menu, select Support.
2. On the Support page, select Create New Ticket.
3. In the Create New Ticket dialog, enter the following:
Subject: Enter a subject for the support ticket. This is a mandatory field.
Description: Enter the ticket details. This is an optional field that allows
you to describe the problem summary.
Attachments: Add documents that provide more details about the issue. The file
size must not exceed 4 MB. Select Upload and choose the file from the desired
location to upload an attachment, then select Open.
After the file is uploaded, it is listed under Attachments. To remove the
attachment, select the x to the right of the file name.
4. Select Create. The new ticket displays in the ticket listing table.
Note – Once a ticket is saved, you cannot delete the attachments.
Editing a ticket
You can edit new and in progress tickets. Editing a ticket allows you to edit
or add to the problem summary, description, customer name, and attachments.
To edit a ticket:
1. On the left-hand menu, select Support.
2. In the ticket listing table, select a ticket number to edit that ticket.
3. On the Details pane, select Edit.
4. Edit any of the following fields:
Subject
Description
Attachments: You can add new attachments, but you cannot delete attachments
that were previously added.
Add New Comment
A. To add comments, select Add New Comment.
B. Enter a comment and select Add.
5. Select Save.
Viewing ticket details
To view a ticket:
1. On the left-hand menu, select Support.
2. On the Support page, select the ticket number to view its details.
Service availability
The Lyve Cloud availability in the following image shows the calculated
service availability for the month.
Lyve Cloud service availability is calculated by subtracting the error rate
from 100% within a five-minute interval. If a customer does not make any
requests in a 5-minute interval, that interval is assumed to have an error
rate of 0%. The error rate is the total number of errors returned, divided by
the total number of requests during that 5-minute interval.
Error rate = number of errors ÷ number of requests
Availability = 100% – error rate
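The calculation described above, carried through on constructed request records as an added Python example (not Seagate's code). Treating only HTTP 5xx responses as errors and averaging the five-minute intervals to get the figure for a window are assumptions; the manual defines only the per-interval formula and the rule for intervals with no requests.

```python
from datetime import datetime, timedelta, timezone

INTERVAL = timedelta(minutes=5)

# Constructed sample window: four five-minute intervals.
SAMPLE_START = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
SAMPLE_END = SAMPLE_START + timedelta(minutes=20)


def is_server_error(status):
    # Assumption: only HTTP 5xx responses count as errors.
    return 500 <= status <= 599


def interval_availability(requests, start, end, is_error=is_server_error):
    """Availability (percent) for each five-minute interval in [start, end).

    requests is an iterable of (timestamp, http_status) pairs.
    An interval with no requests has an error rate of 0%, so it is 100%.
    """
    n = -((start - end) // INTERVAL)  # ceiling division on timedeltas
    totals = [0] * n
    errors = [0] * n
    for ts, status in requests:
        if not (start <= ts < end):
            continue
        i = (ts - start) // INTERVAL
        totals[i] += 1
        if is_error(status):
            errors[i] += 1
    return [100.0 if t == 0 else 100.0 * (t - e) / t
            for t, e in zip(totals, errors)]


def window_availability(per_interval):
    """Mean of the interval values (assumed aggregation for a window)."""
    if not per_interval:
        raise ValueError("no intervals in window")
    return sum(per_interval) / len(per_interval)


def pooled_availability(requests, is_error=is_server_error):
    """Contrast figure: 100% minus total errors over total requests."""
    statuses = [status for _, status in requests]
    if not statuses:
        return 100.0
    bad = sum(1 for s in statuses if is_error(s))
    return 100.0 * (len(statuses) - bad) / len(statuses)


def sample_requests():
    """Constructed records: busy, empty, near-idle and clean intervals."""
    reqs = []
    # Interval 0: ten requests, one of them a 503.
    for k in range(10):
        status = 503 if k == 3 else 200
        reqs.append((SAMPLE_START + timedelta(seconds=10 * k), status))
    # Interval 1: no requests at all.
    # Interval 2: two requests, one of them a 500.
    reqs.append((SAMPLE_START + timedelta(minutes=10, seconds=30), 200))
    reqs.append((SAMPLE_START + timedelta(minutes=11), 500))
    # Interval 3: eight successful requests.
    for k in range(8):
        reqs.append((SAMPLE_START + timedelta(minutes=15, seconds=20 * k), 200))
    return reqs


if __name__ == "__main__":
    per = interval_availability(sample_requests(), SAMPLE_START, SAMPLE_END)
    print(per, window_availability(per), pooled_availability(sample_requests()))
```

Because every interval weighs the same, one failed request in a near-idle interval lowers the interval-based figure more than the same failure during a busy interval, which is why it differs from the pooled figure on the sample data.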
Administrator’s Guide – Bucket Management
Lyve Cloud allows you to store objects (like files) in buckets (like folders).
Before you add or store any object, you must create a bucket. When you create
a bucket, you must specify the region where you want to create the bucket.
Role-based access to buckets
Bucket access levels are defined by the user roles. The following table
describes console access to bucket features based on the user’s role:
Actions
Create bucket Edit bucket Delete List and View
Admin
Storage Admin
Auditor (Read only) × × ×
Creating buckets
To create a bucket:
1. On the left-hand menu, select Buckets.
2. On the Buckets page, select Create Bucket.
3. Enter the bucket name:
Remember the following while creating a bucket name:
A. The bucket name must be unique across all of Lyve Cloud.
B. A bucket name containing a dot (.) is not allowed.
C. After you create a bucket, you cannot change the bucket name.
4. Select the region (metro) from the drop-down, where you want the bucket to
reside. For more information, see Understanding Global Accounts.
US – Virginia (us-east-1)
US – California (us-west-1)
AP – Singapore – (AP-Southeast-1)
Note – You must create your first bucket in a region, using the console.
5. (Optional) Enable Object Immutability. For more information, see Using
object immutability.
If Object Immutability is not enabled when a bucket is created, you cannot
turn it on later. However, if you switch it on while creating a bucket, you
can later switch it off and on again as needed.
If you enable Object Immutability, you can also set a duration to retain the
objects. For more information, see Setting duration.
6. After you create a bucket, it is listed on the Buckets page.
Note–Sometimes there may be a delay in creating a bucket.
Editing bucket properties
The Buckets page displays the bucket list. It also displays the labels for
each bucket, such as Immutable, Versioned, and Logged. For more information on
the labels, see Using object immutability and Administrator’s Guide – Audit Log
Management.
To edit a bucket:
1. On the left-hand menu, select Buckets.
2. On the Buckets page, choose and select the name to edit.
3. Perform any of the following actions in the bucket properties:
S3 endpoint URL: Allows copying the S3 endpoint URL to the clipboard. This URL is used to access the bucket. For more information on the S3 endpoint URL, see S3 API endpoints.
Object Immutability: You may choose to switch off Object Immutability if it is enabled. For more information, see Using object immutability.
Set Duration: You can set duration only when Object Immutability is switched on. Select the pencil icon to edit the retention duration. For more information, see Setting duration.
S3 API Audit Logs: Select the toggle switch to enable or disable the audit logs for this bucket. For more information on audit logs, see Administrator’s Guide – Audit Log Management. After you enable the audit logs for the selected bucket, the bucket is labeled as Logged, and once you disable the audit logs, the label is removed.
Delete Bucket: Select Delete to delete a bucket.
Before deleting a bucket, please make sure to:
Delete all data from the bucket.
Delete all permissions referencing this bucket. Deleting a bucket associated with bucket permissions is allowed only if you have applied permission to all buckets or all buckets with a prefix in the account.
Verify that the bucket is not set as the target bucket for Audit Logs.
Listing buckets
To view the bucket list:
1. On the left-hand menu, select Buckets.
Note–This view displays the labels for each bucket, such as Immutable, and Logged. For more information on the labels, see Using object immutability and Administrator’s Guide – Audit Log Management.
By default, the Buckets page displays 10 buckets at a time. To increase or decrease the number of buckets per page, select the Rows per page arrow and select 10, 25, 50, or All.
2. Select the left or right arrow to move between the pages.
The following table describes the columns of the bucket list.
Column Name: Description
Name: Displays the name of the bucket.
Region: Displays the region where the bucket is residing. You can select the region while creating a bucket. For more information, see Creating buckets.
Usage: Displays the total amount of data stored in the bucket in KiB, MiB, or GiB.
Created On: Displays when the bucket was created in YYYY-MM-DD format.
Immutable, Versioned, Logged: Displays the bucket labels.
Immutable: The label indicates that the bucket is in compliance mode. To disable the compliance mode, see Editing bucket properties.
Versioned: The label indicates that the bucket is versioned. The bucket version is not suspended even after you disable the Object Immutability.
Logged: The label indicates that audit logs are enabled for the bucket. To disable the audit logs for buckets, see Editing bucket properties.
For more information on these labels, see Using object immutability and Administrator’s Guide – Audit Log Management.
Video: Lyve Cloud – How to Create a Bucket
Seagate on Vimeo: Lyve Cloud – How to Create a Bucket
Using object immutability
Object immutability prevents objects from being deleted or overwritten by any user or application for a specified retention duration. This is especially useful when you want to meet regulatory data requirements or other scenarios where it is imperative that data cannot be changed or deleted. Object immutability must be used when you are certain that you do not want anyone, including the Administrator, to delete the objects during their retention duration. When you switch on object immutability, you must also set the duration and specify the default retention period.
Video: Lyve Cloud – How to Prevent Objects From Being Deleted
Seagate on Vimeo: Lyve Cloud – How to Create a Bucket
How does versioning work in object immutability?
Versioning allows saving multiple variants of an object in the same bucket. It
allows you to preserve, retrieve, and restore every version of an object
stored in the bucket. Versioning enables the recovery of objects from any
unintended or accidental user actions and application failures.
After switching on object immutability for a bucket, versioning is automatically enabled. Lyve Cloud automatically creates and stores an object version each time when:
A new object is uploaded
An existing object is overwritten
An object is deleted
Note–Versioning may increase your storage capacity utilization.
For example, if you accidentally delete an object, instead of removing it
permanently from Lyve Cloud, this deleted object becomes the current object
version. You can then restore the previously available version.
When you create a bucket and switch on object immutability, you can switch off
object immutability afterwards. However, versioning cannot be suspended for
that bucket.
Note–When you switch on object immutability, the bucket is labelled as Immutable and
Versioned. Switching off object immutability only removes the Immutable label.
Setting duration
The duration for immutability can be specified in days or years at the object
level. When you set the duration, objects remain locked and cannot be
overwritten or deleted. By default, the duration is set to 30 days. Setting
the duration applies to individual object versions, and different versions of
a single object can have different durations set.
For example, if you set the duration to 10 days and then create an object A,
object A will have its retention duration set to 10 days. If you later change
the duration to 20 days and upload object A again:
The retention duration for the first version of object A remains 10 days.
The later version of the same object is set to 20 days.
When you place an object in the bucket, Lyve Cloud calculates the retention
duration for an object version by adding the specified duration to the object
version’s creation timestamp. The calculated date is stored in an object’s
metadata and protects the object version until the retention duration ends.
When retention duration ends for an object, you can retain or manually delete
an object.
By default, object immutability is switched off, and you can switch it on only
while creating a bucket. Once object immutability is switched on, Lyve Cloud
automatically enables versioning for the bucket. For step-by-step instructions, see below.
To set object immutability:
Enable object immutability when creating a new bucket, see Creating buckets.
Optionally, check the Delete objects after the retention duration ends check box.
Managing bucket access permissions
Permissions are used to control access to buckets and define which actions the
service accounts are allowed for a bucket. Bucket permission and Policy
permission are two options available for granting permission to your buckets.
Bucket permission: Bucket permission is used to set Read only, Write only, or
All operations permission for selected buckets. Using Bucket permission, you
can grant access permissions to your bucket and the objects in the bucket.
Only the admin and storage admin can associate permissions for the buckets.
The permissions attached to the bucket apply to all of the objects in the
bucket. For more information, see Creating bucket access permissions.
Policy permission: Policy permission is used for creating policy permission by
uploading a JSON file. You can also import a file which is compatible with the
AWS IAM policy file. Using the Policy permission, you can allow or deny
requests at a granular level based on the elements in the policy, resources,
and aspects or conditions of the request. For more information, see Creating
policy permissions.
Role-based access to permission management
The following table describes access to permission management features based
on your role.
Actions
Create permission Edit Delete Status List and view
Admin
Storage Admin
Auditor (Read only) × × × ×
Creating bucket access permissions
You can create bucket permissions without any buckets in the account only if
you apply permission to all buckets in the account or all buckets with a
prefix.
To create bucket permissions:
1. On the left-hand menu, select Permissions.
2. On the Permissions page, select Create bucket permission.
3. In the Create bucket permission dialog, enter the following:
Name: Enter a name for the permission.
Which buckets does this permission apply to?: Select any one from the following:
One or more existing buckets: Choose one or more buckets from the Buckets list.
Buckets: The buckets field is displayed only when you select one or more existing buckets.
All buckets in this account with a prefix: The bucket names must use the same few initial characters. For example, if four unique buckets for customer01 are created, such as customer01rawdata, customer01zipdata, customer01media and customer01, enter a prefix of the bucket names to assign and apply the permission. In this case, use the same beginning characters for each bucket for our prefix, customer01.
Note–Only one prefix is allowed for a single permission. The prefix field allows a maximum of 64 characters.
All buckets in the account: Apply permission to all current and future buckets in the account.
Actions: Select actions to assign privileges as:
All Operations: Allows all operations in all buckets meeting the conditions defined under Which buckets this permission applies to?.
Read only: This option allows you to perform a read only operation on one or more selected buckets and its objects.
Write only: This option allows you to write objects into the selected buckets without reading them back.
Once you select the desired options, the description of the permissions is
displayed for that bucket permission.
4. Select Create to save the permission for a bucket.
The permissions list page displays all permissions. To manage permissions,
see Editing bucket permissions and Deleting bucket permissions.
Creating policy permissions
Lyve Cloud allows the migration of AWS IAM policy files to the Lyve Cloud
policy permission, making it simple to start working with service accounts
based on existing policies. A policy file uses a JSON file format that is
compatible with an AWS IAM policy.
Working with policy files allows you to specify the Condition element. Query
the exact request values to determine when a policy is in effect, or list
specific actions such as "Action": ["s3:GetObject", "s3:PutObject"] and specify the
Resource element for several buckets and objects. For more information,
see Example policy permission file.
How to get an IAM policy file from AWS
You must manually copy policy permission details from AWS IAM policy to use in
Lyve Cloud:
1. Log in to the AWS Management Console using the credentials.
2. Select Services on the top left to view the list of services.
3. Select IAM in Security, Identity, & Compliance.
4. Under Access Management, select Policies and use the search field to find the relevant policy to copy the policy details.
5. Select the JSON tab, copy the policy details into a new file, and then save it as a JSON file.
Using policy permission files
The following table lists the mandatory, optional, and invalid elements in a
policy permission file.
Note
Invalid elements must be removed from the file before importing, as these
elements are not used in the Lyve Cloud policy permission file. Remove tags
from elements available in AWS IAM policy, as tags cannot be used in the
policy permission file.
Element (Mandatory/Optional/Invalid): Description
Statement (Mandatory): Contains a single statement or an array of individual statements.
Resource (Mandatory): Specifies object(s) or bucket(s) that is related to the statement.
Effect (Mandatory): Allows or denies access to the resource.
Action (Mandatory): Describes specific action(s) that will be allowed or denied.
Version (Mandatory): It defines the version of the policy language and specifies the language syntax rules that are to be used to process a policy file.
Condition (Optional): Allows you to specify conditions when a policy is in effect. The Condition element includes expressions that match the condition keys and values in the policy file against keys and values in the request. Specifying invalid condition keys returns an error. For more information, see Known Issues.
Sid (Optional): A statement ID. The statement ID must be unique when assigned to statements in the statement array. This value is used as sub ID for policy document’s ID.
Id (Optional): A policy identifier, such as UUID (GUID).
Principal (Invalid): Specifies the service account that is allowed or denied to access a resource.
NotPrincipal (Invalid): The service accounts that are not specified, are allowed or denied access to the resource.
NotAction (Invalid): Specifies that it matches everything except the specified list of actions. If this element is part of the permission file, you need to replace it with the Action element.
NotResource (Invalid): Specifies that it matches every resource except the available specified list. If this element is part of the permission file, you need to replace it with the Resource element.
Example policy permission file
In the following example, the policy permission has three statements:
Statement1: Allows object listing with a prefix David in the bucket mybucket. It is done using a Condition element.
Statement2: Allows read and write operations for objects with the prefix David in bucket mybucket.
Statement3: Denies delete object operation for two resources:
All the objects in mybucket/David/
All the objects in mycorporatebucket/share/marketing/

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "statement1",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::mybucket"],
      "Condition": {"StringLike": {"s3:prefix": ["David/"]}}
    },
    {
      "Sid": "statement2",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::mybucket/David/*"]
    },
    {
      "Sid": "statement3",
      "Action": ["s3:DeleteObject"],
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::mybucket/David/*",
        "arn:aws:s3:::mycorporatebucket/share/marketing/*"
      ]
    }
  ]
}
Use the following policy to limit the bucket access to specific IP addresses:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Sid-1",
      "Action": ["s3:*"],
      "Effect": "Deny",
      "Resource": ["arn:aws:s3:::mybucket"],
      "Condition": {"NotIpAddress": {"aws:SourceIp": ["134.204.220.36/32"]}}
    },
    {
      "Sid": "Sid-2",
      "Action": ["s3:*"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"]
    }
  ]
}
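How the IP-restriction policy above evaluates request by request, as an added example that is not Seagate's code. It assumes AWS-style evaluation, which the page does not spell out: a statement applies only when Action, Resource and Condition all match, an explicit Deny overrides any Allow, and nothing is allowed by default. The second client address, the object key and the helper names `evaluate` and `deny_objects_too` are constructed for illustration.

```python
import copy
import fnmatch
import ipaddress

# The IP-restriction policy as printed on this page.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Sid-1", "Action": ["s3:*"], "Effect": "Deny",
         "Resource": ["arn:aws:s3:::mybucket"],
         "Condition": {"NotIpAddress": {"aws:SourceIp": ["134.204.220.36/32"]}}},
        {"Sid": "Sid-2", "Action": ["s3:*"], "Effect": "Allow",
         "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"]},
    ],
}
# Constructed request contexts: the allowed address and a documentation-range one.
ALLOWED_IP = {"aws:SourceIp": "134.204.220.36"}
OTHER_IP = {"aws:SourceIp": "198.51.100.7"}
BUCKET = "arn:aws:s3:::mybucket"
OBJECT = "arn:aws:s3:::mybucket/reports/q1.csv"  # constructed object key


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(value, patterns):
    """Wildcard match of one action or ARN against a statement's patterns."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """True when every operator/key pair in the Condition block matches."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if operator == "StringLike":
                ok = actual is not None and _matches(actual, wanted)
            elif operator in ("IpAddress", "NotIpAddress"):
                inside = actual is not None and any(
                    ipaddress.ip_address(actual) in ipaddress.ip_network(net)
                    for net in _as_list(wanted))
                ok = inside if operator == "IpAddress" else not inside
            else:
                raise ValueError(f"operator {operator} is not modelled here")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not _matches(action, stmt["Action"]):
            continue
        if not _matches(resource, stmt["Resource"]):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny wins over any Allow
        decision = "Allow"
    return decision


def deny_objects_too(policy):
    """Copy of the policy whose Deny statements also name each bucket's objects."""
    hardened = copy.deepcopy(policy)
    for stmt in hardened["Statement"]:
        if stmt["Effect"] == "Deny":
            resources = _as_list(stmt["Resource"])
            # A bucket ARN has no "/"; add the matching object pattern for it.
            stmt["Resource"] = resources + [r + "/*" for r in resources if "/" not in r]
    return hardened


if __name__ == "__main__":
    variants = (("as printed", PAGE_POLICY),
                ("object ARN added to Deny", deny_objects_too(PAGE_POLICY)))
    for label, policy in variants:
        for who, ctx in (("allowed IP", ALLOWED_IP), ("other IP", OTHER_IP)):
            print(label, "|", who,
                  "| ListBucket:", evaluate(policy, "s3:ListBucket", BUCKET, ctx),
                  "| GetObject:", evaluate(policy, "s3:GetObject", OBJECT, ctx))
```

Under these assumptions the Deny statement as printed names only the bucket ARN, so it covers bucket-level requests. Adding `arn:aws:s3:::mybucket/*` to its Resource extends the IP restriction to object requests.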
To create policy permission:
1. On the left-hand menu, select Permissions.
2. On the Permissions page, select Create Policy Permission.
3. In the Create Policy Permission dialog:
Enter a name.
Edit the description if desired.
Drag and drop a policy permission file, or browse to upload a file. Once the new policy permission file is available, download or replace the existing file.
4. Select Create.
You might encounter errors if the policy permission file (JSON) has any
additional or missing elements. The following is the list of possible error
messages. Read them carefully and update the policy permission file
accordingly.
Error Message: File Import Failed: Invalid JSON file.
Resolution: Check the JSON file structure.

Error Message:
File Import Failed: Effect field is required.
File Import Failed: Resource field is required.
File Import Failed: Action field is required.
File Import Failed: Statement is required.
File Import Failed: Version field value is empty.
Resolution: Add this element to the policy permission file.

Error Message:
File Import Failed: Action canot be empty.
File Import Failed: Resource canot be empty.
File Import Failed: Condition canot be empty.
Resolution: Add a value to this element.

Error Message:
File Import Failed: Effect value is invalid.
File Import Failed: Action value < action> is not valid.
File Import Failed: Resource value < resource> is not valid.
Resolution: Add a valid value to this element.

Error Message: File Import Failed: Conditionname is not valid:
Resolution: Choose a valid condition name, such as StringLike.

Error Message: File Import Failed: Conditionkey is not valid:
Resolution: Choose a valid condition key, such as s3:prefix.
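A pre-import check for policy permission files, added here as an example and not Seagate's importer: it applies the Mandatory/Optional/Invalid element table and the empty-value and Sid-uniqueness rules from this page to a JSON file before you upload it. The function names, finding texts and both sample policies are constructed for illustration, and the messages are this script's own, not the console's error strings.

```python
import json

# Element classification as given in the table on this page.
TOP_MANDATORY = ("Version", "Statement")
STMT_MANDATORY = ("Effect", "Action", "Resource")
TOP_ALLOWED = {"Version", "Statement", "Id"}
STMT_ALLOWED = {"Effect", "Action", "Resource", "Condition", "Sid"}
INVALID_HINTS = {
    "Principal": "remove it",
    "NotPrincipal": "remove it",
    "NotAction": "replace it with Action",
    "NotResource": "replace it with Resource",
}


def _as_list(value):
    """Policy elements may hold one value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _lint_statement(stmt, where, seen_sids):
    """Check one statement; seen_sids carries Sids from earlier statements."""
    if not isinstance(stmt, dict):
        return [(where, "statement must be a JSON object")]
    findings = []
    for key in stmt:
        if key in INVALID_HINTS:
            findings.append((where, f"{key} is invalid: {INVALID_HINTS[key]}"))
        elif key not in STMT_ALLOWED:
            findings.append((where, f"unexpected element {key}"))
    for key in STMT_MANDATORY:
        if key not in stmt:
            findings.append((where, f"{key} is required"))
        elif not any(_as_list(stmt[key])):
            findings.append((where, f"{key} is empty"))
    effect = stmt.get("Effect")
    if effect and effect not in ("Allow", "Deny"):
        findings.append((where, f"Effect value {effect!r} is invalid"))
    cond = stmt.get("Condition")
    if "Condition" in stmt and not (
        isinstance(cond, dict) and cond
        and all(isinstance(keys, dict) and keys for keys in cond.values())
    ):
        findings.append((where, "Condition is empty or malformed"))
    sid = stmt.get("Sid")
    if isinstance(sid, str):
        if sid in seen_sids:
            findings.append((where, f"Sid {sid!r} is not unique"))
        seen_sids.add(sid)
    return findings


def lint_policy(text):
    """Return (location, problem) tuples; an empty list means no findings."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [("file", f"invalid JSON: {exc.msg} (line {exc.lineno})")]
    if not isinstance(doc, dict):
        return [("file", "top level must be a JSON object")]
    findings = []
    for key in TOP_MANDATORY:
        if key not in doc:
            findings.append(("policy", f"{key} is required"))
        elif not doc[key]:
            findings.append(("policy", f"{key} is empty"))
    for key in doc:
        if key not in TOP_ALLOWED:
            findings.append(("policy", f"unexpected element {key}"))
    seen_sids = set()
    for index, stmt in enumerate(_as_list(doc.get("Statement") or [])):
        findings += _lint_statement(stmt, f"Statement[{index}]", seen_sids)
    return findings


# Constructed sample: an AWS-style export that still carries elements the
# table marks Invalid, plus a repeated Sid, a bad Effect and empty values.
CONSTRUCTED_AWS_EXPORT = """{"Version": "2012-10-17", "Statement": [
  {"Sid": "s1", "Effect": "Allow", "Principal": "*",
   "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::mybucket/*"]},
  {"Sid": "s1", "Effect": "Permit", "NotAction": ["s3:DeleteObject"],
   "Resource": [], "Condition": {}}]}"""

# Constructed sample shaped like the first statement of the page's example.
CONSTRUCTED_CLEAN = """{"Version": "2012-10-17", "Statement": [
  {"Sid": "statement1", "Effect": "Allow", "Action": ["s3:ListBucket"],
   "Resource": ["arn:aws:s3:::mybucket"],
   "Condition": {"StringLike": {"s3:prefix": ["David/"]}}}]}"""

if __name__ == "__main__":
    for location, problem in lint_policy(CONSTRUCTED_AWS_EXPORT):
        print(f"{location}: {problem}")
```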
Editing bucket permissions
Edit existing permissions to change selected buckets and their associated actions.
To edit permissions:
1. On the left-hand menu, select Permissions.
2. On the Permissions page, select the ellipsis of the permission to modify, and select Edit.
To modify Policy Permission-type permissions:
In the Edit Policy Permission dialog, edit the following:
Name
Description
Policy File: Download or replace the existing file.
To modify Bucket Permission-type permissions:
In the Edit Policy Permission dialog, edit the following:
Name
Which buckets this permission applies to?
Actions
4. Select Save.
These changes take effect as soon as the updated permission is saved, and any
subsequent application API calls will be affected.
Deleting bucket permissions
Note–Permissions used by any service accounts cannot be deleted.
To delete permissions:
1. In the menu, select Permissions.
2. On the Permissions page, select the ellipsis (…).
3. Select Delete, and then select OK in the confirmation.
After you delete a permission, you cannot restore it. However, you can create a
new permission and reuse that permission name.
Viewing permissions
By default, the Permissions page displays 10 permissions at a time. You can
sort the columns in the table.
To view all permissions:
1. In the left-hand navigation, select Permissions.
The following table describes the columns used to list permissions.
Column Name: Description
Name: Displays name of the permission.
Description: Displays the permission description.
Type: Displays the type of permission created. The type can be Policy permission and Bucket permission.
Service Accounts: Displays the number of service accounts using that specific permission. You can hover the mouse on the number to view the names of the attached service account and the question mark icon to view the tooltip.
Creation On: Displays the date and time when the permission was created in the year, day, month YY:DD:MM AM/PM format.
2. Select the arrow next to Rows per page to change the number of permissions to list per page.
Administrator’s Guide – Account Management
Service accounts allow applications to authenticate and access Lyve Cloud
buckets and objects. The appropriate access and secret keys are generated when
you create a service account. This information must be saved during the
account creation, as you cannot recover key details afterwards. You must
create buckets and assign permission to buckets before creating a service
account. For more information, see Creating buckets and Creating bucket access
permissions.
Role-based access to manage service accounts
The following table describes access to service account features based on your
role.
Actions
Create service account Edit Clone Delete Status List and view Service account
expiration
Admin
Storage Admin
×
Auditor (Read only)
×
× × × ×
Creating service accounts
You must have at least one associated permission before creating a service account. To set the duration of keys generated after service account creation, you must first configure the expiration period. If the expiration duration is not set, the service account will not have an expiration set, and the secret credentials will never expire. For more information, see Setting expiration duration.
To create a service account:
1. On the left-hand menu, select Service Accounts.
2. Enter the Service Account Name.
A. Select Permissions from the available list, and select Create.
B. On the Service Accounts page, select Create Service Account.
Note–When you select permissions with different Actions (All operations, read only),
the action with the least priority is applied to the account.
Note–When you configure the expiration duration, the Secret Key Expiration
Duration displays the days when the secret key expires. Otherwise, the
expiration duration is displayed as Never.
To change the expiration duration, see Setting expiration duration.
If an administrator configures a new expiration duration during the same time
frame as the storage administrator creates a service account, the storage
administrator receives an information message about the new expiration
duration.
3. A confirmation displays the access key and secret keys required to access
the bucket.
Important–Before closing the dialogue, you must copy or download the service
account credentials containing the access and secret keys. Download the key in
CSV or JSON format, as the secret key details cannot be retrieved later. The
following image displays a generated access key and secret key.
Note–Once you create the service account, it may take a few minutes to replicate across other regions. If you cannot access your storage in a particular region, try after some time.
Note–Sometimes there may be a delay in creating a service account.
Viewing service accounts
The service account list displays the Access Key, expiration period, and the status of the service account.
The ‘Expires in’ column displays any of the following:
Expired: If the service account is already expired.
Never Expires: The expiration period for the service account is not configured.
Value: Displays the remaining days for the service account to expire.
To view the service account list, select Service Accounts on the left-hand
menu.
You can view the list of service accounts. You can increase the number of
service accounts per page. You can change the name from Service_Account_1 to
Service_Account_01. You can add permission3 (new permission) to permission0,
permission1 and permission2 (existing). Or you can remove permission0
(existing) from the available list.
You can perform the following operations by selecting the ellipses for each
service account:
Edit service account
Disable service account
Clone service account
Delete service account
Editing service accounts
Editing allows you to edit the service account name and permissions. Editing
does not generate a new secret key (credentials) for a service account. To
generate new credentials, you must create a new or clone an existing service
account. While editing the service account, the access key and expiration
period for the service account is displayed. However, you cannot edit them.
The expiration period is set when you create a service account. For more
information on the expiration period, see Configuring expiration period.
Note–You cannot edit a service account if the expiration period is over.
If you edit Service_Account_1: When you save this service account, the name and
permission of the service account are changed. However, the secret credentials
and expiration period remain the same as the original.
To edit a service account:
1. On the left menu, select Service Accounts.
2. On the Service Accounts page, select the service account to modify and then select Edit.
3. In the Edit Service Account dialog, you can edit the service account name and modify permissions.
4. Select or deselect the permissions to associate with the service account, and scroll to view all available permissions for the account.
5. Select Save to save changes for the service account.
Changing the status of a service account
The service account is enabled by default. You can disable the service account
anytime. Disabling a service account prevents you from using the secret key to
authenticate.
Note–You cannot change the status of the service account if the expiration
period is over.
To change the status of a service account:
1. On the left-hand menu, select Service Accounts to view the list of service accounts.
2. Set Status to Enabled or Disabled to change the account status.
Deleting a service account
Before you delete a service account, you can disable the key, and once you are
sure that the service account is no longer needed, you can then delete the
key. Deleting a service account permanently prevents you from using the secret
key to authenticate.
To delete a service account:
1. On the left-hand menu, select Service Accounts.
2. On the Service Accounts page, select Delete.
3. Select Yes to delete the service account.
You cannot restore a deleted account. However, you can reuse the service
account name to recreate a new service account.
Cloning a service account
Cloning a service account is a quick and easy way to create a duplicate
service account. The values of the service account, like the service account
name, associated permissions, etc., are the same as the original service
account. However, it generates new access and secret keys. The name of the
service account appears as a Copy of
To clone a service account:
1. On the left-hand menu, select Service Accounts to view the list of service accounts.
2. Select the ellipses to clone the service account.
3. Select Clone, and edit the required fields of the service account.
New secret credentials are generated once you create a service account. For more information, see Creating service accounts.
Service account settings
Adding the expiration duration to the service account enhances the security
level of the service account. The existing Service Accounts are set as Never
Expires. By default, the key never expires when creating a service account
unless you configure an expiration duration. You can change the default
setting by setting an expiry duration for all newly created service accounts;
see Setting expiration duration. This limits the validity of the service
account, which needs to be changed again after the expiration duration. After
the expiration date, the secret key cannot be used for authentication but will
stay associated with the service account until you delete it. If you disable
or delete a service account, any workload that uses the service account will
immediately lose access to the resources.
As a best practice, change your secret keys regularly. You can create a new
secret key by doing the following:
Create a new service account or Clone the service account.
Disable the old service account.
Confirm that the old key is no longer in use.
Delete the old service account.
Setting expiration duration
Setting an expiration duration enables you to enforce additional security. The
more often you change the service account keys, the less likely it is to be
leaked. Hence, periodically invalidating your service account keys and
creating new keys adds to security.
The Service Account Expiration defaults to Off (disabled). The service account
key never expires when creating a service account without setting an
expiration period. You can turn On (enable) the expiration and set the duration
in days or years. All service accounts created after you turn it on have an
expiration period. For example, if you set the expiration duration as 365
days, any service account created after setting the duration has an expiration
period of 365 days.
Based on the specified days, the service account expires at the end of the
expiration date at 23:59:59 PM, regardless of the time the service account is
created. For example, if you set the expiration duration to 30 days on the 1st of
the month at 10:15:00 AM, the service account expires on day 30 at 23:59:59
PM.
To set expiration duration:
1. On the left-hand menu, select Settings.
2. Enable the Service Account Expiration toggle.
3. Enter the number of Day(s) or Years to set the expiration duration, and select Save.
After the configuration is complete, all new service accounts created will
have an expiration duration. Once a service account expires, you cannot perform
any actions on it other than deleting the service account.
You can configure the expiration duration as 90 days and create a service
account. The Secret Key Expiration Duration in the create service account
dialogue is set to 90 days. This value is displayed on pages where you create
a service account, edit a service account, and list the service account. All
service accounts created after configuring expiration duration will be, by
default, set to 90 days.
After 90 days, the service account status will appear as Expired.
Administrator’s Guide – Audit Log Management
Audit logs are detailed records of activities in the Lyve Cloud console and S3
API operations. Audit logs are used to access audit functions and track any
suspicious activity.
When you enable audit logging, all audit logs are written to the selected
target bucket. The target bucket must be immutable, which keeps audit logs
immutable. For more information, see Using object immutability. You cannot
switch off object immutability for the target bucket. You can maintain three
types of audit logs:
S3 API audit logs: This log records all supported S3 API calls. For more
information, see Supported S3 API calls.
S3 API audit logs are recorded in the S3-
IAM audit logs are recorded in the IAM-
The console audit log is recorded in the console-
Note–Switching on Console Audit Logs enables both the Console audit logs and
IAM audit logs that are written to the target bucket.
The audit log files have TIMESTAMP format: yyyy-MM-dd-HH-mm-ss and are set to
the UTC zone.
Audit log files keep sufficient information to establish which events
occurred, when they occurred, and who caused them. Administrators can manually
delete these audit log files after the specified retention duration ends. This
helps you to manage the buckets cost-effectively. For more information,
see Using object immutability.
Lyve Cloud periodically saves audit logs for specified buckets. The maximum
size of a log file is 500 MB. If the file size reaches 500 MB, that log file
is saved, and the logs continue to be written in a new file. Log files are
saved to the target bucket as console audit log files, IAM audit logs, or S3
API logs.
Role-based access to permission
The following table describes access to enable and disable audit logs based on
your role.
Actions: Enable/disable S3 API audit logs, Enable/disable account audit logs, Edit audit log target bucket, View audit log settings
Admin
Storage Admin × × × ×
Auditor (Read only) × × ×
Video: Lyve Cloud – How to manage audit log settings in the Lyve Cloud console (Seagate on Vimeo)
S3 API audit logs
S3 API audit logs keep detailed records of activity in the Lyve Cloud console
as well as S3 API operations. To enable S3 API audit logs, you must select
buckets to be logged from the target buckets available in the account.
Example S3 API audit log
The following is an example of an S3 API audit log file.
{
  "serviceAccountCreatorId": "john.doe@email.com",
  "auditEntry": {
    "api": {
      "name": "PutObject",
      "bucket": "bucket-1",
      "object": "values-v2.yaml",
      "status": "OK",
      "statusCode": 200,
      "timeToResponse": "2246401314ns"
    },
    "time": "2021-01-22T10:49:30.699378337Z",
    "version": "1",
    "requestID": "165C883E70C2A5D0",
    "userAgent": "aws-sdk-java/1.12.25 Linux/4.15.0-135-generic OpenJDK_64-Bit_Server_VM/11.0.12+7 java/11.0.12 vendor/Oracle_Corporation cfg/retry-mode/legacy",
    "remotehost": "127.0.0.1",
    "deploymentid": "ef46b1cb-6be1-4aa2-9c14-e7ffbc11986b",
    "requestHeader": {
      "User-Agent": "aws-sdk-java/1.12.25 Linux/4.15.0-135-generic OpenJDK_64-Bit_Server_VM/11.0.12+7 java/11.0.12 vendor/Oracle_Corporation cfg/retry-mode/legacy",
      "X-Amz-Date": "20210122T104928Z",
      "Content-Type": "text/yaml",
      "Authorization": "AWS4-HMAC-SHA256 Credential=AHPEVYIPHVQ3XNOY/20210122/us-east-1/s3/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature="
    },
    "responseHeader": {
      "ETag": "219857b61eb0c3dc9a3916a0992fc803",
      "Vary": "Origin",
      "Server": "LyveCloud/DEVELOPMENT.2020-06-22T03-43-44Z",
      "Accept-Ranges": "bytes",
      "Content-Length": "0",
      "X-Amz-Request-Id": "165C883E70C2A5D0",
      "X-Xss-Protection": "1; mode=block",
      "Content-Security-Policy": "block-all-mixed-content",
      "X-Amz-Server-Side-Encryption": "AES256"
    }
  },
  "serviceAccountName": "serv-acc-01"
}
The following table describes the parameters specified in the S3 API audit log file.
Parameter name: Description
serviceAccountCreatorId: A user who created the service account.
name: Specifies the API name.
bucket: Specifies the bucket name.
object: Specifies the object name.
status: Specifies the HTTP status.
statusCode: Specifies the HTTP status code.
timeToResponse: Time for the entire request to complete.
time: The timestamp in UTC zone.
version: Represents the current version of Audit Log structure.
requestID: A unique request identifier.
userAgent: Specifies the User-Agent request header.
remotehost: Displays IP address of the client who sent the request.
deploymentid: A unique deployment identifier.
requestHeader: Specifies the request header content.
responseHeader: Specifies the response header content.
serviceAccountName: Displays the name of Service Account associated with buckets.
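The fields in this table are enough to answer who did what, when, and from where. The following Python code is an added example, not part of the Seagate manual or any Lyve Cloud tooling: it reduces a record to those fields, recovers the access key ID from the Authorization header, and counts failed requests per service account and client IP. The second sample record, the Signature placeholder, and all function names are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample records: the first is trimmed from the manual's example,
# the second (a denied request) is invented for illustration.
SAMPLE = [
    {"serviceAccountName": "serv-acc-01", "auditEntry": {
        "api": {"name": "PutObject", "bucket": "bucket-1", "object": "values-v2.yaml",
                "status": "OK", "statusCode": 200, "timeToResponse": "2246401314ns"},
        "time": "2021-01-22T10:49:30.699378337Z", "remotehost": "127.0.0.1",
        "requestHeader": {"Authorization": "AWS4-HMAC-SHA256 Credential=AHPEVYIPHVQ3XNOY/"
                          "20210122/us-east-1/s3/aws4_request, Signature=PLACEHOLDER"}}},
    {"serviceAccountName": "serv-acc-01", "auditEntry": {
        "api": {"name": "GetObject", "bucket": "bucket-1", "object": "values-v2.yaml",
                "status": "AccessDenied", "statusCode": 403, "timeToResponse": "1200000ns"},
        "time": "2021-01-22T10:50:02.5Z", "remotehost": "127.0.0.1",
        "requestHeader": {}}},
]

def parse_time(ts):
    """Parse the log's UTC timestamp; nanoseconds are trimmed to microseconds."""
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z", ts)
    if not m:
        raise ValueError(f"unexpected timestamp: {ts!r}")
    micro = int((m.group(2) or "0")[:6].ljust(6, "0"))
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return base.replace(microsecond=micro, tzinfo=timezone.utc)

def summarize(entry):
    """Reduce one record to who / what / when / from where."""
    audit, api = entry["auditEntry"], entry["auditEntry"]["api"]
    auth = audit.get("requestHeader", {}).get("Authorization", "")
    key = re.search(r"Credential=([^/,\s]+)/", auth)
    return {
        "when": parse_time(audit["time"]),
        "who": entry.get("serviceAccountName"),
        "access_key": key.group(1) if key else None,
        "source_ip": audit.get("remotehost"),
        "what": f'{api["name"]} {api["bucket"]}/{api.get("object", "")}',
        "status_code": api["statusCode"],
        "seconds": int(api["timeToResponse"][:-2]) / 1e9,  # value ends in "ns"
        "failed": api["statusCode"] >= 400,
    }

def failures_by_account(entries):
    """Count requests with status code >= 400 per (service account, client IP)."""
    rows = (summarize(e) for e in entries)
    return Counter((r["who"], r["source_ip"]) for r in rows if r["failed"])
```

Because each record carries the full Authorization header, the access key ID is readable by anyone who can read the target bucket, so read access to that bucket should be scoped accordingly.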
Enabling S3 API audit logs
To enable S3 API audit logs:
1. On the left-hand menu