Secure access to Amazon Glacier files

Goal is to ensure that our database and image files that are stored on Amazon Glacier remain secure.

Is it possible to have Glacier set up so that multiple people can have access to our Amazon Services group (including Glacier), but once files have been uploaded, they become secure so that only those designated to access those files are able to do so?

Presently, we have developers that update our program files and then manually back up our database and image files to Amazon Glacier.  The issue is that if one of these developers decided to delete everything, all of our backups could also be eliminated.  The developers have full access to everything.  

The simplest solution seems to be a secure location within Glacier where files could be uploaded by anyone, but accessed by only a few.  Can this be accomplished?

If not, any alternative secure solutions are welcome.

Thanks
Asked by: zerogravity

btan (Exec Consultant) Commented:
Glacier supports API-level permissions through AWS Identity and Access Management (IAM) service integration. AWS IAM enforces ACLs such that each user is allowed to do only what they need to do as part of the user's job, e.g. permissions based on organizational groups:
@ http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_Introduction.html

You can restrict users' AWS access based on their job duties (for example, admin, developer, etc.) or departments. When users move inside the organization, you can easily update their AWS access to reflect the change in their role

Specifically, you can see this quick run-through to get some feel
@ http://www.newvem.com/how-to-set-access-control-iam-for-a-glacier-vault/
The various access control fields for IAM are available
@ http://docs.aws.amazon.com/amazonglacier/latest/dev/using-iam-with-amazon-glacier.html

------------------
More info
IAM Best Practices @ http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html

Lock away your AWS account access keys
Create individual IAM users
Use groups to assign permissions to IAM users
Grant least privilege
Configure a strong password policy for your users
Enable MFA for privileged users
Use roles for applications that run on Amazon EC2 instances
Delegate by using roles instead of by sharing credentials
Rotate credentials regularly
Use policy conditions for extra security

Getting started, check this out to create the admin group
@ http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMGettingStarted.html

Role based (with specific permissions granted) assignment based on job role by delegation and differentiating from admin and developer. Can also modify a role
@ http://docs.aws.amazon.com/IAM/latest/UserGuide/WorkingWithRoles.html
@ http://docs.aws.amazon.com/IAM/latest/UserGuide/modifying-role.html
zerogravity (Author) Commented:
B instead of A because the specific solution "select deleteArchive effect Deny" was not mentioned.  

I found that from a different source.
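
The Deny on deleteArchive mentioned in the comment above, written out as an IAM policy together with a simplified evaluator showing that an explicit Deny overrides the developers' full access. This is an added example, not part of the original thread and not AWS code; the account ID, vault name, and the choice to also deny DeleteVault and retrieval jobs are assumptions.

```python
import fnmatch
import json

# Constructed placeholder ARN: account ID and vault name are not from the thread.
VAULT_ARN = "arn:aws:glacier:us-east-1:111122223333:vaults/backups"

# Broad access the developers already have (the thread says "full access").
FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Added policy for the developers group (assumed design): explicit Deny on
# destructive and read-back Glacier actions for the backup vault only.
DENY_DELETE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ProtectBackups",
        "Effect": "Deny",
        "Action": ["glacier:DeleteArchive", "glacier:DeleteVault",
                   "glacier:InitiateJob", "glacier:GetJobOutput"],
        "Resource": VAULT_ARN,
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource):
    # IAM action names are case-insensitive; "*" and "?" act as wildcards.
    act = any(fnmatch.fnmatchcase(action.lower(), a.lower())
              for a in _as_list(stmt["Action"]))
    res = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
    return act and res


def is_allowed(policies, action, resource):
    """Simplified IAM model: explicit Deny wins, else any Allow, else deny."""
    stmts = [s for p in policies for s in p["Statement"]]
    if any(s["Effect"] == "Deny" and _matches(s, action, resource) for s in stmts):
        return False
    return any(s["Effect"] == "Allow" and _matches(s, action, resource) for s in stmts)


if __name__ == "__main__":
    print(json.dumps(DENY_DELETE, indent=2))  # policy document to attach
    for act in ("glacier:UploadArchive", "glacier:DeleteArchive"):
        print(act, is_allowed([FULL_ACCESS, DENY_DELETE], act, VAULT_ARN))
```

Developers who can still edit IAM policies can detach this Deny, so policy administration has to sit with the designated few as well.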