Before getting started

• Make sure you’ve spoken to your Account Manager about enabling BYOS for your organization.
• BYOS currently only supports Amazon AWS S3. Support for other cloud providers is coming soon—speak to your Account Manager for more details.
• You must be an Organization Owner or Organization Administrator in Rewind to set up BYOS. Learn more about roles and permissions →

{
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:GenerateDataKey*"
  ],
  "Resource": [
    "arn:aws:kms:us-east-2:111111111111:key/some-key-arn"
  ],
  "Effect": "Allow"
}

How to set up Bring Your Own Storage (BYOS) in Rewind

To enable BYOS in Rewind for the first time, you’ll follow a two-step process:

• Create an S3 bucket in your own AWS account to store Rewind backup data.
• Link your Rewind account(s) to the S3 bucket using the BYOS setup flow in Rewind.

Step 1: Create an S3 Bucket on Amazon AWS

Before using BYOS, you’ll need to create an S3 bucket to store your backup data:

• Follow these instructions to create a bucket in AWS.
• Ensure the bucket is created in the same AWS region where your Rewind backups will run (cross-region storage is not supported). The supported regions are:
  • us-east-2
  • ca-central-1
  • eu-central-1
  • ap-southeast-2
  • eu-west-2
• Confirm that versioning is enabled on the bucket and that it is configured as follows::
  • Non-current versions persist for at least 365 days
  • Current versions persist indefinitely
  • Object storage class supports instant retrieval

Step 2: Set up BYOS in Rewind

You'll link each account individually to your AWS S3 bucket by following these steps:

1. In Rewind, go to the Integrations list and select the account you'd like to link.
2. Choose Use your own storage, then click Continue.
   
3. After setting up your S3 bucket, check the box: “I have completed the prerequisites and am ready to proceed with the set up.” Then click Next.
   
4. Select the AWS region where your S3 bucket was created. This must match the bucket’s region.
5. Enter your S3 Bucket ARN.
6. Enter a desired Prefix, and review the preview before clicking Next.

7. Click Generate IAM role to open the AWS Console and create the required IAM role. This role allows Rewind to interact with your S3 bucket. The generated role must include, at minimum, the following permissions:

   • s3:GetObject
   • s3:GetObjectVersion
   • s3:PutObject
   • s3:PutObjectAcl
   • s3:ListBucket
   • s3:AbortMultipartUpload
   • s3:GetLifecycleConfiguration
      

   The following permissions are optional and used only to clean up temporary test files created during Rewind's connection checks. Rewind will never attempt to delete any actual backup data.:

   • s3:DeleteObject
   • s3:DeleteObjectVersion
      
8. Copy and paste the generated IAM Role ARN into the field in Rewind, then click Next.
9. Rewind will validate the permissions and confirm the connection is successful.
10. Click Go to Vault to return to the Home page.

What happens next?

• Rewind will run a check every night and before each backup to ensure your bucket is still accessible.
• If access is lost, backups will stop, and you’ll receive an email notification. You will not be able to interact with your data in Rewind until the issue is resolved.
• Make sure the IAM Role remains active and that Rewind retains the correct permissions at all times.
• To learn more about BYOS, including supported data types, see Bring Your Own Storage (BYOS): Feature Overview.

Need More Help?

If you have questions or need assistance, contact help@rewind.com, or  submit a request. We’re here to help!