Cloud storage bucket requirements
Before enabling Database Backup Shipping or HTTP request Log Shipping, a cloud storage bucket (e.g. Amazon Web Services (AWS) S3 buckets, Google Cloud Storage buckets, Azure Blob Storage) must be created and correctly configured to receive the shipped files.
- The name of the bucket must be globally unique. To ensure a unique bucket name, include the organization’s name, the application’s name, and the name of the enabled feature. For example, an organization named “Acme, Inc.” would name their S3 bucket for Database Backup Shipping: acme-inc-db-shipping. Failure to create a globally unique name creates a risk for files to be shipped to a bucket other than the one intended.
- The bucket name can only include lowercase letters (a-z), numbers (0-9) and hyphens (-).
- File shipping will fail if the name of the bucket includes a period (.).
Encryption
- Files are encrypted in-transit using TLS between VIP and the cloud storage bucket.
- For an AWS S3 bucket, encryption can be configured to ensure that files are encrypted at-rest.
- An AWS S3 bucket must not use KMS encryption; SSE-S3 is the preferred encryption option.
- The name of the bucket must be globally unique. To ensure a unique bucket name, include the organization’s name, the application’s name, and the name of the enabled feature. For example, an organization named “Acme, Inc.” would name their S3 bucket for Database Backup Shipping: acme-inc-db-shipping. Failure to create a globally unique name creates a risk for files to be shipped to a bucket other than the one intended.
- The bucket name can only include lowercase letters (a-z), numbers (0-9) and hyphens (-).
- File shipping will fail if the name of the bucket includes a period (.).
Encryption
- Files are encrypted in-transit using TLS between VIP and the cloud storage bucket.
- For a Google Cloud bucket, Cloud Storage encrypts customer content at rest by default. Customers can optionally utilize the default key option for customer-managed encryption keys (CMEKs).
- Azure Storage Account names must be globally unique, 3 to 24 characters long, and use only lowercase letters (a-z) and numbers (0-9).
- The name of an Azure Blob Storage container does not need to be globally unique. The name must be 3 to 63 characters long, begin with a lowercase letter or number, and only include lowercase letters (a-z), numbers (0-9) and hyphens (-).
- File shipping will fail if the name of the bucket includes a period (.).
Encryption
- Files are encrypted in-transit using TLS between VIP and the cloud storage bucket.
- Azure blob containers can be encrypted with Microsoft-Managed Keys, Customer-Managed Keys (CMK), or Infrastructure Encryption.
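
A pre-flight check for the naming rules and the S3 "no KMS" rule above, as an added example rather than VIP's own tooling. The `kind` labels and function names are hypothetical, and the sample dictionaries are constructed in the shape of an S3 GetBucketEncryption response.

```python
import re

# Naming rules exactly as stated on this page, keyed by a hypothetical "kind" label.
NAME_RULES = {
    # S3 / Google Cloud Storage bucket: lowercase letters, digits, hyphens only.
    "bucket": re.compile(r"[a-z0-9-]+"),
    # Azure Storage Account: 3-24 characters, lowercase letters and digits only.
    "azure_account": re.compile(r"[a-z0-9]{3,24}"),
    # Azure Blob container: 3-63 characters, begins with a letter or digit.
    "azure_container": re.compile(r"[a-z0-9][a-z0-9-]{2,62}"),
}


def name_problems(kind, name):
    """Return the reasons a name breaks this page's rules (empty list if OK)."""
    problems = []
    if "." in name:
        problems.append("contains a period: file shipping will fail")
    if not NAME_RULES[kind].fullmatch(name):
        problems.append(f"does not match the {kind} naming rule")
    return problems


def s3_kms_algorithms(response):
    """Return any KMS-based default encryption algorithms in the response."""
    rules = response.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
             for r in rules]
    # "AES256" is SSE-S3; values starting with "aws:kms" are KMS-backed.
    return [a for a in algos if a and a.startswith("aws:kms")]


# Constructed sample responses (not captured from a real bucket).
SSE_S3 = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
SSE_KMS = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}

if __name__ == "__main__":
    for kind, name in [("bucket", "acme-inc-db-shipping"),
                       ("bucket", "acme.inc.logs"),
                       ("azure_account", "acme-inc"),
                       ("azure_container", "-logs")]:
        print(f"{kind:16} {name:22} {name_problems(kind, name) or 'OK'}")
    for label, resp in [("SSE-S3", SSE_S3), ("SSE-KMS", SSE_KMS)]:
        print(f"{label:16} KMS in use: {s3_kms_algorithms(resp) or 'none'}")
```
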
Last updated: October 27, 2025