Veeam Backup & Replication allows you to prohibit deletion of data from the capacity extent of the capacity tier by making that data temporarily immutable. It is done for increased security: immutability protects your data from loss as a result of attacks, malware activity or any other injurious actions.
To make the data immutable, Veeam Backup & Replication uses the Object Lock technology provided by Amazon and some S3-Compatible providers. Once imposed, the object lock prohibits deletion of data from the capacity extent until the immutability expiration date comes.
You can enable the immutability feature when adding (or editing) an Amazon S3 or S3 Compatible object storage repository as a capacity extent, at the Bucket step of the Adding Amazon S3 Object Storage or Adding S3 Compatible Object Storage wizards. The immutability expiration date is specified at the same point.
The immutable data within the capacity extent cannot be subject to the following operations:
- Manual removal of data, as described in Removing Backups from Capacity Tier.
- Removal of data by the retention policy, as described in Retention Policy.
- Removal of data using any cloud service provider tools.
- Removal of data by the cloud service provider technical support department.
- Removal of data by the Remove deleted items data after option, as described in Maintenance Settings.
Preparing to Use Immutability
In order to use immutability, you need to enable the Object Lock and Versioning features on your S3 bucket at the time you create the bucket. Keep in mind that you can enable Object Lock only at the time of creating the bucket.
For more information on enabling the Object Lock and Versioning features, see these Amazon articles: How do I create an S3 Bucket? and How do I enable or suspend versioning for an S3 bucket?.
For considerations and limitations on immutability, see Considerations and Limitations.