Immutability for Object Storage Repositories

Veeam Backup & Replication allows you to prohibit deletion of data from the object storage repository by making that data temporarily immutable. It is done for increased security: immutability protects your data against loss as a result of attacks, malware activity or any other injurious actions.

You can enable immutability for data stored in the following types of object storage repositories:

Amazon S3
S3-compatible
Microsoft Azure Storage
IBM Cloud Object Storage
Wasabi Cloud Object Storage

After you enable immutability, Veeam Backup & Replication will prohibit data deletion from object storage repositories until the immutability expiration date comes.

You will not be able to perform the following operations with the immutable data stored on object storage repositories:

Manual removal of data, as described in section Deleting Backups from Object Storage.
Removal of data by the retention policy, as described in section Retention Policy.
Removal of data using any cloud service provider tools.
Removal of data by the cloud service provider technical support department.
Removal of data by the Remove deleted items data after option, as described in section Maintenance Settings.

Important

Consider the following:

If retention policy for backups with GFS flags, backups created with VeeamZIP jobs and exported backup files exceeds immutability settings, Veeam Backup & Replication applies retention that is defined for these types of backups. Immutability settings defined for an object storage repository are ignored.
If you add an object storage repository as an extent of the performance tier, immutability depends on the scale-out backups repository configuration. For more information, see Immutability for Performance Tier.

Considerations and Limitations

For more information, see Considerations and Limitations.

Enabling Immutability

To enable immutability, you must do the following:

Configure the following settings when you create an S3 bucket or Azure container:

Amazon S3 Storage, S3 Compatible, IBM Cloud, Wasabi Cloud — You must enable the Object Lock and Versioning features on your S3 bucket when you create the bucket.

Important

Note that most vendors allow enabling Object Lock only at the moment of creating the bucket.

For more information on enabling the Object Lock and Versioning features, see these Amazon articles: Creating a bucket, Using S3 Object Lock and Enabling versioning on buckets.

Azure Storage — You must enable support for version-level WORM on the container and enable blob versioning for your storage account when you create a storage account.

For more information on enabling version-level WORM for a container, see Microsoft Docs.

For more information on blob versioning for a storage account, see Microsoft Docs.

Important

When you create the storage account, by default the version-level immutability support option is enabled. You must disable it, otherwise immutability will not be applied for your Azure object storage. For more information, see Microsoft Docs.

Enable the immutability option when you add an object storage repository to the backup infrastructure at the Container step (for Azure object storage repository) or Bucket step (for Amazon S3 or S3 compatible object storage repositories) of the new Object Storage Repository wizard.