Immutability for Object Storage Repositories

Veeam Backup & Replication allows you to prohibit deletion of data from the object storage repository by making that data temporarily immutable and to protect data against malware activity by maintaining several versions of a single backup.

The immutability feature can help in the following cases:

  • Data on the object storage is corrupted.
  • Retention policy is set to keep only one restore point.
  • Due to the hacker attack, the retention policy has been modified to a shorter period. For example, instead of keeping data for 5 days, the retention is set to keep it for only 1 day.

Immutability allows you to restore data from the object storage in these or other cases when necessary data is unavailable. To restore data, you need to run Veeam PowerShell. For more informtion, see Get-VBRObjectStorageRepositorySyncInterval and the Sync-VBRObjectStorageRepositoryEntityState cmdlets.

After you enable immutability, you will not be able to perform the following operations with the immutable data stored on object storage repositories:

  • Manual data removal, as described in section Deleting Backups from Object Storage.
  • Removal of data by the retention policy, as described in section Retention Policy.
  • Removal of data using any cloud service provider tools, for example an S3 browser.
  • Removal of data by the cloud service provider technical support department.
  • Removal of data by the Remove deleted items data after option, as described in section Maintenance Settings.

You can enable immutability for data stored in the following types of object storage repositories:

  • Amazon S3
  • S3-compatible
  • Microsoft Azure Storage
  • IBM Cloud Object Storage
  • Wasabi Cloud Object Storage

Considerations and Limitations

For more information, see Considerations and Limitations.

Enabling Immutability

To enable immutability, you must do the following:

  1. Configure the following settings when you create an S3 bucket or Azure container:
  • Amazon S3 Storage, S3 Compatible, IBM Cloud, Wasabi Cloud — You must enable the Object Lock and Versioning features on your S3 bucket when you create the bucket.


Note that most vendors allow enabling Object Lock only at the moment of creating the bucket.

For more information on enabling the Object Lock and Versioning features, see these Amazon articles: Creating a bucket, Using S3 Object Lock and Enabling versioning on buckets.

  • Azure Storage — You must enable support for version-level WORM on the container and enable blob versioning for your storage account when you create a storage account. For instruction on how to configure your Azure storage account with the necessary settings, see this Veeam KB article.

For more information on enabling version-level WORM for a container, see Microsoft Docs.

For more information on blob versioning for a storage account, see Microsoft Docs.


When you create the storage account, by default the version-level immutability support option is enabled. You must disable it, otherwise immutability will not be applied for your Azure object storage. For more information, see Microsoft Docs.

  1. Enable the immutability option when you add an object storage repository to the backup infrastructure at the Container step (for Azure object storage repository) or Bucket step (for Amazon S3 or S3 compatible object storage repositories) of the new Object Storage Repository wizard.

Related Topics

Considerations and Limitations

Block Generation


Page updated 2/28/2024

Page content applies to build