An S3 repository is a folder in an Amazon S3 bucket where Veeam Backup for AWS stores image-level backups of EC2 instances.
To communicate with an S3 repository, Veeam Backup for AWS uses the Veeam Data Mover — the component on a worker instance that is responsible for data processing and transfer. When a backup policy addresses the S3 repository, the Veeam Data Mover establishes a connection with the S3 repository enabling data transfer.
To let the Veeam Data Mover access the target Amazon S3 bucket, Veeam Backup for AWS uses permissions of an IAM role specified in S3 repository settings.
For enhanced data security, Veeam Backup for AWS allows you to enable encryption at the S3 repository level. Veeam Backup for AWS encrypts backup files stored in S3 repositories in the same way as Veeam Backup & Replication encrypts backup files stored in backup repositories. For details on algorithms that are used to encrypt backup files, see the Encryption Standards section in the Veeam Backup & Replication User Guide.
For information on how to enable encryption at the S3 repository level, see Step 5. Specify Data Encryption Settings.
Veeam Backup for AWS also supports scenarios of data backup to S3 buckets with enabled Amazon S3 default encryption. You can add an S3 bucket of this kind to the backup infrastructure as an S3 repository and use it as a target for image-level backups. For information on Amazon S3 default encryption, see AWS Documentation.
Veeam Backup for AWS allows you to store backups only in the S3 Standard storage class. S3 Standard-IA, S3 One Zone-IA and S3 Glacier storage classes are not supported.