Limitations and Considerations

When adding a backup repository to Veeam Backup for AWS, keep in mind the following limitations and considerations.

Before you add a backup repository, check the following prerequisites:

An Amazon S3 bucket must be created in AWS beforehand as described in AWS Documentation.
If you have any S3 Lifecycle configuration associated with the selected Amazon S3 bucket, it is recommended that you limit the scope of lifecycle rules applied to Amazon S3 objects in the bucket so that no rules are applied to backup files created by Veeam Backup for AWS. Otherwise, the files may be unexpectedly deleted or transitioned to another storage class, and Veeam Backup for AWS may not be able to access the files. For more information on managing S3 Lifecycle configurations, see AWS Documentation.

Important

To maintain the security of your data, you should never use a public S3 bucket as a repository for Veeam Backup for AWS. For more information on creating buckets, see AWS Documentation.

Repository Folder

If you plan to select an existing folder for storing backup files, consider the following:

The folder must not be specified as a backup repository on multiple backup appliances simultaneously. Retention sessions running on different backup appliances may corrupt backup files stored in the folder, which may result in unpredictable data loss.
If the backup repository is already managed by any backup appliance, you must import the repository to the current appliance at step 3 of the wizard to take ownership of this repository. Consider that as soon as you import the repository to the current appliance, the backup policies configured on the previous appliance will start failing.
The created backup repository will have the storage class that has been specified when creating the folder. You cannot change the storage class for the repository.
If encryption at the repository level is enabled for the selected folder, it will be required to provide a password or an encryption key for this folder at step 4 of the wizard.
If the selected folder already contains backups created by the Veeam backup service, Veeam Backup for AWS will import the backed-up data to the configuration database. You can then use this data to perform all disaster recovery operations described in section Performing Restore.

By default, Veeam Backup for AWS applies retention settings saved in the backup metadata to the imported backups. However, if the selected folder contains backups of resources that you plan to protect by a backup policy with the created repository specified as a backup target, Veeam Backup for AWS will rewrite the saved retention settings and will apply to the imported backups new retention settings configured for that backup policy.

Immutability

If you plan to add a repository with immutability enabled, keep in mind the following limitations:

S3 Object Lock and S3 Versioning must be enabled for an Amazon S3 bucket in which the repository will be located. The default retention period must not be configured in the Object Lock settings. For more information on the S3 Versioning and S3 Object Lock features, see AWS Documentation.
Amazon S3 buckets with only S3 Object Lock enabled is not supported. It is recommended that S3 Object Lock and S3 Versioning are either both enabled or both disabled for a bucket.

You cannot change immutability settings for the repository since these settings are based on the immutability settings of the selected Amazon S3 bucket, which are configured in the AWS Management Console upon bucket creation and cannot be modified afterward. For more information, see AWS Documentation.

An IAM role that you plan to specify to create the repository and further to access the repository when performing data protection and recovery tasks must be assigned permissions to collect immutability settings of Amazon S3 buckets and to create immutable backups. For more information on the required permissions, see Repository IAM Role Permissions.

You cannot store indexes of EFS file systems and backups of the appliance configuration database in the repository with immutability enabled.
You cannot remove immutable data manually using the Veeam Backup for AWS Web UI, as described in sections Removing EC2 Backups and Snapshots, Removing RDS Backups and Snapshots and Removing VPC Configuration Backups.
You can neither remove immutable data from AWS using any cloud service provider tools nor request the technical support department to do it for you. Since Veeam Backup for AWS uses S3 Object Lock in the compliance mode, none of the protected objects can be overwritten or deleted by any user, including the root user in your AWS account. For more information on S3 Object Lock retention modes, see AWS Documentation.

Encryption

If you plan to enable encryption for a backup repository, consider the following:

After you create a repository with encryption enabled, you will not be able to disable encryption for this repository. However, you will still be able to change the encryption settings as described in section Editing Backup Repository Settings.
If you enable encryption for a repository where EC2 image-level backups are stored when editing the repository, this will affect the creation of an existing backup chain — the next sequence of backups will be a full backup instead of an incremental backup. After creating the full backup, Veeam Backup for AWS will continue to copy only those data blocks that have changed since the previous backup session.
If you choose to encrypt data using an AWS KMS key, keep in mind that:

AWS managed keys cannot be used to encrypt data stored in repositories due to AWS limitations.
Only symmetric KMS keys are supported.
Do not disable KMS keys specified in the repository settings. Otherwise, Veeam Backup for AWS will not be able to encrypt data, and backup policies that store backups in these repositories will fail to complete successfully.
Do not delete KMS keys specified in the repository settings. Otherwise, Veeam Backup for AWS will not be able to decrypt data stored in these repositories.

If a KMS key is scheduled for deletion, it will acquire the Pending deletion state. In this case, Veeam Backup for AWS will raise the warning notifying that you must either change the encryption settings for the backup repository in Veeam Backup for AWS or cancel the key deletion during the following 7 days.

For more information on managing AWS KMS keys, see AWS Documentation.