Limitations and Considerations

When adding a backup repository to Veeam Backup for AWS, keep in mind the following limitations and considerations.

Amazon S3 Bucket

Before you add a backup repository, check the following prerequisites:

  • An Amazon S3 bucket must be created in AWS beforehand as described in AWS Documentation.
  • If you have any S3 Lifecycle configuration associated with the selected Amazon S3 bucket, it is recommended that you limit the scope of lifecycle rules applied to Amazon S3 objects in the bucket so that no rules are applied to backup files created by Veeam Backup for AWS. Otherwise, the files may be unexpectedly deleted or transitioned to another storage class, and Veeam Backup for AWS may not be able to access the files. For more information on managing S3 Lifecycle configurations, see AWS Documentation.


To maintain the security of your data, you should never use a public S3 bucket as a repository for Veeam Backup for AWS. For more information on creating buckets, see AWS Documentation.

Repository Folder

If you plan to select an existing folder for storing backup files, consider the following:

By default, Veeam Backup for AWS applies retention settings saved in the backup metadata to the imported backups. However, if the selected folder contains backups of resources that you plan to protect by a backup policy with the created repository specified as a backup target, Veeam Backup for AWS will rewrite the saved retention settings and will apply to the imported backups new retention settings configured for that backup policy.


If you plan to add a repository with immutability enabled, keep in mind the following limitations:

  • You cannot change immutability settings for the repository since these settings are based on the immutability settings of the selected Amazon S3 bucket, which are configured in the AWS Management Console upon bucket creation and cannot be modified afterward. For more information, see AWS Documentation.
  • An IAM role that you plan to specify to create the repository and further to access the repository when performing data protection and recovery tasks must be assigned permissions to collect immutability settings of Amazon S3 buckets and to create immutable backups. For more information on the required permissions, see Repository IAM Role Permissions.
  • You cannot store indexes of EFS file systems and backups of the appliance configuration database in the repository with immutability enabled.
  • You cannot remove immutable data manually using the Veeam Backup for AWS Web UI, as described in sections Removing EC2 Backups and Snapshots, Removing RDS Backups and Snapshots and Removing VPC Configuration Backups.
  • You can neither remove immutable data from AWS using any cloud service provider tools nor request the technical support department to do it for you. Since Veeam Backup for AWS uses S3 Object Lock in the compliance mode, none of the protected objects can be overwritten or deleted by any user, including the root user in your AWS account. For more information on S3 Object Lock retention modes, see AWS Documentation.


If you plan to enable encryption for a backup repository, consider the following:

  • AWS managed keys cannot be used to encrypt data stored in repositories due to AWS limitations.
  • Only symmetric KMS keys are supported.
  • Do not disable KMS keys specified in the repository settings. Otherwise, Veeam Backup for AWS will not be able to encrypt data, and backup policies that store backups in these repositories will fail to complete successfully.
  • Do not delete KMS keys specified in the repository settings. Otherwise, Veeam Backup for AWS will not be able to decrypt data stored in these repositories.

If a KMS key is scheduled for deletion, it will acquire the Pending deletion state. In this case, Veeam Backup for AWS will raise the warning notifying that you must either change the encryption settings for the backup repository in Veeam Backup for AWS or cancel the key deletion during the following 7 days.

For more information on managing AWS KMS keys, see AWS Documentation.