Security Considerations

General Recommendations

Make sure that you have granted the permissions required for Veeam Backup for Microsoft 365 in the AWS environment. For more information, see Permissions.

Managing Access to Veeam Backup for Microsoft 365

Veeam Backup for Microsoft 365 relies on Windows for authentication and authorization of access to the Veeam Backup for Microsoft 365 server and console.

You can manage and change access credentials through local user management on the Windows Server or through Microsoft Active Directory Services (AD).

For more information on how to access Veeam Backup for Microsoft 365, see the Launching Veeam Backup for Microsoft 365 section of the Veeam Backup for Microsoft 365 User Guide.

Securing EBS and S3 Environment

We recommend encrypting your EBS volumes. For more information, see Amazon EBS Encryption in the AWS Documentation.

S3 buckets are encrypted by default. For more information on S3 encryption, see Protecting Data Using Encryption in the AWS Documentation.

KMS and Key Rotation

Veeam Backup for Microsoft 365 does not use Amazon KMS or programmatic key rotation. For more information on encryption and secrets management, see the Data Encryption section of the Veeam Backup for Microsoft 365 User Guide.

Veeam Backup for Microsoft 365 Database

One of the security concerns you must consider is protecting the Veeam Backup for Microsoft 365 configuration database. The database stores cloud credentials required to work with object storage and encryption passwords to encrypt data in object storage. For more information, see the Credentials section of the Veeam Backup for Microsoft 365 User Guide.

Both cloud credentials and encryption passwords stored in the database are encrypted. However, a user with administrator privileges on the Veeam Backup for Microsoft 365 server can decrypt the passwords, which presents a potential threat.

To secure the Veeam Backup for Microsoft 365 configuration database, make sure that user access to the database is restricted. Check that only authorized users can access the Veeam Backup for Microsoft 365 server and the server that hosts the Veeam Backup for Microsoft 365 configuration database (if the database runs on a remote server).
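
One way to run this check on the Windows side, as an added example that is not part of the Veeam documentation: the script lists members of the local Administrators group that are not on an approved list, since administrators on the server are the users who can decrypt the stored passwords. The account names in $Approved and the helper Get-UnapprovedAdmin are hypothetical; replace the names with your own.

```powershell
# Added example: report local administrators that are not on an approved list.
# The names in $Approved are constructed placeholders.
$Approved = @(
    'VB365-SRV\Administrator',   # constructed: built-in local account
    'EXAMPLE\VB365-Admins'       # constructed: AD group for backup admins
)

# Hypothetical helper: returns one record per member missing from the allowlist.
function Get-UnapprovedAdmin {
    param([object[]] $Members, [string[]] $Allowlist)
    foreach ($m in $Members) {
        # -contains compares strings case-insensitively
        if ($Allowlist -contains $m.Name) { continue }
        $note = ''
        if ($m.ObjectClass -eq 'Group') {
            $note = 'Group: its members inherit admin rights; review them too'
        }
        [pscustomobject]@{
            Name        = $m.Name
            ObjectClass = $m.ObjectClass
            Source      = $m.PrincipalSource
            Note        = $note
        }
    }
}

try {
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators,
    # so the lookup also works on localized Windows installations.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
} catch {
    Write-Error "Could not enumerate local administrators: $_"
    exit 2
}

$findings = @(Get-UnapprovedAdmin -Members $members -Allowlist $Approved)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    exit 1    # non-zero so a scheduled task or monitor can alert
}
Write-Output 'Local Administrators matches the approved list.'
```

Run it on the Veeam Backup for Microsoft 365 server and, if the configuration database runs on a remote server, on that host as well.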

Data Encryption

To secure data, Veeam Backup for Microsoft 365 uses the following mechanisms:

  • For data encryption, Veeam Backup for Microsoft 365 uses the 256-bit Advanced Encryption Standard (AES). For more information about AES, see Advanced Encryption Standard (AES).
  • Veeam Backup for Microsoft 365 encrypts stored credentials using the Data Protection API (DPAPI) mechanisms. For more information, see this Microsoft article.

For more information, see the Data Encryption section of the Veeam Backup for Microsoft 365 User Guide.