Agentless, cloud-native backup for Microsoft Azure
jgrote
Full Name: Justin Grote

Is Azure Storage Blob Immutable Backups Snake Oil?

Post by jgrote »

So we had an issue come up that we were working on in regard to immutable backups. We have it all configured per the docs.

However, when I looked at the actual blob objects, the immutable policy is there, but it's configured in "unlocked" mode. This provides basically zero protection, because the exact same access used by Veeam to set the immutability policy can be used to remove it and delete it with just an extra API call.

To test this, I set up a test repo and backed up a small test VM with 45-day immutability. The VM backup shows in the storage account and the blob has a version-level policy enabled with a retention date.

ETag: 0x8DC0D6B8DBF69A1
Version-level immutability policy: Enabled
Retention period: 3/29/2026, 7:26:13 PM

I then take the same account key that Veeam uses (that only has blob write permissions), and use PowerShell Invoke-RestMethod to remove the retention policy and delete the blob. It worked; there isn't even a 24-hour grace period or anything, and I could delete it immediately.

Is there an option to tell Veeam to do LOCKED immutability, being aware of the massive risks here if you screw up your policy and make a 10 year backup by accident that not even MS support will help you delete?

If not, then what's the point of this immutability? It doesn't protect you at all except against maybe an automated script that doesn't know about the extra step of removing the immutability policy.

Someone help me if I'm missing something here. Thanks.
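
Added example (not part of the original post, and not Veeam or Microsoft code): a Python audit that classifies blobs by the immutability headers Azure returns from Get Blob Properties and flags every blob whose policy is not both locked and unexpired. The sample headers and blob names are constructed, and fetching the headers from the storage account is left out so the check runs offline.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Get Blob Properties response headers (service version 2020-06-12 and later).
H_UNTIL = "x-ms-immutability-policy-until-date"
H_MODE = "x-ms-immutability-policy-mode"
H_HOLD = "x-ms-legal-hold"


def classify(headers, now):
    """Return (state, removable) for one blob version.

    removable=True: a caller with enough access on the account can still
    shorten or clear the protection, so it is not tamper-proof.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    hold = h.get(H_HOLD, "false").lower() == "true"
    until, mode = h.get(H_UNTIL), h.get(H_MODE, "").lower()
    if not until or not mode:
        return ("legal-hold-only" if hold else "unprotected", True)
    if parsedate_to_datetime(until) <= now:
        return ("expired", True)
    # Only a locked, unexpired policy resists removal; treat any other
    # mode value as unlocked.
    return ("locked", False) if mode == "locked" else ("unlocked", True)


def audit(inventory, now):
    """Return sorted (blob, state) pairs whose retention can still be removed."""
    findings = []
    for name, headers in inventory.items():
        state, removable = classify(headers, now)
        if removable:
            findings.append((name, state))
    return sorted(findings)


# Constructed sample headers; blob names are hypothetical.
UNTIL = "Sun, 29 Mar 2026 19:26:13 GMT"
SAMPLE = {
    "testrepo/blob-unlocked": {H_UNTIL: UNTIL, H_MODE: "unlocked"},
    "testrepo/blob-locked": {"X-MS-Immutability-Policy-Until-Date": UNTIL,
                             "X-MS-Immutability-Policy-Mode": "Locked"},
    "testrepo/blob-expired": {H_UNTIL: "Thu, 01 Jan 2026 00:00:00 GMT", H_MODE: "locked"},
    "testrepo/blob-none": {},
}

if __name__ == "__main__":
    for blob, state in audit(SAMPLE, datetime.now(timezone.utc)):
        print(f"{blob}: {state}")
```

Run against a real repository, any blob reported as `unlocked` has retention that the writing credential can still shorten or delete; only `locked` entries are absent from the findings.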