So we had an issue come up that we were working on in regard to immutable backups. We have it all configured per the docs.
However, when I looked at the actual blob objects, the immutable policy is there, but it's configured in "unlocked" mode. This provides basically zero protection, because the exact same access used by Veeam to set the immutability policy can be used to remove it and delete it with just an extra API call.
To test this, I set up a test repo and backed up a small test VM with 45-day immutability. The VM backup shows in the storage account and the blob has a version-level policy enabled with a retention date.
ETag: 0x8DC0D6B8DBF69A1
Version-level immutability policy: Enabled
Retention period: 3/29/2026, 7:26:13 PM
I then take the same account key that Veeam uses (that only has blob write permissions), and use PowerShell Invoke-RestMethod to remove the retention policy and delete the blob. It worked. There isn't even a 24-hour grace period or anything; I could delete it immediately.
Is there an option to tell Veeam to do locked LOCKED immutability, being aware of the massive risks here if you screw up your policy and make a 10 year backup by accident that not even MS support will help you delete?
If not, then what's the point of this immutability? It doesn't protect you at all except against maybe an automated script that doesn't know about the extra step of removing the immutability policy.
Someone help me if I'm missing something here. Thanks.
-
jgrote
- Influencer
- Posts: 16
- Liked: 4 times
- Joined: Jul 13, 2010 12:14 am
- Full Name: Justin Grote
-
nielsengelen
- Product Manager
- Posts: 6261
- Liked: 1312 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
Re: Is Azure Storage Blob Immutable Backups Snake Oil?
Hi Justin,
Can you clarify which product you are talking about? Is this for VBR or the VB for Azure appliance?
GitHub: https://github.com/nielsengelen
-
jgrote
Re: Is Azure Storage Blob Immutable Backups Snake Oil?
VBR with an Azure storage repository (either in a SOBR capacity tier or standalone)
I investigated adjusting the scopes I give to the agent, and you can remove the "delete" rights, but the write rights would still enable you to simply modify the immutable versioned policy to expire 1 second later and then delete the blob, so I don't know how this offers immutability at all.
-
jgrote
Re: Is Azure Storage Blob Immutable Backups Snake Oil?
No one chiming in saying I'm totally wrong and I'm missing something is not engendering me with confidence...
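
The policy mode the first post describes is visible in the headers of a Get Blob Properties (HEAD) response, so a repository can be audited for it. The following is an added PowerShell example, not part of any post in this thread; the function name is hypothetical and the blob names and header values are constructed samples.

```powershell
# Added example (not from the thread): classify a blob version's immutability
# from the headers of a Get Blob Properties (HEAD) response.
function Get-BlobImmutabilityState {
    param(
        [Parameter(Mandatory)] [string] $BlobName,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Headers,
        [datetime] $NowUtc = [datetime]::UtcNow
    )
    # Header values can be a string or a string array depending on the
    # PowerShell version, so take the first element either way.
    $mode  = @($Headers['x-ms-immutability-policy-mode'])[0]
    $until = @($Headers['x-ms-immutability-policy-until-date'])[0]
    $expires = $null
    if ($until) {
        $expires = [datetime]::Parse($until, [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::AdjustToUniversal)
    }
    if (-not $mode -or -not $expires) { $state = 'NoPolicy' }
    elseif ($expires -le $NowUtc)     { $state = 'Expired' }
    elseif ($mode -ieq 'locked')      { $state = 'Locked' }
    else                              { $state = 'Unlocked' }

    [pscustomobject]@{
        Blob      = $BlobName
        Mode      = $mode
        ExpiresOn = $expires
        State     = $state
        # An unlocked policy can be shortened or deleted by any caller that is
        # allowed to set it, so only a locked, unexpired policy counts here.
        Protected = ($state -eq 'Locked')
    }
}

# Constructed sample headers; in practice collect them per blob version from
# a HEAD request against the blob URL.
$now = [datetime]::new(2026, 2, 12, 0, 0, 0, [System.DateTimeKind]::Utc)
$samples = [ordered]@{
    'sample-unlocked.vbk' = @{ 'x-ms-immutability-policy-mode' = 'unlocked'
                               'x-ms-immutability-policy-until-date' = 'Sun, 29 Mar 2026 19:26:13 GMT' }
    'sample-locked.vbk'   = @{ 'x-ms-immutability-policy-mode' = 'locked'
                               'x-ms-immutability-policy-until-date' = 'Wed, 01 Apr 2026 00:00:00 GMT' }
    'sample-expired.vbk'  = @{ 'x-ms-immutability-policy-mode' = 'locked'
                               'x-ms-immutability-policy-until-date' = 'Thu, 01 Jan 2026 00:00:00 GMT' }
    'sample-nopolicy.vbk' = @{ 'ETag' = '"0x0"' }
}
$report = foreach ($name in $samples.Keys) {
    Get-BlobImmutabilityState -BlobName $name -Headers $samples[$name] -NowUtc $now
}
$report | Format-Table -AutoSize
```

Filtering the report with `Where-Object { -not $_.Protected }` lists the blobs whose retention does not hold against a caller using the repository's own credentials.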