Step 1 does not currently apply to VBR, although periodic key rotation is a best practice.
Step 2 works in conjunction with Veeam’s immutability feature (checkbox on the repository). Do not enable S3 Lifecycle Policies on Veeam repositories.
Step 3, monitoring resources, is a best practice for Veeam environments.
Implement step 4 by modifying IAM to block encryption on buckets used for Veeam backup repositories. The example resource policy is reproduced here.
Code: Select all
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RestrictSSECObjectUploads",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::<your-bucket-name>/*",
"Condition": {
"Null": {
"s3:x-amz-server-side-encryption-customer-algorithm": "false"
}
}
}
]
}
William Quigley - AWS