Currently, Veeam by default uses the more stringent compliance mode of Object Lock when writing data to an S3 repository.
For those who are not that deep into the modes:
Compliance mode is more stringent in the way that also the S3 storage system admin cannot delete data. (Without wiping disk or physical destruction, of course.)
Governance mode is a bit more relaxed in the way that while data deletion is not possible via the S3 frontend until the lock has expired, it is for example possible for the S3 admin to delete entire buckets, even though some buckets might still contain locked objects.
While compliance mode is usually preferred for security reasons in most applications where the S3 storage system is operated by the same entity as the backup server, for us as a service provider, providing S3-aaS to our customers, this is becoming a huge problem once a customer cancels his contract or stops paying, while still having stored a large amount of data which is locked.
This might get us into a situation where we have to store data which is not getting paid for.
As the security tradeoff isn't that bad in this SP situation, as the storage system is managed by a completely different company than the backup server, it would be a valid option to switch to governance mode.
However, Veeam only gives us the option to do this globally for ALL S3 repos via a registry key: https://community.veeam.com/blogs-and-p ... art-7-6757
This is obviously not an option for many customers who are utilizing both self-hosted S3 as well as S3-aaS at the same time (usually self-hosted as primary and aaS as offsite backup storage).
Therefore, I would really appreciate it if Veeam would give us this option on a more granular level, for example on a per-repository level during repo creation.
np-mast
- Service Provider
- Joined: Apr 13, 2023 6:00 pm
- Full Name: Maximilian Stumpf
Mildur
- Product Manager
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
Re: S3 Object Lock compliance vs governance mode
Hi Maximilian,
Thanks for your feedback.
You’re right — currently, it’s a global option.
I can’t confirm yet whether more granular options will make it into the product, but I’ve noted your request.
Best regards,
Fabian
Product Management Analyst @ Veeam Software
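The storage exposure described in the first post can be quantified per tenant. The following is an added example, not part of the thread and not Veeam code: the inventory is constructed, its field names mirror the `ObjectLockMode` and `ObjectLockRetainUntilDate` values S3 reports per object version, and `stranded_after` is a hypothetical helper. It assumes, as the first post describes, that the storage operator can release governance-mode data but not compliance-mode data.

```python
from datetime import datetime, timezone

UTC = timezone.utc
# Constructed inventory for one cancelled tenant (sample data, not real objects).
INVENTORY = [
    {"key": "tenant-a/obj-0001", "size": 400 * 2**30, "mode": "COMPLIANCE",
     "retain_until": datetime(2025, 3, 31, tzinfo=UTC)},
    {"key": "tenant-a/obj-0002", "size": 50 * 2**30, "mode": "COMPLIANCE",
     "retain_until": datetime(2025, 1, 15, tzinfo=UTC)},
    {"key": "tenant-a/obj-0003", "size": 50 * 2**30, "mode": "GOVERNANCE",
     "retain_until": datetime(2025, 6, 30, tzinfo=UTC)},
    {"key": "tenant-a/obj-0004", "size": 20 * 2**30, "mode": None,
     "retain_until": None},
]

def stranded_after(inventory, contract_end):
    """Summarise what the provider must keep storing after contract_end.

    COMPLIANCE locks cannot be shortened or removed, so those bytes stay
    until retain_until. GOVERNANCE locks are counted as releasable
    (assumption: the operator holds the right to bypass governance retention).
    """
    report = {"stranded_bytes": 0, "releasable_bytes": 0,
              "stranded_gib_days": 0.0, "last_expiry": None}
    for obj in inventory:
        until = obj["retain_until"]
        if until is None or until <= contract_end:
            report["releasable_bytes"] += obj["size"]  # unlocked or lock expired
        elif obj["mode"] == "GOVERNANCE":
            report["releasable_bytes"] += obj["size"]  # locked, operator may bypass
        elif obj["mode"] == "COMPLIANCE":
            days = (until - contract_end).total_seconds() / 86400
            report["stranded_bytes"] += obj["size"]
            report["stranded_gib_days"] += obj["size"] / 2**30 * days
            if report["last_expiry"] is None or until > report["last_expiry"]:
                report["last_expiry"] = until
        else:
            raise ValueError(f"unknown Object Lock mode: {obj['mode']!r}")
    return report

if __name__ == "__main__":
    print(stranded_after(INVENTORY, datetime(2025, 1, 31, tzinfo=UTC)))
```

`stranded_gib_days` is the unpaid capacity the provider carries after the contract ends, and `last_expiry` is the earliest date on which the tenant's data can be removed completely.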