Using object storage as a backup target
bryanmeche
Influencer
Posts: 12
Liked: never
Joined: Feb 23, 2015 2:02 pm
Full Name: Bryan

S3 Immutable Question

Post by bryanmeche »

I created an S3 bucket, set up an IAM API for Veeam to use with access to that bucket and the outlined permissions needed as discussed in object-storage-f52/iam-json-for-aws-s3- ... 65327.html, and set my S3 repository to immutable.

When I was exploring the bucket (not as root though my IAM account is a full admin) I saw on the properties of various objects they were set to immutable with an expiration of about ten days out. I didn't understand how it got to ten days since I'm just doing a POC I set the immutable timeframe to be three days, but I can experiment a bit with that later.

Either way, I was able to delete the immutable objects and the entire bucket full of immutable objects. I guess my question is since I was able to delete some immutable objects, I missed a step somewhere along the way. It was my understanding the only way to remove the objects I removed was to terminate the entire AWS account. Does anyone have a good step-by-step guide of setting up S3 with immutability or know of one? My Googling of that has failed me a bit.

dalbertson
Veeam Software
Posts: 279
Liked: 70 times
Joined: Jul 21, 2015 12:38 pm
Full Name: Dustin Albertson

Re: S3 Immutable Question

Post by dalbertson »

It’s block generation. Explained here

https://helpcenter.veeam.com/docs/backu ... ml?ver=100

Re: S3 Immutable Question

Post by dalbertson »

The other part about deleting the bucket won’t work. We use compliance mode and even though you are an admin or root it still won’t delete the data. It’s still there until it expires.

Re: S3 Immutable Question

Post by bryanmeche »

Thanks Dustin! So I'm sorry for asking "basic" questions here as I'm very new to AWS and S3. The bucket has object lock showing as permanently enabled, with no automatic settings (none) for objects that are uploaded without an object lock config. I believe I read somewhere in a forum or in the documentation that part is correct. In the management interface I was able to delete objects that were set to immutable until nearly the end of this month.

I guess this is a stupid question, but if I was able to delete an immutable object from the AWS console did they just go somewhere else? Are they just not visible in the console anymore but still there and accessible via API?

I did rescan my storage in Veeam and it lost all the files so even Veeam can't see the immutable objects I was able to delete.

Re: S3 Immutable Question

Post by dalbertson »

No worries about asking questions as that’s what we are here for. To help share knowledge and learn from each other.

It’s just hidden. If you go into the bucket and select the show versions button, they should show back up. I would suggest opening a ticket, and support can help you get them to show back up in Veeam.

Re: S3 Immutable Question

Post by bryanmeche »

Ha! Thanks.

Since this is just a POC I don't need to use support resources right now. As long as Veeam would be available to help in the very unlikely event of an attack that made its way to AWS object storage I'm fine with calling the POC a success. It looks like there are various scripts around that can be used to "undelete" the deleted items in the bucket and I imagine once that is done it's just a matter of rescanning the storage in Veeam and going from there. Hopefully Veeam support has some tried and tested documentation on that scenario but I certainly see how it's possible to do.
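Added example, not part of the original posts and not Veeam's or AWS's tooling: the "undelete" step discussed in this thread comes down to finding the delete markers that hide a still-retained object version and removing only those markers. The sketch below plans that from a version listing. It assumes the listing is the merged pages of a boto3 `list_object_versions` response and orders entries by `LastModified`; the key names, version IDs, timestamps and the helper names `plan_undelete` and `apply_plan` are constructed for illustration.

```python
from datetime import datetime, timezone

def _t(day):
    return datetime(2020, 9, day, tzinfo=timezone.utc)

# Constructed listing in the shape of boto3's list_object_versions() response
# (pages already merged). Keys, version IDs and timestamps are made up.
SAMPLE_LISTING = {
    "Versions": [
        {"Key": "poc/blk-0001", "VersionId": "v1", "LastModified": _t(1)},
        {"Key": "poc/blk-0002", "VersionId": "v2", "LastModified": _t(1)},
        {"Key": "poc/blk-0003", "VersionId": "v3", "LastModified": _t(1)},
        {"Key": "poc/blk-0003", "VersionId": "v4", "LastModified": _t(5)},
        {"Key": "poc/blk-0004", "VersionId": "v5", "LastModified": _t(1)},
    ],
    "DeleteMarkers": [
        {"Key": "poc/blk-0001", "VersionId": "dm1", "LastModified": _t(3)},
        {"Key": "poc/blk-0003", "VersionId": "dm2", "LastModified": _t(3)},  # re-uploaded later
        {"Key": "poc/blk-0004", "VersionId": "dm3", "LastModified": _t(3)},
        {"Key": "poc/blk-0004", "VersionId": "dm4", "LastModified": _t(4)},  # deleted twice
        {"Key": "poc/gone", "VersionId": "dm5", "LastModified": _t(3)},  # no data version left
    ],
}

def plan_undelete(listing):
    """Map each hidden key to the version that resurfaces and the markers to remove."""
    newest = {}  # key -> newest data version for that key
    for v in listing.get("Versions", []):
        cur = newest.get(v["Key"])
        if cur is None or v["LastModified"] > cur["LastModified"]:
            newest[v["Key"]] = v
    plan = {}
    markers = sorted(listing.get("DeleteMarkers", []),
                     key=lambda m: m["LastModified"], reverse=True)
    for m in markers:
        data = newest.get(m["Key"])
        # Only markers newer than the newest data version hide it from a plain listing.
        if data is not None and m["LastModified"] > data["LastModified"]:
            step = plan.setdefault(m["Key"], {"restores": data["VersionId"], "remove_markers": []})
            step["remove_markers"].append(m["VersionId"])
    return plan

def apply_plan(s3, bucket, plan):
    """s3 is a boto3 S3 client; deleting a marker by VersionId removes only that marker."""
    for key, step in plan.items():
        for marker_id in step["remove_markers"]:
            s3.delete_object(Bucket=bucket, Key=key, VersionId=marker_id)

if __name__ == "__main__":
    print(plan_undelete(SAMPLE_LISTING))
```

`apply_plan` is not called here; run it only after reviewing the plan, with credentials that hold `s3:DeleteObjectVersion` on the bucket.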

Re: S3 Immutable Question

Post by dalbertson »

This is indeed something that is known and planned for.

barry11
Lurker
Posts: 1
Liked: never
Joined: Sep 16, 2020 8:54 pm
Full Name: Barry Strittmatter

Re: S3 Immutable Question

Post by barry11 »

I also had this same experience and had these same questions. Did you ever figure out your statement about:

"When I was exploring the bucket (not as root though my IAM account is a full admin) I saw on the properties of various objects they were set to immutable with an expiration of about ten days out. I didn't understand how it got to ten days since I'm just doing a POC I set the immutable timeframe to be three days, but I can experiment a bit with that later."

I have mine set to 1 day in Veeam but the AWS S3 console states the Veeam backup files are object locked for 10 days.

Gostev
SVP, Product Management
Posts: 26699
Liked: 4274 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: S3 Immutable Question

Post by Gostev » 2 people like this post

This is explained in the User's Guide. Thanks!
