Hello guys,
I m trying to implement a new Wasabi repository with immuability in governance mode.
On Wasabi side I just create a new bucket with versionning and object-lock enabled.
On Veeam side I configure my new repository with the checkbox "Use governance mode".
My backup just finish now I want to try to delete my datas.
How to test it properly to be sure than immuability is apply but an admin could delete it in case?
-
Stabz
- Expert
- Posts: 148
- Liked: 11 times
- Joined: Apr 07, 2017 7:40 am
- Full Name: Philippe DUPUIS
- Contact:
-
Mildur
- Product Manager
- Posts: 10285
- Liked: 2747 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: How to implement a repository in governance mode?
Hi Philippe,
To use Governance mode effectively, you need to make sure to use Wasabi Access Keys with limited permissions in VB365. Never use your Wasabi super admin account directly in Veeam Backup for Microsoft 365 (refer to KB4046).
A test should be easy:
1.) Run a backup of a single user to the repository with immutability enabled.
2.) Use S3 Explorer, Cyberduck or any other S3 browsing tool to delete the objects in your buckets. Use the same access key as you have used in Veeam Backup for Microsoft 365 to connect the bucket. You should not be able to delete these backup objects.
3.) On Wasabi, delete all objects in the bucket and then delete the bucket itself. If the bucket removal was successful, then you successfully tested "deleting immutable objects written with Governance mode" by a Wasabi super admin.
Deleting Restore Points manually within VB365 is blocked for repositories with immutable backups:
You can also verify object lock mode and object lock date with a S3 browsing tool. In my case I didn't used Governance mode:
Best,
Fabian
To use Governance mode effectively, you need to make sure to use Wasabi Access Keys with limited permissions in VB365. Never use your Wasabi super admin account directly in Veeam Backup for Microsoft 365 (refer to KB4046).
A test should be easy:
1.) Run a backup of a single user to the repository with immutability enabled.
2.) Use S3 Explorer, Cyberduck or any other S3 browsing tool to delete the objects in your buckets. Use the same access key as you have used in Veeam Backup for Microsoft 365 to connect the bucket. You should not be able to delete these backup objects.
3.) On Wasabi, delete all objects in the bucket and then delete the bucket itself. If the bucket removal was successful, then you successfully tested "deleting immutable objects written with Governance mode" by a Wasabi super admin.
Deleting Restore Points manually within VB365 is blocked for repositories with immutable backups:
You can also verify object lock mode and object lock date with a S3 browsing tool. In my case I didn't used Governance mode:
Best,
Fabian
Product Management Analyst @ Veeam Software
-
Stabz
- Expert
- Posts: 148
- Liked: 11 times
- Joined: Apr 07, 2017 7:40 am
- Full Name: Philippe DUPUIS
- Contact:
Re: How to implement a repository in governance mode?
Hello Fabian,
Thank you for your answer.
I created a new job with one user and I ll give you my result.
I don't get it why Wasabi Access Keys with limited permissions in VB365 should not delete the data cause in the policie we have:
"Action": [
"s3:DeleteObject",
"s3:DeleteObjectVersion"
],
Thank you for your answer.
I created a new job with one user and I ll give you my result.
I don't get it why Wasabi Access Keys with limited permissions in VB365 should not delete the data cause in the policie we have:
"Action": [
"s3:DeleteObject",
"s3:DeleteObjectVersion"
],
-
Mildur
- Product Manager
- Posts: 10285
- Liked: 2747 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: How to implement a repository in governance mode?
You can't delete immutable objects with only s3:DeleteObject and s3:DeleteObjectVersion.
Try to delete the object and then the version. You should see an access denied.
To permanently delete objects written with Government Mode, you will need to assign the s3:BypassGovernanceRetention permission or use your Wasabi super admin.
Best,
Fabian
Try to delete the object and then the version. You should see an access denied.
To permanently delete objects written with Government Mode, you will need to assign the s3:BypassGovernanceRetention permission or use your Wasabi super admin.
Best,
Fabian
Product Management Analyst @ Veeam Software
Who is online
Users browsing this forum: sfey and 82 guests