I already opened a case #08159957 regarding the backup immutability matter with VBAWS, but I probably didn't explain myself well...
I understand there is no way to set a "Default retention mode" (in Governance or Compliance mode) on an AWS S3 Bucket with the "Default retention" set as "Disabled" (as per Veeam requirement), but I'd also like to know in which way the backup data is written to an immutable Backup Repository, in order to establish if is it possible to remove that in some way, since the Governance mode admit to do that using an user with specific permissions, but in this case there is no explicit retention mode in place.
P.S. I reconfirm that I don't want to set any retention (days) on AWS side (S3 Bucket)
When you configure an S3-based backup repository in Veeam with immutability enabled:
Veeam writes each backup object with its own retention settings (retention mode + retain-until date) at the object level, not at the bucket level.
The immutability period you configure in the Veeam repository (e.g., 7/14/30 days) becomes the per-object lock duration.
Veeam Backup & Replication will not delete any backup files from the object storage repository until that object’s immutability period has expired.
So even though the bucket shows “Default retention: Disabled,” the backup data is still protected by per-object retention that Veeam sets when it writes the files.
the bucket’s “Default retention = Disabled” is expected and required; immutability is enforced -per object- by Veeam, and Veeam will not delete those objects before their retention expires. Any possibility of early deletion would come from AWS-side permissions that can override object retention, not from Veeam’s behavior.
Does the same behavior apply with Veeam Backup for AWS? I was not referring to VBR.
As far as I know, in this case the immutability expiration is alligned with the retention of the restore points created.
Regarding the previous statement:
the bucket’s “Default retention = Disabled” is expected and required; immutability is enforced -per object- by Veeam, and Veeam will not delete those objects before their retention expires. Any possibility of early deletion would come from AWS-side permissions that can override object retention, not from Veeam’s behavior.
Do you know if there is a way to do that? If so, with what permissions?