S3 object lock in Portworx Backup
Portworx Backup supports object lock for all S3 compliant object stores and lets you configure object lock with a bucket-level locking mechanism to secure the objects placed in a bucket. All objects in a bucket comply with the object lock settings defined for that bucket. Object lock provides the following features to secure your objects:
- Retention modes:
  - Governance: you cannot overwrite or delete an object version or alter its lock settings unless you have special permissions.
  - Compliance: you cannot overwrite or delete a protected object version even if you are the root user of the AWS account.
- Retention period: a fixed period of time during which an object remains locked.
The protection period is the number of days your backup is protected from ransomware attacks. The protection period determines the retention period:
For an object lock enabled backup, retention period in days = protection period in days + 6 days of buffer.
Prerequisites:
- In the S3 compliant object store user interface, create a bucket, enable object lock, and set the retention period.
  Note: Object lock enabled backup locations must be configured with a minimum retention period of 7 days.
- For all S3 compliant object stores, enable the following permissions for the IAM role:
  - s3:GetBucketObjectLockConfiguration
  - s3:GetObjectLegalHold
  - s3:GetObjectRetention
  Note: To configure object lock on S3 buckets in any S3 compliant object store, the IAM role additionally needs the following S3 permissions:
  - s3:BypassGovernanceRetention
  - s3:PutBucketObjectLockConfiguration
  - s3:PutObjectLegalHold
  - s3:PutObjectRetention
- Configure an AWS/S3 cloud account in Portworx Backup.
- Install the latest version of MinIO that supports object lock.
- Install or upgrade to Stork version 23.9.1 or above for object lock. Backups to object lock enabled buckets fail with the following error message if the minimum Stork version is not installed:
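As an added example (not part of the Portworx Backup documentation), the following Python builds the bucket-level lock configuration from a protection period using the retention formula above, assembles the IAM actions listed in the prerequisites, and pre-flight-checks a bucket's existing lock configuration against the 7-day minimum. The dictionary shapes follow the AWS S3 PutObjectLockConfiguration / GetObjectLockConfiguration API; the bucket name and the sample response are constructed placeholders.

```python
BUFFER_DAYS = 6          # retention = protection + 6 days of buffer (per the docs)
MIN_RETENTION_DAYS = 7   # minimum retention for an object lock enabled backup location

# Permissions the docs list for the backup IAM role, and the extra ones needed
# only if the role itself configures object lock on the bucket.
READ_ACTIONS = ["s3:GetBucketObjectLockConfiguration", "s3:GetObjectLegalHold",
                "s3:GetObjectRetention"]
CONFIGURE_ACTIONS = ["s3:BypassGovernanceRetention", "s3:PutBucketObjectLockConfiguration",
                     "s3:PutObjectLegalHold", "s3:PutObjectRetention"]


def retention_days(protection_days: int) -> int:
    """Retention period derived from the protection period; enforces the 7-day minimum."""
    days = protection_days + BUFFER_DAYS
    if days < MIN_RETENTION_DAYS:
        raise ValueError(f"retention {days}d is below the {MIN_RETENTION_DAYS}-day minimum")
    return days


def object_lock_configuration(protection_days: int, mode: str = "COMPLIANCE") -> dict:
    """Bucket default retention in the shape PutObjectLockConfiguration expects."""
    if mode not in ("GOVERNANCE", "COMPLIANCE"):
        raise ValueError("mode must be GOVERNANCE or COMPLIANCE")
    return {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": mode, "Days": retention_days(protection_days)}}}


def iam_policy(bucket: str, configure_lock: bool = False) -> dict:
    """Least-privilege statement: read lock state, write only when the role must configure it."""
    actions = READ_ACTIONS + (CONFIGURE_ACTIONS if configure_lock else [])
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions,
                           "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]}]}


def check_bucket_lock(get_response: dict) -> list:
    """Pre-flight check over a GetObjectLockConfiguration response; returns findings (empty = OK)."""
    findings = []
    cfg = get_response.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("object lock is not enabled on the bucket")
    rule = cfg.get("Rule", {}).get("DefaultRetention", {})
    if rule.get("Mode") == "GOVERNANCE":
        findings.append("GOVERNANCE mode: a principal with s3:BypassGovernanceRetention can still delete")
    days = rule.get("Days", rule.get("Years", 0) * 365)  # AWS expresses retention in Days or Years
    if days < MIN_RETENTION_DAYS:
        findings.append(f"default retention {days}d is below the {MIN_RETENTION_DAYS}-day minimum")
    return findings


# Constructed sample, shaped like boto3's get_object_lock_configuration() response
SAMPLE_RESPONSE = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                   "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 3}}}}

if __name__ == "__main__":
    print(object_lock_configuration(30))       # 30-day protection -> 36-day retention
    print(check_bucket_lock(SAMPLE_RESPONSE))  # two findings for the weak sample bucket
```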
The following sections guide you through retaining your objects in an object lock enabled bucket:
- Create object lock enabled backup location
- Create object lock enabled schedule policy
- Create object lock enabled backups
- Recover deleted object lock enabled backups
Note: If you delete an object lock enabled backup location associated with an object lock enabled bucket, all the corresponding backups are deleted as well.