Skip to main content
Version: 2.6

S3 object lock in Portworx Backup

Portworx Backup supports object lock for all S3 compliant object stores and allows configuring object lock with a bucket-level locking mechanism to secure the objects placed in a bucket. All objects in a bucket comply with the object lock settings defined for the bucket. Object lock provides following features to secure your objects:

  • Retention modes:
    • Governance: you cannot overwrite or delete an object version or alter its lock settings unless they have special permissions.
    • Compliance: you cannot overwrite or delete a protected object version even if you are the root user of an AWS account.
  • Retention period: specifies a fixed period of time during which an object remains locked

Protection period is the number of days your backup will be protected from ransomware attack. Protection period acts as the determiner for retention period.

For an object lock enabled backup, retention period in days = protection period in days + 6 days of buffer.

Prerequisites:

  • In S3 compliant object store user interface, create a bucket, enable object lock, and set retention period.

    note

    Object lock enabled backup locations should be configured with a minimum retention period of 7 days or above.

  • For all S3 compliant object store, enable the following permissions for the IAM role:

    • s3:GetBucketObjectLockConfiguration
    • s3:GetObjectLegalHold
    • s3:GetObjectRetention
    note

    To configure object lock on S3 buckets in all S3 compliant object stores, below S3 permissions are needed for IAM role:

    • s3:BypassGovernanceRetention
    • s3:PutBucketObjectLockConfiguration
    • s3:PutObjectLegalHold
    • s3:PutObjectRetention
  • Configure an AWS/S3 cloud account in Portworx Backup.

  • Install the latest version of MinIO that supports object lock.

  • Install or upgrade to Stork version 23.9.1 or above for object lock.

    Backups to object lock enabled buckets fail with the following error message if the minimum Stork version is not installed:

    backup failed error message

Following sections guide you to retain your objects in an object lock enabled bucket: