How to create an immutable backup on Amazon S3 with Object Lock
In this short tutorial we will see how to create an immutable backup on Amazon S3 with Iperius Backup, using the Object Lock feature.
What is Amazon S3 Object Lock
Amazon S3 Object Lock is an advanced feature of Amazon S3 that allows you to protect archived files (objects) from accidental or malicious deletion or overwriting, for a defined period of time. It does this by applying an “immutability” policy to the stored files, ensuring that no one — not even an administrator — can modify or delete them before the configured expiration.
Object Lock was created to meet the needs of security, compliance and data protection against ransomware or unauthorized deletion, offering WORM (Write Once Read Many) protection.
How Immutability Works in S3
With Object Lock you can apply two main modes:
- Governance Mode: Only users with special permissions can bypass immutability and modify or delete files.
- Compliance Mode: Even administrators with the highest privileges cannot delete or modify data until the retention period expires.
It is also possible to define:
- Retention period: The minimum time during which the object remains immutable.
- Legal Hold: Indefinite protection until manually removed.
Why Iperius Backup uses S3 Object Lock
Iperius Backup natively uses Amazon S3 Object Lock technology to create immutable backups in the cloud. This means that, with Iperius, it is possible to configure backups on S3 with WORM protection in a simple and automatic way, guaranteeing maximum security of company data.
In the event of ransomware or human errors, the immutable backups created by Iperius are protected and always recoverable, as they cannot be deleted or altered during the configured retention period.
Benefits of Immutable Backups with Object Lock
| Advantage | Description |
| --- | --- |
| Ransomware Protection | Backups cannot be encrypted or deleted by malware. |
| Regulatory compliance | Support for regulations requiring WORM protection (e.g. GDPR, ISO, HIPAA). |
| Data Security | Files cannot be modified or deleted until they expire. |
| Simplicity | Integrated in Iperius Backup, easily configurable even without advanced skills. |
| Flexibility | Ability to define different policies for retention and legal hold. |
Create an immutable cloud backup with Iperius
With Iperius you can make many types of advanced backups: disk images, virtual machine backups, database backups, Microsoft 365 account backups, etc… But we can also make file and folder backups. For all these types of backups you can create an immutable copy on Amazon S3 with Object Lock. In this tutorial we will show the backup of some folders, to then create immutable copies of the files contained in them.
Open Iperius and create a new backup job:

In the “Items” panel, select the folders you want to back up:

Now click “Next”. In the “Destinations” panel, create a new destination of type Amazon S3:

Click the button to add a cloud destination type and then the button to add a new cloud account, in this case Amazon S3.
To see how to obtain the credentials for connecting to S3 (Access Key and Access Secret) from Amazon, read this tutorial.

Once you have entered your credentials and saved your Amazon S3 account (the connection and therefore the validity of the credentials are tested when you save), go back to the destination configuration window, select the account you just created and move on to configuring the other parameters.
You must choose the Amazon S3 region where you want to create the bucket and store the backup (usually a geographically closer region is chosen if lower latency and faster upload speed are important, or a more distant region for disaster recovery or geographic redundancy reasons).
Then you need to choose the name of the bucket. The bucket is the primary container of the backup, and inside it are the objects, that is, the files that are sent with the backup. The name of the bucket must follow some precise rules: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html .
Finally, you can configure several other settings, such as incremental or differential backup, zip compression, or the creation of paths or files with dynamic names.
Set Object Lock mode
The most important option, which is also the topic of this guide, is the one related to immutability, or Object Lock.
To enable it, go to the destination’s “Options” panel (the option is selectable only if an Amazon S3 account type is selected):

When this setting is selected, Iperius creates the new bucket by enabling Object Lock mode for it. Furthermore, for each file that is uploaded, a number of days of retention is set. For example, if we set 30 days, each file that Iperius sends to that bucket cannot be deleted or altered for 30 days (or rather, the versions of that file cannot be deleted).
Iperius allows you to choose between two retention modes:
- Compliance: No one, not even the Amazon root user, can delete or modify file versions.
- Governance: Only users with special permissions can edit or delete file versions.
For more information about retention modes, read Amazon’s guide: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock.html#object-lock-retention-modes .
Please note: even when Compliance mode is set, it is still possible to delete the files that we see inside the bucket. Both with Iperius and with the AWS Console, we can manually delete the files that we see in the bucket. However, for those same files, Amazon S3 will have kept immutable versions, which cannot be deleted and which can be viewed and downloaded by enabling the option that you can see in the image below:

So, even if the bucket appears empty, the file versions are actually still there and can be viewed and downloaded simply by enabling that option.
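The same check can be done outside the console. The following is an added example, not part of the original tutorial or of Iperius: it takes a listing in the shape returned by S3 ListObjectVersions (boto3 `list_object_versions`), finds the keys that look deleted because their latest entry is a delete marker, and reports the versions that are still stored, together with the bytes they still occupy. The sample listing, key names and version IDs are constructed.

```python
from datetime import datetime, timezone


def hidden_versions(listing):
    """Map each key whose latest entry is a delete marker to the data
    versions S3 still holds for it, newest first, as (VersionId, Size)."""
    deleted = {m["Key"] for m in listing.get("DeleteMarkers", []) if m["IsLatest"]}
    found = {key: [] for key in deleted}
    for version in listing.get("Versions", []):
        if version["Key"] in found:
            found[version["Key"]].append(version)
    return {
        key: [(v["VersionId"], v["Size"])
              for v in sorted(vs, key=lambda v: v["LastModified"], reverse=True)]
        for key, vs in found.items()
    }


def hidden_bytes(listing):
    """Total size of versions that no longer show in the default bucket view
    but are still stored (and therefore still billed)."""
    return sum(size for vs in hidden_versions(listing).values() for _, size in vs)


def _ts(day):
    return datetime(2025, 1, day, tzinfo=timezone.utc)


# Constructed listing: docs.zip was "deleted" (delete marker is latest),
# db.zip is still visible in the normal bucket view.
SAMPLE = {
    "Versions": [
        {"Key": "backup/docs.zip", "VersionId": "v1", "IsLatest": False,
         "LastModified": _ts(1), "Size": 1000},
        {"Key": "backup/docs.zip", "VersionId": "v2", "IsLatest": False,
         "LastModified": _ts(2), "Size": 1500},
        {"Key": "backup/db.zip", "VersionId": "v3", "IsLatest": True,
         "LastModified": _ts(2), "Size": 700},
    ],
    "DeleteMarkers": [
        {"Key": "backup/docs.zip", "VersionId": "m1", "IsLatest": True,
         "LastModified": _ts(3)},
    ],
}

if __name__ == "__main__":
    print(hidden_versions(SAMPLE), hidden_bytes(SAMPLE))
```

Against a real bucket, pass the response of `list_object_versions` for the backup prefix; large buckets return the listing in pages, which need to be merged first.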
Storage costs
When activating Object Lock, you need to pay a little attention to costs. For example, if you set a retention of 60 days and the retention mode is “Compliance”, you will not be able to delete the immutable versions of the files, not even with the Amazon root account. This obviously affects costs, since – in this example for 60 days – Amazon will charge you for the space occupied by the file versions (the cost of Amazon S3 is in fact pay-per-use). As for the backups created by Iperius, it should be taken into account that, if you use zip compression, Iperius will create a new file inside the bucket each time, for which Amazon S3 will store the versions. Therefore, if you use the Compliance mode, it is advisable to monitor costs in the AWS Console, starting with a test period with a retention of perhaps just one week, and trying various types of backups with Iperius.
Other important information about Versioning and Object Lock
Once Object Lock is enabled for a bucket, it can no longer be disabled. Versioning, another bucket feature that is enabled (and required) along with Object Lock, cannot be disabled either.
If the bucket where Iperius is going to write the files already exists, and does not have Versioning and Object Lock enabled, Iperius will receive an error when trying to send files to that bucket with a retention setting, like the one shown in the following image:

In this case, if you do not want to create a new bucket with Iperius, you can enable Versioning and Object Lock on the existing bucket using the appropriate functions available in the AWS Console, as per the instructions shown in this guide: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-configure.html .
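Before pointing a backup job at an existing bucket, the two prerequisites can be checked in advance. The following is an added example, not Iperius code: it calls the S3 `get_bucket_versioning` and `get_object_lock_configuration` operations through a boto3-style client and returns the reasons an upload with retention would be rejected. `StubS3` is a constructed stand-in so the check runs offline, and the bucket name is a placeholder.

```python
def object_lock_problems(s3, bucket):
    """Return the reasons `bucket` is not ready for uploads with retention.

    `s3` is a boto3 S3 client (or any object with the same two methods).
    An empty list means Versioning and Object Lock are both enabled.
    """
    problems = []
    if s3.get_bucket_versioning(Bucket=bucket).get("Status") != "Enabled":
        problems.append("versioning is not enabled")
    try:
        cfg = s3.get_object_lock_configuration(Bucket=bucket)
        lock = cfg.get("ObjectLockConfiguration", {})
    except Exception as exc:
        # botocore's ClientError carries the S3 error code in .response;
        # anything other than "no lock configuration" is a real failure.
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code != "ObjectLockConfigurationNotFoundError":
            raise
        lock = {}
    if lock.get("ObjectLockEnabled") != "Enabled":
        problems.append("object lock is not enabled")
    return problems


class StubS3:
    """Constructed stand-in for a boto3 client so the check runs offline."""

    def __init__(self, versioning, lock):
        self.versioning, self.lock = versioning, lock

    def get_bucket_versioning(self, Bucket):
        # S3 omits "Status" entirely when versioning was never enabled.
        return {"Status": self.versioning} if self.versioning else {}

    def get_object_lock_configuration(self, Bucket):
        if self.lock is None:
            err = Exception("no Object Lock configuration")
            err.response = {"Error": {"Code": "ObjectLockConfigurationNotFoundError"}}
            raise err
        return {"ObjectLockConfiguration": self.lock}


if __name__ == "__main__":
    plain_bucket = StubS3(versioning=None, lock=None)
    print(object_lock_problems(plain_bucket, "example-backup-bucket"))
```

With real credentials, pass `boto3.client("s3")` in place of the stub.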
Once you have completed the destination configuration, click OK. The destination will be added to the list:

Click “Next” to configure other settings of the backup job, such as schedule or email notifications.
Finally, give a name to this backup job and save it by clicking “OK”.

You can now run the backup immediately by right-clicking on the job:

Conclusions
Implementing immutable backups on Amazon S3 using Iperius Backup is a fundamental strategy to ensure the protection of corporate data. Thanks to the Object Lock feature, it is possible to prevent accidental or malicious changes or deletions of data for a defined period, thus ensuring the integrity of the information. This protection is particularly effective against threats such as ransomware, since even in the event of an attack, backups remain intact and recoverable.
Iperius Backup simplifies the adoption of this technology, allowing you to easily configure backups to S3 with WORM (Write Once Read Many) protection. Furthermore, data immutability supports compliance with regulations and standards that require the unaltered preservation of information for specific periods.
Adopting a backup strategy that includes immutability not only strengthens data security, but also contributes to more efficient and compliant management of corporate information. With Iperius Backup and Amazon S3 Object Lock, companies can address the challenges of data protection in today’s digital environment with greater peace of mind.