S3 object lock in Portworx Backup
Portworx Backup supports object lock for all S3 compliant object stores and allows configuring object lock with a bucket-level locking mechanism to secure the objects placed in a bucket. All objects in a bucket comply with the object lock settings defined for the bucket. Object lock provides following features to secure your objects:
- Retention modes:
- Governance: you cannot overwrite or delete an object version or alter its lock settings unless they have special permissions.
- Compliance: you cannot overwrite or delete a protected object version even if you are the root user of an AWS account.
- Retention period: specifies a fixed period of time during which an object remains locked
Protection period is the number of days your backup will be protected from ransomware attack. Protection period acts as the determiner for retention period.
For an object lock enabled backup, retention period in days = protection period in days + 6 days of buffer.
In S3 compliant object store user interface, create a bucket, enable object lock, and set retention period.NOTE: Object lock enabled backup locations should be configured with a minimum retention period of 7 days or above.
For all S3 compliant object store, enable the following permissions for the IAM role:
NOTE: To configure object lock on S3 buckets in all S3 compliant object stores, below S3 permissions are needed for IAM role:
Configure an AWS/S3 cloud account in Portworx Backup.
Install the latest version of MinIO that supports object lock.
Install or upgrade to Stork version 2.10 or above for object lock.
Backups to object lock enabled buckets fail with the following error message if the minimum Stork version is not installed:
Following sections guide you to retain your objects in an object lock enabled bucket: