How do we set up S3 Object Lock concretely for immutable backup?
Object Lock puts a bucket into 'write once, read many' mode, so in Compliance mode even a compromised root key can't wipe your backup until retention expires. It's the simplest real immutable mechanism an SMB shop can set up.
Try this first
1. Create a new bucket with Object Lock enabled. Important: you can't enable it on an existing bucket retroactively. Set name, region and lifecycle rules separately.
2. Pick Governance mode (admins with proper rights can still delete) or Compliance mode (nobody can delete, including root, until retention expires). Compliance is safer but irreversible if you set retention wrong.
3. Use a sensible default retention (say 30 or 90 days), not years. Too long means storage costs you cannot purge if you get it wrong.
4. Configure your backup tool (Veeam, NAKIVO, Restic, Duplicacy) to write to this bucket with the Object Lock flag on. Test by uploading a test file and trying to delete it; the delete should fail.
5. Plan retention overlap: backup-job retention slightly shorter than Object Lock retention. Otherwise objects sit in 'expired but locked' status and you pay for storage you no longer use.
6. Use separate IAM credentials for the backup tool with PutObject only, no DeleteObject. Belt and braces.
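As an added illustration, not code from the page or from any backup vendor, this Python builds the pieces behind steps 2 to 6 and checks them offline: the bucket's default-retention configuration, an IAM policy for the backup writer, and a classifier for an object's lock status from a HeadObject result. The bucket name and the HeadObject sample are constructed; the read and per-object retention actions in the Allow list are my assumption of what a backup tool needs beyond PutObject, the point being the absence of any delete.

```python
from datetime import datetime, timedelta, timezone

def object_lock_config(mode: str, days: int) -> dict:
    """Bucket default retention for every new object version (steps 2 and 3).
    Object Lock needs versioning; creating the bucket with Object Lock enables it."""
    if mode not in ("GOVERNANCE", "COMPLIANCE"):
        raise ValueError("mode must be GOVERNANCE or COMPLIANCE")
    if not 1 <= days <= 365:  # years of lock = storage you cannot purge if misconfigured
        raise ValueError("keep the default retention to days, not years")
    return {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": mode, "Days": days}}}

def backup_writer_policy(bucket: str) -> dict:
    """IAM policy for the backup tool's credentials (step 6): write and read, never a
    permanent delete. The Deny also blocks bypassing Governance retention and editing
    the lock configuration, so a stolen backup key cannot weaken the lock."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": arn, "Action": [
            "s3:ListBucket", "s3:GetBucketVersioning", "s3:GetBucketObjectLockConfiguration"]},
        {"Effect": "Allow", "Resource": f"{arn}/*", "Action": [
            "s3:PutObject", "s3:GetObject", "s3:GetObjectVersion",
            "s3:PutObjectRetention", "s3:GetObjectRetention"]},
        {"Effect": "Deny", "Resource": [arn, f"{arn}/*"], "Action": [
            "s3:DeleteObjectVersion", "s3:BypassGovernanceRetention",
            "s3:PutBucketObjectLockConfiguration"]}]}

def grants_delete(policy: dict) -> bool:
    """Static check: does any Allow statement hand out an s3:DeleteObject* action?"""
    return any(s["Effect"] == "Allow" and any(a.startswith("s3:DeleteObject") for a in s["Action"])
               for s in policy["Statement"])

def lock_status(head: dict, now: datetime) -> str:
    """Classify a HeadObject response for the step-4 test. Caveat: a plain DeleteObject on a
    versioned bucket only adds a delete marker and 'succeeds'; the real test is deleting the
    specific version id, which must be refused while this returns 'locked'."""
    mode, until = head.get("ObjectLockMode"), head.get("ObjectLockRetainUntilDate")
    if not mode or not until:
        return "unlocked"  # uploaded without the lock flag: not immutable at all
    return "locked" if until > now else "expired"

def demo() -> tuple:
    """Constructed sample: a HeadObject result for an object with 60 days of lock left."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    head = {"ObjectLockMode": "COMPLIANCE",
            "ObjectLockRetainUntilDate": now + timedelta(days=60)}
    policy = backup_writer_policy("example-backup-bucket")  # placeholder bucket name
    return lock_status(head, now), lock_status(head, now + timedelta(days=61)), grants_delete(policy)
```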
When to bring us in
Compliance questions on evidence, audit trails and legal retention all hit Object Lock choices directly. For regulated sectors, get a cloud-security review before committing to Compliance mode.
See also
- We have backups but we do not know if they work: A backup that cannot be restored is not a backup. Testing matters as much as taking the backup.
- Suspected ransomware: what to do RIGHT NOW: The first 30 minutes are critical. One wrong move spreads the damage. Read before acting.
- Someone accidentally deleted an important folder: Usually fine to recover. The trick: do not save anything new on that drive until you know how.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.