Using S3 Object Lock’s Governance mode with Veeam Backup & Replication v12.1
Veeam Backup & Replication (VBR) v12.1, which was launched in December of 2023, has many great features and new capabilities. One of those features is the ability to use S3 Object Lock’s Governance mode when you setup an object storage repository to be immutable. The purpose of this blog is to introduce you to the Governance mode and how to use it within VBR 12.1.
So, what is Governance mode? To answer that I first need to briefly explain S3 Object Lock. It is a feature of S3 and S3 Compatible object storage to prevent objects from being deleted or modified until the object lock retention has been met and the lock expires.
There are two modes for the object lock retention
- Compliance
- Governance
Compliance mode has been used by Veeam Backup & Replication since v10 of VBR was released in February of 2020. Compliance mode locks the objects with a high level of strictness. This strictness includes:
- prevents the locked object from being deleted or modified until the lock expires by anyone including root/administrator users
- The object lock duration can only be increased and not decreased when using Compliance mode
- You can’t demote the object lock retention mode to Governance mode.
Governance mode also locks the objects to prevent them from being deleted or overwritten, but it is less strict than Compliance mode:
- Users with the appropriate permissions can delete or modify the objects before the object lock retention is met
- Governance mode also allows the users with proper permissions to reduce and increase the object lock retention period
- You can promote Governance mode to Compliance mode.
Due to the less strict nature of Governance mode, the best practice recommendation is to use Compliance mode with Veeam Backup & Replication. But there is a use case where Governance mode makes sense. If you are providing object storage as a service and you are using Compliance mode, the scenario can and has arisen where a customer using your service has their object lock retention set for the length of their contract. Let’s say that is 3 years. 6 months goes by and the customer terminates their contract. Now the object storage service provided is stuck with the customer’s objects for another 2.5 years until the object lock expires. This can be extremely costly for the service provider since their object storage can’t be utilized by new or existing customers. By introducing Governance mode with VBR 12.1, the service provider can now remove the ex-customer’s objects after the contract is terminated.
Having the object storage managed by a service provider will add additional strictness to Governance mode. This is because the storage administrator at the service provider is not the same person/organization as the backup administrator. This segregation of the backup administration and object storage administration add a level of protection since a bad actor would need to compromise both organizations to present a threat to your backed up data.
There are some things to factor in when making the decision to use Governance mode instead of Compliance mode within a VBR environment. The 1st is the setting to use Governance mode is VBR server-wide. This means any repositories on the VBR server using S3 object lock must use Governance mode. For a new VBR server this isn’t a concern, but if you have an existing VBR server using Compliance mode it is a concern. If you enable Governance mode, backup jobs using Compliance mode enabled repositories will fail. You will still be able to restore the data from the Compliance mode repositories though. So, you will have to remove the Compliance mode enabled repositories from your existing job configurations and replace them with Compliance mode repositories. In most cases this is impractical, so our recommendation and best practice is to create a new VBR server that will use Governance mode.
You enable Governance mode on the Veeam Backup & Replication server by setting the registy setting HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication\S3GovernanceImmutabilityMode to be “1”.
The default value is “0” which disables Governance mode and uses directs VBR to use Compliance mode.
You can identify what object lock retention mode is applied to the objects in the bucket that your object storage repository is using by using a product like S3 Browser or the AWS CLI:
aws s3api head-object --bucket <bucket name> --key <object name> --query 'ObjectLockMode'
"GOVERNANCE"
For customers using Compliance mode today and are not an object storage service provider, there probably isn’t a reason for you to use Governance mode. But if you are a service provider and you find yourself facing the scenario of having to deal with locked objects for canceled customers, this may be an option that can help you.