
Using S3 Object Lock’s Governance mode with Veeam Backup & Replication v12.1

 

Veeam Backup & Replication (VBR) v12.1, which was launched in December of 2023, has many great features and new capabilities.  One of those features is the ability to use S3 Object Lock’s Governance mode when you set up an object storage repository to be immutable.  The purpose of this blog is to introduce you to Governance mode and how to use it within VBR 12.1.

So, what is Governance mode?  To answer that I first need to briefly explain S3 Object Lock.  It is a feature of S3 and S3 Compatible object storage to prevent objects from being deleted or modified until the object lock retention has been met and the lock expires. 

There are two modes for the object lock retention:

  • Compliance
  • Governance

Compliance mode has been used by Veeam Backup & Replication since v10 of VBR was released in February of 2020.  Compliance mode locks the objects with a high level of strictness.  This strictness includes: 

  • Prevents the locked object from being deleted or modified by anyone, including root/administrator users, until the lock expires
  • The object lock duration can only be increased and not decreased when using Compliance mode
  • You can’t demote the object lock retention mode to Governance mode.

Governance mode also locks the objects to prevent them from being deleted or overwritten, but it is less strict than Compliance mode:

  • Users with the appropriate permissions can delete or modify the objects before the object lock retention is met
  • Governance mode also allows the users with proper permissions to reduce and increase the object lock retention period
  • You can promote Governance mode to Compliance mode.
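
Because Governance mode can be overridden by users with the appropriate permissions, it helps to know which policies carry that permission. The following is an added example, not code from this post or from Veeam: it scans IAM policy documents for grants of `s3:BypassGovernanceRetention`, which is the AWS S3 permission name (an assumption here, since the post does not name it, and S3-compatible storage may use a different mechanism). The policy names and documents are constructed, and the check ignores Deny statements and conditions, so it can over-report.

```python
import fnmatch

# AWS S3 permission that lets a caller override Governance-mode retention.
# The name comes from AWS IAM, not from the post; S3-compatible stores may differ.
BYPASS_ACTION = "s3:BypassGovernanceRetention"

def _matches(pattern):
    # IAM action names are case-insensitive and accept * and ? wildcards.
    return fnmatch.fnmatchcase(BYPASS_ACTION.lower(), pattern.lower())

def _as_list(value):
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def statement_grants_bypass(stmt):
    """True if an Allow statement covers the bypass action (conditions ignored)."""
    if stmt.get("Effect") != "Allow":
        return False
    if "NotAction" in stmt:
        # Allow + NotAction grants every action except the listed patterns.
        return not any(_matches(p) for p in _as_list(stmt["NotAction"]))
    return any(_matches(p) for p in _as_list(stmt.get("Action")))

def policies_granting_bypass(policies):
    """policies: {name: IAM policy document}. Returns the names to review, sorted."""
    hits = []
    for name, doc in policies.items():
        stmts = doc.get("Statement", [])
        if isinstance(stmts, dict):  # a single statement may appear without a list
            stmts = [stmts]
        if any(statement_grants_bypass(s) for s in stmts):
            hits.append(name)
    return sorted(hits)

# Constructed sample policies (hypothetical names), not taken from any real account.
SAMPLE_POLICIES = {
    "object-writer": {"Statement": [{"Effect": "Allow", "Resource": "*",
        "Action": ["s3:PutObject", "s3:GetObject", "s3:PutObjectRetention"]}]},
    "storage-admin": {"Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}},
    "offboarding-cleanup": {"Statement": [{"Effect": "Allow", "Resource": "*",
        "Action": ["s3:bypassgovernanceretention", "s3:DeleteObjectVersion"]}]},
    "all-but-iam": {"Statement": [{"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]},
    "explicit-deny": {"Statement": [{"Effect": "Deny", "Action": BYPASS_ACTION, "Resource": "*"}]},
}

if __name__ == "__main__":
    print(policies_granting_bypass(SAMPLE_POLICIES))
```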

Due to the less strict nature of Governance mode, the best practice recommendation is to use Compliance mode with Veeam Backup & Replication.  But there is a use case where Governance mode makes sense.  If you are providing object storage as a service and you are using Compliance mode, the scenario can arise, and has arisen, where a customer using your service has their object lock retention set for the length of their contract.  Let’s say that is 3 years.  6 months go by and the customer terminates their contract.  Now the object storage service provider is stuck with the customer’s objects for another 2.5 years until the object lock expires.  This can be extremely costly for the service provider since their object storage can’t be utilized by new or existing customers.  By introducing Governance mode with VBR 12.1, the service provider can now remove the ex-customer’s objects after the contract is terminated.

Having the object storage managed by a service provider adds strictness to Governance mode.  This is because the storage administrator at the service provider is not the same person/organization as the backup administrator.  This segregation of backup administration and object storage administration adds a level of protection, since a bad actor would need to compromise both organizations to present a threat to your backed up data.

There are some things to factor in when making the decision to use Governance mode instead of Compliance mode within a VBR environment.  The first is that the setting to use Governance mode is VBR server-wide.  This means any repositories on the VBR server using S3 object lock must use Governance mode.  For a new VBR server this isn’t a concern, but if you have an existing VBR server using Compliance mode it is a concern.  If you enable Governance mode, backup jobs using Compliance mode enabled repositories will fail.  You will still be able to restore the data from the Compliance mode repositories though.  So, you will have to remove the Compliance mode enabled repositories from your existing job configurations and replace them with Governance mode repositories.  In most cases this is impractical, so our recommendation and best practice is to create a new VBR server that will use Governance mode.

You enable Governance mode on the Veeam Backup & Replication server by setting the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication\S3GovernanceImmutabilityMode to “1”.

Governance mode = Enabled

The default value is “0”, which disables Governance mode and directs VBR to use Compliance mode.

Compliance mode = Enabled

You can identify what object lock retention mode is applied to the objects in the bucket that your object storage repository is using by using a product like S3 Browser or the AWS CLI:

Object Lock Retention Mode for an Object - S3 Browser

aws s3api head-object --bucket <bucket name> --key <object name> --query 'ObjectLockMode'

"GOVERNANCE"
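
To check more than one object at a time, the same `head-object` fields can be audited in bulk. The following is an added example, not code from this post or from Veeam: it takes already-collected `head-object` responses (the `ObjectLockMode` and `ObjectLockRetainUntilDate` fields) and reports objects that are unlocked, locked in a mode other than the one you expect, or past their retain-until date. The object keys and dates are constructed sample data.

```python
from datetime import datetime, timezone

def _parse_until(value):
    # boto3 returns a datetime; the AWS CLI prints an ISO 8601 string.
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_lock_state(objects, expected_mode, now):
    """objects: {key: head-object response}. Returns {key: finding} for
    objects that are not locked in expected_mode at time `now`."""
    findings = {}
    for key, meta in objects.items():
        mode = meta.get("ObjectLockMode")
        until = meta.get("ObjectLockRetainUntilDate")
        if mode is None or until is None:
            findings[key] = "no retention set"
        elif mode != expected_mode:
            findings[key] = f"mode {mode}, expected {expected_mode}"
        elif _parse_until(until) <= now:
            findings[key] = "retention expired"
    return findings

# Constructed sample: head-object responses for four hypothetical keys.
SAMPLE_OBJECTS = {
    "repo/blocks/0001.blk": {"ObjectLockMode": "GOVERNANCE",
                             "ObjectLockRetainUntilDate": "2024-07-01T00:00:00+00:00"},
    "repo/blocks/0002.blk": {"ObjectLockMode": "COMPLIANCE",
                             "ObjectLockRetainUntilDate": "2027-01-01T00:00:00Z"},
    "repo/blocks/0003.blk": {"ContentLength": 1048576},
    "repo/blocks/0004.blk": {"ObjectLockMode": "GOVERNANCE",
                             "ObjectLockRetainUntilDate":
                                 datetime(2024, 5, 1, tzinfo=timezone.utc)},
}
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed for repeatability

if __name__ == "__main__":
    for key, finding in audit_lock_state(SAMPLE_OBJECTS, "GOVERNANCE", SAMPLE_NOW).items():
        print(f"{key}: {finding}")
```

Objects locked in a mode other than the expected one are worth attention on a VBR server that was switched between modes, since the setting is server-wide.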

If you are using Compliance mode today and are not an object storage service provider, there probably isn’t a reason for you to use Governance mode.  But if you are a service provider and you find yourself facing the scenario of having to deal with locked objects for canceled customers, this may be an option that can help you.

Really great post Steve.  Love seeing new things with Object Storage and Veeam.  Bookmarked!


I didn’t know about this restriction as I’m not with, nor have I ever been with, an SP. Great new feature enhancement from Veeam! 


Hi Steve,

Great article. Can you please explain the process of deleting the unwanted immutable backup in Governance mode? Is this done from the S3 bucket end or from VBR server end?

 

This is so we can set long GFS retention without fearing lock-in if things start getting out of hand with costs.


can you please explain the process of deleting the unwanted immutable backup in Governance mode? Is this done from the S3 bucket end or from VBR server end?

All deletions are issued via VBR.  Nothing should be manually deleted from a bucket used by VBR, VB365, etc.  Our software applications should be the only thing issuing deletions.

 

Hope that answers your question.

 

Steve


Hi @SteveF - appreciate the post. Pretty straightforward for Veeam Backup and Replication.

However, is it also possible to use Governance mode for M365 backups? If so, how do we ensure M365 uses Governance mode for M365 immutability, rather than default Compliance mode?


@TylerJurgens the compliance mode feature is currently only available via VBR. If/when I hear about it becoming available in VB365, I’ll update this comment.

Thanks for reaching out.


@TylerJurgens the compliance mode feature is currently only available via VBR. If/when I hear about it becoming available in VB365, I’ll update this comment.

Thanks for reaching out.

Appreciate it @SteveF . Thank you.

