Immutability is a feature that locks backup datasets for a period specified in GFS retention policy settings. Within this period, backup data cannot be modified nor deleted.
Immutability is supported for the following storage providers:
- Amazon AWS
- Backblaze B2
Immutability is a solution that suits best to data preserving purposes in accordance with compliance requirements. It allows an administrator to specify a data retention period or to implement a legal hold that prevents data from being deleted until the hold is removed.
The Immutability feature is linked with the GFS retention policy. If the Immutability is applied along with GFS settings, full backups that are subject to the GFS retention policy become immutable for the GFS keeping period.
For example, if in GFS settings you enable weekly and monthly keeping periods with 2 weeks and 2 months of keeping backups accordingly and then enable immutability, it means that all weekly and monthly backups selected by the GFS keeping period assignment mechanism will be locked on backup storage and cannot be deleted with Backup Agent.
Use the Immutability feature with extreme caution. Once a backup data becomes immutable, there is no way to delete it from the storage until the specified GFS keeping period expires except the storage account termination. Careless or light-headedly made settings can cause high storage bills
Retention Modes For Immutable Data
Generally, there are two retention modes:
- Governance mode
- Compliance mode
These retention modes apply different levels of protection.
These object lock retention modes apply different levels of protection.
In Governance mode, users cannot overwrite or delete an object version or alter its lock settings using Backup Agent. With Governance mode, objects in backup storage are protected against being deleted, but you can still delete the object, if necessary, in the backup storage provider console.
In Compliance mode, a protected object version cannot be overwritten or deleted by any user, including the root user in your storage provider account. When an object is locked in Compliance mode, its retention mode cannot be changed, and its retention period cannot be shortened. Compliance mode helps ensure that an object version cannot be overwritten or deleted for the duration of the retention period defined in the GFS retention policy settings.
Immutable data retention mode configured for the existing storage destination cannot be changed in Backup Agent. If you have not any storage destination with enabled immutability, you can create a new destination bucket. By design, when you create destination bucket, the Governance mode is used for all destination buckets with immutability enabled. If need to use the Compliance mode for the case, you can check this option with MSP360 support.
How It Works
Enable this feature for an appropriate storage account, if you need to comply with the regulations, maintenance or legal requirements, or anything else that requires an immutable backup dataset. In some cases, it could be easier to create a new bucket in the existing storage account for immutability purposes.
You can only enable Immutability for new buckets. If you want to turn on Immutability for an existing bucket, contact the storage provider support team if they can help you.
Note that if your storage provider is AWS and you create a new bucket with the Immutability feature enabled, versioning for this bucket is automatically enabled
If you create a bucket with Immutability enabled, you cannot disable it or suspend versioning for this bucket
Support for Versioning Buckets in Amazon S3/Wasabi
With the Immutability feature enabled in storage account, synchronization is performed file list formed on the list of versions.
Along with it, a so-called postponed synchronization approach is used that implies data collections from a list of files, then analyzed and added to the database. During the analysis, immutable generations are checked for deleted files. If any deletions are detected, some deleted files are restored: common generation files (generation metadata, GFS marker) and restore point files up to the first successful one.
During consistency checks, the same logic applies: immutable generations are checked for deleted files. If any deletions are detected, some deleted files are restored: this concerns common generation files (generation metadata, GFS marker) and restore point files up to the first successful one.
Enable Immutability for Storage Account
To use Immutability feature GetBucketObjectLockConfiguration permission must be granted to the account used for backup storage connection
To enable the Immutability feature for the storage account, proceed as follows:
- In the application menu, select Edit Storage Accounts.
- Select the account you want to enable the Immutability feature for, then click Edit.
- Select the bucket that supports the Immutability or create a new one. If the selected bucket does not support Immutability, you will be informed with an appropriate warning.
Note that you can only enable the Immutability feature for new buckets. If you want to turn on the Immutability for an existing bucket, contact AWS Support
- Select the Allow Immutability check box.
- Read carefully the confirmation dialog, then confirm the action.
- Click OK.
Once the Immutability feature is enabled on the required storage account, proceed to create or edit the backup plans that require immutable data.
Enable Immutability in Backup Plan
- Edit the backup plan you intend to apply immutability to or create a new one.
- Follow the backup wizard steps to the Retention Policy step.
- Select the Enable GFS check box.
- Configure your GFS settings according to your requirements or compliance mandate.
- Select the Enable Immutability check box.
- Confirm the action in a dialog box, then click Next.
Attention! Once the Immutability is enabled, it is NOT possible to edit or delete the backup data unless the specified GFS keeping period expires, so be extremely cautious since it may lead to serious storage bill increases
- Follow the backup wizard to an end to save the backup plan configuration.