• Leonardo Rodrigues
    4
    Hello Guys ... my first post here :)

    I've been studying MSP360 Backup for a while, have been using it in the lab, and I believe I have understood quite well some of the options and modes, especially while backing up to AWS S3 buckets. (I'm using "regular" backup mode, not the Legacy one)

    One of my main concerns is how to protect the backup, on my S3 buckets, from a ransomware attack, *even* by a ransomware that attacks the network and could, somehow, fetch S3 keys and try to mess with backup files there.

    GFS retention, and Object Locking for the configured GFS retention periods, are completely understood. On the defined day a new full backup is created (and retained), GFS retention policies will be set for the configured period. For that, of course Object Lock is enabled on the bucket and on the Storage Account.

    But on a worst case scenario, for example, if the Full backup is created every week on Mondays, my incremental backups from Tuesday, Wednesday, etc, would still be "vulnerable" to a malware attack, to my understanding. Only the "full" backup will receive Object Lock policies, not the daily incremental ones.

    To the best of my knowledge, watching how MSP360 stores data on the S3 bucket, it seems files are not overwritten, appended or anything like that. On incremental backups, new files are created and uploaded. Deleted files are only "flagged" as deleted and won't be restored, if a restore action is made.

    My question, finally, is ... would setting (for example) a 7 day default Governance Object Lock on the bucket prevent MSP360 from working properly? With that, I'm expecting to protect ALL files uploaded, and let MSP360 change Lock Policies when needed (the access used by MSP360 does have GET and PUTObjectRetention). Considering that GFS smallest Lock Period would be 1 week (if I keep weekly for 1 week), that would never be smaller even by the remaining time calculated based on the default 7 days.

    Would that, setting a 7 day default Governance Object Lock, mess with MSP360 workings by any means?

    Thanks for all the tips and considerations!! :)

  • Alexander Negrash (Accepted Answer)
    21
    That's a good question. You're right that object lock inside the product is currently available for full backups stored with the GFS retention policy. Incremental and full backups outside of GFS could not be locked, though this is in our plans to add soon.

    Speaking of enabling object lock directly on the bucket, it should not break your backups. It's just that you might get some warnings about being unable to purge some of the files we generate to perform synthetic full backups (usually, these files are purged right after the new synthetic full is created). In other words, you will end up with all your backups in the cloud plus some additional data we couldn't purge as there is a lock on the bucket itself. However, these data will get purged once the lock is released.
  • Leonardo Rodrigues
    4


    Thanks for the answer, Alexander ... so, in the worst-case scenario, considering I'm thinking of a 7 day default retention, I would use some unneeded storage for just a few (less than 7) days and, once that is expired, files that couldn't be deleted *will be* deleted anyway, lost won't be unneededly used forever? If that's the only drawback, it seems a very cheap price to pay to get REALLY "up to last backup" data protection on the S3 buckets :)
  • Leonardo Rodrigues
    4
    And actually, Alexander, it might be worth upgrading your blog post "Specifying AWS IAM User Group ...." ( https://www.msp360.com/resources/blog/backup-with-iam-users/ ) to include the need for "s3:PutObjectRetention" and maybe "s3:GetObjectRetention" policies as well. It seems that without at least PutObjectRetention, setting the GFS retention policies, by MSP360, would be denied.
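
An added example, not part of the thread and not MSP360 code: a small audit of the backup identity's IAM policy for the two retention actions named above, which also flags grants that would let stolen keys override a Governance-mode lock. Assumptions: the evaluation is simplified (it ignores `Resource` and `Condition`), the `DANGEROUS` list is a choice made for this example, and both sample policies are constructed.

```python
import fnmatch

# Actions the thread says the backup identity needs for GFS locking.
REQUIRED = ["s3:PutObjectRetention", "s3:GetObjectRetention"]
# Chosen for this example: actions that let stolen keys override a
# Governance-mode lock or change the default applied to new uploads.
DANGEROUS = ["s3:BypassGovernanceRetention",
             "s3:PutBucketObjectLockConfiguration"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(action, statements, effect):
    """True if any statement with this Effect names the action (wildcards ok)."""
    for st in statements:
        if st.get("Effect") != effect:
            continue
        for pattern in _as_list(st.get("Action", [])):
            # IAM action names are case-insensitive and accept * and ?.
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                return True
    return False

def is_allowed(policy, action):
    """Simplified evaluation: an Allow matches and no Deny matches."""
    statements = _as_list(policy.get("Statement", []))
    return (_matches(action, statements, "Allow")
            and not _matches(action, statements, "Deny"))

def audit(policy):
    return {"missing": [a for a in REQUIRED if not is_allowed(policy, a)],
            "dangerous": [a for a in DANGEROUS if is_allowed(policy, a)]}

# Constructed sample policies (not from the thread or the MSP360 blog post).
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
        "s3:PutObjectRetention", "s3:GetObjectRetention"]},
    {"Effect": "Deny", "Resource": "*",
     "Action": "s3:BypassGovernanceRetention"}]}

if __name__ == "__main__":
    print("broad :", audit(BROAD))
    print("scoped:", audit(SCOPED))
```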