To use an Object Storage Repository for backup, it must be configured as Capacity Tier in the Scale-out Backup Repository.
Starting v10, Veeam Backup & Replication supports backup immutability on object storage. Enabling this feature on existing S3 bucket containing backups created by 9.5 Update 4 requires that both Versioning and Object Lock are enabled on the bucket at the same time, before the immutability feature is enabled. Any other approach will lead to backup offload failures and inability to correctly interact with backups in the bucket.
Data in object storage bucket/container must be managed solely by Veeam, including retention and data management. Enabling lifecycle rules is not supported, and may result in backup and restore failures.
Create an own bucket and own user where possible for the Object Storage Repository and limit the user account to have only the required access on the object storage bucket.
For an extra layer of security the access to public object storage can be piped through a VPN connection to an internal object storage service endpoint in a private cloud network.
Veeam Backup & Replication supports immutability on object storage. Cloud providers currently require that Versioning and Object Lock must enabled on the bucket, before uploading data to it. Any other approach will lead to backup offload failures and inability to correctly interact with backups in the bucket.
Do not delete manually from an object storage bucket used for a Veeam Object Repository. Veeam will take care of deleting old objects based on your configured retention period in the backup or backup copy job.
You can safely delete everything manually when the Object Storage Repository is decommissioned completely (unconfigured in VBR).
In the case of AWS it’s not possible to enable immutability on a bucket, after creation via the GUI. It requires contacting AWS support who will provide information to enable it.
Be aware that AWS Snowball Edge will require a similar process as you cannot enable file versioning, and therefore object lock, prior to moving data into S3. The destination bucket must have no object lock/versioning enabled, otherwise Snowball will be unable to copy data. After the copy is complete, versioning can be enabled and you can check with AWS support to enable immutability.