Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  3. NetBackup™ Deduplication Guide
  5. MSDP cloud support
  7. About MSDP cloud immutable (WORM) storage support
  9. About immutable object support for AWS S3
NetBackup™ Deduplication Guide

About immutable object support for AWS S3

NetBackup 9.1 and later versions support cloud immutable (WORM) storage with S3 Object Lock. For more information about Amazon S3 Object Lock, see https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html.

Cloud administrator and backup administrator need specific permissions to configure and use immutable storage. Cloud administrators need a set of permissions to manage the bucket and cloud volume in the cloud and backup administrators need permissions to manage backup data.

See AWS user permissions to create the cloud immutable volume.

Backup images can be locked in one of the following two retention modes:

  • Compliance mode

    Users cannot overwrite or delete the data that is protected using the compliance mode for the defined retention period. Once you set a retention period for the data storage, you can extend it but cannot shorten it.

  • Governance mode (also known as enterprise mode)

    Users require special permissions to disable the retention lock and then delete the image. Only the cloud administrator user can disable the retention lock and then the delete the image if required. You can use the governance mode to test the retention period behavior before you use compliance mode.

You can use MSDP cloud admin tool to manage cloud immutable volume.

See Managing AWS S3 immutable storage using msdpcldutil tool.

Cloud immutable volume (Cloud LSU) is a cloud volume with the following differences than normal cloud volumes:

  • The bucket is Object Lock enabled. It is created with the tool msdpcldutil.

  • The bucket policy is attached to the bucket to protect metadata objects of cloud immutable volume.

  • A retention range is defined for the cloud volume. The retention of any backup images must be in this range. NetBackup checks this condition when the backup policy is created. This range can be defined and changed with msdpcldutil.

  • The cloud volume has a live period which defines its lifetime. It provides a safety net so that the retention period of all data in it is restricted in the lifetime of cloud volume. When this live period expires, the volume will be down. You can use msdpcldutil to extend the live period when the volume does not expire or resurrect the volume when it expires.

  • You can set the storage class while creating immutable volume. Use the option --storageclass with your storage class, such as STANDARD_IA or GLACIER_IR. The default value is STANDARD.

Feedback

Was this page helpful?
Previous

About MSDP cloud admin tool

Next

Creating a cloud immutable storage unit

Feedback

Was this page helpful?