COHESITY Documentation

© 2026 Cohesity, Inc. All Rights Reserved.
NetBackup™ Deduplication Guide

About bucket policy for immutable storage

A bucket policy protects the metadata objects of immutable storage, such as lockdown-mode.conf and lsu-worm.conf, for each volume or sub-bucket. The bucket policy is created and updated automatically when a cloud immutable volume is created.

If the bucket already has a bucket policy, the cloud administrator needs to merge the existing bucket policy with the policy for immutable storage manually. For information about editing the S3 bucket policy, see the topic Adding a bucket policy using the Amazon S3 console in the AWS documentation.

The following is an example bucket policy for immutable storage in AWS S3. Replace bucket-name, volume-name, and YOUR-USER-ID-HERE with your own values; the two Resource entries are repeated for each additional volume or sub-bucket.

{
    "Version": "2012-10-17",
    "Id": "vtas-lockdown-mode-file-protection",
    "Statement": [
        {
            "Sid": "vrts-lockdown-file-read-only",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "s3:DeleteObject",
                "s3:PutObject",
                "s3:PutObjectRetention"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name/volume-name/lockdown-mode.conf",
                "arn:aws:s3:::bucket-name/volume-name/lsu-worm.conf"
            ],
            "Condition": {
                "StringNotEquals": {
                    "aws:userid": "YOUR-USER-ID-HERE"
                }
            }
        }
    ]
}
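
The manual merge described above is where mistakes happen: a statement gets pasted twice, or an existing Deny (for example a TLS-only rule) is dropped. The following script is an added example for this page, not NetBackup/MSDP or Cohesity code. It builds the deny statement in the same shape as the example policy, merges it into an existing policy by Sid so the merge is repeatable, and checks the result offline with a small evaluator. The bucket name, volume name and aws:userid value are the page's own placeholders; EXISTING_POLICY is a constructed TLS-only policy standing in for whatever is already on the bucket.

```python
"""Merge the immutable-storage deny statement into an existing bucket policy
and check the result offline before applying it.

Added example for this page; not NetBackup/MSDP or Cohesity code.
Assumptions (all constructed): "bucket-name", "volume-name" and
"YOUR-USER-ID-HERE" are the page's placeholders; EXISTING_POLICY is an
invented pre-existing TLS-only policy.
"""
import copy
import fnmatch
import json

PROTECTED_FILES = ("lockdown-mode.conf", "lsu-worm.conf")
DENIED_ACTIONS = ("s3:DeleteObject", "s3:PutObject", "s3:PutObjectRetention")
LOCKDOWN_SID = "vrts-lockdown-file-read-only"  # Sid used in the page's example


def build_lockdown_statement(bucket, volumes, allowed_userid):
    """Deny statement with the same shape as the page's example: every
    principal except allowed_userid is denied delete, overwrite and
    retention changes on the per-volume metadata objects."""
    resources = [f"arn:aws:s3:::{bucket}/{vol}/{name}"
                 for vol in volumes for name in PROTECTED_FILES]
    return {
        "Sid": LOCKDOWN_SID,
        "Effect": "Deny",
        "Principal": "*",
        "Action": list(DENIED_ACTIONS),
        "Resource": resources,
        "Condition": {"StringNotEquals": {"aws:userid": allowed_userid}},
    }


def merge_policy(existing_policy, statement):
    """Return a new policy that keeps the existing statements and adds the
    lockdown statement, replacing any earlier statement with the same Sid so
    the merge can be re-run without duplicating it."""
    merged = copy.deepcopy(existing_policy) if existing_policy else {}
    merged.setdefault("Version", "2012-10-17")
    stmts = _as_list(merged.get("Statement", []))
    stmts = [s for s in stmts if s.get("Sid") != statement["Sid"]]
    stmts.append(copy.deepcopy(statement))
    merged["Statement"] = stmts
    return merged


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, ctx):
    """Evaluate StringEquals, StringNotEquals and Bool against the request
    context. Returns None for any other operator (not evaluable here)."""
    for op, pairs in condition.items():
        for key, want in pairs.items():
            have = str(ctx.get(key))
            want = [str(w) for w in _as_list(want)]
            if op == "StringEquals" and have not in want:
                return False
            if op == "StringNotEquals" and have in want:
                return False
            if op == "Bool" and have.lower() not in [w.lower() for w in want]:
                return False
            if op not in ("StringEquals", "StringNotEquals", "Bool"):
                return None
    return True


def is_denied(policy, action, resource_arn, ctx):
    """Does some Deny statement for all principals cover this action and
    resource under the given request context? A deliberately small checker
    (wildcards via fnmatch, three condition operators), not a full IAM
    evaluator. An explicit Deny always wins in IAM, so True here means the
    request is blocked regardless of any Allow statements."""
    for s in _as_list(policy.get("Statement", [])):
        principal = s.get("Principal")
        all_principals = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if s.get("Effect") != "Deny" or not all_principals:
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(s.get("Action", []))):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, p) for p in _as_list(s.get("Resource", []))):
            continue
        if _condition_holds(s.get("Condition", {}), ctx) is True:
            return True
    return False


# Constructed pre-existing policy: the bucket already requires TLS.
EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "require-tls",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}

if __name__ == "__main__":
    stmt = build_lockdown_statement("bucket-name", ["volume-name"], "YOUR-USER-ID-HERE")
    merged = merge_policy(EXISTING_POLICY, stmt)
    print(json.dumps(merged, indent=4))
    arn = "arn:aws:s3:::bucket-name/volume-name/lockdown-mode.conf"
    other = {"aws:userid": "SOMEONE-ELSE", "aws:SecureTransport": "true"}
    print("delete by another user denied:", is_denied(merged, "s3:DeleteObject", arn, other))
```

The merged JSON is what you would pass to the S3 console or to boto3's put_bucket_policy. Two things the checker makes visible before the policy goes live: reads of the metadata objects stay permitted (the statement only blocks delete, overwrite and retention changes), and the exempt identity is matched on aws:userid, which for an IAM user is the unique ID, not the user name, so the placeholder must be replaced with that value or the NetBackup user will be locked out of its own metadata.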

See Troubleshooting the error when the bucket is created without msdpcldutil.

See AWS user permissions to create the cloud immutable volume.
