Skip to main content
NetApp Knowledge Base

ONTAP S3 Object Lock and Veeam - capabilities and limitations

  1. Last updated
  2. Save as PDF
Views:
916
Visibility:
Public
Votes:
0
Category:
ontap-9
Specialty:
nas
Last Updated:

Applies to

  • ONTAP 9
  • S3 Object Lock
  • Veeam
  • ONTAP S3 Snaplock

Answer

  • What is an S3 Object Lock in ONTAP?
    • S3 Object Locks make data immutable—once written, it cannot be changed or deleted until the retention period ends.
  • Why should I use S3 Object Lock with Veeam?
    • It ensures backups are tamper-proof, protects against ransomware, and helps meet compliance requirements.
  • Can I shorten the retention period once it’s set?
    • No. Retention cannot be reduced once applied. This is intentional to guarantee immutability.
  • What happens when the retention period expires?
    • After expiry, objects can be modified or deleted as normal. New retention rules can be applied to future backups.
  • How do I confirm S3 Object Lock is working?
    • ONTAP System Manager shows Object Lock status in bucket properties.
    • Veeam job logs display immutability enforcement.
    • Deletion attempts before expiry will be blocked.
  • Can I use multiple Object Lock buckets with different retention policies?
    • Yes. You can create multiple buckets in ONTAP with different Object Lock settings and map them to separate Veeam repositories.
  • Does Object Lock affect performance or cost?
    • Performance impact is minimal.
    • Storage costs may increase if retention periods are long, since data cannot be deleted until expiry.
  • What if I urgently need to delete data?
    • You cannot override Object Lock once applied. Plan retention periods carefully before enabling.
  • What modes of Object Lock are supported by ONTAP S3?
    • ONTAP S3 supports both Compliance and Governance mode. But for Veeam immutable backup it is recommended to enable ONTAP S3 bucket in compliance mode.
  • Why are immutable backups ONTAP not certified with Veeam?
    • ONTAP S3 is certified as a Veeam Ready object backup target. ONTAP S3 is not certified as Veeam Ready for immutable object backups because Veeam requires that immutable backups are made in compliance mode buckets. ONTAP S3 defaults to creating buckets in governance mode.
    • Although configuring a bucket to use compliance mode can be accomplished manually, ONTAP S3 will need to either change the default option or provide an API that will change the default option to governance in order to be certified as Veeam Ready for immutable object backups.

Additional Information

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.