To strengthen the security management of data backup and meet security compliance requirements, you must protect your data against accidental operations and malicious attacks. Cloud Backup provides the immutable backup feature for general-purpose backup vaults based on write once, read many (WORM) technology. This topic describes how to enable the immutable backup feature for a general-purpose backup vault.
Feature introduction
Immutable backup is a protection mechanism that is provided for backup vaults. If you enable the immutable backup feature for a backup vault, data can be written to the backup vault only once and read from the backup vault multiple times. This mechanism prevents accidental or malicious deletion of important backup data and provides additional security for your backup data. You can enable the immutable backup feature in the backup vault settings. You can also enable the feature when you create a backup policy.
After the immutable backup feature is enabled, it cannot be disabled.
For General Backup Policy:
After you enable the immutable backup feature for a backup vault, the backup vault and all backup data in the backup vault cannot be deleted until the retention period expires.
After you enable the immutable backup feature for a backup vault, all the existing backup points and newly generated backup points are locked.
If you enable both the immutable backup feature and the cross-region replication feature, the backup vault and the backup points replicated to another region are locked.
For ECS Instance Backup Policy:
After the immutable backup feature is enabled, backup points of Elastic Compute Service (ECS) instances cannot be deleted until they automatically expire.
After the immutable backup feature is enabled, only the backup points created in the next backup cycle are locked. Existing backup points of ECS instances are not locked.
If you enable both the immutable backup feature and the cross-region replication feature, the backup points replicated to another region are locked.
After the immutable backup feature is enabled, the normal use of the corresponding disks and snapshots is not affected. For example, you can still create disks and share snapshots.
The immutable backup feature does not affect backup and recovery operations.
The immutable backup feature is used to protect backup data against unauthorized modification or deletion. After the immutable backup feature is enabled, the backup data cannot be manually modified or deleted before it is automatically deleted upon expiration. Even users with appropriate permissions cannot modify or delete the backup data.
Applicable scope
The immutable backup feature can be enabled for backup policies (general backup policies or ECS instance backup policies) and general-purpose backup vaults. The feature is not available for backup vaults with a 30-day free trial or for database backup vaults.
For more information about the regions that support the feature, see Features available in each region.
Enable the immutable backup feature
After you complete the preceding operations, Immutable Backup is displayed in the Data Lock Mode column of the backup vault.
FAQ
Why am I unable to enable Immutable Backup in the Modify Backup Vault panel?
You can enable the immutable backup feature for general-purpose backup vaults. If the Storage Vault Type is Tablestore Backup or Database Backup, the Immutable Backup switch is not displayed.
Can I disable the immutable backup feature for a backup vault?
No, you cannot disable the immutable backup feature after it is enabled. After the immutable backup feature is enabled, the backup vault and backup data cannot be deleted until the retention period expires. The immutable backup feature does not affect backup and recovery operations.
References
Cloud Backup provides the following enterprise-class capabilities to ensure data security: