Immutable Backup Implementation
If an attacker gains admin access, the first thing they do is delete your backups. Immutable backups solve this — once written, they cannot be modified, encrypted, or deleted for a defined retention period. We implement WORM storage so your recovery path survives even a total compromise.
S3 Object Lock Configuration
We configure S3 buckets with Object Lock in Compliance mode — objects cannot be deleted or overwritten by anyone, including the root account, for the specified retention period. Governance mode is available for less strict requirements where designated admins can override. We set default retention periods at the bucket level and per-object retention for critical backups. Legal holds provide indefinite retention for compliance investigations.
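As an added example (not Anubiz code), the Python below takes dicts shaped like the S3 GetObjectLockConfiguration and HeadObject responses and reports where a bucket default or an object version falls short of the Compliance-mode setup described above. The function names, the 30-day minimum and the sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def audit_bucket(lock_cfg, min_days):
    """Findings for a GetObjectLockConfiguration-shaped dict; [] means policy is met."""
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock is not enabled"]
    default = cfg.get("Rule", {}).get("DefaultRetention")
    if not default:
        return ["no default retention: uploads without explicit retention are unlocked"]
    findings = []
    if default.get("Mode") != "COMPLIANCE":
        findings.append("default mode is GOVERNANCE: designated admins can override")
    # S3 stores the default period as either Days or Years, never both.
    days = default.get("Days") or default.get("Years", 0) * 365
    if days < min_days:
        findings.append(f"default retention {days}d is below required {min_days}d")
    return findings

def delete_blocked(head, now, bypass_governance=False):
    """Would deleting this object version (HeadObject-shaped dict) be refused at `now`?"""
    if head.get("ObjectLockLegalHoldStatus") == "ON":
        return True  # legal hold has no end date and ignores the governance bypass
    until = head.get("ObjectLockRetainUntilDate")
    if until is None or until <= now:
        return False  # no retention set, or the retention period has expired
    if head.get("ObjectLockMode") == "GOVERNANCE":
        return not bypass_governance
    return head.get("ObjectLockMode") == "COMPLIANCE"

# Constructed sample data (assumed values, not taken from a real account).
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
WEAK_BUCKET = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}
GOV_OBJECT = {"ObjectLockMode": "GOVERNANCE",
              "ObjectLockRetainUntilDate": NOW + timedelta(days=10)}

if __name__ == "__main__":
    for finding in audit_bucket(WEAK_BUCKET, min_days=30):
        print("bucket:", finding)
    print("admin with bypass can delete:",
          not delete_blocked(GOV_OBJECT, NOW, bypass_governance=True))
```

Retention and legal holds apply to individual object versions, so run the object check against each version ID a restore depends on.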
Backup Pipeline Integration
Your existing backup tools (pgBackRest, Velero, Restic, Borg) are configured to write directly to Object Lock-enabled buckets. We handle the integration details: proper IAM permissions, retry logic for conditional writes, and metadata tagging for retention management. The backup pipeline does not change from the operator's perspective — immutability is enforced at the storage layer.
Air-Gapped and Cross-Account Isolation
For maximum protection, backup copies land in a separate AWS account with no cross-account admin access. The backup account has its own IAM boundaries, CloudTrail logging, and SCPs (Service Control Policies) preventing Object Lock removal. Even if your production account is fully compromised, the backup account remains untouched. We configure automated cross-account replication so no manual process is required.
Cost Management and Lifecycle
Immutable backups cannot be deleted early, so retention periods must be chosen carefully. We analyze your compliance requirements and set appropriate windows: 30 days for operational recovery, 1 year for audit compliance, 7 years for regulatory archives. Lifecycle rules transition immutable objects to Glacier after the active recovery window. We model storage costs upfront so there are no billing surprises when retention periods stack up.
Why Anubiz Engineering