Solved

Backup in AWS with compliance lock

  • 23 November 2023
  • 7 replies
  • 184 views

Userlevel 4
Badge +15

Hello, 

does anyone in the community have experience with offside backup to an S3 bucket in AWS?
We created a bucket in the AWS with the "Object Lock" option in compliance mode with a retention of one day. We also did the same with a storage policy in Commvault. Also compliance lock and retention 1 day.
We then sent a VSA backup to this storage policy and everything worked immediately without any errors. However, after the retention expired, the data in the AWS bucket was not deleted. To find out whether something was stuck here, I manually deleted the data in the storage policy. That was yesterday. Today, the data that Commvault wrote is still available in the AWS bucket. There is no delete marker on it and the bucket has not changed in size from 7.7 GB and the number of files and folders.

 

 

Regards

Thomas

icon

Best answer by Deepali S 5 December 2023, 08:51

View original

7 replies

Badge

Hi, If they have storage worm enabled, in which case we will not prune until the entire store prunes (min 7 day sealing) or other thing could be next backups referring to all data written by the first backup. Can you formally escalate to check further and know the exact reason.

Userlevel 4
Badge +15

Hello, 

We have now found out how it works. Commvault probably never deletes the entire data after a single backup. However, the old ones will probably be replaced during a new backup run if the retention has expired.
But I'm now plagued by the problem that if commvault doesn't completely empty the "library" after the retention period has expired, how can I remove this library again? Because of the compliance lock, I am not allowed to delete the data and therefore not the storage policy and everything related to it.

 

Badge

Hi Thomas,

Storage policy can be deleted when there are no jobs on it even if it has compliance lock set.

That will eventually trigger deletion of all data on library and then library can be deleted.

Compliance lock is set by user only when we want to prevent job deletion from any level and not allow anyone lower retention on a copy.if this is not the requirement,compliance lock need not be set.

Additionally, if object lock is set on the bucket,we recommend to set storage lock in CV. Since in this case lock period is very low, 1 day , should be OK else good to set storage lock.

Userlevel 4
Badge +15

Hello @Deepali S

The retention is set to one day because this is a test run to find out how the compliance lock works and how we can roll it out later in production.
I have attached screenshots of the test data that cannot be deleted. As you can see, the retention has expired but this data cannot be deleted.

 

Is there perhaps another way how I can get the data deleted again?
10 days is specified here, which is ok. We used these in the first test. However, the data should now have been released again. But they aren't.
I think the problem is the Cycle… but I don’t know how to solve this.

Regards

Thomas

Badge

Hi Thomas,

when compliance lock is set ,we cannot delete jobs manually. Once the retention is met on the job and Data Aging job is run, jobs will be deleted and so will the data on library eventually. 

 

thanks

Deepali

Userlevel 4
Badge +15

Hi @Deepali S

Is there a way to somehow override that? Because there are no more new jobs running for this storage policy and I believe that it does not delete the data that still exists because the cycle cannot be fulfilled.

 

Regards

Thomas

Badge

Hi Thomas,

To disable compliance lock you would need to escalate and customer support should be able to help you.

 

thanks

Deepali

Reply