WORM Retention with AWS S3

  • 13 February 2023
  • 1 reply

Badge +1


We are trying to redo our Aux copy backups we currently have going to S3 now. We want to harden our Aux/cloud backups by creating new S3 buckets and turning on WORM for them. 

I created a new test bucket and turning on the S3 Object Lock for the bucket. My question is around retention times. We currently have and will continue our retention of our yearly (gathering all the weekly full backups for 365 days) backups and then have data aging start deleting the full backups on-hand after 365 days. If I want to keep this same retention with WORM turned on, do I need to set the S3 object lock retention to the same amount (or less/more than 365 days)? 

I am reading through documents and other posts about setting retention 2 or 3 times the amount as the policy to prevent accidental deletion or preventing it from being deleted. This is where I am confused on. 

Right now we do have it deduped going to our Aux copy/cloud, but I guess I question if we should even dedupe our new backups to the new policies/buckets. Any thoughts on that? I understand that there are some things to keep in mind if you do dedupe to S3 with WORM turned on in that you have to reseal the DDB on occasion. And resealing can eat up just as much room possibly on S3 as if it were not deduped at all. 


1 reply

Userlevel 6
Badge +17

When using dedupe you will want to seal the DDB matching the retention, and then expect to have at least 2 of those DDB vaults under protection.  So consuming at least 2x the space.  With Object Lock it’s better than Bucket Lock which requires 3x the space.

If you used Metallic Recovery Reserve (MRR) you only require the 1x space.