How Object First Uses S3 Versioning and Object Lock
From NASCAR to Dropsuite, millions of organizations worldwide rely on Amazon S3 as their key storage platform for its built-in data protection features. Among these, S3 Object Lock and Versioning are widely recognized as industry-standard tools for making backup data immutable, ensuring it remains protected from bad actors and accidental deletion alike. This blog breaks down how these features work, why they matter, and how Object First uses them to deliver secure, immutable backup storage.
What Is Amazon S3 Data Protection?
Amazon S3 (Simple Storage Service) is a widely adopted object storage protocol that supports secure, scalable data storage across cloud and on-prem environments. Its data protection capabilities are grounded in a Zero Trust Security Architecture, which enforces strict separation between backup software and storage. This natural segmentation ensures that even if one component is compromised, the other remains safe.
Unlike proprietary protocols, S3 is publicly documented and universally supported, allowing for transparent security evaluations and broad vendor interoperability. It functions as a foundational protocol—similar to TCP/IP in networking—making it a reliable choice for organizations seeking consistent, auditable data protection.
How Versioning Works
S3 Versioning ensures that every write operation creates a new object version. Instead of modifying existing data, S3 writes a new object and assigns it a unique version number—automatically generated by the storage array, not the application. This guarantees a chain of custody, enabling full traceability and recovery of previous versions.
A key advantage is immediate immutability. As soon as data is written, it becomes immutable, eliminating any vulnerabilities associated with immutability delays.
From a performance and cost perspective, enabling versioning on a bucket introduces no significant overhead. S3 is designed by default to handle billions of objects and lock extensions, making it ideal for backup workloads managed by Veeam.
How Object Lock Works
While versioning prevents overwrites, S3 Object Lock ensures that individual object versions cannot be modified or deleted. It operates in two modes:
- Compliance Mode (Recommended): Once an object is locked, it cannot be altered or deleted—even by privileged users. This mode aligns with Zero Trust security principles.
- Governance Mode (Not Recommended): Allows privileged users to modify or remove object locks. While useful for service providers managing customer data, it introduces potential vulnerabilities.
Although two modes exist, Object First exclusively uses Compliance Mode for S3 Object Lock because Governance Mode contradicts one of our core security philosophies: “Assume Breach, Prepare for Recovery.” We operate under the premise that ransomware attacks are inevitable—not hypothetical.
To truly protect data, we assume that credentials may be compromised and all secrets exposed. This is the only way to ensure that no single user can perform destructive actions.
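The delete behavior described in the two sections above, as an added example that is not Object First's or Amazon's code: a toy in-memory model of a versioned bucket showing what a plain delete, a version-specific delete, and a privileged bypass each do under Governance and Compliance modes. The class, the `bypass_governance` flag (standing in for a privileged user's bypass), the object key and the timestamps are all constructed for illustration.

```python
import itertools
from datetime import datetime, timedelta, timezone

class LockedError(Exception):
    """A request tried to remove a version that is still under retention."""

class VersionedBucket:
    """Toy in-memory model (not a real S3 client) of Versioning + Object Lock."""
    def __init__(self):
        self._ids = itertools.count(1)
        self.versions = {}  # key -> list of version records, oldest first

    def _add(self, key, **record):
        record["id"] = f"v{next(self._ids)}"  # the store, not the caller, picks the ID
        self.versions.setdefault(key, []).append(record)
        return record["id"]

    def put(self, key, body, mode, retain_days, now):
        # Every write appends a new version and is locked in the same operation.
        return self._add(key, body=body, mode=mode, until=now + timedelta(days=retain_days))

    def delete(self, key, now, version_id=None, bypass_governance=False):
        if version_id is None:
            # Plain DELETE only stacks a delete marker; older versions stay intact.
            return self._add(key, body=None, mode=None, until=None)
        v = next(x for x in self.versions[key] if x["id"] == version_id)
        if v["mode"] and now < v["until"]:
            # COMPLIANCE: nobody may remove it. GOVERNANCE: only with explicit bypass.
            if v["mode"] == "COMPLIANCE" or not bypass_governance:
                raise LockedError(f"{key}@{version_id} is locked until {v['until']:%Y-%m-%d}")
        self.versions[key].remove(v)
        return version_id

def demo():
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed timestamps and keys
    b = VersionedBucket()
    gov = b.put("job1/full.blk", b"full", "GOVERNANCE", 30, t0)
    comp = b.put("job1/full.blk", b"incr", "COMPLIANCE", 30, t0)
    b.delete("job1/full.blk", t0)  # marker only, data survives
    out = {"data_versions": sum(v["body"] is not None for v in b.versions["job1/full.blk"])}
    for name, vid, bypass in [("governance", gov, False), ("governance_bypass", gov, True),
                              ("compliance_bypass", comp, True)]:
        try:
            b.delete("job1/full.blk", t0, vid, bypass)
            out[name] = "deleted"
        except LockedError:
            out[name] = "denied"
    out["compliance_after_expiry"] = b.delete("job1/full.blk", t0 + timedelta(days=31), comp)
    return out
```

Only the Governance-mode version can be removed before its retention date, and only when the bypass is used; the Compliance-mode version stays until the retention period has passed.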
Meeting Compliance with Immutable and Encrypted Data
Object Lock helps companies meet regulatory compliance requirements. For example, HIPAA’s 2025 update mandates end-to-end encryption and verifiable immutability for protected health information. End-to-end encryption with rotating keys ensures that data remains unreadable to unauthorized users; Veeam can be assigned to perform, control, and track this encryption. Object Lock guarantees that the data itself cannot be altered or deleted once written, even by privileged accounts. When they work together, encryption secures the data in transit and at rest, while Object Lock preserves its integrity over time.
Object First's Ootbi (Out-of-the-Box Immutability) supports end-to-end encryption and provides verifiable immutability, satisfying 2025 HIPAA requirements. This is validated by independent assessments such as Cohasset Associates’ published findings on Object First.
How Versioning + Object Lock Work Together to Achieve Immutability
Used together, versioning and object lock create a secure, immutable storage environment. This combination protects data from both accidental and intentional threats.
In a Veeam-integrated setup, backup data written to an S3 bucket with versioning and object lock enabled is locked during the write operation. Veeam tracks the specific version numbers assigned by the storage array, ensuring that only the correct versions are accessed or restored. This tight integration simplifies recovery workflows and reinforces data integrity.
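One way to verify that a bucket and its object versions are actually in the state described above (added example, not Object First's or Veeam's code). It assumes the inputs are dictionaries shaped like the responses of boto3's `get_bucket_versioning`, `get_object_lock_configuration` and `get_object_retention` calls; the function name, keys, version IDs and dates are constructed.

```python
from datetime import datetime, timezone

def audit_immutability(versioning, lock_cfg, retentions, now):
    """Return a list of findings; an empty list means every check passed.

    versioning -- dict shaped like boto3 get_bucket_versioning() output
    lock_cfg   -- dict shaped like boto3 get_object_lock_configuration() output
    retentions -- {(key, version_id): get_object_retention() output, or None if unset}
    """
    findings = []
    if versioning.get("Status") != "Enabled":
        findings.append(f"bucket: versioning is {versioning.get('Status', 'not configured')}")
    lock = lock_cfg.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append("bucket: Object Lock is not enabled")
    for (key, vid), resp in sorted(retentions.items()):
        ret = (resp or {}).get("Retention")
        if not ret:
            findings.append(f"{key}@{vid}: no retention set")
        elif ret["Mode"] != "COMPLIANCE":
            findings.append(f"{key}@{vid}: {ret['Mode']} mode, privileged users can bypass")
        elif ret["RetainUntilDate"] <= now:
            findings.append(f"{key}@{vid}: retention expired {ret['RetainUntilDate']:%Y-%m-%d}")
    return findings

# Constructed sample responses (hypothetical keys and version IDs), not output from a real bucket.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_RETENTIONS = {
    ("job1/full.blk", "ver-001"): {"Retention": {
        "Mode": "COMPLIANCE", "RetainUntilDate": datetime(2025, 7, 1, tzinfo=timezone.utc)}},
    ("job1/incr.blk", "ver-002"): {"Retention": {
        "Mode": "GOVERNANCE", "RetainUntilDate": datetime(2025, 7, 1, tzinfo=timezone.utc)}},
    ("job1/old.blk", "ver-003"): {"Retention": {
        "Mode": "COMPLIANCE", "RetainUntilDate": datetime(2025, 5, 1, tzinfo=timezone.utc)}},
    ("job1/meta.xml", "ver-004"): None,
}

def sample_findings():
    return audit_immutability(
        {"Status": "Enabled"},
        {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}},
        SAMPLE_RETENTIONS, NOW)
```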
Object First’s Approach to S3 Data Protection
Object First is purpose-built for Veeam workloads. Our architecture leverages S3’s versioning and object lock features to deliver immediate immutability, automatic version tracking, and scalable object storage. We also support Veeam’s SOS API, enabling seamless integration and optimized performance.
Unlike other vendors who bolt immutability on as an afterthought, Object First builds it into the core of our solution. We understand how Veeam manages backup data, and we’ve purpose-built our solution for Veeam to ensure that your data is protected from day one.
Where Other Vendors Fall Short—and How Object First Gets It Right
Many vendors treat immutability as a secondary feature, adding it after the initial data is written through delayed processes or manual configuration. This approach introduces a window of vulnerability where backup data can be modified or deleted before protections are in place. These solutions often rely on proprietary, opaque security mechanisms, inconsistent encryption standards, and manual setup, making them difficult to audit and likely to misconfigure.
Object First takes a fundamentally different approach. By leveraging Amazon S3’s native versioning and Object Lock features, we implement immutability the instant data is written—no delays, no manual steps, and no reliance on privileged user trust. Our architecture ensures that data is immediately protected and permanently unchangeable, aligning with zero-trust principles and delivering true out-of-the-box immutability.