Channel: R&D Forums

Object Storage as Backup Target • Re: Advice on immutable s3 storage with a 'no delete' s3 bucket policy

Hi Pat,

As you mentioned, s3:deleteObject and s3:deleteObjectVersion permissions are mandatory; otherwise, your backup server will not be able to delete outdated objects. If the backup server can't clean up old objects, your bucket could become a mess very quickly.

And deleting backup objects outside of the Veeam application is not supported. Even if it were, it would be impossible without accessing the metadata on the backup server to identify which objects need to be deleted.

Best,
Fabian
Thanks Fabian, I thought that would be the case, but it never hurts to ask. I'm sure if there was a more secure way to do it, Veeam would share it.

I have been looking at other options for further securing access and found that using aws:SourceIp conditions would be an additional layer of security we can add, on top of everything else that can be done to lock things down.
https://docs.wasabi.com/v1/docs/how-to- ... ip-address?

That could be worth adding to the Veeam KB/suggestions, as in the scenario I described above, attackers were able to extract S3 access keys but did not do anything with them until many hours later, and the eventual API delete requests came from a foreign IP. Limiting access to known IPs is one more way to protect the data.

Statistics: Posted by pat_ren — Sep 09, 2025 10:13 am
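
The aws:SourceIp restriction raised in the post above, shown as an added example that is not part of the original thread or of Veeam or Wasabi documentation: it builds a bucket policy that denies all S3 actions from outside a known range and checks two constructed requests against it locally. The bucket name, the CIDR range and the helper names are assumptions chosen for illustration.

```python
import ipaddress
import json

# Assumptions (placeholders, not from the post): bucket name and the
# backup server's public egress range (documentation address space).
BUCKET = "example-backup-bucket"
ALLOWED_CIDRS = ["203.0.113.0/24"]

def build_policy(bucket, allowed_cidrs):
    """Deny every S3 action on the bucket unless the request comes from a known range."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideKnownIps",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"NotIpAddress": {"aws:SourceIp": allowed_cidrs}},
        }],
    }

def explicitly_denied(policy, action, source_ip):
    """Local model of the NotIpAddress deny only, for offline review; not a full policy evaluator."""
    ip = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(a == "s3:*" or a.lower() == action.lower() for a in actions):
            continue
        cidrs = stmt["Condition"]["NotIpAddress"]["aws:SourceIp"]
        # The deny fires when the source address is in none of the listed ranges.
        if not any(ip in ipaddress.ip_network(c) for c in cidrs):
            return True
    return False

POLICY = build_policy(BUCKET, ALLOWED_CIDRS)

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    # Constructed requests: the same access key used from two source addresses.
    for ip in ("203.0.113.25", "198.51.100.7"):
        print(ip, "DeleteObject denied:", explicitly_denied(POLICY, "s3:DeleteObject", ip))
```

aws:SourceIp is matched against the public address the storage service sees, so the list must contain the backup server's NAT or egress address rather than its private one. Because the statement is an explicit deny for every principal, it also blocks administrators connecting from any unlisted address.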


