Using Immutability with Acronis Cyber Protect Cloud

  • Published on Jun 17, 2025
  • 4 minute(s) read
Prev Next

You can use Wasabi’s Object Lock feature with Acronis Cyber Protect Cloud to make your backups immutable.To configure immutable backups, please follow the instructions below.

Prerequisites

  • An active Acronis Cyber Protect Cloud account to access Cyber Protection Service.

    • If you are an Acronis partner, create accounts for your customers.

    • If you are a customer of an Acronis partner, you will receive the user account from your partner.

    • Have Cyber Administrator, User, or Company Administrator access. 

    • Agents running version 24.07 or higher are required for the object lock settings to be applied.

  • A Wasabi Cloud Storage account.

Access Requirements Needed to Backup to Wasabi

To define a Wasabi bucket as a backup location, a user with relevant policies needs to be created. 

For security purposes, root user access keys cannot be used to define a backup location in Acronis. A user with relevant policies should be created. The credentials of this user will be used to define the Backup Location in Acronis.

The sections below outline the steps to fulfill the access requirements needed to add a Wasabi bucket as a backup location in Acronis.


Policy Permissions

Create a policy with the below permissions. For more information, review Creating a Policy.

This policy gives the user the minimum set of permissions to a wide scope of resources. 

In the policy, * indicates all resources.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation",
                "s3:GetBucketObjectLockConfiguration",
                "s3:GetBucketVersioning"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:ListBucketVersions"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "sts:GetCallerIdentity",
                "sts:AssumeRole"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:GetObjectVersion",
                "s3:GetObjectRetention",
                "s3:PutObjectRetention"
            ],
            "Resource": "*"
        }
    ]
}

Creating a User 

Create a user with programmatic (create API key) access and apply the policy created above to the user. For more detail, refer to Creating a User.

CAUTION: Remember to save the access keys, as they will be needed to define the backup location.

Creating an Immutable backup location in Acronis Cyber Protect Cloud

Note: To use Wasabi with Acronis Cyber Protect Cloud without object lock, please click here.

  1. Log in the Wasabi console and create an Object Lock enabled bucket. For more detail, review Object Lock: Enabling. A lifecycle rule needs to be configured for the bucket to ensure proper cleanup (it will be detailed later in this section).

  2. Log into the Acronis Cyber Protect console. Click Backup Storage.

  3. In the Backup Storage tab, click +Add Location.

  4. Navigate to Public cloud and select S3 compatible from the drop-down menu.Click Connect.

  5. In the S3 compatible connection window, provide the following details and click Connect.

    Endpoint URL - Provide the endpoint URL of the region where the bucket is located

    Access Key ID - The access key of the Wasabi user created above in Access requirements needed to backup to Wasabi.

    Access Key Secret - The secret access key of the Wasabi user created above in Access requirements needed to backup to Wasabi

    This configuration example discusses the use of Wasabi's us-west-1 storage region. To use another Wasabi storage region, use the appropriate Wasabi service URL.

  6. In the Buckets dropdown menu, select the object lock enabled bucket created in Step 1.

    Select the checkbox for Backup immutability period (Days).Configure the desired number of days and click Add,


  7. The Locations page will display the newly added location.

  8. Assign the backup location to the desired Protection plan and configure the retention period as shown below.

    It is recommended to keep the retention period longer than the Backup immutability period configured in Step 6.

  9. A lifecycle rule needs to be configured for the object lock enabled bucket to ensure proper cleanup in order to avoid increase in storage consumption.

    Login to the Wasabi console. On the Buckets list, clickfor the desired bucket. Click Settings

  10. Click the Lifecycle tab. The Lifecycle Policy panel is displayed. In this example, no lifecycle policy is defined yet. Click Create New Rule.

  11. Configure the policy with the settings below -  

    Provide a Lifecycle rule name and choose the scope of the rule to Apply to all objects in the bucket.

    Select the option Permanently delete concurrent version of objects and provide the number of days after which the object becomes concurrent. It is recommended to configure this number to be 1 day longer than the retention period configured in the previous step ( In our example, it is set to 4 days as the retention period is 3 days).

    Also select the Delete expired object delete markers and click Save.

    All the backups written to the backup target will now be immutable.