We have just recently started using Restic to push a fairly large dataset (around 3T) to S3 for archive storage. These are actually filesystem backups from about 60 individual linux servers which are pushed to a central server 3 times a week, and once complete, that central server uses restic to push the entire set up to S3 for archival purposes. Because this is a fairly high-security setup (some of this data falls under PCI data compliance rules) I wanted to ensure backup data is not accidentally deleted. So, I’ve started setting up a Cloudwatch Event + Lambda that will trigger on any DeleteObject event in the bucket. If the DeleteObject is part of the locks folder, it immediately exits, but if it’s anywhere else in the bucket, it will trigger an alert for us to examine. However, during my initial testing of this Lambda, it actually detected a delete in the data directory - data/ec/ec12297407d6ac25c8d35c0a220fc57cfe2a78bc9404aca2adb848e107b4194d. At the time this occurred, the only action occurring against the repository was a “restic backup” command that started earlier this morning.
As I understand it, restic’s backup command should not be removing data from the repository, but only adding - data should not be deleted until a prune/forget/etc. is run - so I can’t explain why this occurred, and if it’s a normal thing, I can’t set up this alert like I hoped.
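The Lambda described in the post (exit on deletes under the locks folder, alert on deletes anywhere else) is sketched below as an added example; it is not the poster's code and not part of restic. It assumes the CloudWatch/EventBridge rule forwards CloudTrail S3 data events, so the object key and bucket arrive in `detail.requestParameters`, and it assumes an optional `ALERT_TOPIC_ARN` environment variable naming an SNS topic; both sample events are constructed here, the data key is the one quoted in the post. It goes slightly beyond the post in one respect: a multi-object `DeleteObjects` call is flagged as suspicious rather than silently ignored, since a single lock-folder check cannot vouch for every key in a batch.

```python
"""Added example: classify S3 DeleteObject events for a restic repository bucket.

Deletes under locks/ are part of restic's normal operation (every command
creates and later removes its own lock file).  Any other delete is reported
so a human can check whether a forget/prune was actually intended.
"""
import json
import os

# Folder restic keeps its lock files in; deletes here are expected.
LOCKS_PREFIX = "locks/"


def classify_delete(event):
    """Inspect one CloudWatch/EventBridge event carrying a CloudTrail S3 call.

    Returns a dict with 'action' in {'skip', 'ignore', 'alert'} plus the
    bucket, key, caller identity and a short reason, so the decision can be
    logged and asserted on independently of how the alert is delivered.
    """
    detail = event.get("detail") or {}
    name = detail.get("eventName")
    params = detail.get("requestParameters") or {}
    bucket = params.get("bucketName", "")
    key = params.get("key", "")
    caller = (detail.get("userIdentity") or {}).get("arn", "unknown")

    if name == "DeleteObjects":
        # Batch delete: per-object keys are not parsed here, so treat the whole
        # call as suspicious rather than assume it only touched lock files.
        return {"action": "alert", "bucket": bucket, "key": None,
                "caller": caller, "reason": "multi-object DeleteObjects call"}
    if name != "DeleteObject":
        return {"action": "skip", "bucket": bucket, "key": key,
                "caller": caller, "reason": "not a delete event"}
    if key.startswith(LOCKS_PREFIX):
        return {"action": "ignore", "bucket": bucket, "key": key,
                "caller": caller, "reason": "restic lock file"}
    # Everything outside locks/ (data/, snapshots/, index/, keys/, config)
    # should only disappear during an intentional forget/prune.
    return {"action": "alert", "bucket": bucket, "key": key,
            "caller": caller, "reason": "delete outside locks/"}


def handler(event, context=None):
    """Lambda entry point: classify the event and publish alerts to SNS.

    ALERT_TOPIC_ARN is an assumed deployment setting; when it is unset the
    decision is only logged, which keeps the function runnable offline.
    """
    result = classify_delete(event)
    print(json.dumps(result))
    topic = os.environ.get("ALERT_TOPIC_ARN")
    if result["action"] == "alert" and topic:
        import boto3  # imported lazily so local runs need no AWS SDK
        boto3.client("sns").publish(
            TopicArn=topic,
            Subject="Unexpected delete in restic repository bucket",
            Message=json.dumps(result, indent=2),
        )
    return result


# Constructed sample events in the CloudTrail-via-EventBridge shape.
SAMPLE_LOCK_DELETE = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventName": "DeleteObject",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/backup-host"},
        "requestParameters": {"bucketName": "example-restic-bucket",
                              "key": "locks/0123456789abcdef"},
    },
}
SAMPLE_DATA_DELETE = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventName": "DeleteObject",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/backup-host"},
        "requestParameters": {
            "bucketName": "example-restic-bucket",
            "key": "data/ec/ec12297407d6ac25c8d35c0a220fc57cfe2a78bc9404aca2adb848e107b4194d",
        },
    },
}

if __name__ == "__main__":
    for sample in (SAMPLE_LOCK_DELETE, SAMPLE_DATA_DELETE):
        handler(sample)
```

Keeping the classification in `classify_delete` separate from delivery makes it easy to replay captured CloudTrail records against the rule locally before wiring up the topic, and the `caller` field gives the reviewer the identity behind the delete straight from the alert.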