This is what gets me about read-write online backup media. How do you ensure it's not compromised by ransomware? How do you ensure that your snapshots aren't compromised? It boggles the mind to to think that defense in depth and software write protection is considered fine these days.
I regularly bring up the subject of physical write-enable switches (that hard drives used to have). Inevitably, someone responds that it's a great idea, and their software has a write-enable setting.
The other mind-boggling thing is I argue that remote updating shouldn't be allowed unless there's a physical switch to enable it. The response is that remote updating is necessary to keep systems secure from malicious remote updates.
I have a paper sleeve that goes over my webcam when not in use.
I would probably pay extra for a switch although a big heavy mechanical switch in the middle of the signal path for a modern SSD would probably not be as cheap as you might expect.
It can even be jumper pins the user who cares can attach their own switch to. I'd pay extra for a slide switch on a USB stick. Heck, USB sticks often come with a slider for a retractable cover, obviously that cost is insignificant.
Hard drives used to come with those jumper pins. They are not costly.
The point I was making is that the signal integrity work would be a lot harder than for a hard drive of yesteryear. The BOM cost of the switch isn't that important
Floppy days! Way back then I remember there are bootable linux or freebsd server running off a DVD disk. The idea is that the server data then is immutable.
Yes, you said read write, but to answer your question at an industrial level, set your AWS IAM permissions to write only for your normal backup role. No delete or modify.
