Objective
Object Lock is a feature that allows you to store objects using a Write Once, Read Many (WORM) model and can be used for scenarios where it is imperative that data is not changed or deleted after it has been written.
This guide explains how to manage Object Lock.
Concept
Object Lock provides two ways to manage object retention. The first is retention periods and the second is Legal hold.
Retention periods
A retention period specifies a fixed period of time during which an object remains locked. During this period, your object is protected and can’t be overwritten or deleted. You apply a retention period as a number of days or a number of years, with a minimum of 1 day and no maximum limit.
When setting a retention period for your objects or containers, you can choose the retention mode you wish to apply to your objects. You can choose either the Governance mode or the Compliance mode for your objects.
Governance mode
You should use the Governance mode if you want to protect objects from being deleted by most users during a pre-defined retention period, while authorizing some users with special permissions to have the flexibility to alter the retention settings or delete the objects. Users with the s3:BypassGovernanceRetention permission can override or remove governance-mode retention settings.
Compliance mode
You should use the Compliance mode if you have a regulatory requirement to keep data immutable. When this mode is set, an object version cannot be overwritten or deleted by any user. Once this mode is configured for an object, its retention mode cannot be changed and its retention period can’t be shortened.
You should only use the Compliance mode if you never want any user, including the administrator user, to be able to delete the objects during a pre-defined retention period.
Legal hold
Designed for any situation where you are not sure for how long you want your objects to stay immutable, Legal hold is an ON/OFF switch that can be applied to every object in a locked container, independently of the lock configuration, the object retention or the object age. It can only be applied to objects in a container that has Object Lock enabled.
Legal hold provides the same protection as a retention period, but it has no expiration date. Instead, a Legal hold remains in place until you explicitly remove it.
Requirements
- Your S3 credentials (access_key and secret_access_key)
- aws cli installed and configured
See our Getting Started with S3 Object Storage guide for more information.
Instructions
Note: All the following examples will use aws cli. To learn more about aws cli, please read this guide.
Permissions
Read this guide to learn more about IAM.
Object Lock configuration
Warning: If you have not installed awscli-plugin-endpoint, you must add --endpoint-url https://s3.<region_in_lowercase>.perf.cloud.ovh.net to the command line.
To use Object Lock, you have to create a container that supports the feature with the --object-lock-enabled-for-bucket flag. If a container is created without --object-lock-enabled-for-bucket, the flag cannot be added later.
The following command does not apply Object Lock to the container’s objects; it only activates the feature.
aws s3api create-bucket \
--bucket object-lock-bucket \
--object-lock-enabled-for-bucket
This action also enables versioning of the container.
How to configure Object Lock on a container
The lock configuration sets a default retention rule on a specified container. Once set, the rule specified in the Object Lock configuration is applied by default to every new object placed in that container.
aws s3api put-object-lock-configuration \
--bucket object-lock-bucket \
--object-lock-configuration '{ "ObjectLockEnabled": "Enabled", "Rule": { "DefaultRetention": { "Mode": "GOVERNANCE", "Days": 60 }}}'
To view the Object Lock configuration of a container, run:
aws s3api get-object-lock-configuration \
--bucket object-lock-bucket
The result should look like this:
{"ObjectLockConfiguration":{"ObjectLockEnabled":"Enabled","Rule":{"DefaultRetention":{"Mode":"GOVERNANCE","Days":60}}}}
How to configure an Object Lock retention period on an object
To set an object retention configuration on an object:
aws s3api put-object-retention \
--bucket object-lock-bucket \
--key test.txt \
--retention '{ "Mode": "COMPLIANCE", "RetainUntilDate":"2023-01-01T12:00:00.00Z" }'
The date format is standard ISO 8601: Y-m-dTH:M:S.%3fZ (for example 2023-01-01T12:00:00.000Z, in UTC).
To view the Object Lock retention configuration of an object, run:
aws s3api get-object-retention \
--bucket object-lock-bucket \
--key test.txt
The result should look like this:
{"Retention":{"Mode":"COMPLIANCE","RetainUntilDate":"2023-01-01T12:00:00Z"}}
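The container configuration and per-object retention steps above, as an added example that is not OVH's own tooling: it builds the JSON and the aws s3api argv from a retention mode and a number of days, formats RetainUntilDate in the expected ISO 8601 form, and refuses locally the two changes Compliance mode never allows (changing the mode, shortening the period). The endpoint URL is the placeholder from the guide; function names are my own.

```python
"""Added example (not OVH's own tooling): build this guide's aws s3api retention
calls as argv lists and check the settings locally before anything is sent."""
import json
from datetime import datetime, timedelta, timezone

ENDPOINT_URL = "https://s3.<region_in_lowercase>.perf.cloud.ovh.net"  # placeholder from the guide
MODES = ("GOVERNANCE", "COMPLIANCE")
DATE_FMT = "%Y-%m-%dT%H:%M:%S.000Z"  # the Y-m-dTH:M:S.%3fZ form the guide expects

def retain_until(days, now=None):
    """RetainUntilDate `days` from `now` (UTC); the minimum retention is 1 day."""
    if days < 1:
        raise ValueError("retention period must be at least 1 day")
    now = now or datetime.now(timezone.utc)
    return (now + timedelta(days=days)).strftime(DATE_FMT)

def parse_until(text):  # accepts '...00.000Z' and the '...00Z' that get-object-retention returns
    return datetime.strptime(text.rstrip("Z").split(".")[0], "%Y-%m-%dT%H:%M:%S")

def lock_configuration(mode, days):
    """Default retention rule applied to every new object placed in the container."""
    if mode not in MODES or days < 1:
        raise ValueError("mode must be GOVERNANCE or COMPLIANCE and days >= 1")
    return {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": mode, "Days": days}}}

def retention(mode, days, current=None, now=None):
    """Per-object retention; for an object already in COMPLIANCE, refuse a mode change or a shorter period locally."""
    if mode not in MODES:
        raise ValueError("mode must be GOVERNANCE or COMPLIANCE")
    new_until = retain_until(days, now)
    if current and current.get("Mode") == "COMPLIANCE":
        if mode != "COMPLIANCE":
            raise ValueError("COMPLIANCE retention mode cannot be changed")
        if parse_until(new_until) < parse_until(current["RetainUntilDate"]):
            raise ValueError("COMPLIANCE retention period cannot be shortened")
    return {"Mode": mode, "RetainUntilDate": new_until}

def put_retention_argv(bucket, key, ret):
    """argv for put-object-retention with the explicit --endpoint-url needed without awscli-plugin-endpoint."""
    return ["aws", "s3api", "put-object-retention", "--endpoint-url", ENDPOINT_URL,
            "--bucket", bucket, "--key", key, "--retention", json.dumps(ret)]

def rejected(fn, *args, **kwargs):
    """True when the local validation in `fn` refuses the settings."""
    try:
        fn(*args, **kwargs)
        return False
    except ValueError:
        return True
```

Pass the dict returned by get-object-retention as `current` before re-applying a Compliance retention, so a shortened period fails locally instead of at the endpoint.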
Bypassing Governance mode
If you have the s3:BypassGovernanceRetention permission, you can perform operations on object versions that are locked in governance mode as if they were unprotected.
To bypass governance mode, you must explicitly indicate in your request that you want to bypass this mode. To do this, include the --bypass-governance-retention header with your request:
aws s3api delete-object \
--bucket object-lock-bucket \
--key test.txt \
--bypass-governance-retention
How to configure an Object Lock Legal hold on an object
To set a Legal hold configuration on the specified object:
aws s3api put-object-legal-hold \
--bucket object-lock-bucket \
--key test.txt \
--legal-hold Status=ON
To view the Object Lock Legal hold configuration of an object, run:
aws s3api get-object-legal-hold \
--bucket object-lock-bucket \
--key test.txt
The result should look like this:
{"LegalHold":{"Status":"ON"}}