Object Lock
Object Lock works on the WORM (Write Once Read Many) principle and lets you lock objects so that they cannot be overwritten or deleted.
To use Object Lock, versioning must be enabled in the bucket, because Object Lock applies only to object versions. Once Object Lock is enabled, it cannot be disabled and versioning cannot be suspended.
Locks come in different types and modes. Depending on the type, a lock can be set on individual objects or as the bucket default, in which case it is applied to new objects.
Whether a user can manage a lock also depends on the user role and the access policy rules; see the Managing Access in S3 tutorial for details. Object Lock can be managed only through the S3 API and tools built on it.
To manage object locks after Object Lock has been set up, use the Manage Object Lock instructions.
If you delete a project that contains locked objects, they are not deleted while the lock is active. However, they are no longer shown in the control panel or returned through the API. To restore locked objects after a project has been deleted, create a ticket.
Types and modes of locking
A lock can be temporary or indefinite. A temporary lock has two modes: Governance and Compliance.
If an object has both temporary and indefinite locks enabled at the same time, the indefinite lock has priority.
* Available only to users:
- with the member role;
- with other roles that have access to S3, if the bucket has an access policy that allows the s3:BypassGovernance action.
Configure Object Lock in the bucket
Object Lock can be configured by:
- the Account Owner;
- users with the member, s3.admin and object_storage:admin roles;
- users with the s3.bucket.user, s3.user and object_storage_user roles, if the access policy allows them the s3:PutBucketObjectLockConfiguration action.
Once Object Lock is configured in the bucket, you can lock objects manually or upload objects with the lock already active.
- Enable versioning.
- Enable Object Lock in the bucket.
- Optional: enable temporary default locking in the bucket.
1. Enable versioning
Use the Enable Versioning subsection of the Versioning instructions.
2. Enable Object Lock
Enabling Object Lock does not lock any objects by itself; it makes object locking available in the bucket.
AWS CLI
- If you haven't used the AWS CLI before, configure it.
- Open the CLI.
- Enable Object Lock:

aws s3api put-object-lock-configuration \
  --bucket "<bucket_name>" \
  --object-lock-configuration '{ "ObjectLockEnabled": "Enabled" }'

Specify <bucket_name>: the name of the bucket.
- Make sure Object Lock is enabled:

aws s3api get-object-lock-configuration --bucket "<bucket_name>"

Specify <bucket_name>: the name of the bucket. If Object Lock is enabled, the following response is returned:

{
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled"
    }
}
3. Optional: enable temporary default locking in the bucket
The temporary lock is applied to all new objects in the bucket.
AWS CLI
- Open the CLI.
- Enable temporary default locking in the bucket:

aws s3api put-object-lock-configuration \
  --bucket "<bucket_name>" \
  --object-lock-configuration '{
    "ObjectLockEnabled": "Enabled",
    "Rule": { "DefaultRetention": { "Mode": "<lock_mode>", "<time_gap>": <number> } }
  }'

Specify:
<bucket_name>: the name of the bucket;
<lock_mode>: the lock mode. Possible values: GOVERNANCE or COMPLIANCE;
<time_gap>: the unit in which the lock period is measured. Possible values: Days or Years (the key is case-sensitive, as in the response example below);
<number>: the lock period in days or years. It cannot exceed 100 years or 36,500 days.
- Make sure the temporary default lock in the bucket is enabled:

aws s3api get-object-lock-configuration --bucket "<bucket_name>"

Specify <bucket_name>: the name of the bucket. Example of a response with a temporary lock enabled:

{
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {
            "DefaultRetention": {
                "Mode": "GOVERNANCE",
                "Days": 30
            }
        }
    }
}
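As an added check that is not part of these instructions: the Python function below audits the JSON returned by get-object-lock-configuration (saved to a file or piped from the AWS CLI) and reports whether Object Lock is enabled, whether a default retention rule exists, whether the mode is bypassable GOVERNANCE, and whether the Days/Years value respects the limits stated above. The sample response is constructed from the example on this page; the function and its limits are assumptions of this example, not an API of the storage service.

```python
import json

MAX_DAYS = 36_500             # limit stated on this page: at most 36,500 days
MAX_YEARS = 100               # or at most 100 years
VALID_MODES = {"GOVERNANCE", "COMPLIANCE"}


def audit_object_lock(response_json: str) -> dict:
    """Inspect a get-object-lock-configuration response and collect findings."""
    cfg = json.loads(response_json).get("ObjectLockConfiguration", {})
    result = {"enabled": False, "default_retention": False,
              "mode": None, "unit": None, "amount": None, "findings": []}
    if cfg.get("ObjectLockEnabled") != "Enabled":
        result["findings"].append("Object Lock is not enabled on this bucket")
        return result
    result["enabled"] = True
    retention = cfg.get("Rule", {}).get("DefaultRetention")
    if not retention:
        # Object Lock on, but new objects are only locked if locked explicitly.
        result["findings"].append("no default retention rule: new objects are not locked automatically")
        return result
    result["default_retention"] = True
    mode = retention.get("Mode")
    result["mode"] = mode
    if mode not in VALID_MODES:
        result["findings"].append(f"unknown lock mode {mode!r}")
    elif mode == "GOVERNANCE":
        # Governance locks can be lifted early by privileged roles; Compliance cannot.
        result["findings"].append("GOVERNANCE mode: lock can be removed early by privileged users")
    units = [u for u in ("Days", "Years") if u in retention]
    if len(units) != 1:
        result["findings"].append("exactly one of Days or Years must be set")
        return result
    unit = units[0]
    amount = retention[unit]
    result["unit"], result["amount"] = unit, amount
    limit = MAX_DAYS if unit == "Days" else MAX_YEARS
    if not isinstance(amount, int) or isinstance(amount, bool) or not 1 <= amount <= limit:
        result["findings"].append(f"{unit}={amount!r} is outside the allowed range 1..{limit}")
    return result


# Constructed sample: the 30-day GOVERNANCE response shown on this page.
SAMPLE_RESPONSE = """{
  "ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": { "DefaultRetention": { "Mode": "GOVERNANCE", "Days": 30 } }
  }
}"""

if __name__ == "__main__":
    for finding in audit_object_lock(SAMPLE_RESPONSE)["findings"]:
        print(finding)
```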