Skip to main content

Object Lock

Object Lock uses the WORM (Write Once Read Many) principle and allows you to lock objects to prevent them from being overwritten or deleted.

To use Object Lock, a bucket must have versioning enabled. Object Lock applies only to object versions.

Locking can be of different types and modes. Depending on the lock type, it can be applied to individual objects or to a bucket by default — the lock will then be applied to new objects.

The ability to manage a lock also depends on the user role and bucket policy rules; more details are in the Managing access in S3 guide. You can work with Object Lock in the Control Panel (with limited capabilities), via the S3 API, and tools that use it, for example, AWS CLI.

To manage object locks after configuring Object Lock, use the Managing object locks guide.

If you delete a project that contains locked objects, they will not be deleted while the lock is active. However, they will not be displayed in the Control Panel or via the API. To restore locked objects after a project has been deleted, create a ticket.

Types and retention modes

A lock can be temporary or indefinite. A temporary lock has two modes: Governance and Compliance.

If both a temporary and an indefinite lock are enabled for an object, the indefinite lock takes precedence.

IndefiniteTemporary
Governance modeCompliance mode
What can it be applied toObjects
  • to objects;
  • to the default bucket — the lock will be applied to all new objects
  • to objects;
  • to the default bucket — the lock will be applied to all new objects
Possible locking actionsDisabling the lock
  • shortening the lock duration *;
  • extending the lock duration;
  • changing the locking mode to Compliance
Extending the lock duration
Ability to delete objectsNo one can while the lock is enabledYou can *No one can until the lock expiration date

* Available only to users:

Enable Object Lock in a bucket

For your information

Object Lock can be enabled by:

If you enable Object Lock, it cannot be disabled, and versioning cannot be suspended.

Enabling Object Lock does not lock objects automatically. After configuring Object Lock in a bucket, you can:

If versioning is disabled or suspended in a bucket, it will be enabled automatically when Object Lock is enabled.

  1. In the control panel, on the top menu, click Products and select S3.

  2. Go to the Buckets section.

  3. Open the bucket page → Configuration tab.

  4. In the Data protection block, in the Object Lock row, click Edit.

  5. Select the Enable Object Lock checkbox.

  6. Optional: enable default retention in the bucket:

    6.1.Select the Enable default retention checkbox.

    6.2.Select the lock mode.

    6.3.Specify the lock duration.

    You can manage the default retention lock even after enabling Object Lock.

  7. Click Save.

Managing default retention in a bucket

For your information

Default retention can be managed by:

Enable default retention

The retention lock will be applied to all new objects in the bucket.

  1. In the control panel, on the top menu, click Products and select S3.
  2. Go to the Buckets section.
  3. Open the bucket page → Configuration tab.
  4. In the Data protection block, in the Object Lock row, click Edit.
  5. Make sure the Enable Object Lock checkbox is selected.
  6. Select the Enable default retention checkbox.
  7. Select the lock mode.
  8. Specify the lock duration.
  9. Click Save.

Changing the default retention duration

If the lock mode is set to:

  • Governance — the lock duration can be shortened or extended;
  • Compliance — the lock duration can only be extended.
  1. In the control panel, on the top menu, click Products and select S3.
  2. Go to the Buckets section.
  3. Open the bucket page → Configuration tab.
  4. In the Data protection block, in the Object Lock row, click Edit.
  5. Specify the new lock duration.
  6. Click Save.

Changing the default retention mode

You can only change the lock mode from Governance to Compliance.

  1. In the control panel, on the top menu, click Products and select S3.
  2. Go to the Buckets section.
  3. Open the bucket page → Configuration tab.
  4. In the Data protection block, in the Object Lock row, click Edit.
  5. Select the Compliance lock mode.
  6. Specify the lock duration.
  7. Click Save.

Disabling default retention

You can only disable default retention in the Governance mode.

When you disable a temporary lock, new objects will not be locked. Objects that were uploaded and automatically locked before the temporary default lock was disabled will remain locked according to the lock mode. Object Lock itself will not be disabled in the bucket.

Only the account owner or a user with the member role can disable default retention in the control panel.

  1. In the control panel, on the top menu, click Products and select S3.
  2. Go to the Buckets section.
  3. Open the bucket page → Configuration tab.
  4. In the Data protection block, in the Object Lock row, click Edit.
  5. Clear the Enable default retention checkbox.
  6. Click Save.