Object Lock
Object Lock uses the WORM (Write Once Read Many) principle and allows you to lock objects to prevent them from being overwritten or deleted.
To use Object Lock, versioning must be enabled in the bucket. Object locking applies only to object versions. Once you have enabled Object Lock, it cannot be disabled, and versioning cannot be suspended.
Locking can be of different types and modes. Depending on the lock type, it can be applied to individual objects or a bucket by default — the lock will be applied to new objects.
The ability to manage locking also depends on the user role and the rules of the access policy; see the Manage access in S3 guide for more details. Object Lock can only be used via the S3 API and tools that use it.
To manage object locking after configuring Object Lock, use the Manage object locking instruction.
If you delete a project that contains locked objects, they will not be deleted as long as the lock is active. However, they will no longer be visible in the control panel or via the API. To recover locked objects after deleting a project, create a ticket.
Types and retention modes
Locking can be temporary or indefinite. A temporary lock has two modes: Governance and Compliance.
If both a temporary and an indefinite lock are enabled for an object, the indefinite lock takes precedence.
* Available only to users:
- with the
member;role; - with other roles with S3 access, if the bucket has an access policy that allows the action
s3:BypassGovernance.
Configure Object Lock in a bucket
Object Lock configuration can be performed by:
- Account owner;
- users with
member,s3.admin, andobject_storage:admin;roles; - users with
s3.bucket.user,s3.user, andobject_storage_userroles if the access policy allows them the actions3:PutBucketObjectLockConfiguration.
After configuring Object Lock in a bucket, you will be able to lock objects manually or upload objects with an active lock.
- Enable versioning.
- Enable Object Lock in the bucket.
- Optional: enable default temporary locking in the bucket.
1. Enable versioning
Use the Enable versioning section of the Versioning guide.
2. Enable Object Lock
Enabling Object Lock does not lock objects automatically, but it allows you to manage object locking.
AWS CLI
-
If you have not used the AWS CLI, configure it.
-
Open the CLI.
-
Enable Object Lock:
aws s3api put-object-lock-configuration \--bucket "<bucket_name>" \--object-lock-configuration '{"ObjectLockEnabled": "Enabled"}'Specify
<bucket_name>— the bucket name. -
Make sure Object Lock is enabled:
aws s3api get-object-lock-configuration --bucket "<bucket_name>"Specify
<bucket_name>— the bucket name.If Object Lock is enabled, the following response will be returned:
{"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}}
3. Optional: enable default temporary locking in a bucket
The temporary lock will be applied to all new objects in the bucket.
AWS CLI
-
Open the CLI.
-
Enable default temporary locking in a bucket:
aws s3api put-object-lock-configuration \--bucket "<bucket_name>" \--object-lock-configuration '{"ObjectLockEnabled": "Enabled","Rule": { "DefaultRetention": { "Mode": "<lock_mode>", "<time_gap>": <number> } }}'Specify:
<bucket_name>— the bucket name;<lock_mode>— locking mode. Possible values areGOVERNANCEorCOMPLIANCE;<time_gap>— the unit of time used to measure the lock duration. Possible values areDAYSorYEARS;<number>— the lock duration in days or years. Cannot exceed 100 years or 36,500 days.
-
Make sure that temporary locking is enabled in the bucket:
aws s3api get-object-lock-configuration --bucket "<bucket_name>"Specify
<bucket_name>— the bucket name.Example response when temporary locking is enabled:
{"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled","Rule": {"DefaultRetention": {"Mode": "GOVERNANCE","Days": 30}}}}