Manage object locking

If you have Object Lock configured in your bucket, you can control the locking of objects. The available lock actions depend on the lock type and mode.

The locking of the object can be controlled by:

Temporary lockout

Check if there is a temporary lock

  1. Open the CLI.

  2. If you want to check the locking of a particular version of an object:

    2.1 Get the version ID of the object:

    aws s3api list-object-versions --bucket <bucket_name> --prefix <path_to_object>

    Specify:

    • <bucket_name> - bucket name;
    • <path_to_object> - path to the object in the bucket.

    2.2 Copy the identifier of the desired version of the object, which is specified in the VersionId field.

  3. Check to see if there is a lockout:

    aws s3api get-object-retention \
    --bucket <bucket_name> \
    --key <path_to_object> \
    --version-id <version_id>

    Specify:

    • <bucket_name> - bucket name;
    • <path_to_object> - path to the object in the bucket;
    • --version-id <version_id> - optional; specify it to check whether a particular version of the object is locked. Here <version_id> is the version identifier you copied in step 2.2. If you do not specify it, the lock is checked for the current version of the object.

Enable temporary lockout

If an object has both temporary and indefinite locking enabled at the same time, the indefinite locking will have priority.

To make the temporary default lock apply to all new objects in the bucket, use the Enable temporary default locking in the bucket subsection of the Object Lock instruction.

To upload an object with a lock already applied, use the AWS CLI; see the Load Object subsection of the AWS CLI instructions for details.

  1. Open the CLI.

  2. If you want to lock a particular version of an object:

    2.1 Get the version ID of the object:

    aws s3api list-object-versions --bucket <bucket_name> --prefix <path_to_object>

    Specify:

    • <bucket_name> - bucket name;
    • <path_to_object> - path to the object in the bucket.

    2.2 Copy the identifier of the desired version of the object, which is specified in the VersionId field.

  3. Lock the object:

    aws s3api put-object-retention \
    --bucket <bucket_name> \
    --key <path_to_object> \
    --version-id <version_id> \
    --retention '{"Mode":"<lock_mode>","RetainUntilDate":"<date>"}'

    Specify:

    • <bucket_name> - bucket name;
    • <path_to_object> - path to the object in the bucket;
    • --version-id <version_id> - optional; specify it to lock a specific version of the object. Here <version_id> is the version identifier you copied in step 2.2. If you do not specify it, the lock is applied to the current version of the object;
    • <lock_mode> - lock mode. Possible values are GOVERNANCE or COMPLIANCE;
    • <date> - the date until which the object will be locked, in ISO 8601 format, e.g. 2025-09-06T00:00:00Z. The object locking period cannot be longer than 100 years or 36,500 days.

Change the temporary lockout period

When the lock mode is set:

  • Governance - the lockout period can be shortened or extended;
  • Compliance - the lockout period can only be extended.

To change the lockout period, follow the Enable temporary lockout subsection and specify a new value in the RetainUntilDate field.

Change the temporary lock mode

You can only change the Governance locking mode to Compliance.

To change the lock mode, follow the Enable temporary lockout subsection and specify COMPLIANCE in the Mode field.

Disable temporary lockout

Only the Governance mode temporary lock can be disabled.

It can only be disabled by a user with the member role, or by a user with another role that has access to S3 if the access policy allows them the s3:BypassGovernanceRetention action.

  1. Open the CLI.

  2. If you want to disable the locking of a particular version of an object:

    2.1 Get the version ID of the object:

    aws s3api list-object-versions --bucket <bucket_name> --prefix <path_to_object>

    Specify:

    • <bucket_name> - bucket name;
    • <path_to_object> - path to the object in the bucket.

    2.2 Copy the identifier of the desired version of the object, which is specified in the VersionId field.

  3. Disable the lockout:

    aws s3api put-object-retention \
    --bucket <bucket_name> \
    --key "<path_to_object>" \
    --version-id <version_id> \
    --retention '{}' \
    --bypass-governance-retention

    Specify:

    • <bucket_name> - bucket name;
    • <path_to_object> - path to the object in the bucket;
    • --version-id <version_id> - optional; specify it to disable the lock on a particular version of the object. Here <version_id> is the version identifier you copied in step 2.2. If you do not specify it, the lock is disabled for the current version of the object.
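
The rules from the three subsections above (changing the period, changing the mode, disabling the lock) written as a pre-flight check to run before put-object-retention. This is an added example, not part of the original instructions: check_retention_change, parse_ts and the sample JSON are constructed for illustration, and the 36,500-day limit is assumed to be counted from the time of the request.

```python
import json
from datetime import datetime, timedelta, timezone

MAX_PERIOD = timedelta(days=36500)  # upper limit stated on this page

def parse_ts(ts):
    # Accept the trailing "Z" used in the page's RetainUntilDate example.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def check_retention_change(current_json, requested, now, bypass=False):
    """Return (allowed, reason) for a planned put-object-retention call.

    current_json: get-object-retention output, "" if the version has no lock.
    requested: the --retention document as a dict; {} asks to remove the lock.
    bypass: True if --bypass-governance-retention will be passed.
    """
    cur = json.loads(current_json).get("Retention", {}) if current_json else {}
    # Assumption: a lock whose RetainUntilDate has passed no longer restricts.
    active = bool(cur) and parse_ts(cur["RetainUntilDate"]) > now
    if not requested:
        if not active:
            return True, "no active lock to remove"
        if cur["Mode"] != "GOVERNANCE":
            return False, "only a GOVERNANCE lock can be disabled"
        if not bypass:
            return False, "--bypass-governance-retention is required"
        return True, "GOVERNANCE lock can be removed"
    if requested.get("Mode") not in ("GOVERNANCE", "COMPLIANCE"):
        return False, "Mode must be GOVERNANCE or COMPLIANCE"
    until = parse_ts(requested["RetainUntilDate"])
    if until - now > MAX_PERIOD:  # assumption: period is counted from "now"
        return False, "period is longer than 36,500 days"
    if active and cur["Mode"] == "COMPLIANCE":
        if requested["Mode"] != "COMPLIANCE":
            return False, "COMPLIANCE cannot be changed to GOVERNANCE"
        if until < parse_ts(cur["RetainUntilDate"]):
            return False, "a COMPLIANCE period can only be extended"
    return True, "change is allowed"

# Constructed sample data: two get-object-retention outputs and a fixed clock.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
GOV = '{"Retention": {"Mode": "GOVERNANCE", "RetainUntilDate": "2025-09-06T00:00:00Z"}}'
COMP = '{"Retention": {"Mode": "COMPLIANCE", "RetainUntilDate": "2025-09-06T00:00:00Z"}}'

if __name__ == "__main__":
    shorter = {"Mode": "COMPLIANCE", "RetainUntilDate": "2025-03-01T00:00:00Z"}
    print(check_retention_change(GOV, shorter, NOW))   # shorten and switch mode
    print(check_retention_change(COMP, shorter, NOW))  # shorten a COMPLIANCE lock
    print(check_retention_change(COMP, {}, NOW, bypass=True))
```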

Indefinite lock

Check if there is an indefinite lock

  1. Open the CLI.

  2. If you want to check the locking of a particular version of an object:

    2.1 Get the version ID of the object:

    aws s3api list-object-versions --bucket <bucket_name> --prefix <path_to_object>

    Specify:

    • <bucket_name> - bucket name;
    • <path_to_object> - path to the object in the bucket.

    2.2 Copy the identifier of the desired version of the object, which is specified in the VersionId field.

  3. Check to see if there is a lockout:

    aws s3api get-object-legal-hold \
    --bucket <bucket_name> \
    --key <path_to_object> \
    --version-id <version_id>

    Specify:

    • <bucket_name> - bucket name;
    • <path_to_object> - path to the object in the bucket;
    • --version-id <version_id> - optional; specify it to check whether a particular version of the object is locked. Here <version_id> is the version identifier you copied in step 2.2. If you do not specify it, the lock is checked for the current version of the object.

Enable indefinite lock

If an object has both temporary and indefinite locking enabled at the same time, the indefinite locking will have priority.

  1. Open the CLI.

  2. If you want to lock a version of an object that is not the current version:

    2.1 Get the version ID of the object:

    aws s3api list-object-versions --bucket <bucket_name> --prefix <path_to_object>

    Specify:

    • <bucket_name> - bucket name;
    • <path_to_object> - path to the object in the bucket.

    2.2 Copy the identifier of the desired version of the object, which is specified in the VersionId field.

  3. Lock the object:

    aws s3api put-object-legal-hold \
    --bucket <bucket_name> \
    --key <path_to_object> \
    --version-id <version_id> \
    --legal-hold '{"Status": "ON"}'

    Specify:

    • <bucket_name> - bucket name;
    • <path_to_object> - path to the object in the bucket;
    • --version-id <version_id> - optional; specify it if you are locking a version other than the current version of the object. Here <version_id> is the version identifier you copied in step 2.2. If you do not specify it, the lock is applied to the current version of the object.

Disable indefinite lock

  1. Open the CLI.

  2. To unlock a non-current version of an object:

    2.1 Get the ID of the locked version of the object:

    aws s3api list-object-versions --bucket <bucket_name> --prefix <path_to_object>

    Specify:

    • <bucket_name> - bucket name;
    • <path_to_object> - path to the object in the bucket.

    2.2 Copy the identifier of the desired version of the object, which is specified in the VersionId field.

  3. Unlock the object:

    aws s3api put-object-legal-hold \
    --bucket <bucket_name> \
    --key <path_to_object> \
    --version-id <version_id> \
    --legal-hold '{"Status": "OFF"}'

    Specify:

    • <bucket_name> - bucket name;
    • <path_to_object> - path to the object in the bucket;
    • --version-id <version_id> - optional; specify it if you are unlocking a particular version of the object. Here <version_id> is the version identifier you copied in step 2.2. If you do not specify it, the lock is removed from the current version of the object.