Compliance Policy With the Wasabi S3 API


Wasabi supports a compliance policy that prevents the deletion of objects and provides additional information to prove that the original data has not been modified since it was written. The compliance feature may be required for certain regulatory needs, but it is also useful for preventing accidental data deletion.

Compliance is different from the object locking setting for a bucket.

You can set the compliance policy on any bucket, controlling all the objects that are stored in that bucket. Specify the bucket compliance policy with the following XML tags.

Tag: Description

Status: Either “enabled” or “disabled” to turn compliance on and off, respectively. Enabling compliance applies it immediately to all objects in the bucket.

LockTime: The time at which the compliance settings are “locked”—the settings cannot be reduced by any API call. Once the settings are locked, they cannot be unlocked without the intervention of Wasabi Customer Support. The lock time allows you to support two use cases:

  1. Testing that your software works properly before locking the compliance feature; or

  2. Never locking, which means that data can be deleted with an additional step of an administrator turning compliance off.

  The lock time parameter may be:

  • An ISO date (for example, 2016-11-07T15:08:05Z),

  • The string “now” to force immediate locking, or

  • The string “off” to not lock the compliance settings. This is the default.

RetentionDays: An integer for the minimum number of days that objects are always retained after their creation date or release from conditional hold. You can extend the retention date for any individual object, but you may not shorten the date. This parameter is always required.

ConditionalHold: A Boolean value (“true” or “false”) indicating if newly created objects are placed on conditional hold, meaning that they cannot be deleted until the conditional hold is explicitly turned off. The default is false if this parameter is not given. Note that this setting may be changed even after the settings are locked.

The compliance settings for a bucket are specified using the “?compliance” query string along with the compliance settings as the XML body in the request. For example:

PUT http://s3.wasabisys.com/my-bucket?compliance HTTP/1.1
<BucketComplianceConfiguration>
     <Status>enabled</Status>
     <LockTime>off</LockTime>
     <RetentionDays>365</RetentionDays>
     <DeleteAfterRetention>true</DeleteAfterRetention>
</BucketComplianceConfiguration>

After compliance is enabled for a bucket, the policy is immediately applied to all objects in the bucket. An attempt to delete an object before its retention period has ended returns an error.

The compliance settings for a bucket can be retrieved by getting the bucket with the “?compliance” query string. For example:

GET http://s3.wasabisys.com/my-buck?compliance HTTP/1.1

Response body:

<BucketComplianceConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
     <Status>enabled</Status>
     <LockTime>2016-11-07T15:08:05Z</LockTime>
     <IsLocked>false</IsLocked>
     <RetentionDays>0</RetentionDays>
     <ConditionalHold>false</ConditionalHold>
     <DeleteAfterRetention>false</DeleteAfterRetention>
</BucketComplianceConfiguration>

There are also compliance settings for each object described in Operations on Objects.
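
The following is an added example, not Wasabi's own code: it validates settings against the tag descriptions above before building the PUT body, and audits a GET ?compliance response for settings that leave data deletable. The function names build_compliance_xml and audit_compliance are hypothetical, and signing and sending the request are left out.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"  # namespace used in the GET response
# Assumption: accept only the ISO form of the page's example (UTC, "Z" suffix).
ISO_UTC = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z")

# The GET ?compliance response body shown on this page.
SAMPLE_RESPONSE = """<BucketComplianceConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Status>enabled</Status>
  <LockTime>2016-11-07T15:08:05Z</LockTime>
  <IsLocked>false</IsLocked>
  <RetentionDays>0</RetentionDays>
  <ConditionalHold>false</ConditionalHold>
  <DeleteAfterRetention>false</DeleteAfterRetention>
</BucketComplianceConfiguration>"""

def build_compliance_xml(status, retention_days, lock_time="off", conditional_hold=False):
    """Validate settings against the tag descriptions; return the PUT ?compliance body."""
    if status not in ("enabled", "disabled"):
        raise ValueError("Status must be 'enabled' or 'disabled'")
    # Assumption: a negative day count is rejected; the page only says "an integer".
    if type(retention_days) is not int or retention_days < 0:
        raise ValueError("RetentionDays is required and must be an integer >= 0")
    if lock_time not in ("now", "off") and not ISO_UTC.fullmatch(lock_time):
        raise ValueError("LockTime must be an ISO date, 'now' or 'off'")
    root = ET.Element("BucketComplianceConfiguration")
    fields = (("Status", status), ("LockTime", lock_time), ("RetentionDays", str(retention_days)),
              ("ConditionalHold", "true" if conditional_hold else "false"))
    for tag, value in fields:
        ET.SubElement(root, tag).text = value
    return ET.tostring(root, encoding="unicode")

def audit_compliance(xml_body):
    """Return findings for a GET ?compliance response body (empty list means none)."""
    root = ET.fromstring(xml_body)
    def get(tag):  # look up a child element with or without the S3 namespace
        node = root.find(NS + tag)
        node = root.find(tag) if node is None else node
        return (node.text or "").strip() if node is not None else ""
    findings = []
    if get("Status") != "enabled":
        findings.append("compliance is not enabled")
    # Assumption: a locked bucket reports IsLocked as "true"; the page shows only "false".
    if get("IsLocked") != "true":
        findings.append("settings are not locked and can still be reduced by an API call")
    if get("RetentionDays") in ("", "0"):
        findings.append("RetentionDays is 0 or missing")
    return findings
```

Running audit_compliance(SAMPLE_RESPONSE) on the response shown on this page reports two findings: the settings are not locked, and RetentionDays is 0.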