Immutability: Compliance and Object Lock
    • 01 Jul 2024

    Immutability prevents the modification or deletion of objects throughout the storage lifetime. You can define immutability in Wasabi using the Compliance or Object Lock feature.

    The Compliance and Object Lock immutability features are mutually exclusive. A bucket can have either Compliance or Object Lock, but not both features.

    Either feature, Compliance or Object Lock, must be first enabled and then set (described below).

    Compliance Overview

    The compliance feature prevents the deletion of any objects and provides additional information to prove that the original data has not been modified since the time it was stored. The compliance feature may be required for certain regulatory needs, but it is also useful to prevent accidental deletion. You can lock compliance mode on to prevent disabling it. However, once it is locked on, compliance mode cannot be unlocked without the intervention of Wasabi Customer Support. This restriction is for your data protection as part of Wasabi’s immutable bucket feature.

    Use the compliance feature cautiously. Inappropriate use of this feature will restrict your ability to delete storage buckets and associated files, which will result in storage charges for these objects.

    Object Lock Overview

    The Object Lock feature prohibits modification, overwriting, or deletion of specific object versions during a configured retention period, which can be a fixed amount of time or indefinitely. Object lock is a method that can be used to achieve WORM or a form of airgapped storage. The retention setting can be specified on each object placed into a bucket. Additionally, bucket-level settings can be applied so that new objects placed in a bucket will have the default settings applied. 

    Object locking must be enabled on a bucket (as described below) before you can use the functionality. You can enable object locking only during bucket creation. You cannot enable object locking on an existing bucket. Enabling object locking simply enables the ability to set a locking retention mode for the bucket and specific objects within the bucket. After you enable object locking (as described below), you can set object locking modes and retention as bucket settings.

    If you create a bucket and do not select Object Locking, the bucket is created with Compliance enabled by default. The Object Locking and Compliance features are referred to as immutability, and these two types of immutability are mutually exclusive. A bucket can have either Object Locking or Compliance, but not both features.

    Enabling and Setting Immutability Features

    Either feature, Compliance or Object Lock, must be first enabled and then set. Enabling either feature simply enables the ability to set the feature for the bucket. When the feature is enabled, you can set the feature with bucket settings.

    Refer also to Checking for Immutability (below).
    You may also want to refer to immutability for Third-Party Integrations (below).

    Compliance and Object Lock Differences

    | Compliance | Object Lock |
    |---|---|
    | The Compliance feature is used to achieve bucket immutability, and prevents any change or deletion of objects (all objects) in a bucket, until a specified retention time passes. | Object lock prohibits the modification or deletion of individual objects during a configured retention time. |
    | Compliance is a bucket-level setting. It takes effect across an ENTIRE bucket, across ALL the objects in that bucket. | Object lock is an object-level setting. It takes effect at an individual object level, not across the entire bucket. The retention policy can be specified on each object placed into a bucket. Bucket-level settings may be applied so that new objects placed in a bucket will have a default setting applied. Be sure to check that your backup application either allows or restricts that setting before you use it. |
    | Compliance works with versioning enabled or disabled. If versioning is disabled and you try to upload the same object again before the retention time elapses, you will get an Access Denied error through the Console. | Versioning must be enabled for object lock. |
    | Compliance can be enabled at any time, even after the bucket has been created. | Enabling the Object Lock feature MUST be done during bucket creation. You cannot enable object lock on existing buckets. |
    | When working with a third-party application, there is no third-party application dependency. The Compliance setting is controlled by the Wasabi bucket settings. | When working with a third-party application, the third-party application must support the use of object lock when uploading objects. When writing the individual objects, the parameters for object lock must be specified (such as for Veeam Object Lock Integration, Kasten K10, Commvault, Arq Backup, and MSP360). |

    Checking for Immutability

    Remember that either feature, Compliance or Object Lock, must be first enabled and then set. Enabling either feature simply enables the ability to set the feature for the bucket. When the feature is enabled, you can set the feature with bucket settings.

    Determining If Compliance is Enabled

    A bucket is created with Compliance enabled by default (unless the Object Lock feature was selected while creating the bucket).

    1. In the Wasabi Console, navigate to your bucket.

      If compliance is enabled, you will see this in the Bucket Details:

    2. Click the gear icon for Settings:

    When compliance is enabled, bucket settings will have a Compliance tab:

    Instructions to set the Compliance feature are provided in Compliance: Enabling and Locking Compliance Mode.

    Determining If Object Lock is Enabled

    1. In the Wasabi Console, navigate to your bucket.

      If object lock is enabled, you will see this in the Bucket Details:

    2. Click the gear icon for Settings:

    When object lock is enabled, bucket settings will have an Object Lock tab:

    Instructions to set the feature are provided in Bucket Settings: Object Lock.

    Checking Object Lock for a Specific Object

    1. In the Wasabi Console, navigate to your bucket. 
    2. Click the toggle to show versions.

    3. Click on the object name. For example:

    You can check the object lock status in the File Details. For example:
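
    The Object Lock checks above can also be scripted, which helps catch a bucket where the feature was enabled but never set. This is an added example, not Wasabi's code: it assumes the bucket is reached through the S3-compatible API with a boto3-style client and that the service returns the error codes AWS S3 documents; `bucket_lock_state`, `version_locked_until` and `StubS3` are hypothetical names.

```python
from datetime import datetime, timezone

def _code(exc):
    # botocore's ClientError keeps the S3 error code in exc.response
    return getattr(exc, "response", {}).get("Error", {}).get("Code", "")

def bucket_lock_state(s3, bucket):
    """Classify a bucket as 'not-enabled', 'enabled-not-set' or 'set'."""
    versioning = s3.get_bucket_versioning(Bucket=bucket).get("Status")
    try:
        cfg = s3.get_object_lock_configuration(Bucket=bucket)["ObjectLockConfiguration"]
    except Exception as exc:
        if _code(exc) != "ObjectLockConfigurationNotFoundError":
            raise
        cfg = {}
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return {"state": "not-enabled", "versioning": versioning}
    default = cfg.get("Rule", {}).get("DefaultRetention")
    if not default:
        # Enabled at creation but no default retention: only objects written
        # with their own retention parameters are protected.
        return {"state": "enabled-not-set", "versioning": versioning}
    return {"state": "set", "versioning": versioning, **default}

def version_locked_until(s3, bucket, key, version_id):
    """Return (mode, retain-until) for one object version, or None if unlocked."""
    try:
        r = s3.get_object_retention(Bucket=bucket, Key=key, VersionId=version_id)["Retention"]
    except Exception as exc:
        if _code(exc) != "NoSuchObjectLockConfiguration":
            raise
        return None
    if r["RetainUntilDate"] <= datetime.now(timezone.utc):
        return None  # retention period has already passed
    return r["Mode"], r["RetainUntilDate"]

class StubS3:
    """Constructed stand-in returning S3-shaped responses, for offline runs."""
    def get_bucket_versioning(self, Bucket):
        return {"Status": "Enabled"}
    def get_object_lock_configuration(self, Bucket):
        return {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}}
    def get_object_retention(self, Bucket, Key, VersionId):
        return {"Retention": {"Mode": "GOVERNANCE",
                              "RetainUntilDate": datetime(2999, 1, 1, tzinfo=timezone.utc)}}

if __name__ == "__main__":
    print(bucket_lock_state(StubS3(), "example-bucket"))
    print(version_locked_until(StubS3(), "example-bucket", "backup.bin", "v1"))
```

    A real boto3 S3 client configured for your Wasabi endpoint can be passed in place of `StubS3`.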

    Third-Party Integrations