Object Lock: Enabling
- Updated on 25 Jun 2024
For an overview of the Object Lock feature and an understanding of the differences between compliance and object lock, refer to Immutability: Compliance and Object Lock. The difference is important to understand because if you create a bucket that has object lock enabled, compliance is automatically disabled.
Object Lock Features
Retention Mode
When objects are placed in a bucket that has object lock enabled, the objects are subject to retention mode defaults. The modes are:
- Governance Mode in which objects are immutable until after they reach a defined retention date. However, the Root user or any user who has the IAM permission "s3:BypassGovernanceRetention" can bypass the retention period and modify or delete files.
- Compliance Mode in which objects are immutable until after they reach a defined retention date. This cannot be reversed for any reason, by any user, regardless of user permissions. No user can modify or delete the object until the defined retention date has passed.
Retention modes are set at the bucket level or object level, as described for defining object lock modes and retention.
Legal Hold
Legal hold is an additional lock mechanism that can be placed on an object in a bucket with object lock enabled. A legal hold will prevent the modification or deletion of an object indefinitely until the legal hold has been removed. A legal hold overrides both Governance Mode and Compliance Mode retention settings, but it does not remove them. After removing the legal hold, the existing Governance Mode or Compliance Mode retention setting will be in effect.
Bucket-Level Object Lock
Bucket-level configuration for object lock allows you to automatically configure a retention mode and retention time in days or years for new objects placed into a bucket. This optional configuration (which is disabled by default) is done after enabling object lock (described below) by defining object lock modes and retention as bucket settings. Configuring object lock on a bucket does not affect objects that are already in the bucket. When an object is uploaded without an object lock configuration, the object will have the bucket-level defaults applied to it. Changing or disabling object lock default settings on the bucket will not affect any existing objects in a bucket.
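The rules above for retention modes, legal hold and bucket-level defaults, modeled as an added Python example (not code from this documentation or the product). The function names, dictionary fields, the 365-day year and the sample objects are assumptions constructed for illustration. It lists objects that are still under retention but that the Root user or a holder of "s3:BypassGovernanceRetention" could change anyway.

```python
from datetime import datetime, timedelta, timezone

def effective_retention(upload_retention, bucket_default, uploaded_at):
    """Retention a new object gets: its own setting, else the bucket default."""
    if upload_retention is not None:
        return upload_retention
    if bucket_default is None:              # bucket-level defaults are optional
        return None
    # Assumption: one year is counted as 365 days.
    days = bucket_default.get("Days") or 365 * bucket_default["Years"]
    return {"Mode": bucket_default["Mode"],
            "RetainUntilDate": uploaded_at + timedelta(days=days)}

def can_delete(retention, legal_hold, now, can_bypass=False):
    """Return (allowed, reason) for modifying or deleting one object.

    can_bypass: caller is Root or has s3:BypassGovernanceRetention.
    """
    if legal_hold == "ON":                  # blocks changes until the hold is removed
        return False, "legal hold"
    if retention is None or now > retention["RetainUntilDate"]:
        return True, "no active retention"
    if retention["Mode"] == "COMPLIANCE":   # no user can bypass
        return False, "compliance retention"
    if retention["Mode"] == "GOVERNANCE":
        return (True, "governance bypass") if can_bypass else (False, "governance retention")
    raise ValueError(f"unknown retention mode: {retention['Mode']!r}")

def bypassable_keys(objects, now):
    """Keys still under retention that a bypass-capable user could change anyway."""
    return [o["Key"] for o in objects
            if not can_delete(o["Retention"], o["LegalHold"], now)[0]
            and can_delete(o["Retention"], o["LegalHold"], now, can_bypass=True)[0]]

# Constructed sample data (not from a real bucket).
NOW = datetime(2024, 6, 25, tzinfo=timezone.utc)
DEFAULT = {"Mode": "GOVERNANCE", "Days": 30}
OBJECTS = [
    {"Key": "audit/a.log", "LegalHold": "OFF",
     "Retention": effective_retention(None, DEFAULT, NOW - timedelta(days=5))},
    {"Key": "audit/b.log", "LegalHold": "ON",
     "Retention": effective_retention(None, DEFAULT, NOW - timedelta(days=5))},
    {"Key": "audit/c.log", "LegalHold": "OFF",
     "Retention": {"Mode": "COMPLIANCE", "RetainUntilDate": NOW + timedelta(days=90)}},
    {"Key": "audit/d.log", "LegalHold": "OFF",
     "Retention": effective_retention(None, DEFAULT, NOW - timedelta(days=45))},
]

if __name__ == "__main__":
    print(bypassable_keys(OBJECTS, NOW))
```

Only the Governance Mode object without a legal hold is reported, which is the gap to weigh when choosing a bucket default for data that must survive a compromised privileged account.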
Object Lock Status on a File
You can view the status of object lock on a file by checking bucket immutability (object lock).
Requirements
Versioning must be enabled on a bucket before object lock can be enabled.
Enabling Object Lock
- Complete the Bucket Name section for creating a new bucket—enter a bucket name and select a region for storage. Click Next.
- In the Set Properties section, slide to enable the Bucket Versioning toggle:
- Slide to enable Object Lock:
Bucket versioning must be enabled to use object lock.
- Click Next.
- Optionally, set Logging, Replication, and Tags. Or, click Next until you reach the Review panel, as shown below.
- The bucket settings and properties are displayed for your review. Notice that Object Lock is permanently enabled.
You can click Back if you need to change any information. Otherwise, click Create Bucket to accept the information and create the bucket.
- Click Create Bucket to create a bucket with object lock enabled.
Remember that enabling object lock simply enables the ability to set a lock retention mode for the bucket and specific objects within the bucket. Now, refer to the instructions to set object lock modes and retention.