Object Locking
    • 19 Apr 2024

    Article Summary

    The Object Locking feature prohibits modification, overwriting, or deletion of specific object versions during a configured retention period, which can be a fixed amount of time or indefinitely. Object locking is a method that can be used to achieve WORM or a form of airgapped storage. The retention setting can be specified on each object placed into a bucket. Additionally, bucket-level settings can be applied so that new objects placed in a bucket will have the default settings applied.

    Object locking must be enabled on a bucket (as described below) before you can use the functionality. You can enable object locking only during bucket creation. You cannot enable object locking on an existing bucket. Enabling object locking simply enables the ability to set a locking retention mode for the bucket and specific objects within the bucket. After you enable object locking (as described below), you can set object locking modes and retention as bucket settings.

    If you create a bucket and do not select Object Locking, the bucket is created with Compliance enabled by default. The Object Locking and Compliance features are referenced as immutability, and these two types of immutability are mutually exclusive. A bucket can have either Object Locking or Compliance, but not both features. For an understanding of the differences between object locking and compliance, refer to Immutability: Compliance and Object Locking.

    Object Locking Features

    Retention Mode

    When objects are placed in a bucket that has object locking enabled, the objects are subject to retention mode defaults. The modes are:

    • Governance Mode in which objects are immutable until after they reach a defined retention date. However, the Root user or any user who has the IAM permission "s3:BypassGovernanceRetention" can bypass the retention period and modify or delete files.
    • Compliance Mode in which objects are immutable until after they reach a defined retention date. This cannot be reversed for any reason, by any user, regardless of user permissions. No user can modify or delete the object until the defined retention date has passed.

    Retention modes are set at the bucket level or object level, as described for defining object locking modes and retention.

    Legal Hold

    Legal hold is an additional locking mechanism that can be placed on an object in a bucket with object locking enabled. A legal hold will prevent the modification or deletion of an object indefinitely until the legal hold has been removed. A legal hold overrides both Governance Mode and Compliance Mode retention settings, but it does not remove them. After removing the legal hold, the existing Governance Mode or Compliance Mode retention setting will be in effect.

    Bucket-Level Object Locking

    Bucket-level configuration for object locking allows you to automatically configure a retention mode and retention time in days or years for new objects placed into a bucket. This optional configuration (which is disabled by default) is done after enabling object locking (described below) by defining object locking modes and retention as bucket settings. Configuring object locking on a bucket does not affect objects that are already in the bucket. When an object is uploaded without an object locking configuration, the object will have the bucket-level defaults applied to it. Changing or disabling object locking default settings on the bucket will not affect any existing objects in a bucket.
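As an added example (not code from this article or its vendor), the following Python model encodes the rules stated above for retention modes, legal hold and bucket-level defaults: defaults apply only to new uploads that carry no retention of their own, Governance retention can be bypassed by the Root user or a holder of `s3:BypassGovernanceRetention`, Compliance retention cannot be bypassed by anyone, and a legal hold overrides both without removing them. The dict built by `default_retention_config` is assumed to match the `ObjectLockConfiguration` parameter shape of the boto3 `put_object_lock_configuration` call; `NOW`, the object keys and the helper names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

GOVERNANCE, COMPLIANCE = "GOVERNANCE", "COMPLIANCE"
BYPASS_PERM = "s3:BypassGovernanceRetention"     # IAM permission named above
NOW = datetime(2024, 4, 19, tzinfo=timezone.utc)  # constructed reference time

def days(n):
    return timedelta(days=n)

def default_retention_config(mode, retain_days):
    """Bucket-level default for NEW objects; shape assumed to match the boto3
    ObjectLockConfiguration parameter of put_object_lock_configuration."""
    assert mode in (GOVERNANCE, COMPLIANCE)
    return {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": mode, "Days": retain_days}}}

@dataclass
class LockedObject:
    key: str
    mode: str = None            # None: no retention set on this object version
    retain_until: datetime = None
    legal_hold: bool = False

def upload(key, bucket_cfg, now, explicit=None):
    """Bucket defaults apply only when the upload sets no retention itself;
    bucket_cfg=None models an object stored before any default existed."""
    if explicit:                # per-object setting wins over bucket defaults
        return LockedObject(key, explicit["Mode"], explicit["RetainUntilDate"])
    rule = (bucket_cfg or {}).get("Rule")
    if not rule:
        return LockedObject(key)
    d = rule["DefaultRetention"]
    return LockedObject(key, d["Mode"], now + days(d["Days"]))

def can_delete(obj, now, perms=(), is_root=False):
    """Decide whether delete/overwrite is permitted; returns (bool, reason)."""
    if obj.legal_hold:                       # overrides both retention modes
        return False, "legal hold in effect"
    if obj.mode is None or now >= obj.retain_until:
        return True, "no active retention"
    until = obj.retain_until.date().isoformat()
    if obj.mode == COMPLIANCE:               # no user can bypass, not even root
        return False, "compliance retention until " + until
    if is_root or BYPASS_PERM in perms:      # governance bypass
        return True, "governance retention bypassed"
    return False, "governance retention until " + until
```

Changing the bucket default later only changes what `upload` assigns to subsequent objects; a `LockedObject` already created keeps its own mode and date, matching the behaviour described for existing objects.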

    Object Locking Status on a File

    You can view the status of object locking on a file by checking bucket immutability (object locking).

    Requirements

    • Versioning must be enabled on a bucket before object locking can be enabled.
    • Object locking can be enabled only while creating the bucket. Once enabled, the object locking feature cannot be disabled, even though it has no effect until you set a retention mode.
    • When a bucket is set for a specific object locking date and an object is added to the bucket, it is not possible to overwrite or delete the object until that date. No one can override this.
    • If you create a bucket with object locking enabled, you will not be able to use the Compliance feature. Compliance prevents the deletion of any objects and provides additional information to prove that the original data has not been modified since the time it was stored.

    Enabling Object Locking

    1. Complete (Bucket Name) for creating a new bucket.
    2. Slide to enable the Bucket Versioning toggle.
    3. Slide to Enable Object Locking.
    4. Click Next.
    5. The bucket properties are displayed for your review. You can click Back if you need to change any information. Otherwise, click Create Bucket to accept the information and create the bucket.
    6. Click Create Bucket to create a bucket with object locking enabled.
    Versioning cannot be disabled on a bucket for which object locking is enabled. The following alert will display if you try to disable versioning.

    Remember that enabling object locking simply enables the ability to set a locking retention mode for the bucket and specific objects within the bucket. Now, refer to the instructions to set object locking modes and retention.