Object Locking
- Updated on 19 Apr 2024
The Object Locking feature prohibits modification, overwriting, or deletion of specific object versions during a configured retention period, which can be a fixed amount of time or indefinite. Object locking is a method that can be used to achieve WORM (write once, read many) storage or a form of air-gapped storage. The retention setting can be specified on each object placed into a bucket. Additionally, bucket-level settings can be applied so that new objects placed in a bucket will have the default settings applied.
Object locking must be enabled on a bucket (as described below) before you can use the functionality. You can enable object locking only during bucket creation. You cannot enable object locking on an existing bucket. Enabling object locking simply enables the ability to set a locking retention mode for the bucket and specific objects within the bucket. After you enable object locking (as described below), you can set object locking modes and retention as bucket settings.
If you create a bucket and do not select Object Locking, the bucket is created with Compliance enabled by default. The Object Locking and Compliance features are referenced as immutability, and these two types of immutability are mutually exclusive. A bucket can have either Object Locking or Compliance, but not both features. For an understanding of the differences between object locking and compliance, refer to Immutability: Compliance and Object Locking.
Object Locking Features
Retention Mode
When objects are placed in a bucket that has object locking enabled, the objects are subject to retention mode defaults. The modes are:
- Governance Mode, in which objects are immutable until after they reach a defined retention date. However, the Root user or any user who has the IAM permission "s3:BypassGovernanceRetention" can bypass the retention period and modify or delete files.
- Compliance Mode, in which objects are immutable until after they reach a defined retention date. This cannot be reversed for any reason, by any user, regardless of user permissions. No user can modify or delete the object until the defined retention date has passed.
Retention modes are set at the bucket level or object level, as described for defining object locking modes and retention.
Legal Hold
Legal hold is an additional locking mechanism that can be placed on an object in a bucket with object locking enabled. A legal hold will prevent the modification or deletion of an object indefinitely until the legal hold has been removed. A legal hold overrides both Governance Mode and Compliance Mode retention settings, but it does not remove them. After removing the legal hold, the existing Governance Mode or Compliance Mode retention setting will be in effect.
Bucket-Level Object Locking
Bucket-level configuration for object locking allows you to automatically configure a retention mode and retention time in days or years for new objects placed into a bucket. This optional configuration (which is disabled by default) is done after enabling object locking (described below) by defining object locking modes and retention as bucket settings. Configuring object locking on a bucket does not affect objects that are already in the bucket. When an object is uploaded without an object locking configuration, the object will have the bucket-level defaults applied to it. Changing or disabling object locking default settings on the bucket will not affect any existing objects in a bucket.
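The retention, legal hold, and bucket-default rules described above can be combined into one decision, shown here as an added example that is not code from this documentation or the service. It assumes the S3 API mode strings "GOVERNANCE" and "COMPLIANCE", hypothetical function names, constructed sample dates, and a year counted as 365 days.

```python
from datetime import datetime, timedelta, timezone

BYPASS = "s3:BypassGovernanceRetention"  # IAM permission named on this page

def lock_on_upload(explicit, bucket_default, uploaded_at):
    """Retention stamped on a new object version at upload time.

    explicit: {"Mode", "RetainUntilDate"} sent with the upload, or None.
    bucket_default: {"Mode", "Days"} or {"Mode", "Years"}, or None if disabled.
    The result is stored on the version, so later changes to the bucket
    default do not alter objects that already exist.
    """
    if explicit:
        return dict(explicit)
    if not bucket_default:
        return None
    # Simplification (assumption): one year is treated as 365 days.
    days = bucket_default.get("Days") or 365 * bucket_default["Years"]
    return {"Mode": bucket_default["Mode"],
            "RetainUntilDate": uploaded_at + timedelta(days=days)}

def can_delete_version(retention, legal_hold_on, now, is_root=False, permissions=()):
    """Return (allowed, reason) for deleting or overwriting one object version."""
    if legal_hold_on:
        # Legal hold blocks every user; the retention setting stays in place.
        return False, "legal hold"
    if retention is None or now > retention["RetainUntilDate"]:
        return True, "no active retention"
    if retention["Mode"] == "COMPLIANCE":
        return False, "compliance retention"
    if is_root or BYPASS in permissions:
        return True, "governance bypass"
    return False, "governance retention"

if __name__ == "__main__":
    # Constructed sample: bucket default of 30 days in Governance Mode.
    t0 = datetime(2024, 4, 19, tzinfo=timezone.utc)
    ret = lock_on_upload(None, {"Mode": "GOVERNANCE", "Days": 30}, t0)
    day1 = t0 + timedelta(days=1)
    print(can_delete_version(ret, False, day1))                        # ordinary user
    print(can_delete_version(ret, False, day1, permissions=[BYPASS]))  # bypass holder
    print(can_delete_version(ret, True, day1, is_root=True))           # legal hold set
```

For an audit, the practical reading is that a Governance Mode object is only as protected as the set of identities holding the bypass permission, while Compliance Mode and legal hold do not depend on who is asking.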
Object Locking Status on a File
You can view the status of object locking on a file by checking bucket immutability (object locking).
Requirements
Versioning must be enabled on a bucket before locking can be enabled.
Enabling Object Locking
- Complete (Bucket Name) for creating a new bucket.
- Slide to enable the Bucket Versioning toggle.
- Slide to Enable Object Locking.
- Click Next.
- The bucket properties are displayed for your review. You can click Back if you need to change any information. Otherwise, click Create Bucket to accept the information and create the bucket.
- Click Create Bucket to create a bucket with object locking enabled.
Remember that enabling object locking simply enables the ability to set a locking retention mode for the bucket and specific objects within the bucket. Now, refer to the instructions to set object locking modes and retention.