Object Lock
Object Lock is not available for buckets in the ru-1 pool.
Object Lock works on the WORM (Write Once Read Many) principle and allows you to lock objects to prevent them from being overwritten or deleted.
To use Object Lock, versioning must be enabled in the bucket. Object Lock applies only to object versions. Once Object Lock is enabled, it cannot be disabled and versioning cannot be paused.
Locks come in different types and modes. Depending on the lock type, a lock can be set on individual objects or as the bucket default, in which case it is applied to new objects.
The ability to manage a lock also depends on the user role and access policy rules; for details, see the Managing Access in S3 tutorial. You can work with Object Lock only through the S3 API and tools that use it.
To manage object locking after setting up Object Lock, use the Manage Object Lock instructions.
If you delete a project that has objects with an active lock, the objects will not be deleted while the lock is active. However, they will not be displayed in the control panel or through the API. To restore locked objects after deleting a project, create a ticket.
Lock types and modes
A lock can be temporary or indefinite. A temporary lock has two modes: Governance and Compliance.
If an object has both a temporary and an indefinite lock enabled at the same time, the indefinite lock takes precedence.
* Available only to users:
- with the member role;
- with other roles that have access to S3, if the bucket has an access policy that allows the action s3:BypassGovernance.
Configure Object Lock in a bucket
Object Lock can be configured by:
- the Account Owner;
- users with the member and object_storage:admin roles;
- users with the object_storage_user and s3.bucket.user roles, if the access policy allows them the action s3:PutBucketObjectLockConfiguration.
Once Object Lock is configured in the bucket, you will be able to lock objects manually or upload objects with the lock already active.
- If you don't have versioning enabled, enable it.
- Enable Object Lock in the bucket.
- Optional: enable temporary default locking in the bucket.
1. Enable versioning
Use the Enable Versioning subsection of the Versioning instructions.
2. Enable Object Lock
Enabling Object Lock does not by itself lock any objects.
AWS CLI
- If you haven't used the AWS CLI, configure it.
- Open the CLI.
- Enable Object Lock:
aws s3api put-object-lock-configuration \
  --bucket "<bucket_name>" \
  --object-lock-configuration '{
    "ObjectLockEnabled": "Enabled"
  }'
Specify <bucket_name>, the name of the bucket.
- Make sure Object Lock is enabled:
aws s3api get-object-lock-configuration --bucket "<bucket_name>"
Specify <bucket_name>, the name of the bucket.
If Object Lock is enabled, a response will be returned:
{
"ObjectLockConfiguration": {
"ObjectLockEnabled": "Enabled"
}
}
3. Optional: enable temporary default locking in the bucket
The temporary lock will be applied to all new objects in the bucket.
AWS CLI
- Open the CLI.
- Enable the default temporary lock in the bucket:
aws s3api put-object-lock-configuration \
  --bucket "<bucket_name>" \
  --object-lock-configuration '{
    "ObjectLockEnabled": "Enabled",
    "Rule": { "DefaultRetention": { "Mode": "<lock_mode>", "<time_gap>": <number> } }
  }'
Specify:
<bucket_name> - the bucket name;
<lock_mode> - the lock mode. Possible values are GOVERNANCE or COMPLIANCE;
<time_gap> - the unit of time in which the lock period is measured. Possible values are DAYS or YEARS;
<number> - the lock period in days or years. It cannot be more than 100 years or 36500 days.
- Make sure that the temporary lock in the bucket is enabled:
aws s3api get-object-lock-configuration --bucket "<bucket_name>"
Specify <bucket_name>, the name of the bucket.
Example of a response with the temporary lock enabled:
{
"ObjectLockConfiguration": {
"ObjectLockEnabled": "Enabled",
"Rule": {
"DefaultRetention": {
"Mode": "GOVERNANCE",
"Days": 30
}
}
}
}
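Because Object Lock cannot be disabled once enabled, it helps to validate the inputs before step 3 is applied. The following is an added example, not part of the original documentation: a shell wrapper that checks the mode and period against the limits stated above, refuses to continue unless versioning is enabled, and reads the applied mode back. The function names are hypothetical, and the Days/Years key spelling is an assumption taken from the response example above.

```shell
# Added example. Modes and limits (36500 days / 100 years) are the ones stated
# on this page; the function names are hypothetical.

# Print the --object-lock-configuration JSON, or fail on invalid input.
build_lock_config() {
  local mode="$1" unit="$2" number="$3" key max
  case "$mode" in
    GOVERNANCE|COMPLIANCE) ;;
    *) echo "invalid lock mode: $mode" >&2; return 1 ;;
  esac
  # Assumption: the JSON key is spelled as in the response example (Days/Years).
  case "$unit" in
    DAYS|Days)   key=Days;  max=36500 ;;
    YEARS|Years) key=Years; max=100 ;;
    *) echo "invalid time unit: $unit" >&2; return 1 ;;
  esac
  # Reject empty, zero, leading-zero, non-numeric and over-long values.
  case "$number" in
    ''|0*|*[!0-9]*|??????*) echo "invalid period: $number" >&2; return 1 ;;
  esac
  if [ "$number" -gt "$max" ]; then
    echo "period exceeds $max $key" >&2; return 1
  fi
  printf '{"ObjectLockEnabled":"Enabled","Rule":{"DefaultRetention":{"Mode":"%s","%s":%s}}}\n' \
    "$mode" "$key" "$number"
}

# Apply the default lock only when versioning is enabled, then read the mode back.
apply_default_lock() {
  local bucket="$1" cfg status applied
  cfg="$(build_lock_config "$2" "$3" "$4")" || return 1
  status="$(aws s3api get-bucket-versioning --bucket "$bucket" \
    --query Status --output text)" || return 1
  [ "$status" = "Enabled" ] || { echo "versioning is $status" >&2; return 1; }
  aws s3api put-object-lock-configuration --bucket "$bucket" \
    --object-lock-configuration "$cfg" || return 1
  applied="$(aws s3api get-object-lock-configuration --bucket "$bucket" \
    --query 'ObjectLockConfiguration.Rule.DefaultRetention.Mode' --output text)" || return 1
  [ "$applied" = "$2" ] || { echo "unexpected mode: $applied" >&2; return 1; }
}
```

After sourcing the file, call it as apply_default_lock "<bucket_name>" GOVERNANCE Days 30.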