Skip to main content

Object Lock

Last update:

Object Lock uses the WORM (Write Once Read Many) principle and allows you to lock objects to prevent them from being overwritten or deleted.

To use Object Lock, versioning must be enabled in the bucket. Object locking applies only to object versions.

Locking can be of different types and modes. Depending on the lock type, it can be applied to individual objects or to the bucket by default — the lock will be applied to new objects.

The ability to manage locks also depends on the user role and bucket policy rules; for more details, see the Managing access in S3 guide. You can work with Object Lock in the control panel (with limited capabilities), via S3 API and tools that use it, for example, AWS CLI.

To manage object locks after configuring Object Lock, use the Managing object locks guide.

If you delete a project containing locked objects, those objects will not be deleted while the lock is active. However, they will not be visible in the control panel or via API. To restore locked objects after the project is deleted, create a ticket.

Types and retention modes

Locking can be temporary or indefinite. A temporary lock has two modes: Governance and Compliance.

If both a temporary and an indefinite lock are enabled for an object, the indefinite lock takes precedence.

IndefiniteTemporary
Governance modeCompliance mode
What can it be applied toObjects
  • to objects;
  • to the default bucket — the lock will be applied to all new objects
  • to objects;
  • to the default bucket — the lock will be applied to all new objects
Possible locking actionsDisabling the lock
  • shortening the lock duration *;
  • extending the lock duration;
  • changing the locking mode to Compliance
Extending the lock duration
Ability to delete objectsNo one can while the lock is enabledYou can *No one can until the lock expiration date

* Available only to users:

Enable Object Lock in a bucket

For your information

Object Lock can be enabled by:

If you enable Object Lock, it cannot be disabled, and versioning cannot be suspended.

Enabling Object Lock does not automatically lock objects. After configuring Object Lock in a bucket, you can:

If versioning is disabled or suspended in a bucket, it will be enabled automatically when Object Lock is enabled.

  1. In the control panel, on the top menu, click Products and select S3.

  2. Go to the Buckets section.

  3. Open the bucket page → Configuration tab.

  4. In the Data protection block, in the Object Lock row, click Edit.

  5. Select the Enable Object Lock checkbox.

  6. Optional: enable default retention in the bucket:

    6.1.Select the Enable default retention checkbox.

    6.2.Select the lock mode.

    6.3.Specify the lock duration.

    You can manage the default retention lock even after enabling Object Lock.

  7. Click Save.

Managing default retention in a bucket

For your information

Default retention can be managed by:

Enable default retention

The retention lock will be applied to all new objects in the bucket.

  1. In the control panel, on the top menu, click Products and select S3.
  2. Go to the Buckets section.
  3. Open the bucket page → Configuration tab.
  4. In the Data protection block, in the Object Lock row, click Edit.
  5. Make sure the Enable Object Lock checkbox is selected.
  6. Select the Enable default retention checkbox.
  7. Select the lock mode.
  8. Specify the lock duration.
  9. Click Save.

Changing the default retention duration

If the lock mode is set to:

  • Governance — the lock duration can be shortened or extended;
  • Compliance — the lock duration can only be extended.
  1. In the control panel, on the top menu, click Products and select S3.
  2. Go to the Buckets section.
  3. Open the bucket page → Configuration tab.
  4. In the Data protection block, in the Object Lock row, click Edit.
  5. Specify the new lock duration.
  6. Click Save.

Changing the default retention mode

You can only change the lock mode from Governance to Compliance.

  1. In the control panel, on the top menu, click Products and select S3.
  2. Go to the Buckets section.
  3. Open the bucket page → Configuration tab.
  4. In the Data protection block, in the Object Lock row, click Edit.
  5. Select the Compliance lock mode.
  6. Specify the lock duration.
  7. Click Save.

Disabling default retention

You can only disable default retention in the Governance mode.

When you disable default retention, new objects will not be locked. Objects that were uploaded and automatically locked before default retention was disabled will remain locked in accordance with the lock mode. Object Lock itself will not be disabled in the bucket.

Only the account owner or a user with the member role can disable default retention in the control panel.

  1. In the control panel, on the top menu, click Products and select S3.
  2. Go to the Buckets section.
  3. Open the bucket page → Configuration tab.
  4. In the Data protection block, in the Object Lock row, click Edit.
  5. Clear the Enable default retention checkbox.
  6. Click Save.