Object Lock
Object Lock uses the WORM (Write Once Read Many) principle and allows you to lock objects to prevent them from being overwritten or deleted.
To use Object Lock, versioning must be enabled in the bucket. Object locking applies only to object versions.
Locking can be of different types and modes. Depending on the lock type, it can be applied to individual objects or to the bucket by default — the lock will be applied to new objects.
The ability to manage locks also depends on the user role and bucket policy rules; for more details, see the Managing access in S3 guide. You can work with Object Lock in the control panel (with limited capabilities), via S3 API and tools that use it, for example, AWS CLI.
To manage object locks after configuring Object Lock, use the Managing object locks guide.
If you delete a project containing locked objects, those objects will not be deleted while the lock is active. However, they will not be visible in the control panel or via API. To restore locked objects after the project is deleted, create a ticket.
Types and retention modes
Locking can be temporary or indefinite. A temporary lock has two modes: Governance and Compliance.
If both a temporary and an indefinite lock are enabled for an object, the indefinite lock takes precedence.
* Available only to users:
- with the
memberrole; - with other roles with S3 access, if the bucket has a bucket policy that allows the action
s3:BypassGovernance.
Enable Object Lock in a bucket
Object Lock can be enabled by:
- The account owner;
- users with the
member,s3.adminandobject_storage:admin;roles; - users with the
s3.bucket.user,s3.userandobject_storage_userroles, if the bucket policy allows them the actions3:PutBucketObjectLockConfiguration.
If you enable Object Lock, it cannot be disabled, and versioning cannot be suspended.
Enabling Object Lock does not automatically lock objects. After configuring Object Lock in a bucket, you can:
- manage object locks;
- upload objects with an active lock (using only S3 API and tools that use it);
- manage the default retention lock in the bucket.
Control panel
AWS CLI
If versioning is disabled or suspended in a bucket, it will be enabled automatically when Object Lock is enabled.
-
In the control panel, on the top menu, click Products and select S3.
-
Go to the Buckets section.
-
Open the bucket page → Configuration tab.
-
In the Data protection block, in the Object Lock row, click Edit.
-
Select the Enable Object Lock checkbox.
-
Optional: enable default retention in the bucket:
6.1.Select the Enable default retention checkbox.
6.2.Select the lock mode.
6.3.Specify the lock duration.
You can manage the default retention lock even after enabling Object Lock.
-
Click Save.
Managing default retention in a bucket
Default retention can be managed by:
- The account owner;
- users with the
member,s3.adminandobject_storage:admin;roles; - users with the
s3.bucket.user,s3.userandobject_storage_userroles, if the bucket policy allows them the appropriate actions.
Enable default retention
The retention lock will be applied to all new objects in the bucket.
Control panel
AWS CLI
- In the control panel, on the top menu, click Products and select S3.
- Go to the Buckets section.
- Open the bucket page → Configuration tab.
- In the Data protection block, in the Object Lock row, click Edit.
- Make sure the Enable Object Lock checkbox is selected.
- Select the Enable default retention checkbox.
- Select the lock mode.
- Specify the lock duration.
- Click Save.
Changing the default retention duration
If the lock mode is set to:
- Governance — the lock duration can be shortened or extended;
- Compliance — the lock duration can only be extended.
Control panel
AWS CLI
- In the control panel, on the top menu, click Products and select S3.
- Go to the Buckets section.
- Open the bucket page → Configuration tab.
- In the Data protection block, in the Object Lock row, click Edit.
- Specify the new lock duration.
- Click Save.
Changing the default retention mode
You can only change the lock mode from Governance to Compliance.
Control panel
AWS CLI
- In the control panel, on the top menu, click Products and select S3.
- Go to the Buckets section.
- Open the bucket page → Configuration tab.
- In the Data protection block, in the Object Lock row, click Edit.
- Select the Compliance lock mode.
- Specify the lock duration.
- Click Save.
Disabling default retention
You can only disable default retention in the Governance mode.
When you disable default retention, new objects will not be locked. Objects that were uploaded and automatically locked before default retention was disabled will remain locked in accordance with the lock mode. Object Lock itself will not be disabled in the bucket.
Control panel
AWS CLI
Only the account owner or a user with the member role can disable default retention in the control panel.
- In the control panel, on the top menu, click Products and select S3.
- Go to the Buckets section.
- Open the bucket page → Configuration tab.
- In the Data protection block, in the Object Lock row, click Edit.
- Clear the Enable default retention checkbox.
- Click Save.