Object lock prevents object version deletion during a user-defined retention period. Immutable S3 objects are protected using object- or bucket-level configuration of WORM and retention attributes.
The retention policy is defined using the S3 API or bucket-level defaults.
Objects are locked for the duration of the retention period, and legal hold scenarios are also supported.
There are two lock types for object lock:
Retention period: Specifies a fixed period of time during which an object version remains locked. During this period, your object version is WORM-protected and can't be overwritten or deleted.
Legal hold: Provides the same protection as a retention period, but it has no expiration date. Instead, a legal hold remains in place until you explicitly remove it. Legal holds are independent from retention periods.
There are two modes for the retention period:
Governance mode
Users can't overwrite or delete an object version or alter its lock settings unless they have special permissions.
With Governance mode, you protect objects against being deleted by most users, but you can still grant some users permission to alter the retention settings or delete the object if necessary.
You can also use Governance mode to test retention-period settings before creating a compliance-mode retention period.
Users cannot overwrite or delete an object version.
Users with s3:PutObjectRetention permission can increase an object retention period.
Users with special s3:BypassGovernanceRetention permission can remove or shorten an object retention.
Users withs3:BypassGovernanceRetention permission can also delete locked objects.
Compliance mode
A protected object version can't be overwritten or deleted by any user, including the root user in your account.
When an object is locked in compliance mode, its retention mode can't be changed, and its retention period can't be shortened.
Compliance mode helps ensure that an object version can't be overwritten or deleted for the duration of the retention period.
Users cannot overwrite or delete an object version.
Users withs3:PutObjectRetention permission can increase an object retention period.
User cannot remove or shorten an object retention.
In Compliance mode, if you applied a wrong retention period (e.g 6 years instead of 6 days) cegedim.cloudhas no possibility to delete or shorten the retention period.
A good practice is to start with Governance mode to perform tests, and then switch to Compliance mode.
For more information, see:
Object Lock Requirements
Object lock requires ADO (Access During Outage) disabled at the Object Store level
Object Stores without ADO cannot be created using ITCare and must therefore be created manually by cegedim.cloudteams
Object lock only works with IAM (not legacy accounts)
Object lock works only with versioned buckets
Enabling locking on the bucket automatically makes it versioned
Once bucket locking is enabled, it is not possible to disable object lock or suspend versioning for the bucket
Object lock requires FS (File System) disabled on bucket
Object lock is only supported by S3 API
A bucket has a default configuration including a retention mode (governance or compliance) and a retention period (which is days or years)
Object locks apply to individual object versions only
Different versions of a single object can have different retention modes and periods
A lock prevents an object from being deleted or overwritten. Overwritten does not mean that new versions can't be created (new versions can be created with their own lock settings)
An object can still be deleted version-wise. It creates a delete marker and the version still exists and is locked
Compliance mode is stricter : locks can't be removed, decreased, or downgraded to governance mode
Governance mode is less strict : locks can be removed, bypassed, or even elevated to compliance mode
Updating an object version's metadata, which occurs when you place or alter an object lock, doesn't overwrite the object version or reset its Last-Modified timestamp
Retention period can be placed on an object explicitly, or implicitly through a bucket default setting
Placing a default retention setting on a bucket doesn't place any retention settings on objects that already exist in the bucket
Changing a bucket's default retention period doesn't change the existing retention period for any objects in that bucket
Object lock and traditional bucket/object retention can co-exist
Lifecycle
Objects under lock are protected from lifecycle deletions.
Lifecycle logic is made difficult because of the variety of behavior of different locks.
From a lifecycle point of view there are locks without a date, locks with date that can be extended, and locks with date that can be decreased.
For Compliance mode, the retain until date can't be decreased, but can be increased
For Governance mode, the lock date can increase, decrease, or be removed
For legal hold, the lock is indefinite
Condition Keys
Access control using IAM policies is an important part of the object lock functionality.
The s3:BypassGovernanceRetention permission is important because it is required to delete a WORM-protected object in Governance mode.
IAM policy conditions have been defined below to allow you to limit what retention period and legal hold can be specified in objects.
It is not possible to manage IAM Policies with ITCare.
These condition keys can be used inside bucket and IAM policies to control object lock behaviors.
Example: ensure the retention days does not exceed 5 years
Examples and use cases
Buckets
We use aws s3 and aws s3api command line tools from AWSCLIv2 on Linux.
${S3_ENDPOINT} and ${S3_PROFILE} are environment variables.
# List the content of the bucket, the feather.ttf is not display anymoreaws--endpoint-url=${S3_ENDPOINT}--profile=${S3_PROFILE}s3lss3://bucket-test/# No Output
Check version:
This will display all object's versions as well as the delete marker, created when we delete the object, previously.