Object Lock

This document provides instructions to manage Object Lock using the CLI. Additionally, these tasks can also be performed using the DCD and IONOS Object Storage API.

Prerequisites:

  • Object Lock configuration is only feasible when enabled at the time of bucket creation. It cannot be activated for an existing bucket.

  • Set up the AWS CLI by following the installation instructions.

  • Make sure to consider the supported Endpoints.

Create a bucket with an Object Lock

Create a bucket my-bucket in the de region (Frankfurt, Germany) with Object Lock:

aws s3api create-bucket \
  --bucket my-bucket \
  --object-lock-enabled-for-bucket \
  --region=de --create-bucket-configuration \
  LocationConstraint=de \
  --endpoint-url https://s3.eu-central-1.ionoscloud.com

Object Lock with Governance mode

An Object Lock with Governance mode on a bucket provides the bucket owner with better flexibility compared to the Compliance mode. It permits the removal of the Object Lock before the designated retention period has expired, allowing for subsequent replacements or deletions of the object.

Apply Governance mode configuration to the bucket my-bucket-with-object-lock with a default retention period equal to 15 days (or use the PutObjectLockConfiguration API Call):

aws s3api put-object-lock-configuration \
    --bucket my-bucket-with-object-lock \
    --object-lock-configuration '{ "ObjectLockEnabled": "Enabled", "Rule": { "DefaultRetention": { "Mode": "GOVERNANCE", "Days": 15 }}}' \
    --endpoint-url https://s3.eu-central-1.ionoscloud.com

On applying this configuration, the newly uploaded objects adhere to this retention setting.

Object Lock with Compliance mode

An Object Lock with Compliance mode on a bucket ensures strict control by enforcing a stringent retention policy on objects. Once this mode is set, the retention period for an object cannot be shortened or modified. It provides immutable protection by preventing objects from being deleted or overwritten during their retention period.

This mode is particularly suited for meeting regulatory requirements as it guarantees that objects remain unaltered. It does not allow locks to be removed before the retention period concludes, ensuring consistent data protection.

Apply Compliance mode configuration to the bucket my-bucket-with-object-lock with a default retention period equal to 15 days:

aws s3api put-object-lock-configuration \
    --bucket my-bucket-with-object-lock \
    --object-lock-configuration '{ "ObjectLockEnabled": "Enabled", "Rule": { "DefaultRetention": { "Mode": "COMPLIANCE", "Days": 15 }}}' \
    --endpoint-url https://s3.eu-central-1.ionoscloud.com

On applying this configuration, the newly uploaded objects adhere to this retention setting.

Retrieve Object Lock configuration

Retrieve Object Lock configuration of a bucket (the same could be achieved with the GetObjectLockConfiguration API Call):

aws s3api get-object-lock-configuration \
  --bucket my-bucket-with-object-lock \
  --endpoint-url https://s3.eu-central-1.ionoscloud.com 

Sample response

{
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {
            "DefaultRetention": {
                "Mode": "GOVERNANCE",
                "Days": 15
            }
        }
    }
}
aws s3api put-object-lock-configuration \
    --bucket my-bucket-with-object-lock \
    --object-lock-configuration '{ "ObjectLockEnabled": "Enabled", "Rule": { "DefaultRetention": { "Mode": "COMPLIANCE", "Days": 15 }}}' \
    --endpoint-url https://s3.eu-central-1.ionoscloud.com

Upload objects to a bucket with an Object Lock

Upload my-object.pdf to the bucket my-bucket-with-object-lock:

aws s3api put-object \
   --bucket my-bucket-with-object-lock \
   --key my-object.pdf \
   --endpoint-url https://s3.eu-central-1.ionoscloud.com

Sample response

{
    "ETag": "\"d41d8cd98f00b204e9800998ecf8427e\"",
    "VersionId": "fe11c94b-d120-723f-b907-1070fde7f794"
}

This task could also be achieved by using the PutObject API call.

Note: The Object Lock retention is not specified so a bucket’s default retention configuration will be applied.

Upload my-object.pdf to the bucket my-bucket-with-object-lock and override the bucket’s default Object Lock configuration:

aws s3api put-object \
      --bucket my-bucket-with-object-lock \
      --key my-object.pdf \
      --object-lock-mode GOVERNANCE \
      --object-lock-retain-until-date 2023-08-09T09:01:01Z \
      --endpoint-url https://s3.eu-central-1.ionoscloud.com

Note: You can overwrite objects protected with Object Lock. Since Versioning is used for a bucket, it allows to keep multiple versions of the object. It also allows deleting objects because this operation only adds a deletion marker to the object’s version.

Delete objects with Object Lock

The permanent deletion of the object’s version is prohibited, and the system only creates a deletion marker for the object. But it makes IONOS Object Storage behave in most ways as though the object has been deleted. You can only list the delete markers and other versions of an object by using the ListObjectVersions API call.

aws s3api list-object-versions --bucket my-bucket-with-object-lock --endpoint-url https://s3.eu-central-1.ionoscloud.com

Note: Delete markers are not WORM-protected, regardless of any retention period or legal hold in place on the underlying object.

Apply legal-hold status to my-object.pdf in the bucket my-bucket-with-object-lock:

aws s3api put-object-legal-hold \
    --bucket my-bucket-with-object-lock \
    --key my-object.pdf \
    --legal-hold Status=ON \
    --endpoint-url https://s3.eu-central-1.ionoscloud.com

Use Status=OFF to turn off the legal-hold status.

View lock information for an object

To check the Object Lock status for a particular version of an object, you can utilize either the GET Object or the HEAD Object commands. Both commands will provide information about the retention mode, the designated 'Retain Until Date' and the status of the legal hold for the chosen object version.

Set retention limits

When multiple users have permission to upload objects to your bucket, there is a risk of overly extended retention periods being set. This can lead to increased storage costs and data management challenges. While the system allows for up to 100 years using the s3:object-lock-remaining-retention-days condition key, implementing limitations can be particularly beneficial in multi-user environments.

Establish a 10-day maximum retention limit:

{
    "Version": "2012-10-17",
    "Id": "Set Retention Limits",
    "Statement": [
        {
            "Sid": "Set Retention Period",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "s3:PutObjectRetention"
            ],
            "Resource": "arn:aws:s3:::my-bucket-with-object-lock/*",
            "Condition": {
                "NumericGreaterThan": {
                    "s3:object-lock-remaining-retention-days": "10"
                }
            }
        }
    ]
}

Save it to the policy.json file and apply using the following command:

aws s3api put-bucket-policy --bucket my-bucket-with-object-lock --policy file://policy.json

Last updated