Object Lock
Object Lock is a feature that enables you to apply Write Once Read Many (WORM) protection to objects, preventing them from being deleted or modified for a specified duration. It provides robust, programmable safeguards for storing critical data that must remain immutable. Enabling Object Lock automatically enables bucket Versioning.
Warning: Once a bucket is created without Object Lock, you cannot enable Object Lock on it later.
Note: Object Lock is supported for both contract-owned buckets and user-owned buckets. For more information, see Bucket Types.
Use cases
Data Preservation: Protects critical data from accidental or malicious alteration and deletion, ensuring integrity and consistency.
Regulatory Compliance: Aligns with European regulations such as GDPR, Markets in Financial Instruments Directive (MiFID) II, and the Electronic ID and Trust Services (eIDAS) regulation, maintaining records in an unalterable state.
Legal Holds and Audits: Facilitates legal holds and audits that offer immutable data preservation, providing a transparent data record. It also offers an auditable trail of when and why the data is placed on hold, which is essential for legal and regulatory audits.
Modes
Object Lock can be applied in two different modes:
Governance: Allows specific users with special permissions to override the lock settings. Ideal for flexible control.
Compliance: Enforces a strict lock without any possibility of an override. Suited for regulatory and legal mandates.
These two lock modes require configuring the duration for which the object will remain locked. The period can range from days to years, depending on the object's compliance needs.
The Retention period refers to the duration for which the objects stored in a particular Object Storage bucket are protected from deletion or modification. You can set the retention period to a maximum of 365 days via the DCD. To set a longer retention period, use the API.
The retention configuration can be modified or removed for the objects under Governance mode by including a specific header variable in the API request. However, for objects in Compliance mode, reducing the retention period or removing the retention configuration is not possible.
Note: Under Object Lock or Object Hold, permanent deletion of an object's version is not permissible. Instead, a deletion marker is generated for the object, causing IONOS S3 Object Storage to consider that the object has been deleted.
However, the delete markers on the objects are not subject to protection from deletion, irrespective of any retention period or legal hold on the underlying object. Deleting the delete markers restores the previous version of the objects.
Legal Hold
An additional setting called Legal Hold can place a hold on an object, enforceable without specifying a retention period. It can be applied to objects both with and without Object Lock. The Legal Hold remains in effect until it is manually removed, even if the object's retention period for Governance or Compliance mode is over.
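The rules above for modes, retention, delete markers, and Legal Hold interact, so the following added example (not IONOS code) models them as a small decision function that you can use to reason about what a given request can do. The Version class, the function names, and the bypass flag (standing for a permitted user sending the Governance override header) are hypothetical, and the dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Version:
    """Lock state of one object version (hypothetical model, not an IONOS type)."""
    mode: Optional[str] = None              # "GOVERNANCE", "COMPLIANCE" or None
    retain_until: Optional[datetime] = None
    legal_hold: bool = False
    is_delete_marker: bool = False

def _retained(v: Version, now: datetime) -> bool:
    """True while the version is still inside its retention period."""
    return v.mode is not None and v.retain_until is not None and now < v.retain_until

def delete_outcome(v: Version, now: datetime, version_id_given: bool,
                   bypass: bool = False) -> str:
    """Outcome of a DELETE request under the rules described on this page."""
    if not version_id_given:
        return "delete-marker-created"      # data stays; object only appears deleted
    if v.is_delete_marker:
        return "deleted"                    # markers are never protected
    if v.legal_hold:
        return "denied"                     # hold applies until manually removed
    if _retained(v, now):
        # Only Governance mode can be overridden, and only with the bypass.
        return "deleted" if v.mode == "GOVERNANCE" and bypass else "denied"
    return "deleted"

def may_set_retention(v: Version, now: datetime, new_until: Optional[datetime],
                      bypass: bool = False) -> bool:
    """May retention be changed to new_until (None means remove it)?"""
    if not _retained(v, now):
        return True
    if new_until is not None and new_until >= v.retain_until:
        return True                         # not a reduction
    # Reducing or removing: never in Compliance, Governance only with bypass.
    return v.mode == "GOVERNANCE" and bypass

# Constructed sample state for experimentation.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
LOCKED_COMPLIANCE = Version("COMPLIANCE", NOW + timedelta(days=30))
LOCKED_GOVERNANCE = Version("GOVERNANCE", NOW + timedelta(days=30))
EXPIRED_BUT_HELD = Version("GOVERNANCE", NOW - timedelta(days=1), legal_hold=True)
```

Note the two cases that matter for monitoring: a plain DELETE always succeeds by creating a delete marker, and removing that marker later is never blocked by retention or Legal Hold.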
Manage Object Lock
Note: Object Lock configuration can only be enabled during the initial creation of a bucket and cannot be applied to an existing bucket.
When a bucket is created with Object Lock enabled, you can set up Object Lock configurations. These configurations determine the default mode and retention period for newly uploaded objects. Alternatively, Object Lock settings can be explicitly defined for each object during its creation, overriding the bucket's default settings.
DCD
Prerequisite: Ensure you create a new bucket to enable Object Lock.
1. In the DCD, go to Menu > Storage > IONOS S3 Object Storage.
2. Depending on the Bucket Types you want to create, follow the steps in Create a bucket and enable Object Lock.
3. From the drop-down list in the Buckets tab, choose either Show user-owned buckets or Show contract-owned buckets depending on the bucket type you created.
4. From the Buckets list, choose the bucket for which the Object Lock is enabled.
5. Click Bucket settings and go to the Object Lock setting under the Data management section.
6. Modify the Object Lock mode applied on the bucket and the Retention period as needed.
7. Click SAVE.
Note: The modified Object Lock settings apply to objects newly uploaded to the bucket. The existing objects adhere to the Object Lock settings applied during the bucket creation.
Result: The Object Lock settings are successfully updated and applied to the bucket.
IONOS S3 Object Storage API
Use the API to manage the Object Lock configuration on the specified buckets.
CLI tool
Use the CLI to manage Object Lock.
Limitations
The following are a few limitations to consider while using Object Lock:
Once Object Lock is enabled during bucket creation, neither Object Lock nor Versioning can be disabled afterward.
When you place or modify an Object Lock, updating the object version's metadata does not overwrite the object version or change its Last-Modified timestamp.
A bucket with Object Lock enabled cannot be chosen as a source for replication or tiering, but it can be a destination for replication or tiering.
In the Compliance mode, an object is immutable until its retention date has passed. It is not possible to disable this mode for the object or shorten the retention period. This setting cannot be changed by either the bucket owner or IONOS.