This document provides instructions to manage Object Lock using the command-line tool. Additionally, these tasks can also be performed using the web console and IONOS S3 Object Storage API.
Prerequisites:
Object Lock configuration is only feasible when enabled at the time of bucket creation. It cannot be activated for an existing bucket.
Set up the AWS CLI by following the installation instructions.
Make sure to consider the supported S3 Endpoints.
To create a bucket my-bucket in the de region (Frankfurt, Germany) with Object Lock:
An Object Lock with Governance mode on a bucket provides the bucket owner with more flexibility than Compliance mode. It permits the removal of the Object Lock before the designated retention period has expired, allowing for subsequent replacements or deletions of the object.
To apply Governance mode configuration to the bucket my-bucket-with-object-lock with a default retention period equal to 15 days (or use the PutObjectLockConfiguration API Call):
On applying this configuration, the newly uploaded objects adhere to this retention setting.
An Object Lock with Compliance mode on a bucket ensures strict control by enforcing a stringent retention policy on objects. Once this mode is set, the retention period for an object cannot be shortened or modified. It provides immutable protection by preventing objects from being deleted or overwritten during their retention period.
This mode is particularly suited for meeting regulatory requirements as it guarantees that objects remain unaltered. It does not allow locks to be removed before the retention period concludes, ensuring consistent data protection.
To apply Compliance mode configuration to the bucket my-bucket-with-object-lock with a default retention period equal to 15 days:
On applying this configuration, the newly uploaded objects adhere to this retention setting.
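An added example, not part of the original page: a POSIX shell helper that builds the default-retention configuration for either mode described above and applies it with put-object-lock-configuration. S3_ENDPOINT is a placeholder for your region's endpoint URL, and CONFIRM_COMPLIANCE is a hypothetical safety switch introduced here because a Compliance retention cannot be shortened later.

```shell
# Added example. S3_ENDPOINT and CONFIRM_COMPLIANCE are names chosen here:
# the first is a placeholder for your region's endpoint URL, the second a
# hypothetical safety switch, not an AWS CLI or IONOS setting.

# write_lock_config MODE DAYS FILE -> writes the ObjectLockConfiguration JSON.
write_lock_config() (
    mode=$1; days=$2; file=$3
    case $mode in
        GOVERNANCE|COMPLIANCE) ;;
        *) echo "mode must be GOVERNANCE or COMPLIANCE" >&2; exit 2 ;;
    esac
    case $days in
        ''|*[!0-9]*|0*) echo "days must be a positive integer" >&2; exit 2 ;;
    esac
    cat > "$file" <<EOF
{
  "ObjectLockEnabled": "Enabled",
  "Rule": {
    "DefaultRetention": { "Mode": "$mode", "Days": $days }
  }
}
EOF
)

# apply_lock_config BUCKET FILE -> applies the file, then reads the setting back.
# COMPLIANCE is refused unless CONFIRM_COMPLIANCE=yes, because retention set
# in that mode cannot be shortened or removed afterwards.
apply_lock_config() (
    bucket=$1; file=$2
    if grep -q '"Mode": "COMPLIANCE"' "$file" &&
       [ "${CONFIRM_COMPLIANCE:-no}" != yes ]; then
        echo "refusing COMPLIANCE without CONFIRM_COMPLIANCE=yes" >&2; exit 3
    fi
    aws s3api put-object-lock-configuration \
        --bucket "$bucket" \
        --object-lock-configuration "file://$file" \
        --endpoint-url "${S3_ENDPOINT:?set S3_ENDPOINT first}" || exit 1
    aws s3api get-object-lock-configuration \
        --bucket "$bucket" --endpoint-url "$S3_ENDPOINT"
)

# Usage, for the bucket used on this page:
#   write_lock_config GOVERNANCE 15 lock.json
#   apply_lock_config my-bucket-with-object-lock lock.json
```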
To retrieve Object Lock configuration for a bucket (the same could be achieved with the GetObjectLockConfiguration API Call):
To upload my-object.pdf to the bucket my-bucket-with-object-lock:
This task could also be achieved by using the PutObject API call.
Note: The Object Lock retention is not specified, so the bucket’s default retention configuration will be applied.
To upload my-object.pdf to the bucket my-bucket-with-object-lock and override the bucket’s default Object Lock configuration:
Note: You can overwrite objects protected with Object Lock. Because Versioning is enabled for the bucket, multiple versions of the object are kept. Deleting objects is also allowed, because this operation only adds a deletion marker to the object’s version.
The permanent deletion of the object’s version is prohibited, and the system only creates a deletion marker for the object. However, this makes IONOS S3 Object Storage behave in most ways as though the object has been deleted. You can only list the delete markers and other versions of an object by using the ListObjectVersions API call.
Note: Delete markers are not WORM-protected, regardless of any retention period or legal hold in place on the underlying object.
To apply LegalHold status to my-object.pdf in the bucket my-bucket-with-object-lock (use OFF to switch it off):
To check the Object Lock status for a particular version of an object, you can utilize either the GET Object or the HEAD Object commands. Both commands will provide information about the retention mode, the designated 'Retain Until Date' and the status of the legal hold for the chosen object version.
When multiple users have permission to upload objects to your bucket, there is a risk of overly extended retention periods being set. This can lead to increased storage costs and data management challenges. While the system allows for up to 100 years using the s3:object-lock-remaining-retention-days condition key, implementing limitations can be particularly beneficial in multi-user environments.
To establish a 10-day maximum retention limit:
Save it to policy.json and apply it using the following command:
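An added example, not the page's own policy: a POSIX shell helper that writes a bucket policy capping retention through the s3:object-lock-remaining-retention-days condition key and applies it with put-bucket-policy. The statement layout (Deny on s3:PutObjectRetention for any principal) follows the standard S3 bucket-policy format and is an assumption here, as is the S3_ENDPOINT placeholder for your region's endpoint URL.

```shell
# Added example. S3_ENDPOINT is a placeholder for your region's endpoint URL;
# the statement layout follows the standard S3 bucket-policy format (assumption).

# write_retention_cap_policy BUCKET MAX_DAYS FILE
# Denies any request that sets a retention period longer than MAX_DAYS.
write_retention_cap_policy() (
    bucket=$1; max_days=$2; file=$3
    case $bucket in
        ''|*[!a-z0-9.-]*) echo "unexpected bucket name" >&2; exit 2 ;;
    esac
    case $max_days in
        ''|*[!0-9]*|0*) echo "max days must be a positive integer" >&2; exit 2 ;;
    esac
    # 36500 days approximates the 100-year ceiling mentioned on this page.
    if [ "${#max_days}" -gt 5 ] || [ "$max_days" -gt 36500 ]; then
        echo "max days exceeds 100 years" >&2; exit 2
    fi
    cat > "$file" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CapObjectLockRetention",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:PutObjectRetention"],
      "Resource": "arn:aws:s3:::$bucket/*",
      "Condition": {
        "NumericGreaterThan": {
          "s3:object-lock-remaining-retention-days": "$max_days"
        }
      }
    }
  ]
}
EOF
)

# apply_policy BUCKET FILE -> attaches the policy, then prints the stored copy.
apply_policy() (
    aws s3api put-bucket-policy --bucket "$1" --policy "file://$2" \
        --endpoint-url "${S3_ENDPOINT:?set S3_ENDPOINT first}" || exit 1
    aws s3api get-bucket-policy --bucket "$1" --query Policy --output text \
        --endpoint-url "$S3_ENDPOINT"
)

# Usage, for the 10-day limit described on this page:
#   write_retention_cap_policy my-bucket-with-object-lock 10 policy.json
#   apply_policy my-bucket-with-object-lock policy.json
```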
This document provides instructions to manage Bucket Policy using the command-line tool. Additionally, these tasks can also be performed using the web console and IONOS S3 Object Storage API.
Prerequisites:
Set up the AWS CLI by following the installation instructions.
Make sure to consider the supported S3 Endpoints.
Create a file policy.json with the JSON policy. For more information, see .
To apply a bucket policy to a bucket:
To save a bucket policy to file:
To delete the bucket policy:
IONOS S3 Object Storage supports using Amazon's AWS Command Line Interface (AWS CLI) for Windows, macOS, and Linux.
For the installation instructions, see .
Run the following command in a terminal: aws configure.
AWS Access Key ID [None]: Insert the Access Key. To get it, go to Menu > Storage > IONOS S3 Object Storage > Key management.
AWS Secret Access Key [None]: Paste the Secret Key. It can be found in the Data Center Designer by selecting Storage > S3 Key Management.
Default region name [None]: de.
Default output format [None]: json.
For each command, be sure to include one of the endpoints in the endpoint-url parameter:
For information on the supported IONOS S3 Object Storage Service endpoints, see .
There are 2 sets of commands:
s3: Offers high-level commands for managing S3 buckets and for moving, copying, and synchronizing objects.
s3api: Allows you to work with specific features such as ACL, CORS, and Versioning.
List buckets:
Option 1: Using s3 set of commands
Option 2: Using s3api set of commands
Create a bucket in the eu-central-2 region (Berlin, Germany):
Option 1: Using s3 set of commands
Option 2: Using s3api set of commands
Create a bucket in the de region (Frankfurt, Germany) with Object Lock enabled:
Upload an object from the current directory to a bucket:
Copy the object to the bucket:
Copy the contents of the local directory my-dir to the bucket my-bucket:
Copy all objects from my-source-bucket to my-dest-bucket excluding .zip files. The command doesn’t support cross-region copying for IONOS S3 Object Storage:
Download all the objects from the my-bucket bucket to the local directory my-dir:
Sync the bucket my-bucket with the contents of the local directory my-dir:
Get Cross-Origin Resource Sharing (CORS) configuration:
Set up Cross-Origin Resource Sharing (CORS) configuration:
cors.json:
Enable versioning for the bucket:
Get versioning state of the bucket:
Set up a lifetime policy for a bucket (delete objects starting with "my/prefix/" older than 5 days):
delete-after-5-days.json:
This document provides instructions to Manage ACL for Objects using the AWS CLI command-line tool. Additionally, these tasks can also be performed using the web console and IONOS S3 Object Storage API.
Prerequisites:
Set up the AWS CLI by following the installation instructions.
Make sure to consider the supported S3 Endpoints for object upload.
Use the following keys to define access permissions:
--grant-read: Grants read-only access.
--grant-write: Grants write-only access.
--grant-read-acp: Grants permission to read the Access Control List.
--grant-write-acp: Grants permission to modify the Access Control List.
--grant-full-control: Grants full access, encompassing the permissions listed above (read, write, read ACL, and write ACL).
Use --key to specify the object for granting access:
Use the following values for the --acl key:
private removes public access.
public-read allows public read-only access.
public-read-write allows public read/write access.
authenticated-read allows read-only access to all authenticated users of IONOS S3 Object storage (including ones out of your contract).
To allow public read-only access to the object:
To remove public access to the object:
This document provides instructions to manage Versioning using the command-line tool. Additionally, these tasks can also be performed using the web console and IONOS S3 Object Storage API.
Prerequisites:
Set up the AWS CLI by following the installation instructions.
Make sure to consider the supported S3 Endpoints.
To get the versioning state of the bucket:
To enable versioning for the bucket:
To list object versions for the bucket:
To list object versions for the object my-object.txt:
This document provides instructions to Manage ACL for Buckets using the AWS CLI command-line tool. Additionally, these tasks can also be performed using the web console and IONOS S3 Object Storage API.
Prerequisites:
Set up the AWS CLI by following the installation instructions.
Make sure to consider the supported S3 Endpoints.
Use the following keys to define access permissions:
--grant-read: Grants read-only access.
--grant-write: Grants write-only access.
--grant-read-acp: Grants permission to read the Access Control List.
--grant-write-acp: Grants permission to modify the Access Control List.
--grant-full-control: Grants full access, encompassing the permissions listed above (read, write, read ACL, and write ACL).
Note: Granting access to a bucket for another IONOS user does not make the bucket appear in the user's S3 web console due to the S3 protocol's architecture. To access the bucket, the user must utilize other S3 Tools, as the granted access does not translate to interface visibility.
To grant full control of my-bucket to a user with a specific Canonical user ID:
Separate grants with a comma if you want to specify multiple IDs.
To grant full control of my-bucket to multiple users using Canonical user ID:
To grant full control of my-bucket by using an email address instead of Canonical User ID:
Retrieve the ACL of a bucket and save it to the file acl.json:
Edit the file (for example, remove or add some grants) and apply the updated ACL to the bucket:
Use the following values for the --acl key:
private removes public access.
public-read allows public read-only access.
public-read-write allows public read/write access.
authenticated-read allows read-only access to all authenticated users of IONOS S3 Object storage (including ones out of your contract).
To allow public read-only access to the bucket:
To remove public access to the bucket:
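An added example, not part of the original page: a POSIX shell check that reads an ACL saved to acl.json and lists every grant made to the public or all-authenticated-users groups, which is what the public-read, public-read-write and authenticated-read values above produce. It assumes the standard S3 predefined group URIs and the AWS CLI's JSON output with one key per line and Grantee before Permission; the sample ACL and S3_ENDPOINT are constructed placeholders.

```shell
# Added example. sample_acl prints a constructed ACL document in the layout
# that "aws s3api get-bucket-acl" emits; the IDs in it are placeholders.
sample_acl() {
    cat <<'EOF'
{
    "Owner": { "ID": "EXAMPLE-OWNER-ID" },
    "Grants": [
        {
            "Grantee": { "ID": "EXAMPLE-OWNER-ID", "Type": "CanonicalUser" },
            "Permission": "FULL_CONTROL"
        },
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
            },
            "Permission": "READ"
        }
    ]
}
EOF
}

# list_broad_grants ACL_JSON
# Prints "<group> <permission>" for each grant to AllUsers (anyone) or
# AuthenticatedUsers (any authenticated user, including other contracts).
# No output means the ACL holds only grants to specific users or other groups.
list_broad_grants() (
    awk '
        /"URI"[ \t]*:/ {
            uri = $0
            sub(/.*groups\/global\//, "", uri); sub(/".*/, "", uri)
        }
        /"Permission"[ \t]*:/ {
            perm = $0
            sub(/.*"Permission"[ \t]*:[ \t]*"/, "", perm); sub(/".*/, "", perm)
            if (uri == "AllUsers" || uri == "AuthenticatedUsers") print uri, perm
            uri = ""   # the next grant starts with no group recorded
        }
    ' "$1"
)

# Usage:
#   aws s3api get-bucket-acl --bucket my-bucket \
#       --endpoint-url "$S3_ENDPOINT" > acl.json
#   list_broad_grants acl.json
```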
To set WRITE and READ_ACP permissions for the Log Delivery Group, which is required before enabling the Logging feature for a bucket:
This document provides instructions to manage Logging using the command-line tool. Additionally, these tasks can also be performed using the web console and IONOS S3 Object Storage API.
Prerequisites:
Set up the AWS CLI by following the installation instructions.
Make sure to consider the supported S3 Endpoints.
Prerequisite: Grant the Log Delivery Group permissions on the bucket where logs will be stored. We recommend using a separate bucket for logs, but it must be in the same S3 region. The Log Delivery Group must be able to write objects and read the ACL.
After that, you can enable Logging for a bucket:
Contents of logs-acl.json:
To retrieve bucket logging settings: