Features

• S3 Compatible: Object Storage adheres to the industry-standard S3 protocol, ensuring seamless integration with S3 Tools and applications designed for S3-compatible platforms. For more information, see S3 API Compatibility.

• Data Management: The data storage pool comprising of objects and buckets in a flat data environment is well manageable with the following data management functions:

  • Replication: Safeguards your data by duplicating it across multiple locations, providing redundancy and ensuring high availability. You can replicate data within user-owned buckets of the same user as well as replication to contract-owned buckets in the eu-central-3 region.

  • Versioning: Tracks and manages multiple versions of an object, enabling easy rollback of objects and buckets to the previous states and preserving historical versions of objects and buckets.

  • Lifecycle: Archives or deletes objects based on predefined criteria, optimizing costs and managing data efficiently.

  • Object Lock: Secures your data by implementing retention policies or legal holds, ensuring that data objects remain immutable for a specified duration or indefinitely. This way, the data meets the Write Once Read Many (WORM) data storage technology and prevents the data from being erased or modified.

• Access Management: The following functions allow users to set access permissions to other Object Storage users, defining who can access their objects and buckets.

  • Access Control List (ACL): A granular permissions for objects and buckets, controlling who can access and modify your data.

  • Bucket Policy: You can set overarching access policies for a bucket that provides additional security and control over how data is accessed and used.

  • Logging: Monitors and records access requests to your objects and buckets, providing a clear audit trail and helping identify suspicious activities. This feature is currently not supported for contract-owned buckets.

  • Cross-Origin Resource Sharing (CORS): Defines rules for client web applications from different domains to access the data resources stored in your buckets.

• Public Access: The data in the IONOS Object Storage are well managed by allowing or blocking access permissions to be public access wherever needed with the following functions:

  • Block Public Access: Ensures data privacy by blocking all public access at the bucket or account level. Currently, this feature is available only via the IONOS Object Storage API.

  • Static Website Hosting: Using Object Storage, you can host static websites directly, eliminating the need for additional web servers, thus simplifying deployment. You can enable the objects in these buckets with public read access, allowing users to view all the content on these static websites.

• Security: Data object protection is achieved through the following:

  • Encryption in Transit: Secures data as it travels to and from the Object Storage using robust TLS 1.2/1.3 encryption protocol.

  • Server-Side Encryption: Protects stored data by encrypting it on the server side with IONOS Object Storage managed keys (SSE-S3) and customer-managed keys (SSE-C) using AES256 encryption algorithm. The storage objects are decrypted automatically when downloaded.

  • Features: IONOS Object Storage secures your data in the storage pool through Versioning, Block Public Access, Object Lock, and Replication features.

  • Security Certification: The solution adheres to the ISO 27001 certificate based on IT-Grundschutz and complies with the European Union's (EU's) General Data Protection Regulation (GDPR).

Benefits

• Large Data Volume: Data in the Object Storage are stored as objects, which include metadata and a unique identifier, making object retrieval easier for large volumes of unstructured data.

• Cost-Effective Billing: A straightforward pay-as-you-go Pricing Model, eliminating upfront costs. You are charged solely based on storage utilization and outbound data transfer per gigabyte. Additionally, we do not impose charges for requests.

• Highly Scalable: With Object Storage, you can start with small data storage and expand data storage as your application needs at any time, offering the utmost flexibility with data storage.

• Georedundant Hosting: Using Replication, you can replicate objects and buckets in the Object Storage to multiple data centers in different geographical locations, guaranteeing high availability and data durability even during primary site failures or outages. For Replication support based on the bucket types, see Feature Comparison.

• Compliance Standards: IONOS Object Storage infrastructure and processes comply with IT-Grundschutz, GDPR, and ISO-27001 standards, offering peak data protection and robust privacy policies.

• Write Once Read Many (WORM): The Object Lock on the data stored in the Object Storage is protected and prevents the data from being erased or modified.

• Data Protection: With access control lists and Object Lock features, multiple layers of data protection can be enforced on data objects and define permissions for who can access the data in the Object Storage. With advanced data encryption algorithms, secure data storage is achieved.

• Lifecycle Management: With Object Storage Lifecycle rules, you can enforce the data deletion process for historical data and save the storage cost.

Based on IONOS Object Storage features and benefits, the following use cases are derived that meet your business demands:

• Data Backup and Restore: IONOS Object Storage backs up critical databases and data with ease. With replication and resilience features along with versioning of buckets, the data security and access are enhanced.

• Website Asset Storage: You can store specific website assets like images or downloadable files on Object Storage even if you do not host the whole site, helping in cost-saving and server space optimization.

• Static Website Hosting: Utilize Object Storage for hosting static websites that load quickly as Object Storage does not require server-side processing.

• Multimedia Asset Hosting: Storing static multimedia files like images, videos, audio, and documents, which seldom change, is easier in IONOS Object Storage and does not need block storage volumes. With a dedicated URL to each object, you can easily embed or host these assets on a Static Website without needing a server.

• Private File Storage: Safely store private data with default settings, making objects inaccessible through regular HTTP. You get the flexibility to modify object access permissions whenever needed.

• Storing Unstructured Data: A flat data structure is ideal for storing and managing large datasets outside of traditional databases. You can customize the metadata of objects to classify and retrieve data such as images, videos, audio, documents, and Big Data more efficiently.

• Artifact Storage: Storing and sharing development artifacts such as log data via Object Storage URL is an ideal solution for developers. Using access keys, you can safely share artifacts with intended users only. Developers can also store software applications as objects in the Object Storage.

• Software Hosting and Distribution: Developers can upload software applications as objects in the buckets and easily provide access to their software via unique URLs, making it a go-to solution for hosting and distributing software.

• Periodic Data Retention: For periodic logs that need to be accessed only for a certain period and removed after a specific duration, Object Storage Lifecycle Rules make it possible to retain data and delete data objects on the specified data expiration date; thus it is ideal for periodic data storage.

IONOS Object Storage is a secure, scalable storage solution that offers high data availability and performance. The product adheres to the S3 API standards, enabling the storage of vast amounts of unstructured data and seamless integration into S3-compatible applications and infrastructures.

Unlike traditional hierarchical systems like block storage volumes or disk file systems, Object Storage utilizes a flat structure that is ideal for storing large chunks of unstructured, static data that you want to keep ‘as is’ for later access. Businesses of all sizes can use IONOS Object Storage to store files (objects) for varied Use Cases.

Service availability

The IONOS Object Storage service is available in the following locations:

For the list of available points of access, see Endpoints.

How does IONOS Object Storage work?

In IONOS Object Storage, the data that you want to store in the Object Storage is called Objects. The data types could be archives, backups, log files, documents, images, and media assets. Each object is allocated a unique URL for direct access. Further, you can group these objects within a folder to help organize and manage these objects within a bucket. For more information, see Objects and Folders.

To begin with Object Storage, you need to generate a key, which is a unique identifier that allows you access to buckets and objects. This key is a combination of Access Key and Secret Key, listed in the Key Management section. For more information, see Key Management.

To upload objects into the Object Storage, you need to create containers known as Buckets by choosing the region and a unique bucket name. The objects are stored in these buckets which are accompanied by rich metadata. For more information, see Buckets and Bucket Types.

Based on access permissions, buckets, and objects can be publicly accessible or kept private and shared with only intended users. Use the Access Control List (ACL) or Bucket Policy settings to manage access.

When you log on to the Object Storage using the , the DCD manages authentication and authorization so that you can access the object storage with just one click.

Enable Object Storage access

1. In the DCD, go to Menu > Management, and click Users & Groups.

2. or open an existing group from the Groups drop-down list.

3. In the Privileges, select the Use Object Storage checkbox to enable Object Storage permission.

4. In the Members tab, add users to the group that you wish to authorize for the use of the object storage.

Set Up Object Storage from the DCD

You need to create a bucket or an Object Storage access key to start using the IONOS Object Storage.

To set up Object Storage through the DCD, follow these steps:

1. In the DCD, go to Menu > Storage > IONOS Object Storage.

The Buckets and Key Management section are shown on the IONOS Object Storage Home page.

2. Click Create a bucket. Creating a new bucket also creates an access key if it does not exist already. For more information, see .

3. In the Key management, click Generate a key to create a new access key.

Accessing other users' Object Storage

Contract owners and administrators may use this functionality to access buckets and objects stored in the IONOS Object Storage accounts of users who are no longer active members of their contracts.

To access other user's Object Storage, follow these steps:

1. In the DCD, go to Menu > Management, and click Users & Groups.

2. Select the required user from the Users drop-down list.

3.In the Object Storage Keys, click Manage.

IONOS Object Storage is a service offered by IONOS for storing and accessing unstructured data. The Object Storage is fully S3-compliant, which means that it can be used to manage buckets and objects using existing S3 clients.

Product Overview

User Guide

Developer Tools

Frequently Asked Questions (FAQs)

To get answers to the most commonly encountered questions about IONOS Object Storage, see .

When creating a bucket, you must carefully consider the following settings:

• The .

• Supported regions.

• To enable or not for the bucket.

The Object Storage bucket can be created through one of the following methods:

DCD

The easiest way to create a bucket is by using the DCD. You must create a bucket before you can start uploading objects to the Object Storage.

You can create either a contract-owned bucket or a user-owned bucket but the shift towards a contract-owned bucket model will be the primary focus for future Object Storage updates.

IONOS Object Storage API

CLI tool

IONOS Object Storage provides a range of access options, including DCD, desktop applications, CLI tools, and an option to develop your application using API and SDKs.

DCD

In the DCD, go to Menu > Storage > IONOS Object Storage to access IONOS Object Storage via the DCD. Here you can manage buckets, and objects, set access controls, and much more. To set up Object Storage, see Enable Object Storage access.

S3 Tools

The Object Storage is fully compatible with S3, using which users can establish seamless integration of Object Storage with existing S3-compatible tools. A few of the popular GUI tools are Postman, Cyberduck, and S3 Browser; and CLI tools are AWS CLI, S3cmd, and rclone. For more information, see S3 Tools.

API and SDKs

Being S3 compatible means you can use standard S3 API calls and SDKs with our storage solution. For more information, see IONOS Object Storage API Reference.

When you upload a file to IONOS Object Storage, it is stored as an Object and can be stored in buckets and folders in the Object Storage.

You can upload objects to buckets through one of the following methods:

• DCD

• API

• CLI

DCD

1. In the DCD, go to Menu > Storage > IONOS Object Storage.

2. From the drop-down list in the Buckets tab, choose either Show user-owned buckets or Show contract-owned buckets depending on the bucket type you want to view.

3. From the Buckets list, choose the bucket to which objects must be uploaded.

4. Click Upload objects which opens an overlay screen.

5. Click Browse files or drag and drop the files to be uploaded. You can choose to upload multiple files.

5. Review the selected files to be uploaded. Use the Remove and Remove all options to remove any files from being uploaded.

6. Click Start upload to confirm the files to be uploaded.

Limitations

A few of the limitations to consider while using object upload through the DCD are:

• Multi-part upload is not supported.

• The Server-side Encryption with Customer Provided Keys (SSE-C) is not supported.

• A maximum of 4,65 GiB upload size for a single object applies.

Other applications or the SDKs and APIs are not subject to these limitations.

API

Using the Object Storage API, you can perform object upload and manage objects in a bucket.

CLI

To upload an object from the current directory to a bucket:

aws s3 cp filename.txt s3://my-bucket --endpoint-url https://s3-eu-central-2.ionoscloud.com

To copy the contents of the local directory my-dir to the bucket my-bucket:

aws s3 cp my-dir s3://my-bucket/ --recursive --endpoint-url https://s3-eu-central-2.ionoscloud.com

To copy all objects from my-source-bucket to my-dest-bucket, excluding .zip files:

aws s3 cp s3://my-source-bucket/ s3://my-dest-bucket/ --recursive --exclude "*.zip" --endpoint-url https://s3.eu-central-2.ionoscloud.com

To sync the bucket my-bucket with the contents of the local directory my-dir:

aws s3 sync my-dir s3://my-bucket --endpoint-url https://s3.eu-central-2.ionoscloud.com

Multi-part upload

You can upload and copy objects using the multi-part upload feature that allows you to break down a single object into smaller parts and upload these object parts in parallel, maximizing the upload speed. While the DCD does not support multi-part upload due to the upload size limit of 4,65 GiB per object, the Object Storage API and many S3 Tools offer this functionality, allowing users to take advantage of efficiency through parallel uploads.

1. In the DCD, go to Menu > Storage > IONOS Object Storage.

2. From the drop-down list in the Buckets tab, choose either Show user-owned buckets or Show contract-owned buckets depending on the bucket type you want to view.

3. From the Buckets list, choose the bucket in which the folder must be created.

4. Click Create a folder which opens an overlay screen.

5. Enter a name in the Prefix field. The prefix must contain only alphanumeric characters, dashes and hyphens.

6. Click Create to continue with folder creation.

Next steps:

• Create subfolders within a folder by following the steps in Create a folder.

• Upload objects to a folder and subfolders.

• Search for folders and objects within folders using the Search by Prefix option within a bucket.

An object in the Object Storage can be viewed and downloaded to your local computer. On downloading, the SSE-S3 encryption applied to that object is automatically decrypted before the download process begins. In the case of SSE-C, you need to provide the encryption keys for download. This feature is unavailable in the DCD. You can use the CLI tools, SDK, or API methods to download the objects protected with SSE-C encryption.

You can download objects through one of the following methods:

• DCD

• IONOS Object Storage API

• CLI

For large objects, you may not need to download the entire file. You can perform a partial download of objects using the Object Storage API. The API allows you to specify a byte range in your request, enabling you to download only a portion of the object data.

DCD

Using the DCD, you can download one object at a time. For downloading multiple objects, consider using CLI tools, SDKs, or REST API.

1. In the DCD, go to Menu > Storage > IONOS Object Storage.

2. From the drop-down list in the Buckets tab, choose either Show user-owned buckets or Show contract-owned buckets depending on the bucket type you want to view.

3. From the Buckets list, choose the bucket from which you want to download the object. The list of objects in the bucket is listed.

4. Choose the object to download and click on the respective object's action menu (three dots). The Download option is also available from the respective object's properties page.

5. Click Download. If an object has been shared through a public URL, click the URL to download the object.

IONOS Object Storage API

Using the Object Storage API, you can download objects from a bucket.

CLI

To download my-object.txt to a specified file locally:

aws s3 cp s3://my-bucket/my-object.txt my-object.txt  --endpoint-url https://s3.eu-central-2.ionoscloud.com

To download a specified version of the my-object.txt to a specified file locally:

aws s3api get-object --bucket my-bucket --key some-prefix/my-object.txt my-object.txt --version-id fe11a12a-870b-050f-bc9d-3cecefb1f7c4 --endpoint-url https://s3.eu-central-2.ionoscloud.com

To download all the objects from the my-bucket bucket to the local directory my-dir:

aws s3 cp s3://my-bucket my-dir --recursive --endpoint-url https://s3.eu-central-2.ionoscloud.com

To recursively copy all objects with the /my-dir/ prefix from my-bucket-1 to my-bucket-2:

aws s3 cp s3://my-bucket-1/my-dir/ s3://my-bucket-2/my-dir/ --recursive --exclude "*.log" --endpoint-url https://s3.eu-central-2.ionoscloud.com

To get the object’s metadata without downloading an object:

aws s3api head-object --bucket my-bucket --key myobject.txt --endpoint-url https://s3.eu-central-2.ionoscloud.com

For more information, see the cp, get-object, and head-object command references.

An Object Storage key must be generated manually through the DCD or Object Storage Management API. Only upon generating the first key, the Canonical User ID is displayed in the Object Storage Credentials and Users & Groups > Users > Object Storage Keys > IDs section.

Generate a key for your account

To create an access key, follow these steps:

1. In the DCD, go to Menu > Storage > IONOS Object Storage.

2. In the Key management tab, go to the Access keys section and click the Generate key.

3. Confirm key generation by clicking Generate. The keys generated since April 2024 will have access to both contract-owned buckets and user-owned buckets. It works with all Endpoints.

To deactivate or delete keys, see Manage Keys.

Generate a key for other users

1. In the DCD, go to Menu > Management > Users & Groups.

2. Select the user from the Users list and click the Object Storage Keys tab.

3. Click + Generate Key and confirm key generation by clicking OK.

Next steps:

• To deactivate or delete keys, see Manage Keys.

The pricing model for IONOS Object Storage is as follows:

• 1 Gigabyte (GB) ​is equal to 1024 Megabytes (MB).

• Storage space is charged per GB per hour.

• Data transfer is charged in GB. Inbound data transfer is free, but it will be counted as outbound data transfer for your Virtual Machine (VM) if you upload data from it. Outbound data transfer can be paid or free, depending on the conditions outlined in Outbound data transfer from IONOS Object Storage.

• Using the IONOS Object Storage API is free of charge.

Prices are listed in the respective price lists:

• IONOS SE – International, including Austria, France, Germany and Italy (English and German versions).

• IONOS Ltd. – United Kingdom.

• IONOS Inc. – United States and Canada.

Outbound data transfer from IONOS Object Storage

Inbound data transfer to IONOS Object Storage

No charges are imposed on inbound data transfer to IONOS Object Storage. It is essential to know that when uploading data to IONOS Object Storage, the same data transfer may be billed as an outbound data transfer for your VM.

While calculating network costs for data transfer from a VM to IONOS Object Storage, the following distinctions are made in the billing based on the traffic type:

Objects

IONOS Object Storage organizes data as objects. The data could range from documents, pictures, videos, backups, and other types of content. You can store these objects within the buckets and each object can be a maximum of 5 TB in size. An object consists of a key that represents the name given to the object. This key acts like a unique identifier, which you can use to retrieve the object.

Properties and metadata

Every object uploaded to a bucket includes Object properties and Object metadata.

The properties refer to object details and the metadata are key-value pairs that store additional information about the object. The maximum size of metadata is 2 KB (keys+values). For instance, an object of type 'image' can include metadata such as its photographer, capture date, or camera used. Properly defined metadata aids in filtering and pinpointing objects using specific criteria.

In the Object Settings, you can retrieve the object's properties and metadata alongside the object.

From the Object Properties page, you can also perform the following actions:

• Download an object.

• Copy the object URL to the clipboard.

• Generate a Pre-Signed URL.

• Delete an object.

Object Functions

Folders

Folders, also known as Prefixes are containers that help to organize the objects within a bucket. You can create folders within a bucket and upload objects to folders. Object Storage offers a flat data structure instead of a hierarchy such as a file system. Hence, to support the organization of data in a well-structured way, the creation of Folders is allowed within a bucket. You can also create subfolders within a folder and upload objects to subfolders.

Emulating folders with prefixes

Unlike traditional file systems with nested folders, IONOS Object Storage maintains a flat environment without a hierarchy of folders or directories; hence you can emulate folders using key naming conventions with slashes (/).

You can use prefix names that contain alphanumeric characters, slashes, and hyphens only.

Example: Instead of saving a report as Annual_Report_2023.pdf, using a key such as reports/2023/Annual_Report.pdf gives the semblance of a folder structure. These virtual folders through prefixes aid in logically grouping related objects.

Following are a few examples of using prefixes for objects to emulate folder structure:

• user_profiles/john_doe/avatar.jpg

• data/backups/June/backup.zip

In IONOS Object Storage, a bucket is the primary container for data. Think of it like a directory in a file system where you can store files known as objects. Each object is stored in a bucket and is identified by a unique key, allowing easy retrieval. You can store any number of objects in a bucket and can create up to 500 buckets in a user account.

Bucket region

A region corresponds to a geographical location where the data inside the buckets will be stored. Different regions have different , which are URLs to access the Object Storage.

IONOS Object Storage is currently available in four regions:

• Berlin, Germany in eu-central-2 and eu-central-3

• Frankfurt, Germany in de

• Logroño, Spain in eu-south-2

Choosing the right bucket region is crucial for optimizing your Cloud storage. Consider the following:

• Proximity: Select a region that is close to your application or user base to reduce latency and costs.

• Redundancy: For backups, consider a region geographically separate from your primary location to ensure data safety during local outages or disasters.

For information on supported regions based on the , see .

Naming conventions

When naming buckets and folders, the name must adhere to the following rules:

• Be unique throughout the entire .

• Consists of 3 to 63 characters.

• Starts with a letter or a number.

• Consists of lowercase letters (a-z) and numbers (0-9).

• The use of hyphens (-), periods (.), and underscores (_) is conditional.

Following are a few examples of correct bucket naming:

• data-storage-2023

• userphotos123

• backup-archive

• 1234

Following are a few examples of incorrect bucket naming:

IONOS Object Storage authenticates users by using a pair of keys — Access Key and Secret Key.

An Object Storage key must be generated manually using or . Only upon generating the first key, the Canonical User ID is displayed in the and Users & Groups > Users > Object Storage Keys > IDs section.

You will need the keys to work with Object Storage through supported applications or develop your own using . Using the Key management, you can view and share your and manage .

Object Storage Credentials

There are two forms of user identification: Contract User ID and Canonical User ID. Depending on the to get access to, use the appropriate user ID as follows:

• Share your Contract User ID with other users to get access to the contract-owned buckets and objects.

• Share your Canonical User ID with other users to get access to the user-owned buckets and objects. This is the ID assigned to a user by the IONOS Object Storage.

For more information, see .

Access keys

In the Access keys list,

• Each key shows whether it is valid for all buckets (contract-owned buckets and user-owned buckets) or valid only for user-owned buckets.

• The ADMIN KEY refers to the key valid for all the buckets and provides the same access permissions as the contract owner or administrator.

Access Key and Secret Key Length: To prepare new functionalities of IONOS Object Storage, effective April 25, 2024, the key character length is modified as follows:

• Access Key: The key length is increased from 20 to 92 characters.

  • Previous format example: 23cbca2790edd9f62100

  • New format example: EAAAAAFaSZEvg5hC2IoZ0EuXHRB4UNMpLkvzWdKvecNpEUF-YgAAAAEB41A3AAAAAAHnUDl-h_Lwot1NVP6F_MARJv_o

• Secret Key: The key length is increased from 40 to 64 characters.

  • Previous format example: 0Q1YOGKz3z6Nwv8KkkWiButqx4sVmSJW4bTGwbzO

  • New format example: Opdxr7mG09tK4wX4s6J3nrl1Z4EJgYRui/rldkgiPmrI5bavWHuThswRqPwgbeLP

Generate object storage keys: A user can have multiple Object Storage keys, which can be given to other users or automated scripts. Users using such an additional Object Storage key to access the IONOS Object Storage automatically inherit the credentials and access rights of the user.

Delete: If a key is no longer needed or if it should no longer be possible to gain access to the IONOS Object Storage with this key, it can be deleted. This cannot be undone.

The following are a few limitations to consider while using IONOS Object Storage:

• Access keys: A user can have up to five access keys.

• Storage size: The minimum storage size available is 1 Byte of data and is extendable to a maximum storage of petabytes.

• Bucket naming conventions: Only buckets for static website hosting can use dots (.) in the bucket names. For more information, see bucket .

• Bucket count: A user can create up to 1000 contract-owned buckets and 500 user-owned buckets. For more information, see .

• Bucket Policy size: The maximum allowed Bucket Policy size for a contract-owned bucket is 1 MiB, and for a user-owned bucket is 20 KiB.

• Object size: The maximum allowed object size is 5 TiB.

• Object name length: The maximum allowed length of the folder path, including the file name, is 1024 characters.

• File upload size: A file upload size cannot exceed 5 GiB (5368709120 bytes) for contract-owned buckets and 4,65 GiB (5000000000 bytes) for user-owned buckets. If you have a single file exceeding this limit, you can bypass it using multi-part uploads. CLI tools such as and graphical tools such as automatically handle larger files by breaking them into parts during uploading.

• Bandwidth: Each connection is theoretically capped at approximately 10 G per region. However, remember that this is a shared environment. Based on our operational data, achieving peak loads up to 2x7 G is feasible by leveraging parallel connections. However, this is on a best-effort basis and without any guaranteed Service Level Agreement (SLA).

Learn about the key components of IONOS Object Storage, its functions, and capabilities to manage your Object Storage.

To manage your buckets, objects, and keys in your Object Storage, refer to the following How-Tos that guide you with step-by-step instructions to complete the tasks.

The S3 (Simple Storage Service) API has been the global standard for object storage for many years. It provides interoperability and compatibility of various object storage systems that adhere to this standard. IONOS Object Storage has one of the highest levels of S3 API support.

IONOS Object Storage lets users create the following two types of buckets:

1. Contract-owned buckets

2. User-owned buckets

Each of these bucket types offers a different feature set. For more information, see .

Starting May 30, 2024, all the newly launched have a contract owner as a bucket owner, and the administrator also holds the same set of permissions as a contract owner. You can continue creating user-owned buckets using specific endpoints, but the shift towards a contract-owned bucket model will be our primary focus for future features.

For more information, see documentation.

For each user, an Object Storage key must be generated manually using .

Activate or deactivate a key

1. In the DCD, go to Menu > Storage > IONOS Object Storage.

2. In the Key management tab, go to the Access keys section that lists all keys present in your account.

3. Select the key and toggle on or off the Active option to activate or deactivate the key respectively.

Activate or deactivate keys of other users

1. In the DCD, go to Menu > Management > Users & Groups.

2. Select the user from the Users list and click the Object Storage Keys tab.

3. Select the checkbox Active against the Key you want to set as active. Uncheck the checkbox if you want to deactivate the key.

Delete a key

1. In the DCD, go to Menu > Storage > IONOS Object Storage.

2. In the Key management tab, go to the Access keys section that lists all keys present in your account.

3. Select the key to be deleted and click Delete.

4. To confirm the deletion of the key, click Delete.

Delete key of other users

1. In the DCD, go to Menu > Management > Users & Groups.

2. Select the user from the Users list and click the Object Storage Keys tab.

3. Select the key to be deleted from the list of keys and click Delete.

4. To confirm the deletion of the key, click OK.

IONOS Cloud API

Search objects

Using the DCD, you can search for objects in buckets if the prefix or full name is known. For technical reasons, it is not possible to search for objects across buckets or folders.

To search for an object, follow these steps:

1. In the DCD, go to Menu > Storage > IONOS Object Storage.

2. From the drop-down list in the Buckets tab, choose either Show user-owned buckets or Show contract-owned buckets depending on the bucket type you want to view.

3. From the Buckets list, choose the bucket in which you want to search for objects.

4. In the Search by Prefix field, enter the prefix or file name to search for.

Version objects

If you have enabled versioning for your Object Storage bucket, you have the flexibility to download non-current versions of objects. Toggle the Show versions option to view objects that are versioned. Objects that were already uploaded to the object storage before versioning was activated are identified by ID null. If versioning is deactivated, existing object versions are retained.

Download objects

1. In the DCD, go to Menu > Storage > IONOS Object Storage.

2. From the drop-down list in the Buckets tab, choose either Show user-owned buckets or Show contract-owned buckets depending on the bucket type you want to view.

3. From the Buckets list, choose the bucket or folder from which you want to download an object.

4. (Optional) To view the object's versions, toggle on Show versions. This option is available only if Versioning is enabled for the bucket.

5. Choose the object or object's version to download and click on the respective object's action menu (three dots).

6. Click Download.

7. (Optional) Use the Copy URL option to copy the object's URL to the clipboard.

Delete objects

If you no longer want to keep the objects in the IONOS Object Storage, these objects can be deleted. Deleted objects are not physically removed from the Object Storage, but receive a 'delete marker' and then have a size of 0 KB. These markers are deleted at an interval specified by the user or by the system.

There are two ways to delete objects from the IONOS Object Storage using the DCD - manually and automatically.

Delete an object manually

1. In the DCD, go to Menu > Storage > IONOS Object Storage.

2. From the drop-down list in the Buckets tab, choose either Show user-owned buckets or Show contract-owned buckets depending on the bucket type you want to view.

3. From the Buckets list, choose the bucket from which you want to delete an object.

4. Choose the object to delete and click on the respective object's action menu (three dots). Alternatively, you can also select the object to delete and click Delete selected objects.

6. Click Delete.

6. Confirm the deletion of the object by choosing Delete.

Delete a folder

1. In the DCD, go to Menu > Storage > IONOS Object Storage.

2. From the drop-down list in the Buckets tab, choose either Show user-owned buckets or Show contract-owned buckets depending on the bucket type you want to view.

3. From the Buckets list, choose the bucket from which you want to delete a folder.

4. Choose the folder to delete and click on the respective folder's action menu (three dots). Alternatively, you can also select the folder to delete and click Delete selected objects.

5. Click Delete.

6. Confirm the deletion of the folder by choosing Delete. If the folder contains objects, you see an option to Empty and delete which deletes all the objects within the folder and then deletes the folder.

Delete multiple objects and folders

You can delete multiple objects and folders in a bucket at a time by following these steps:

1. In the DCD, go to Menu > Storage > IONOS Object Storage.

2. From the drop-down list in the Buckets tab, choose either Show user-owned buckets or Show contract-owned buckets depending on the bucket type you want to view.

3. From the Buckets list, choose the bucket from which you want to delete objects and folders.

4. Select the checkboxes next to the names of the objects and folders to be deleted.

5. (Optional) To delete all objects and folders, select the checkbox next to the names of the objects and folders.

6. Click Delete selected objects.

7. Confirm the deletion of selected objects and folders by choosing Delete. If the folder contains objects, you see an option to Empty and delete which deletes all the objects within the folder and then deletes the folder.

IONOS Object Storage allows users to create the following two types of buckets:

1. Contract-owned buckets

2. User-owned buckets

Each bucket type has a different feature set to cater to your business needs. For more information, see .

Contract-owned buckets

This bucket type is recommended for users within a single organization. Contract-owned buckets are the new bucket types supported in the Object Storage starting May 30, 2024.

Following are the key highlights of this bucket type:

• The contract owner is the bucket owner of all the contract buckets. The contract owner or an administrator can create and manage buckets by default and define permissions in the Bucket Policy settings for other users to manage the buckets.

• Every user in the contract can view the list of all buckets within their contract, even if they do not have permission to access the content.

• Only the contract owner or an administrator can grant users access to view the bucket objects or manage these buckets.

You can create contract-owned buckets only in the following region:

Limitations

• Currently, cross-regional bucket replication is not possible for contract-owned buckets since this bucket type is supported only in the eu-central-3 region. However, you can replicate user-owned buckets to contract-owned buckets in the eu-central-3 and this function is supported both via the DCD and the API.

• Logging bucket setting is not supported at the moment.

User-owned buckets

This bucket type is recommended if the users of the contract are separate entities and does not require viewing or accessing buckets of other users in the contract. The bucket type supported before the launch of contract-owned buckets is now termed user-owned buckets.

Every contract user independently owns their buckets and has the autonomy to create and manage them without seeking approval from the contract owner. A combined list of all user-owned buckets under the contract is not available, and the contract owner must individually check the bucket list of the users to view the buckets a user owns.

Users under the contract can only have visibility to their buckets, with no access to other user's bucket lists in the contract.

You can create user-owned buckets only in the following regions:

Feature comparison

The user-owned bucket and contract-owned bucket offer a wide range of operations with the following differences in their feature set:

IONOS Object Storage provides multiple features to manage access to your buckets and objects effectively. This allows you to define precisely who may access what.

By default, newly created user-owned buckets and objects are private, and only the bucket owner can access them. In the case of the newly created contract-owned buckets, the buckets and objects are private, and both the contract owner and administrators can access and manage them.

Share access

Use the following options to share access to a bucket and to all or specific objects in a bucket:

• : This policy is applied at the bucket level and it offers a robust framework for setting fine-grained access controls to your Object Storage buckets and objects. It is useful for restricting access based on certain conditions like IP addresses or time of access. With Bucket Policy, you can manage access to specific objects or prefixes within a bucket. However, the size of the policy is limited, which could be a consideration if you have extensive access control requirements. You can use Bucket Policy to make a bucket or object public, or to share access with specific authorized users by defining the necessary permissions within the policy.

• : Provides a simpler mechanism for controlling access and can be specified for every object if needed, making them more flexible on a per-object basis. You can use ACLs to make a bucket or object public or to share access with certain authorized users by setting the right permissions. ACLs do not offer the ability to restrict access based on conditions like IP address.

Grant access

There are two roles involved in granting access: Owner and Grantee. Their definitions depend on the .

Additional access management functions

Manage your Object Storage buckets, objects, and their access permissions effectively using the data management, access management, and public access settings.

An Access Control List (ACL) is a mechanism that defines who can access or modify specific resources, such as buckets and objects. ACLs allow resource owners to grant varying levels of permissions such as read, write, or full control to different users or groups.

Manage ACLs

You can use ACLs to make a bucket or object public or to share access with certain authorized users by setting the right permissions. IONOS Object Storage offers the following ACL management methods:

• Manage ACL for Buckets

• Manage ACL for Objects

The feature functions in the IONOS Object Storage Service Availability regions and supports both contract-owned buckets and user-owned buckets.

ACL alternatives

Use Bucket Policy instead of ACLs which offers the following additional capabilities:

• Manage access to prefixes like /folder/* or *.jpg.

• Use conditions to grant access, for example, IP address.

• Allow or deny certain actions like listing the object list.

We recommend using Share Objects with Pre-Signed URLs instead of ACL for granting temporary access to authorized users for a specified period, after which the URL expires.

Related feature

Block Public Access

If you have defined ACLs granting public access, activating the Block Public Access revokes these permissions, ensuring your data remains private. This feature is invaluable in scenarios where ensuring data privacy is paramount, or when you want to enforce a blanket no-public-access rule, irrespective of ACL settings. Currently, Block Public Access is available only via the IONOS Object Storage API.

Bucket Policy is a JSON-based access policy language that allows you to create fine-grained permissions for your Object Storage buckets. With Bucket Policy, you can specify which users or services can access specific objects and what actions users can perform.

Use cases

• Use this feature to grant access to a specific user or group to only a subset of the objects in your bucket.

• Restrict access to certain operations on your bucket, for example, list objects or remove object lock.

• Using Bucket Policy, you can grant access based on conditions, such as the IP address of the user.

• Create fine-grained access control rules to allow a user to put objects to a specific prefix in your bucket, but not to get objects from that prefix.

Bucket Policy alternatives

• Use Bucket ACL and Object ACL instead of Bucket Policy if you need to define different sets of permissions such as READ, WRITE, or FULL CONTROL to many objects.

• Use Share Objects with Pre-Signed URLs to grant temporary access to authorized users for a specified period, after which the URL and the access to the object expire.

Policy format

A JSON-formatted bucket policy contains one or more policy statements. Within a policy's statement blocks, IONOS Object Storage support for policy statement elements and their values is as follows:

• Id (optional): A unique identifier for the policy. Example: SamplePolicyID.

• Version (required): Specifies the policy language version. The current version is 2012-10-17.

• Statement (required): An array of individual statements, each specifying a permission.

• Sid (optional): Custom string identifying the statement. For example, Delegate certain actions to another user.

• Action (required): Specifies the action(s) that are allowed or denied by the statement. See the Action section in the Request for the supported values. Example: s3:GetObject for allowing read access to objects.

• Effect (required): Specifies the effect of the statement. Possible values: Allow, Deny.

• Resource (required): Must be one of the following:

  • arn:aws:s3:::<bucketName> – For bucket actions (such as s3:ListBucket) and bucket subresource actions (such as s3:GetBucketAcl).

  • arn:aws:s3:::<bucketName>/* or arn:aws:s3:::<bucketName>/<objectName> – For object actions (such as s3:PutObject).

• Condition (optional): Specifies conditions for when the statement is in effect. See the Condition section in the Request for the supported values. Example: {"aws:SourceIp": "123.123.123.0/24"} restricts access to the specified IP range. For the list of supported bucket and object actions and condition values, see Supported Action Values.

• Principal (required): Specifies the user, account, service, or other entity to which the statement applies. For information specific to the bucket types, see the following:

Request

{

 "Id": "Delegate certain actions to another user",
 "Version": "2012-10-17",
 "Statement": [
   {
     "Sid": "Delegate certain actions to another user",
     "Action": [
       "s3:ListBucket",
       "s3:PutObject",
       "s3:GetObject"
     ],
     "Effect": "Allow",
     "Resource": [
       "arn:aws:s3:::my-bucket",
       "arn:aws:s3:::my-bucket/*"
     ],
     "Condition": {
       "IpAddress": {
         "aws:SourceIp": [
           "123.123.123.123/32"
         ]
       }
     },
     "Principal": {
        "AWS": "arn:aws:iam:::user/31000000:9acd8251-2857-410e-b1fd-ca86462bdcec"
     }
   }
 ]
}

{
  "Id": "Delegate certain actions to another user",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Delegate certain actions to another user",
      "Action": [
        "s3:ListBucket",
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "123.123.123.123/32"
          ]
        }
      },
      "Principal": {
        "CanonicalUser": "783fa49356820b211a4283526fe24343"
      }
    }
  ]
}

For more information, see Bucket Policy Examples and supported bucket and object actions and condition values.

DCD

Apply a Bucket Policy

You can apply Bucket Policy using the DCD by following these steps:

1. In the DCD, go to Menu > Storage > IONOS Object Storage.

2. From the drop-down list in the Buckets tab, choose either Show user-owned buckets or Show contract-owned buckets depending on the bucket type you want to view.

3. From the Buckets list, choose the required bucket and click the Bucket settings.

4. Go to the Bucket Policy setting under the Access management section and click Edit.

5. Copy and paste the provided JSON policy by replacing BUCKET_NAME and USER_ID with the actual values. Depending on the Bucket Types, replace the USER_ID as follows:

• Use Contract user ID for contract-owned buckets.

• Use Canonical user ID for user-owned buckets.

6. Click Save.

{

 "Id": "Share access to the bucket",
 "Version": "2012-10-17",
 "Statement": [
   {
     "Sid": "Share access to the bucket",
     "Action": [
       "s3:*"
     ],
     "Effect": "Allow",
     "Resource": [
       "arn:aws:s3:::BUCKET_NAME",
       "arn:aws:s3:::BUCKET_NAME/*"
     ],
     "Principal": {
       "AWS": "arn:aws:iam:::user/31000000:9acd8251-2857-410e-b1fd-ca86462bdcec"
     }
   }
 ]

}

{
  "Id": "Share access to the bucket",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Share access to the bucket",
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME",
        "arn:aws:s3:::BUCKET_NAME/*"
      ],
      "Principal": {
        "CanonicalUser": "CANONICAL_USER_ID"
      }
    }
  ]
}

Delete a Bucket Policy

You can delete a Bucket Policy at any time using the Bucket Policy section in the Bucket settings and click Delete.

IONOS Object Storage API

Use the API to manage the Bucket Policy configuration.

CLI

Use the CLI to manage Bucket Policy.

Related feature

Block Public Access

If you have defined a bucket policy to grant public access, activating the Block Public Access feature will revoke these permissions, ensuring your data remains private. This feature is invaluable in scenarios where ensuring data privacy is paramount, or when you want to enforce a blanket no-public-access rule, irrespective of Bucket Policy settings. Currently, Block Public Access is available only via the IONOS Object Storage API.

Following are a few examples of common use cases and their corresponding bucket policy configurations.

Grant full control of the bucket to other users

To grant full control over a contract-owned bucket or a user-owned bucket and its objects to other IONOS Object Storage users:

{
 "Version": "2012-10-17",
 "Statement": [
   {
     "Sid": "Grant Full Control",
     "Effect": "Allow",
     "Principal": {
                "AWS": [
                    "arn:aws:iam:::user/CONTRACT_USER_ID1",
                    "arn:aws:iam:::user/CONTRACT_USER_ID2"
                ]
            },
     "Action": "s3:*",
     "Resource": [
       "arn:aws:s3:::my-bucket",
       "arn:aws:s3:::my-bucket/*"
     ]
   }
 ]
}

{
 "Version": "2012-10-17",
 "Statement": [
   {
     "Sid": "Grant Full Control",
     "Effect": "Allow",
     "Principal": {
       "CanonicalUser": ["CANONICAL_USER_ID_1", "CANONICAL_USER_ID_2"]
     },
     "Action": "s3:*",
     "Resource": [
       "arn:aws:s3:::my-bucket",
       "arn:aws:s3:::my-bucket/*"
     ]
   }
 ]
}

Grant read-only access to a specific prefix

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GrantReadOnlyAccessToPrefix",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam:::user/CONTRACT_USER_ID1",
                    "arn:aws:iam:::user/CONTRACT_USER_ID2"
                ]
            },
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket/prefix/*",
                "arn:aws:s3:::my-bucket"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "prefix/*"
                    ]
                }
            }
        }
    ]
}

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GrantReadOnlyAccessToPrefix",
      "Effect": "Allow",
      "Principal": {
         "CanonicalUser": ["CANONICAL_USER_ID_1", "CANONICAL_USER_ID_2"]
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket/prefix/*",
        "arn:aws:s3:::my-bucket"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "prefix/*"
          ]
        }
      }
    }
  ]
}

Public read access

To allow read access to certain objects within a contract-owned bucket or a user-owned bucket while keeping other objects private:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/public/*"
    }
  ]
}

Restrict access to specific IP addresses

To restrict all users from performing any S3 operations within the designated bucket type, unless the request is initiated from the specified range of IP addresses:

{
    "Id": "SourceIp",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SourceIp",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
            ],
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "123.123.123.0/24"
                    ]
                }
            }
        }
    ]
}

For more information on bucket policy configurations, see Bucket Policy, supported bucket and object actions and condition values, and Retrieve user ID.

Using an Object Storage endpoint with a Managed Network Load Balancer (NLB) creates a secure connection to use IONOS Object Storage within your work environment.

To access Object Storage from a private LAN using NLB, follow these steps:

1. In the DCD, select the NLB element to open its properties in the Inspector pane on the right.

2. In the Settings, provide the information such as Name, Primary IPv4, and Add IP settings. Adding one or more additional Listener IPs is optional. For more information, see Settings.

3. In the Private IPs, add the private IP. To do so, follow the steps in Add and delete IPs.

4. In the Forwarding rules, add a forwarding rule as follows:

• Select the Private IP as the Listener IP of the forwarding rule.

• Choose any algorithm.

• The protocol can be used as TCP, which is the default value.

For more information, see Create a rule.

5. Add target by using these values:

• Target IP: Select a corresponding Target IP value that is the public IP address of the desired endpoint.

Following is the example of IP address values obtained for the endpoints:

• Target Port: Use the value 443. This is the specific port on which a service or application is running on a server.

• Weight: Enter a target weight from 1 to 256.

• Proxy Protocol: Choose none for disabling the proxy protocol.

For more information, see the steps in Create a target.

6. Click PROVISION CHANGES to save the configurations and apply them.

7. Configure /etc/hosts on the backend server. For example, run the following command to open the file with sudo privileges:sudo nano /etc/hosts.

• Edit the file /etc/hosts by adding a new line with a private listener IP address followed by the endpoint. This will map a specific domain to the private IP address of your NLB.

Example:

10.10.0.1 s3.eu-central-3.ionoscloud.com

By default, objects in the IONOS Object Storage are private and only the bucket owner has permission to access them. Only the bucket owner can generate a pre-signed URL for objects and grant time-bound permission to other users to access these objects. It is a secure and user-friendly way to share private objects stored in your Object Storage with other users.

This way, the objects are made publically available for users with the object's pre-signed URL; however, you could limit the period of access to the object.

Use cases

• Pre-signed URLs are ideal for providing temporary access to a specific object without needing to change the object's permissions or share your credentials with other users.

• Allows other users to upload objects directly to your Object Storage bucket without needing to provide them with access and secret keys.

You can generate a pre-signed URL to share objects through one of the following methods:

• DCD

• CLI

• API and SDKs

DCD

1. In the DCD, go to Menu > Storage > IONOS Object Storage.

2. From the drop-down list in the Buckets tab, choose either to Show user-owned buckets or Show contract-owned buckets depending on the bucket type you want to view.

3. From the Buckets list, choose the bucket from which you want to share the objects. The list of objects in the bucket is listed.

4. Select the object to share and click Generate Pre-Signed URL.

5. Enter the expiration time for the URL and choose whether the specified time refers to seconds, minutes, hours, or days.

6. Click Generate.

7. Copy the generated pre-signed URL and share it with users who require access to this object.

CLI

Generate a pre-signed URL for my-object.txt in the my-bucket bucket which will expire in 3600 seconds:

aws s3 presign s3://MY-BUCKET/my-object.txt --expires-in 3600 --endpoint-url https://s3-eu-central-2.ionoscloud.com

API and SDKs

The creation of pre-signed URLs does not involve a dedicated API by design. These URLs are generated locally via a signing algorithm using your credentials without relying on the S3 API. To create these URLs, use the appropriate SDK for your programming language.

IONOS Object Storage is S3-compatible, allowing seamless integration with any SDK supporting the S3 protocol for tasks like generating pre-signed URLs. For generating pre-signed URLs using SDKs, see the following AWS methods: Python, Go, Java 2.x., JavaScript 2.x., JavaScript v3, and PHP Version 3.

Replication allows you to create and manage replicas of your data across Endpoints.

Use cases

• Disaster Recovery: In the event of a regional outage, your data remains accessible from another region.

• Compliance Requirements: Meet legal and compliance mandates by storing copies of data in different geographical locations.

• Latency Reduction: Serve data from the nearest region to your users, minimizing latency and improving performance.

• Data Aggregation: Aggregate logs or other data from multiple buckets to a central bucket, where they can be analyzed.

How Replication works

• Only objects directly uploaded into a bucket by a client application are replicated.

• Replication traffic, including cross-region replication, is not counted towards data usage; thus, Object Storage offers free data transfer.

• Objects are not replicated if they are themselves replicas from another source bucket.

• In the case of an object deletion request specifying the object version, the object version is deleted from the source bucket but not from the destination bucket.

• If an object deletion request does not specify the object version, the deletion marker added to the source bucket is replicated to the destination bucket.

Bi-directional Replication

With bi-directional replication, you can configure two buckets to replicate each other. For example, objects directly uploaded into bucket1 can be copied to bucket2, and objects directly uploaded into bucket2 are replicated to bucket1. It is possible to replicate objects uploaded from one bucket into another bucket. Still, objects will not be copied back into the source bucket, thus avoiding an endless replication loop.

Manage Replication

You can manage Replication using the DCD, API, and CLI.

DCD

1. In the DCD, go to Menu > Storage > IONOS Object Storage.

2. From the Buckets list, choose the bucket for which the Replication rule must be added and click Bucket settings.

3. Go to the Replication setting under the Data management section and click Add a rule.

4. Enter a Rule name.

5. Choose the Replication scope. You can either apply the replication rule to all objects in the bucket or limit to objects filtered by prefix.

6. Browse Object Storage to choose the Destination bucket.

7. Click Add a rule.

IONOS Object Storage API

Use the API to manage the replication of objects.

CLI tool

Use the CLI to manage Replication.

Limitations

• Replication configuration is possible only if Versioning is enabled for both source and destination buckets participating in Replication.

• Each Replication rule serves to identify a specific prefix for replication, and it must be unique.

• Version 2 of the AWS S3 specification for Replication configuration XML is not supported. Only the version 1 is currently supported.

• The following options are not supported: DeleteMarkerReplication, EncryptionConfiguration, ReplicationTime, ExistingObjectReplication, Filter (use Prefix instead), Priority, SourceSelectionCriteria, AccessControlTranslation, Account, and Metrics.

• Replication is not possible in the following cases:

  • A source bucket that has Object Lock enabled. However, an Object Lock enabled bucket can be a destination bucket for Replication.

  • A source bucket that has Lifecycle for auto-tiering enabled.

  • Objects uploaded before enabling Replication.

  • Objects encrypted by the SSE-C method.

  • Objects that are themselves replicas from other source buckets. For example, if you configure bucket1 to replicate to bucket2, and you configure bucket2 to copy to bucket3, then an object that you upload to bucket1 will get replicated to bucket2 but will not get reproduced from there on to bucket3. Only objects you directly upload into bucket2 will be copied to bucket3.

Related feature

Versioning

Versioning allows you to keep multiple versions of the same object and it must be set up for both the source and the target bucket before enabling the replication.

Versioning allows you to keep multiple versions of the same object. Upon enabling Versioning for your bucket, each version of an object is considered a separate entity contributing to your storage space usage. Every version represents the full object, not just the differences from its predecessor. This aspect will be evident in your usage reports and will influence your usage-based billing.

Use cases

• Data Recovery: Versioning can be used as a backup solution for your data. If you accidentally overwrite or delete an object, you can restore it to a previous version.

• Tracking Changes: Versioning can be used to track changes to your data over time. This can be useful for debugging purposes or auditing changes to your data.

Version states

Buckets can exist in one of three states:

• Unversioned: Represents the default state. No versioning is applied to objects in a bucket.

• Versioning - enabled: In this state, each object version is preserved.

• Versioning - disabled: No new versions are created, but existing versions are retained.

Objects residing in your bucket before the activation of versioning possess a version ID of null. Once versioning is enabled, it cannot be disabled but can be suspended. During suspension:

• New object versions are not created.

• Existing object versions are retained.

You can resume Versioning anytime, with new versions being created henceforth.

Version IDs

Upon enabling Versioning for a bucket, every object version is assigned a unique, immutable Version ID, serving as a reliable reference for different object versions. New object versions are generated exclusively through PUT operations, with actions such as COP entailing a PUT operation, thus spawning a new version.

Notably, a new Version ID is allocated for each version, even if the object content remains unaltered. Objects residing in the bucket before the activation of versioning bear a Version ID of null.

When an object is deleted, all its versions persist in the bucket, while Object Storage introduces a delete marker, which is also assigned its Version ID.

Manage Versioning

You can manage Versioning using the DCD, API, and CLI.

DCD

Enable or disable Versioning

1. In the DCD, go to Menu > Storage > IONOS Object Storage.

2. From the drop-down list in the Buckets tab, choose either Show user-owned buckets or Show contract-owned buckets depending on the bucket type you want to view.

3. From the Buckets list, choose the bucket to which you want to manage Versioning.

4. Click Bucket settings and go to the Versioning setting under the Data management section.

5. In the Versioning, click Enable to have object versions. On choosing the Disable option, it suspends object versioning but preserves existing object versions.

Manage object versions

1. In the DCD, go to Menu > Storage > IONOS Object Storage.

2. From the drop-down list in the Buckets tab, choose either to Show user-owned buckets or Show contract-owned buckets depending on the bucket type you want to view.

3. From the Buckets list, choose the bucket in which the desired object exists.

4. Click the object name within the bucket listing.

5. Navigate to the object's Versions tab by clicking the object name or clicking the three dots against the object name.

6. Copy Version IDs or download non-current versions of the object. You can also select and delete non-current object versions.

IONOS Object Storage API

Use the API to configure and manage Versioning for a bucket.

CLI

Use the CLI to manage Versioning.

Limitations

• For a bucket with Object Lock enabled, Versioning is automatically enabled and cannot be suspended.

• For Bucket Replication to function correctly, Versioning must be enabled.

Related feature

Lifecycle Management

IONOS Object Storage allows the setup of lifecycle rules for managing both current and non-current versions of objects in versioning-enabled buckets. For instance, you can automate the deletion of non-current object versions after a specified number of days after they transition to a non-current status. For more information, see Lifecycle.

Object Lock is a feature that enables you to apply WORM protection to objects, preventing them from being deleted or modified for a specified duration. It provides robust, programmable safeguards for storing critical data that must remain immutable. Enabling Object Lock automatically enables bucket Versioning.

Use cases

• Data Preservation: Protects critical data from accidental or malicious alteration and deletion, ensuring integrity and consistency.

• Regulatory Compliance: Aligns with European regulations such as GDPR, Markets in Financial Instruments Directive (MiFID) II, and the Electronic ID and Trust Services (eIDAS) regulation, maintaining records in an unalterable state.

• Legal Holds and Audits: Facilitates legal holds and audits that offer immutable data preservation, providing a transparent data record. It also offers an auditable trail of when and why the data is placed on hold, which is essential for legal and regulatory audits.

Modes

Object lock can be applied in two different modes:

• Governance: Allows specific users with special permissions to override the lock settings. Ideal for flexible control.

• Compliance: Enforces a strict lock without any possibility of an override. Suited for regulatory and legal mandates.

These two lock modes require configuring the duration for which the object will remain locked. The period can range from days to years, depending on the object's compliance needs.

The Retention period refers to the duration for which the objects stored in a particular Object Storage bucket are protected from deletion or modification. You can set the retention period to a maximum of 365 days via the DCD. To set a longer retention period, use the API.

The retention configuration can be modified or removed for the objects under Governance mode by including a specific header variable in the API request. However, for objects in Compliance mode, reducing the retention period or removing the retention configuration is not possible.

However, the delete markers on the objects are not subject to protection from deletion, irrespective of any retention period or legal hold on the underlying object. Deleting the delete markers restores the previous version of the objects.

Legal Hold

An additional setting called Legal Hold can place a hold on an object, enforceable without specifying a retention period. It could be applied both to objects with or without Object Lock. The Legal Hold will continue to be applied till manual removal even if the object’s retention period for Governance or compliance mode is over.

Manage Object Lock

When a bucket is created with Object Lock enabled, you can set up Object Lock configurations. These configurations determine the default mode and retention period for newly uploaded objects. Alternatively, Object Lock settings can be explicitly defined for each object during its creation, overriding the bucket's default settings.

DCD

1. In the DCD, go to Menu > Storage > IONOS Object Storage.

2. Depending on the Bucket Types you want to create, follow the steps in Create a bucket and enable Object Lock.

3. From the drop-down list in the Buckets tab, choose either Show user-owned buckets or Show contract-owned buckets depending on the bucket type you created.

4. From the Buckets list, choose the bucket for which the Object Lock is enabled.

5. Click Bucket settings and go to the Object Lock setting under the Data management section.

6. Modify the Object Lock mode applied on the bucket and the Retention period as needed.

7. Click SAVE.

IONOS Object Storage API

Use the API to manage the Object Lock configuration on the specified buckets.

CLI tool

Use the CLI to manage Object Lock.

Limitations

The following are a few limitations to consider while using Object Lock:

• Once the Object Lock is enabled during bucket creation, both Object Lock and Versioning cannot be disabled afterward.

• When you place or modify an Object Lock, updating the object version's metadata does not overwrite the object version or change its Last-Modified timestamp.

• A bucket with Object Lock enabled cannot be chosen as a source for replication or tiering, but it could be a destination for replication or tiering.

• In the Compliance mode, an object is immutable until its retention date has passed. It is not possible to disable this mode for the object or shorten the retention period. This setting could not be changed either by the bucket owner or IONOS.

Logging in IONOS Object Storage enables the tracking and storage of requests made to your bucket. When you enable Logging, Object Storage automatically records access requests, such as the requester, bucket name, request time, request action, response status, and error codes, if any. By default, Logging is disabled for a bucket.

Use cases

• Security Monitoring: Tracks access patterns and identifies unauthorized or suspicious access to your data. In the event of a security breach, logs provide vital information for investigating the incident, such as IP addresses, request times, and the actions that were performed.

• Auditing: Many industries require compliance with specific regulatory standards that mandate the monitoring and logging of access to data. Logging facilitates compliance with regulations like HIPAA, GDPR, or SOX by providing a detailed record of who accessed what data and when.

• Troubleshooting: If there are issues with how applications are accessing your Object Storage data, logs can provide detailed information to help diagnose and resolve these issues. Logs show errors and the context in which they occurred, aiding in quick troubleshooting.

Manage Logging

You can manage Logging using the DCD, API, and CLI.

DCD

Activate Logging

To activate Logging, follow these steps:

1. In the DCD, go to Menu > Storage > IONOS Object Storage.

2. From the Buckets list, choose the bucket and click Bucket settings.

3. Go to the Logging setting under the Access management section and click Browse Object Storage to select the destination bucket in the same region to store logs.

4. (Optional) Specify the prefix for log storage, providing flexibility in organizing and accessing your log data. If no prefix is entered, the log file name is derived from its time stamp alone.

5. Click Save.

Deactivate Logging

You can modify or deactivate Logging at any time with no effect on existing log files. Log files are handled like any other object. Using the Logging section in the Bucket settings, you can click Disable Logging to stop collecting log data for a bucket.

Grant access permission for Logging

1. In the DCD, go to Menu > Storage > IONOS Object Storage.

2. From the Buckets list, choose the bucket for which the logging must be enabled.

3. Click Bucket settings and go to the Access Control List (ACL).

4. For Logging, select the OBJECTS:WRITE and BUCKET ACL:READ checkboxes.

5. Click Save.

IONOS Object Storage API

Use the API to configure and manage Logging for a bucket.

CLI

Use CLI to manage Logging for buckets.

Limitations

Logs can only be stored in the same-region buckets.

Related feature

Lifecycle Management

Use Lifecycle Management in conjunction with Logging to manage and automate the lifecycle of log files. For instance, you can set up a lifecycle policy to permanently delete logs that are no longer needed after a certain period.

Lifecycle management allows you to automate the deletion of objects and their versions to optimize costs and adhere to compliance requirements.

The Lifecycle comprises rules with actions applied to objects within a bucket. These policies help automate processes that manage the lifecycle of your data.

Use cases

• Object Expiration: Automatically deletes objects no longer needed after a certain period, such as temporary files, logs, or other transient data. It helps to declutter the storage and reduce costs.

• Regulatory Compliance: Assists in meeting legal and compliance requirements by deleting objects according to the defined Lifecycle rules.

• Version Control: Manages multiple versions of objects by automatically deleting the non-current object versions and saves storage costs.

• Temporary Storage: Stores data generated from batch processing or other workloads and deletes these provisional data when no longer needed using the object expiration Lifecycle actions.

Lifecycle actions

A Lifecycle rule supports the following actions:

• Expire current versions.

• Permanently delete noncurrent versions of objects.

• Delete expired object delete markers.

• Delete incomplete multipart uploads.

Expire current versions

With this action, you can specify a period after which the object's current version must expire. Depending on whether the Versioning is enabled for a bucket or not, the action Expire current versions of the object impacts in the following ways:

• If the Versioning is enabled for the bucket, then the expiration of the current version of an object does not result in the deletion of the object data from the storage. Instead, when the object's current version reaches its expiration date, a "delete marker" is created for this object and retained as its "current version"; the object data transitions to a non-current object version.

• If the Versioning is not enabled for the bucket, then the current versions are the only versions of objects in your bucket. When the object reaches its expiration date, it is permanently deleted from the storage.

When the Expire current versions action is set for a bucket that uses Versioning, the system automatically deletes the expired delete markers as part of the lifecycle processing. An expired delete marker is a delete marker for which there is no corresponding object data because all non-current versions of the object have been deleted. This functionality aids in maintaining a clean and organized bucket and retains only necessary data.

Permanently delete non-current version of objects

This action is applicable only if the bucket uses Versioning. Permanently deleting non-current versions of objects takes place after the specified retention period, and it helps to ensure the removal of outdated versions of objects from the storage.

A non-current object version refers to those that are superseded by a newer object version or a delete marker. When a non-current version of an object reaches its scheduled expiration, it is permanently deleted from the storage. The expiration scheduling for non-current versions of objects is based on the number of days since the objects became non-current, which is the number of days since being superseded by a newer version or a "delete marker."

If the bucket has Object Lock enabled, then the non-current object versions are not deleted before their defined retention period is completed. Suppose the expiration date of a non-current object version (based on your configured expiration schedule) comes before the end of the object version's lock period, then the Object Lock setting overpowers. The system retains the non-current object version until the end of its lock period. Shortly after the lock period concludes, the system automatically deletes the non-current object version, ensuring adherence to expiration and retention policies.

Delete expired objects delete markers

This action is applicable only if the bucket uses Versioning and the Expire current versions schedule has been set. In a versioning-enabled bucket, when you delete the current version of an object, a "delete marker" replaces that object version and becomes the new current object version. All the older versions of the object are retained in the system and remain retrievable.

However, if all older versions subsequently expire (through the execution of the expiration rule for non-current versions), an orphaned delete marker remains. With the Delete expired object delete markers action, you enable the system to automatically remove a delete marker after a few hours of all the older object versions have expired or been deleted.

Delete incomplete multi-part uploads

This action stops all incomplete multi-part uploads and allows the automatic deletion of incomplete multi-part uploads, freeing up storage space and ensuring the bucket remains clean and organized. The Multi-part upload facilitates the uploading of large objects in parts. However, if an upload is incomplete, it consumes storage space.

Manage Lifecycle

You can manage the Lifecycle using the DCD, API, and CLI.

DCD

1. In the DCD, go to Menu > Storage > IONOS Object Storage.

2. From the drop-down list in the Buckets tab, choose either Show user-owned buckets or Show contract-owned buckets depending on the bucket type you want to view.

3. From the Buckets list, choose the bucket to which you want to perform Lifecycle Management.

4. Click Bucket settings, go to the Lifecycle setting under the Data management section and click Add a rule.

5. Enter the following details to configure the Lifecycle rule:

• Lifecycle Rule name: Enter a name to identify the rule uniquely.

• Set Rule Scope: Choose whether to apply the Lifecycle rule to all objects in the bucket or limit to objects filtered by the prefix. The prefix is subject to a single Lifecycle rule.

• Select an action: Choose one or more from the following Lifecycle actions to apply to the objects in the bucket:

  • Expire current versions: You can choose to enter the number of days after object creation should the current object version expire or select a date from the calendar shown, after which the current object version must expire. The rule application varies depending on whether the bucket is versioned or not.

  • Permanently delete noncurrent versions of objects: Mention the number of days after the object version becomes non-current should it be permanently deleted.

  • Delete expired object delete markers: Select this action to remove all object delete markers and improve performance. You cannot apply this action if the Expire current versions action is selected.

  • Delete incomplete multipart uploads: Mention the number of days after upload initiation should the incomplete multipart uploads be deleted.

For more information, see Lifecycle actions.

6. Click Save.

IONOS Object Storage API

Use the API to manage the Lifecycle rules.

CLI tool

Use the CLI to manage Lifecycle configuration.

Limitations

• Currently, IONOS Object Storage only supports Standard storage class. You cannot use lifecycle rules to transition objects to another storage class.

• A maximum of 1,000 rules can be set in the Lifecycle configuration.

• Multiple Lifecycle rules can be created for a bucket, each applying to a different object prefix. However, more than one Lifecycle rule cannot be set for the same object prefix.

• If the bucket uses Object Lock, non-current object versions cannot be deleted before the completion of their defined retention period.

• The NewerNoncurrentVersions setting is not supported for the NoncurrentVersionExpiration option.

Related feature

Versioning

Versioning allows you to keep multiple versions of the same object. For more information, see Versioning.

Static Website Hosting enables the hosting of static content, including HTML, CSS, JavaScript, and images, directly, eliminating the need for an external web server. You can specify both an index page and an error page. Additionally, there is an option to link a custom domain.

Depending on the region of your Object Storage bucket, the static website URL varies. For more information on the static website endpoint, see Endpoints.

Use cases

• Static Content Hosting: Directly serve HTML, CSS, JavaScript, and media files statically on a website.

• Publish Landing Pages: Host promotional or event-specific landing pages with high availability.

• Documentation Sites: Host product documentation or manuals with easy access to the users.

Manage Static Website Hosting

You can manage Versioning using the DCD, API, and CLI.

DCD

Enable Static Website Hosting

1. In the DCD, go to Menu > Storage > IONOS Object Storage.

2. From the drop-down list in the Buckets tab, choose either Show user-owned buckets or Show contract-owned buckets depending on the bucket type you want to view.

3. From the Buckets list, choose the bucket for which you want to manage Static Website Hosting.

4. Click Bucket settings and go to the Static Website Hosting setting under the Public access section.

5. Click Edit and add the following details:

• Index document: Enter the file name that serves as an index document. Example: index.html. An index document is a default webpage that IONOS Object Storage returns upon receiving a request to the root of a website or a subfolder.

• Error document: Enter the file name of the HTML error document that is uploaded to the Object Storage bucket. An error document is a default HTML file with details you want the user to view when an error occurs.

6. Click Enable.

IONOS Object Storage API

Use the API to configure and manage Static Website Hosting for a bucket.

CLI

Use the CLI to manage Static Website Hosting.

Limitations

Static Website Hosting is unsuitable for hosting websites that require server-side processing, such as PHP and Python.

Depending on the Bucket Types access you want to share with the user, learn how to retrieve the required user ID.

Retrieve your user ID

For another user to share the content of their IONOS Object Storage with you, they need your user ID, which you will find in the Object Storage Key Management section.

1. In the DCD, go to Menu > Storage and click the IONOS Object Storage.

2. Select the Key management tab.

3. In the Object Storage Credentials, click Copy against the user's ID as follows:

• Copy the Contract User ID to grant access to contract-owned buckets.

• Copy the Canonical User ID to grant access to user-owned buckets.

Retrieve the user ID of a grantee

The grantee is the user under the same contract at IONOS, but it also could be the user under another contract. You need the user ID to share access to the bucket or object using Share access methods.