# Object Lock

This document provides instructions to manage [<mark style="color:blue;">Object Lock</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/settings/object-lock) using the CLI. Additionally, these tasks can also be performed using the [<mark style="color:blue;">DCD</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/settings/object-lock#dcd) and [<mark style="color:blue;">API</mark>](https://api.ionos.com/docs/s3/v2/#tag/Object-Lock).

{% hint style="info" %}
**Prerequisites:**

* Object Lock configuration is only feasible when enabled at the time of bucket creation. It cannot be activated for an existing bucket.
* Set up the AWS CLI by following the [<mark style="color:blue;">installation instructions</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/s3-tools/awscli/awscli-configure).
* Make sure to consider the supported [<mark style="color:blue;">Endpoints</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/endpoints).
{% endhint %}

## Create a bucket with an Object Lock

Create a bucket `my-bucket` in the `de` region (Frankfurt, Germany) with Object Lock:

```
aws s3api create-bucket \
  --bucket my-bucket \
  --object-lock-enabled-for-bucket \
  --region de \
  --create-bucket-configuration LocationConstraint=de \
  --endpoint-url https://s3.eu-central-1.ionoscloud.com
```

## Object Lock with Governance mode

An Object Lock with **Governance** mode on a bucket provides the bucket owner with better flexibility compared to the **Compliance** mode. It permits the removal of the Object Lock before the designated retention period has expired, allowing for subsequent replacements or deletions of the object.

Apply the **Governance** mode configuration to the bucket `my-bucket-with-object-lock` with a default retention period of 15 days (or use the `PutObjectLockConfiguration` API call):

```
aws s3api put-object-lock-configuration \
    --bucket my-bucket-with-object-lock \
    --object-lock-configuration '{ "ObjectLockEnabled": "Enabled", "Rule": { "DefaultRetention": { "Mode": "GOVERNANCE", "Days": 15 }}}' \
    --endpoint-url https://s3.eu-central-1.ionoscloud.com
```

Once this configuration is applied, newly uploaded objects inherit this default retention setting; objects uploaded earlier are not affected.

## Object Lock with Compliance mode

An Object Lock with **Compliance** mode on a bucket ensures strict control by enforcing a stringent retention policy on objects. Once this mode is set, the retention period for an object cannot be shortened or modified. It provides immutable protection by preventing objects from being deleted or overwritten during their retention period.

This mode is particularly suited for meeting regulatory requirements as it guarantees that objects remain unaltered. It does not allow locks to be removed before the retention period concludes, ensuring consistent data protection.

Apply the **Compliance** mode configuration to the bucket `my-bucket-with-object-lock` with a default retention period of 15 days:

```
aws s3api put-object-lock-configuration \
    --bucket my-bucket-with-object-lock \
    --object-lock-configuration '{ "ObjectLockEnabled": "Enabled", "Rule": { "DefaultRetention": { "Mode": "COMPLIANCE", "Days": 15 }}}' \
    --endpoint-url https://s3.eu-central-1.ionoscloud.com
```

Once this configuration is applied, newly uploaded objects inherit this default retention setting; objects uploaded earlier are not affected.

## Retrieve Object Lock configuration

Retrieve the Object Lock configuration of a bucket (the same can be achieved with the `GetObjectLockConfiguration` API call):

```
aws s3api get-object-lock-configuration \
  --bucket my-bucket-with-object-lock \
  --endpoint-url https://s3.eu-central-1.ionoscloud.com
```

### Sample response

```
{
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {
            "DefaultRetention": {
                "Mode": "GOVERNANCE",
                "Days": 15
            }
        }
    }
}
```

## Upload objects to a bucket with an Object Lock

Upload `my-object.pdf` to the bucket `my-bucket-with-object-lock`:

```
aws s3api put-object \
    --bucket my-bucket-with-object-lock \
    --key my-object.pdf \
    --body my-object.pdf \
    --endpoint-url https://s3.eu-central-1.ionoscloud.com

### Sample response

```
{
    "ETag": "\"d41d8cd98f00b204e9800998ecf8427e\"",
    "VersionId": "fe11c94b-d120-723f-b907-1070fde7f794"
}
```

This task could also be achieved by using the [<mark style="color:blue;">PutObject</mark>](https://api.ionos.com/docs/s3/v2/#tag/Basic-Operations/operation/PutObject) API call.

{% hint style="info" %}
**Note:** Because no Object Lock retention is specified in this request, the bucket's default retention configuration is applied to the uploaded object version.
{% endhint %}

Upload `my-object.pdf` to the bucket `my-bucket-with-object-lock` and override the bucket’s default Object Lock configuration:

```
aws s3api put-object \
    --bucket my-bucket-with-object-lock \
    --key my-object.pdf \
    --body my-object.pdf \
    --object-lock-mode GOVERNANCE \
    --object-lock-retain-until-date 2023-08-09T09:01:01Z \
    --endpoint-url https://s3.eu-central-1.ionoscloud.com
```

{% hint style="info" %}
**Note:** You can overwrite objects protected with Object Lock. Because a bucket with Object Lock is versioned, the overwrite creates a new version and the locked version is kept. Deleting an object is also allowed, because that operation only adds a delete marker on top of the object's versions.
{% endhint %}

## Delete objects with Object Lock

Permanent deletion of an object version is prohibited; the system only creates a delete marker for the object. This still makes IONOS Object Storage behave in most ways as though the object had been deleted. You can list the delete markers and the other versions of an object only by using the [<mark style="color:blue;">ListObjectVersions</mark>](https://api.ionos.com/docs/s3/v2/#tag/Versions/operation/ListObjectVersions) API call:

```
aws s3api list-object-versions \
    --bucket my-bucket-with-object-lock \
    --endpoint-url https://s3.eu-central-1.ionoscloud.com
```

{% hint style="info" %}
**Note:** Delete markers are not WORM-protected, regardless of any retention period or legal hold in place on the underlying object.
{% endhint %}

## Legal Hold

Apply `legal-hold` status to `my-object.pdf` in the bucket `my-bucket-with-object-lock`:

```
aws s3api put-object-legal-hold \
    --bucket my-bucket-with-object-lock \
    --key my-object.pdf \
    --legal-hold Status=ON \
    --endpoint-url https://s3.eu-central-1.ionoscloud.com
```

Use `Status=OFF` to turn off the `legal-hold` status.
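The Governance and Compliance sections, the notes on overwriting and deleting objects, the note that delete markers are not WORM-protected, and the legal hold section together describe a small set of rules. The following is an added example, not code from the IONOS documentation, that models those rules locally so you can reason about what a given mode, retention date and legal hold actually prevent before applying them to a bucket. The `ObjectVersion` class, the helper names and the `owner_override` flag (standing in for however the bucket owner lifts a Governance lock early) are assumptions of this example; the 2023-08-09T09:01:01Z date is the one used on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


def parse_ts(value: str) -> datetime:
    """Parse the ISO 8601 UTC form the CLI uses for --object-lock-retain-until-date."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class ObjectVersion:
    """One version of an object, roughly as ListObjectVersions reports it (assumed shape)."""
    key: str
    version_id: str
    mode: Optional[str] = None               # "GOVERNANCE", "COMPLIANCE" or None
    retain_until: Optional[datetime] = None  # RetainUntilDate, timezone-aware
    legal_hold: bool = False                 # legal-hold Status=ON
    is_delete_marker: bool = False


def retention_active(v: ObjectVersion, now: datetime) -> bool:
    """A retention period protects the version only until its RetainUntilDate."""
    return v.retain_until is not None and now < v.retain_until


def can_permanently_delete(v: ObjectVersion, now: datetime,
                           owner_override: bool = False) -> Tuple[bool, str]:
    """Can this specific version be removed for good (delete with a VersionId)?

    owner_override models the bucket owner lifting a GOVERNANCE lock before it
    expires; how that is authorised is an assumption of this example.
    """
    if v.is_delete_marker:
        return True, "delete markers are not WORM-protected"
    if v.legal_hold:
        return False, "legal hold is ON; it must be set to OFF first"
    if not retention_active(v, now):
        return True, "no active retention period"
    if v.mode == "COMPLIANCE":
        return False, "COMPLIANCE retention cannot be lifted before it expires"
    if v.mode == "GOVERNANCE" and owner_override:
        return True, "GOVERNANCE lock lifted by the bucket owner"
    return False, "GOVERNANCE retention is active and no override was requested"


def can_shorten_retention(v: ObjectVersion, new_until: datetime, now: datetime,
                          owner_override: bool = False) -> bool:
    """PutObjectRetention that moves RetainUntilDate earlier."""
    if not retention_active(v, now) or new_until >= v.retain_until:
        return True          # nothing to shorten, or an extension
    if v.mode == "COMPLIANCE":
        return False         # never shortened, override or not
    return owner_override    # GOVERNANCE: only with the owner override


def delete_object(v: ObjectVersion) -> ObjectVersion:
    """DeleteObject without a VersionId never touches a locked version: on a
    versioned bucket it only adds a delete marker as the newest version."""
    return ObjectVersion(key=v.key, version_id="dm-" + v.version_id,
                         is_delete_marker=True)


def unprotected_versions(versions: List[ObjectVersion], now: datetime) -> List[str]:
    """Audit helper: ids of real (non-marker) versions that could be permanently
    deleted right now without any override, i.e. versions the lock no longer covers."""
    return [v.version_id for v in versions
            if not v.is_delete_marker and can_permanently_delete(v, now)[0]]


if __name__ == "__main__":
    now = parse_ts("2023-08-01T00:00:00Z")        # constructed clock value
    until = parse_ts("2023-08-09T09:01:01Z")      # retain-until date used on this page
    gov = ObjectVersion("my-object.pdf", "v1", "GOVERNANCE", until)
    comp = ObjectVersion("my-object.pdf", "v2", "COMPLIANCE", until)
    for v in (gov, comp, delete_object(gov)):
        print(v.version_id, can_permanently_delete(v, now, owner_override=True))
    print("unprotected after expiry:",
          unprotected_versions([gov, comp], parse_ts("2023-09-01T00:00:00Z")))
```

Running the script shows the three cases side by side: the Governance version can be removed with the owner override, the Compliance version cannot, and the delete marker can always be removed. `unprotected_versions` is the check worth running over a real `list-object-versions` listing, since a version whose retention has expired and that carries no legal hold is no longer immutable.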

## View lock information for an object

To check the Object Lock status of a particular object version, use either the `GET Object` or the `HEAD Object` command. Both return the retention mode, the 'Retain Until Date' and the legal hold status of the chosen object version.

## Set retention limits

When multiple users have permission to upload objects to your bucket, there is a risk of overly long retention periods being set, which leads to increased storage costs and data management challenges. The system allows retention periods of up to 100 years; a bucket policy using the `s3:object-lock-remaining-retention-days` condition key can cap them, which is particularly beneficial in multi-user environments.

The following bucket policy establishes a 10-day maximum retention limit:

```
{
    "Version": "2012-10-17",
    "Id": "Set Retention Limits",
    "Statement": [
        {
            "Sid": "Set Retention Period",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "s3:PutObjectRetention"
            ],
            "Resource": "arn:aws:s3:::my-bucket-with-object-lock/*",
            "Condition": {
                "NumericGreaterThan": {
                    "s3:object-lock-remaining-retention-days": "10"
                }
            }
        }
    ]
}
```

Save it to the `policy.json` file and apply using the following command:

```
aws s3api put-bucket-policy \
    --bucket my-bucket-with-object-lock \
    --policy file://policy.json \
    --endpoint-url https://s3.eu-central-1.ionoscloud.com
```
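To see what the `Deny` statement above actually blocks, the following added example (not code from the IONOS documentation) evaluates the policy locally: it reads the cap from the `NumericGreaterThan` condition, computes the remaining retention days a `PutObjectRetention` request would carry, and flags common mistakes that silently make the cap ineffective. The function names are assumptions of this example, as is rounding the remaining retention up to whole days; the embedded policy and the 2023-08-09T09:01:01Z date are the ones used on this page.

```python
import json
import math
from datetime import datetime, timezone
from typing import Dict, List, Optional

CONDITION_KEY = "s3:object-lock-remaining-retention-days"

# The bucket policy from this page, embedded so the example runs offline.
POLICY: Dict = json.loads("""
{
    "Version": "2012-10-17",
    "Id": "Set Retention Limits",
    "Statement": [
        {
            "Sid": "Set Retention Period",
            "Effect": "Deny",
            "Principal": "*",
            "Action": ["s3:PutObjectRetention"],
            "Resource": "arn:aws:s3:::my-bucket-with-object-lock/*",
            "Condition": {
                "NumericGreaterThan": {"s3:object-lock-remaining-retention-days": "10"}
            }
        }
    ]
}
""")


def parse_ts(value: str) -> datetime:
    """Parse the ISO 8601 UTC form the CLI uses for --object-lock-retain-until-date."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def remaining_retention_days(retain_until: datetime, now: datetime) -> int:
    """Value the condition key takes for a request: days from now until the
    requested RetainUntilDate. Rounding up to whole days is an assumption here."""
    return max(0, math.ceil((retain_until - now).total_seconds() / 86400))


def _actions(statement: Dict) -> List[str]:
    action = statement.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def retention_cap_days(policy: Dict) -> Optional[int]:
    """Largest remaining retention (in days) the policy still allows, read from a
    Deny on s3:PutObjectRetention with NumericGreaterThan on the condition key."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Deny" or "s3:PutObjectRetention" not in _actions(st):
            continue
        greater = st.get("Condition", {}).get("NumericGreaterThan", {})
        if CONDITION_KEY in greater:
            return int(greater[CONDITION_KEY])
    return None


def request_denied(policy: Dict, retain_until: datetime, now: datetime) -> bool:
    """Would a PutObjectRetention asking for retain_until be denied by the cap?"""
    cap = retention_cap_days(policy)
    return cap is not None and remaining_retention_days(retain_until, now) > cap


def lint_policy(policy: Dict) -> List[str]:
    """Catch mistakes that make the cap ineffective or far too broad."""
    problems = []
    for st in policy.get("Statement", []):
        if "s3:PutObjectRetention" not in _actions(st):
            continue
        sid = st.get("Sid", "<no Sid>")
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else list(resources)
        # PutObjectRetention is an object-level action: a bare bucket ARN never
        # matches it, so the statement would never apply to any request.
        if not all(r.endswith("/*") for r in resources):
            problems.append(f"{sid}: Resource must be an object ARN ending in /*")
        greater = st.get("Condition", {}).get("NumericGreaterThan", {})
        if st.get("Effect") == "Deny" and CONDITION_KEY not in greater:
            problems.append(f"{sid}: Deny has no NumericGreaterThan on {CONDITION_KEY}; "
                            "it would block every retention change")
    return problems


if __name__ == "__main__":
    now = parse_ts("2023-08-01T00:00:00Z")          # constructed clock value
    for until in ("2023-08-09T09:01:01Z", "2023-08-20T00:00:00Z"):
        days = remaining_retention_days(parse_ts(until), now)
        verdict = "DENIED" if request_denied(POLICY, parse_ts(until), now) else "allowed"
        print(f"retain until {until}: {days} days remaining -> {verdict}")
    print("lint:", lint_policy(POLICY) or "no problems")
```

With the clock set to 1 August 2023, the page's retain-until date of 9 August leaves 9 remaining days and passes the 10-day cap, while 20 August (19 days) is denied. The condition key counts days remaining from the time of the request, not the total period, so an object that was locked for 15 days under the bucket default can still have its retention extended as long as the new date is at most 10 days ahead.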
