Object lock
Object lock is a feature in S3 that enables you to lock your objects to prevent them from being deleted or overwritten. This feature can be helpful when you want to maintain data integrity, comply with regulations, or retain data for a specific period.
Note that this feature is distinct from object expiry, which is covered in a separate guide.
You should also keep in mind that object lock offers two methods for managing object retention: Retention periods and Legal hold.
Prerequisites
In order to manage object lock, you must install aws or mc, and configure it with working credentials.
You cannot (reliably) use s3cmd to manage this functionality.
Enabling object lock
To use the object lock feature, you must first create a new bucket.
Existing buckets cannot have object lock enabled. To enable object lock on existing data, you must first create a new bucket with object lock, and then sync your pre-existing objects into that bucket.
aws --profile fra1 \
  s3api create-bucket \
  --bucket <bucket-name> \
  --object-lock-enabled-for-bucket
mc mb fra1/<bucket> \
  --with-lock
Note that this will enable bucket versioning as well.
Configure the default object lock mode and retention period for a bucket
To configure your bucket to use the Compliance mode, use one of the following commands:
aws --profile fra1 \
  s3api put-object-lock-configuration \
  --bucket <bucket-name> \
  --object-lock-configuration \
  '{ "ObjectLockEnabled": "Enabled", "Rule": { "DefaultRetention": { "Mode": "COMPLIANCE", "Days": 30 }}}'
mc retention set \
  --default compliance 30d \
  fra1/<bucket>
The
--defaultparameter sets the default object lock settings for new objects, and is optional.To specify a duration, use a string formatted as
Ndfor days orNyfor years. For example, use30dto indicate 30 days after the object creation, or use1yto indicate 1 year after the object creation.
Configure the object lock mode and retention period for a single object
If you want to set a specific retention period for an object, instead of using the default retention period, use one of the following commands. You can also use these commands to update the retention period for an object:
aws --profile fra1 \
  s3api put-object-retention \
  --bucket <bucket-name> \
  --key <object-name> \
  --retention '{ "Mode": "COMPLIANCE", "RetainUntilDate": "2023-01-01T12:00:00.00Z" }'
For the value of the
RetainUntilDateparameter, use the ISO 8601 date-time representation format.
mc retention set \
  COMPLIANCE 30d \
  fra1/<bucket>/<object-name>
To specify a duration, use a string formatted as
Ndfor days orNyfor years. For example, use30dto indicate 30 days after the object creation, or use1yto indicate 1 year after the object creation.
Retrieve the object lock mode and retention period
Bucket-level
To view the default object lock mode and retention period set on a bucket, use the following command:
aws --profile fra1 \
  s3api get-object-lock-configuration \
  --bucket <bucket-name>
{
  "ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {
      "DefaultRetention": {
        "Mode": "COMPLIANCE",
        "Days": 2
      }
    }
  }
}
mc retention info --json --default fra1/<bucket>
{
  "op": "info",
  "enabled": "Enabled",
  "mode": "COMPLIANCE",
  "validity": "2DAYS",
  "status": "success"
}
Object-level
To view the default object lock mode and retention period set on an object, use the following command:
aws --profile fra1 \
  s3api get-object-retention \
  --bucket <bucket-name> \
  --key <object-name>
{
  "Retention": {
    "Mode": "COMPLIANCE",
    "RetainUntilDate": "2023-02-25T20:04:23.383915+00:00"
  }
}
For the value of the
RetainUntilDateparameter, use the ISO 8601 date-time representation format.
mc retention info --json fra1/<bucket>/<object-name>
{
  "mode": "COMPLIANCE",
  "until": "2023-02-25T20:04:23.383915502Z",
  "urlpath": "region/bucket/object",
  "versionID": "",
  "status": "success",
  "error": null
}
Configure the object lock legal hold for an object
Legal hold requires that the specified bucket has object locking enabled.
Per bucket
To configure the legal hold for all objects in a bucket, use the following command:
The aws s3api command can only set the legal hold for a single object at a time.
However, you can use the ls command along with --recursive to list all objects in a bucket, and then set the legal hold for each object in your bucket.
aws --profile fra1 \
  s3api list-objects \
  --bucket <bucket-name \
  | jq .Contents[].Key \
  | xargs -n1 aws --profile fra1 s3api put-object-legal-hold --legal-hold Status=ON --bucket <bucket-name> --key
mc legalhold set \
  --recursive \
  fra1/<bucket>
Per object
To configure the legal hold for a single object, use the following command:
aws --profile fra1 \
  s3api put-object-legal-hold \
  --bucket <bucket-name> \
  --key <object-name> \
  --version-id <version-id> \
  --legal-hold Status=ON
Note that if you don’t specify a version ID, the legal hold will be applied to the latest version of the object.
mc legalhold set \
  fra1/<bucket>/<object-name>
To remove the legal hold, use the
clearcommand instead ofset.
Retrieve the legal hold status for an object
To display the legal hold status for an object, use the following command:
aws --profile fra1 \
  s3api get-object-legal-hold \
  --bucket <bucket-name> \
  --key <object-name>
{
  "LegalHold": {
    "Status": "ON"
  }
}
mc legalhold info \
  --json fra1/<bucket>/<object-name>
{
  "legalhold": "ON",
  "urlpath": "https://s3-fra1.citycloud.com/<bucket>/<object-name>",
  "key": "<object-name>",
  "versionID": "",
  "status": "success"
}