Object lock

Object lock is a feature in S3 that enables you to lock your objects to prevent them from being deleted or overwritten. This feature can be helpful when you want to maintain data integrity, comply with regulations, or retain data for a specific period.

Note that this feature is distinct from object expiry, which is covered in a separate guide.

Object lock modes

Object lock offers two methods for managing object retention: Retention periods and Legal hold.

Retention periods

Retention periods specify the length of time that an object remains locked and protected from being overwritten or deleted. When you set a retention period, the object is safeguarded for the specified time period. You can set the retention period in either days or years, with a minimum of one day and no maximum limit.

In addition to retention periods, you can choose the retention mode that applies to your objects (either Governance or Compliance). In Cleura Cloud, the only supported retention mode is Compliance.

Compliance mode is recommended when storing compliant data, as it prevents objects from being overwritten or deleted by any user. If you configure an object with this mode, you cannot shorten or change its retention period, ensuring that the data remains secure and compliant with regulatory requirements.

Legal hold

Legal hold is a feature designed for situations when you are uncertain about the length of time you need to retain an object. It can be enabled/disabled for any object in a locked bucket, regardless of the lock configuration, object retention, or age.

This feature provides the same level of protection as a retention period but with no fixed expiration date. Instead, a legal hold will remain in effect until you remove it explicitly.

Prerequisites

In order to manage object lock, you must install aws or mc, and configure it with working credentials.

You cannot (reliably) use s3cmd to manage this functionality.

Enabling object lock

To use the object lock feature, you must first create a new bucket.

Existing buckets cannot have object lock enabled. To enable object lock on existing data, you must first create a new bucket with object lock, and then sync your pre-existing objects into that bucket.

awsmc

aws --profile <region> \
  s3api create-bucket \
  --bucket <bucket-name> \
  --object-lock-enabled-for-bucket

mc mb <region>/<bucket> \
  --with-lock

Note that this will enable bucket versioning as well.

Configure the default object lock mode and retention period for a bucket

To configure your bucket to use the Compliance mode, use one of the following commands:

awsmc

aws --profile <region> \
  s3api put-object-retention \
  --bucket <bucket-name> \
  --key <object-name> \
  --retention \
  '{ "Mode": "COMPLIANCE", "RetainUntilDate": "2023-12-31T00:00:00Z" }'

For the value of the RetainUntilDate parameter, use the ISO 8601 date-time representation format.

mc retention set \
  <region>/<bucket> \
  --default compliance "2d"

--default sets the default object lock settings for new objects and is optional.

To specify a duration, use a string formatted as Nd for days or Ny for years. For example, use 30d to indicate 30 days after the object creation, or use 1y to indicate 1 year after the object creation.

Retrieve the object lock mode and retention period

Bucket-level

To view the default object lock mode and retention period set on a bucket, use the following command:

awsmc

aws --profile <region> \
  s3api get-object-lock-configuration \
  --bucket <bucket-name>

Example output:

{
  "ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {
      "DefaultRetention": {
        "Mode": "COMPLIANCE",
        "Days": 2
      }
    }
  }
}

mc retention info --json --default <region>/<bucket>

Example output:

{
  "op": "info",
  "enabled": "Enabled",
  "mode": "COMPLIANCE",
  "validity": "2DAYS",
  "status": "success"
}

Object-level

To view the default object lock mode and retention period set on an object, use the following command:

awsmc

aws --profile <region> \
  s3api get-object-retention \
  --bucket <bucket-name> \
  --key <object-name>

Example output:

{
  "Retention": {
    "Mode": "COMPLIANCE",
    "RetainUntilDate": "2023-02-25T20:04:23.383915+00:00"
  }
}

mc retention info --json <region>/<bucket>/<object-name>

Example output:

{
  "mode": "COMPLIANCE",
  "until": "2023-02-25T20:04:23.383915502Z",
  "urlpath": "region/bucket/object",
  "versionID": "",
  "status": "success",
  "error": null
}

Configure the object lock legal hold for an object

Legal hold requires that the specified bucket has object locking enabled.

Per bucket

To configure the legal hold for all objects in a bucket, use the following command:

awsmc

In contrast to the mc command, which can recursively set the legal hold for all objects in a bucket, the aws command can only set the legal hold for a single object at a time.

aws --profile <region> \
  s3api put-legal-hold \
  --bucket <bucket-name> \
  --key <object-name> \
  --legal-hold Status=ON

mc legalhold set \
  --recursive \
  <region>/<bucket>

Per object

To configure the legal hold for a single object, use the following command:

awsmc

aws --profile <region> \
  s3api put-legal-hold \
  --bucket <bucket-name> \
  --key <object-name> \
  --legal-hold Status=ON

mc legalhold set \
  <region>/<bucket>/<object-name>

Retrieve the legal hold status for an object

To display the legal hold status for an object, use the following command:

awsmc

aws --profile <region> \
  s3api get-object-legal-hold \
  --bucket <bucket-name> \
  --key <object-name>

Example output:

{
  "LegalHold": {
    "Status": "ON"
  }
}

mc legalhold info \
  --json <region>/<bucket>/<object-name>

Example output:

{
  "legalhold": "ON",
  "urlpath": "https://s3-<region>.citycloud.com/<bucket>/<object-name>",
  "key": "<object-name>",
  "versionID": "",
  "status": "success"
}