Object lock
Intro
Object Lock is an S3 feature for versioned buckets that Cubbit supports. It provides an added layer of protection for your data by letting you lock objects to prevent accidental or unauthorized deletion or overwrites. Object Lock is especially useful for data retention and regulatory compliance, which is why it has become increasingly important for many businesses.
Cubbit supports both duration-based object retention and indefinite Legal Hold retention.
Retention periods and legal holds
Object Lock allows you to apply two different methods of preventing object deletion or modification: retention periods and legal holds.
Retention periods
Retention periods are time-based policies that prevent objects from being deleted or modified until a specific date or time has been reached. You can set retention periods on individual objects or on an entire bucket.
In a bucket, you can set the default retention period to apply to all objects in the bucket, or you can set a retention period on individual objects. When a retention period is in effect, the object cannot be deleted or modified until the retention period has expired.
To work with retention periods, you can use the S3 API PutObjectLockConfiguration to set the default retention configuration on a bucket, which is applied to every object subsequently uploaded into it.
Otherwise, you can set a retention period on an individual object using the S3 API PutObjectRetention. This overrides the default bucket retention configuration for that specific object.
Legal Holds
Legal holds are another method of preventing object deletion or modification, but they are not time-based. Instead, legal holds are designed to keep objects preserved indefinitely until the legal hold is removed. You can set a legal hold on individual objects, but not on an entire bucket.
When a legal hold is in effect, the object cannot be deleted or modified until the hold is removed. Legal holds can be used for legal or regulatory compliance purposes.
To set a legal hold on an object, you can use the S3 API PutObjectLegalHold.
Compliance and Governance modes
Object Lock has two retention modes: compliance and governance. Compliance mode is designed for regulatory compliance purposes, while governance mode is designed for general object management.
In both modes of Object Lock, the primary function remains the same: to prevent any deletion or modification of object versions. When it comes to updating existing retention settings, it is only permitted to extend the retention period.
The difference between the two modes is that governance mode allows Object Lock to be bypassed by a user with special permissions: the user either holds the s3:BypassGovernanceRetention permission or is the root user. Moreover, the bypassing request must carry the x-amz-bypass-governance-retention: true header. Bypassing Object Lock means that the object version may be deleted or modified and its retention may be updated in any way.
Locked objects
Cubbit blocks any attempt to delete a specific object version that is locked, either through a legal hold or through a retention period that has not yet expired.
However, normal delete operations that do not specify a version ID still follow the normal behavior of versioned buckets, and a delete marker is created.
Requirements for Object Lock
There are a few requirements to remember when working with this feature, which are strictly related to bucket versioning.
- You can only turn on object locking during bucket creation. You cannot enable it later.
- When you create a bucket with Object Lock enabled, bucket versioning is automatically enabled.
- You cannot turn off Object Lock or suspend versioning for a bucket that you created with Object Lock enabled.
How to
The following section explains how to work with this feature, either using the Cubbit Console or the AWS s3api CLI commands.
Create a bucket with object locking enabled
Let's start by enabling object locking on a brand new bucket. As noted above, according to the S3 protocol, the only way to enable locking on a bucket is during its creation.
Cubbit Console
- Sign in to the Cubbit Console.
- Click the "Create bucket" button on the top right.
- Enter a bucket name in the top section called "Bucket name".
- In the "Object Lock" section at the bottom, click the "Object Lock enabled" button and confirm by clicking the "Create bucket" button.
You should see a brand new bucket with both versioning and object locking enabled.
AWS S3 API
It's a CreateBucket API call where you also specify --object-lock-enabled-for-bucket:
aws s3api create-bucket --endpoint https://s3.cubbit.eu --bucket my-cubbit-bucket --object-lock-enabled-for-bucket
Set a default retention period on the bucket
You can then set a default retention period on the bucket, in either days or years.
Cubbit Console
You can access this menu either at bucket creation or afterwards, by opening the bucket menu (the three dots icon on the right) and clicking the "Manage" button.
AWS S3 API
It's a PutObjectLockConfiguration API call:
aws s3api put-object-lock-configuration --endpoint https://s3.cubbit.eu --bucket my-cubbit-bucket --object-lock-configuration "ObjectLockEnabled=Enabled,Rule={DefaultRetention={Mode=COMPLIANCE,Days=30}}"
Lock a specific object up to a retention date
You can then set a retention period on a specific object.
Cubbit Console
You can access this menu by opening the object menu (the three dots icon on the right) and clicking the "Object details" button.
AWS S3 API
It's a PutObjectRetention API call; the --key parameter names the object to lock (my-object is a placeholder for your object key):
aws s3api put-object-retention --endpoint https://s3.cubbit.eu --bucket my-cubbit-bucket --key my-object --retention "Mode=COMPLIANCE,RetainUntilDate=2024-02-16T00:00:00+00:00"
Lock a specific object indefinitely with a legal hold
You can then set a legal hold on a specific object.
Cubbit Console
As above, you can access this menu by opening the object menu (the three dots icon on the right) and clicking the "Object details" button.
AWS S3 API
It's a PutObjectLegalHold API call; as with retention, --key names the object (my-object is a placeholder for your object key):
aws s3api put-object-legal-hold --endpoint https://s3.cubbit.eu --bucket my-cubbit-bucket --key my-object --legal-hold "Status=ON"
Set a default retention period on the bucket in Governance mode
As above, you can set a default retention period for the bucket, in days or years, this time in GOVERNANCE mode. As described above, users with specific IAM permissions can overwrite or delete protected object versions during the retention period.
Cubbit Console
You can access this menu either at bucket creation or afterwards, by opening the bucket menu (the three dots icon on the right) and clicking the "Manage" button.
Bypassing governance mode doesn't affect an object version's legal hold status. If an object version has a legal hold enabled, the legal hold remains and prevents requests to overwrite or delete the object version.
Bypassing a Governance retention configuration requires the s3:BypassGovernanceRetention permission.
AWS S3 API
It's a PutObjectLockConfiguration API call:
aws s3api put-object-lock-configuration --endpoint https://s3.cubbit.eu --bucket my-cubbit-bucket --object-lock-configuration "ObjectLockEnabled=Enabled,Rule={DefaultRetention={Mode=GOVERNANCE,Days=30}}"
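To make the rules from the "Compliance and Governance modes" and "Locked objects" sections, and the legal hold note above, concrete, here is an added Python model (example code, not Cubbit's or AWS's, and it makes no S3 calls) that decides whether a delete or retention-update request against a locked object version is allowed. LockState, Request, evaluate, the constructed clock NOW and the scenario names are all assumptions made for this example; default_retain_until only shows which RetainUntilDate an upload inherits from a Days=30 bucket rule, in the date format the put-object-retention command above uses.

```python
# Constructed model of the Object Lock decision rules on this page; not Cubbit's or AWS's code.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

COMPLIANCE = "COMPLIANCE"
GOVERNANCE = "GOVERNANCE"


@dataclass
class LockState:
    """Lock settings of one object version (hypothetical model, not an S3 type)."""
    mode: Optional[str] = None               # COMPLIANCE, GOVERNANCE or None
    retain_until: Optional[datetime] = None  # tz-aware; None when no retention is set
    legal_hold: bool = False                 # PutObjectLegalHold Status=ON


@dataclass
class Request:
    """The parts of a request that influence the lock decision (hypothetical model)."""
    action: str                              # "delete" or "update_retention"
    version_id: Optional[str] = None         # None = versionless delete
    bypass_permission: bool = False          # caller holds s3:BypassGovernanceRetention
    bypass_header: bool = False              # x-amz-bypass-governance-retention: true sent
    is_root: bool = False
    new_mode: Optional[str] = None
    new_retain_until: Optional[datetime] = None


def default_retain_until(days: int, uploaded_at: datetime) -> str:
    """RetainUntilDate an upload inherits from a bucket rule with DefaultRetention Days=N."""
    return (uploaded_at + timedelta(days=days)).isoformat()


def retention_active(lock: LockState, now: datetime) -> bool:
    return lock.mode is not None and lock.retain_until is not None and lock.retain_until > now


def can_bypass(lock: LockState, req: Request) -> bool:
    """Only GOVERNANCE can be bypassed, and only with the permission (or root) AND the header."""
    if lock.mode != GOVERNANCE:
        return False
    return (req.bypass_permission or req.is_root) and req.bypass_header


def evaluate(lock: LockState, req: Request, now: datetime):
    """Return ("ALLOW" | "DENY", reason) for a request against one object version."""
    if req.action == "delete" and req.version_id is None:
        # A versionless delete in a versioned bucket only adds a delete marker;
        # no version is destroyed, so there is nothing for Object Lock to block.
        return "ALLOW", "versionless delete creates a delete marker"
    if req.action == "delete":
        if lock.legal_hold:
            # A legal hold blocks deletion in either mode; the governance bypass does not touch it.
            return "DENY", "legal hold in effect"
        if retention_active(lock, now):
            if can_bypass(lock, req):
                return "ALLOW", "governance retention bypassed"
            return "DENY", f"{lock.mode} retention until {lock.retain_until.isoformat()}"
        return "ALLOW", "no active lock"
    if req.action == "update_retention":
        if not retention_active(lock, now):
            return "ALLOW", "no active retention to protect"
        # Without a bypass, the only permitted change is extending the period under the same mode.
        extends = (req.new_mode == lock.mode and req.new_retain_until is not None
                   and req.new_retain_until >= lock.retain_until)
        if extends:
            return "ALLOW", "retention extended"
        if can_bypass(lock, req):
            return "ALLOW", "governance retention bypassed"
        return "DENY", "only extending the retention period is permitted"
    raise ValueError(f"unknown action {req.action!r}")


# Constructed clock; UNTIL is the RetainUntilDate used in the put-object-retention command above.
NOW = datetime(2024, 1, 17, tzinfo=timezone.utc)
UNTIL = datetime(2024, 2, 16, tzinfo=timezone.utc)


def results() -> dict:
    """Constructed cases covering the edge cases the page describes; returns name -> outcome."""
    comp = LockState(COMPLIANCE, UNTIL)
    gov = LockState(GOVERNANCE, UNTIL)
    held = LockState(GOVERNANCE, UNTIL, legal_hold=True)
    expired = LockState(COMPLIANCE, NOW - timedelta(days=1))
    bypass = dict(bypass_permission=True, bypass_header=True)
    cases = {
        "versionless delete": (comp, Request("delete")),
        "compliance delete version": (comp, Request("delete", "v1")),
        "compliance delete with bypass": (comp, Request("delete", "v1", **bypass)),
        "governance delete, permission only": (gov, Request("delete", "v1", bypass_permission=True)),
        "governance delete, header only": (gov, Request("delete", "v1", bypass_header=True)),
        "governance delete, permission and header": (gov, Request("delete", "v1", **bypass)),
        "governance delete, root and header": (gov, Request("delete", "v1", is_root=True, bypass_header=True)),
        "legal hold delete with bypass": (held, Request("delete", "v1", **bypass)),
        "expired retention delete": (expired, Request("delete", "v1")),
        "compliance extend": (comp, Request("update_retention", "v1", new_mode=COMPLIANCE, new_retain_until=UNTIL + timedelta(days=365))),
        "compliance shorten": (comp, Request("update_retention", "v1", new_mode=COMPLIANCE, new_retain_until=NOW)),
        "governance shorten with bypass": (gov, Request("update_retention", "v1", new_mode=GOVERNANCE, new_retain_until=NOW, **bypass)),
    }
    out = {name: evaluate(lock, req, NOW)[0] for name, (lock, req) in cases.items()}
    out["Days=30 default applied at NOW"] = default_retain_until(30, NOW)
    return out


if __name__ == "__main__":
    for name, outcome in results().items():
        print(f"{outcome:5}  {name}")
```

Running the module prints one line per scenario. The two cases worth checking after any bucket change are "governance delete, permission only" and "governance delete, header only": both are denied, because the bypass needs the IAM permission and the request header together, while a legal hold is denied even with both.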