
Object Lock

Object Lock is an S3 feature for versioned buckets, and Cubbit supports it. It adds a layer of protection to your data by letting you lock objects so that they cannot be deleted or overwritten, whether by accident or by an unauthorized party. Object Lock is especially useful for data retention and regulatory compliance, which is why more and more businesses need to implement it.

Cubbit supports both duration-based object retention and indefinite Legal Hold retention. For the time being, however, it supports only Compliance mode, not Governance mode.

What is WORM immutability?

Some docs may also refer to WORM immutability, which stands for Write-Once Read-Many. It means that once data is written, it cannot be modified, which is what object locking is all about.

Object Lock allows you to apply two different methods of preventing object deletion or modification: retention periods and legal holds.

Retention periods

Retention periods are time-based policies that prevent objects from being deleted or modified until a specific date or time has been reached. You can set retention periods on individual objects or on an entire bucket.

In a bucket, you can set the default retention period to apply to all objects in the bucket, or you can set a retention period on individual objects. When a retention period is in effect, the object cannot be deleted or modified until the retention period has expired.

To work with retention periods, you can use the S3 API PutObjectLockConfiguration to set the default retention configuration on a bucket; it is applied to every object uploaded into the bucket from then on.

Screenshot: Default retention period on the bucket

Alternatively, you can set a retention period on an individual object using the S3 API PutObjectRetention. This overrides the default bucket retention configuration for that specific object.

Screenshot: Lock a specific object up to a retention date

Legal holds

Legal holds are another method of preventing object deletion or modification, but they are not time-based. Instead, legal holds are designed to keep objects preserved indefinitely until the legal hold is removed. You can set a legal hold on individual objects, but not on an entire bucket.

When a legal hold is in effect, the object cannot be deleted or modified until the hold is removed. Legal holds can be used for legal or regulatory compliance purposes.

To set a legal hold on an object, you can use the S3 API PutObjectLegalHold.

Screenshot: Lock a specific object indefinitely with a legal hold

Compliance and Governance modes

Object Lock has two modes: compliance and governance. Compliance mode is designed for regulatory compliance purposes, while governance mode is designed for general object management.

Cubbit supports only compliance mode, which enforces the retention period or legal hold for the specified time and ensures that the object cannot be deleted or modified during that time. Governance mode, on the other hand, allows you to specify a retention period or legal hold, but it does not enforce it.

Locked objects cannot be deleted

Cubbit blocks any attempt to delete a specific object version that is locked, either by a legal hold or by a retention period that has not yet expired.

Screenshot: Locked objects cannot be deleted

However, a normal delete operation that does not specify a version ID still follows the usual behavior of versioned buckets: a delete marker is created and the locked version is left in place.
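The two delete behaviors above are easier to reason about when the rules are written down as code. The following is an added example, not Cubbit's code: an in-memory model of a versioned bucket with Object Lock in compliance mode that applies the rules described on this page (default bucket retention, per-object retention, legal hold, rejected versioned deletes, delete markers for unversioned deletes). It also encodes one S3 compliance-mode rule the page does not spell out, namely that a running retention period can be extended but never shortened. All names (`LockedBucket`, `ObjectLockedError`, the sample key and content) are the example's own.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


class ObjectLockedError(Exception):
    """Raised when a request would remove, or weaken, protection on a locked version."""


@dataclass
class Version:
    version_id: str
    data: Optional[bytes]                    # None means this version is a delete marker
    retain_until: Optional[datetime] = None  # from the bucket default or PutObjectRetention
    legal_hold: bool = False                 # from PutObjectLegalHold


@dataclass
class LockedBucket:
    """A versioned bucket created with Object Lock enabled; compliance mode only."""
    default_retention: Optional[timedelta] = None
    objects: Dict[str, List[Version]] = field(default_factory=dict)
    counter: int = 0

    def _next_id(self) -> str:
        self.counter += 1
        return f"v{self.counter}"

    def _find(self, key: str, version_id: str) -> Version:
        for v in self.objects.get(key, []):
            if v.version_id == version_id:
                return v
        raise KeyError(f"{key}@{version_id}")

    def put_object(self, key: str, data: bytes, now: datetime) -> str:
        """Stores a new version; the bucket default retention, if any, is stamped on it."""
        v = Version(self._next_id(), data)
        if self.default_retention is not None:
            v.retain_until = now + self.default_retention
        self.objects.setdefault(key, []).append(v)
        return v.version_id

    def put_object_retention(self, key: str, version_id: str,
                             retain_until: datetime, now: datetime) -> None:
        """Per-object retention overrides the bucket default. In compliance mode a
        retention period that is still running can only be extended (S3 rule)."""
        v = self._find(key, version_id)
        if v.retain_until is not None and now < v.retain_until and retain_until < v.retain_until:
            raise ObjectLockedError("compliance mode: retention cannot be shortened")
        v.retain_until = retain_until

    def put_object_legal_hold(self, key: str, version_id: str, status_on: bool) -> None:
        self._find(key, version_id).legal_hold = status_on

    def is_locked(self, key: str, version_id: str, now: datetime) -> bool:
        v = self._find(key, version_id)
        if v.legal_hold:                      # legal hold: locked regardless of dates
            return True
        return v.retain_until is not None and now < v.retain_until

    def delete_object(self, key: str, now: datetime,
                      version_id: Optional[str] = None) -> Tuple[str, str]:
        if version_id is None:                # no version ID: just add a delete marker
            marker = Version(self._next_id(), None)
            self.objects.setdefault(key, []).append(marker)
            return ("delete-marker", marker.version_id)
        if self.is_locked(key, version_id, now):
            raise ObjectLockedError(f"{key}@{version_id} is locked")
        self.objects[key] = [v for v in self.objects[key] if v.version_id != version_id]
        return ("deleted", version_id)

    def get_object(self, key: str) -> Optional[bytes]:
        """Current content, or None when the newest version is a delete marker."""
        versions = self.objects.get(key)
        if not versions or versions[-1].data is None:
            return None
        return versions[-1].data


def simulate() -> dict:
    """Runs the scenarios from the text against the model and returns the outcomes."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    bucket = LockedBucket(default_retention=timedelta(days=30))
    key = "audit-log.txt"
    vid = bucket.put_object(key, b"constructed sample content", t0)
    out = {}
    # 1. Delete without a version ID: a delete marker hides the object, nothing is lost.
    out["unversioned_delete"] = bucket.delete_object(key, t0)[0]
    out["visible_after_marker"] = bucket.get_object(key)
    out["locked_version_kept"] = bucket.is_locked(key, vid, t0)
    # 2. Deleting the locked version explicitly is rejected while retention runs.
    try:
        bucket.delete_object(key, t0, version_id=vid)
        out["versioned_delete_during_retention"] = "deleted"
    except ObjectLockedError:
        out["versioned_delete_during_retention"] = "rejected"
    # 3. Per-object retention can extend the default, but not shorten a running period.
    bucket.put_object_retention(key, vid, t0 + timedelta(days=90), t0)
    try:
        bucket.put_object_retention(key, vid, t0 + timedelta(days=10), t0)
        out["shorten_retention"] = "allowed"
    except ObjectLockedError:
        out["shorten_retention"] = "rejected"
    # 4. After expiry a legal hold still locks the version; once it is lifted, delete works.
    later = t0 + timedelta(days=91)
    bucket.put_object_legal_hold(key, vid, True)
    out["locked_by_hold_after_expiry"] = bucket.is_locked(key, vid, later)
    bucket.put_object_legal_hold(key, vid, False)
    out["versioned_delete_after_expiry"] = bucket.delete_object(key, later, version_id=vid)[0]
    return out


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The point to take from `simulate()` is the difference between the two delete paths: the unversioned delete succeeds and creates a marker, which is why a locked bucket can still look "empty" in a listing, while the data remains recoverable and undeletable until both the retention date has passed and any legal hold has been lifted.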

Requirements for Object Lock

There are a few requirements to keep in mind when working with this feature, all of which relate to bucket versioning.

  • You can only turn on object locking during bucket creation. You cannot enable it later.
  • When you create a bucket with Object Lock enabled, bucket versioning is automatically enabled.
  • You cannot turn off Object Lock or suspend versioning for a bucket that you created with Object Lock enabled.

Usage

The following section explains how to work with this feature, either through the Cubbit Console or through the AWS s3api CLI commands.

Create a bucket with object locking enabled

Let's start by enabling object locking on a brand new bucket.

As we just said, according to the S3 protocol, the only way to enable locking on a bucket is during its creation.

  1. Sign in with the Cubbit Console.
  2. Click on the "Create bucket" button on the top right.
  3. Insert a bucket name in the top section called "Bucket name".
  4. In the "Object Lock" section at the bottom, click the "Object Lock enabled" button and finally confirm by clicking the "Create bucket" button.

Screenshot: Cubbit Console - Create bucket with object locking

You should see a brand new bucket, with both versioning and object locking enabled.

Set a default retention period on the bucket

You can then set a default retention period on the bucket, either by days or years.

You can access this menu either at the bucket creation stage or afterwards, by opening the bucket menu (the three dots icon on the right) and clicking the "Manage" button:

Screenshot: Cubbit Console - Set a default retention period on the bucket

Lock a specific object up to a retention date

You can then set a retention period on a specific object.

You can access this menu by opening the object menu (the three dots icon on the right) and clicking the "Object details" button:

Screenshot: Cubbit Console - Lock a specific object up to a retention date

Lock a specific object indefinitely with a legal hold

You can then set a legal hold on a specific object.

As above, you can access this menu by opening the object menu (the three dots icon on the right) and clicking the "Object details" button:

Screenshot: Cubbit Console - Lock a specific object indefinitely with a legal hold
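The same steps can be driven through the S3 API instead of the Console. The script below is an added example written with boto3; it is not Cubbit's own code or tooling. It creates a bucket with Object Lock enabled, sets a bucket default retention with PutObjectLockConfiguration, uploads an object, overrides its retention with PutObjectRetention, puts a legal hold on it with PutObjectLegalHold, reads back both protections, and then issues the two kinds of delete from the "Locked objects cannot be deleted" section. The endpoint, credentials and bucket name are placeholders you must replace; the helper names (`default_retention_config`, `version_is_locked`, `walkthrough`) and the sample key are the example's own, and the error code printed for the rejected delete is whatever the service returns (AccessDenied on S3).

```python
import sys
from datetime import datetime, timedelta, timezone


def default_retention_config(days=None, years=None):
    """Body for PutObjectLockConfiguration: a COMPLIANCE default retention by days or
    years. A DefaultRetention rule accepts exactly one of Days or Years."""
    if (days is None) == (years is None):
        raise ValueError("specify exactly one of days or years")
    period = {"Days": days} if days is not None else {"Years": years}
    return {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", **period}}}


def retention_params(retain_until):
    """Body for PutObjectRetention; Cubbit supports COMPLIANCE mode only."""
    return {"Mode": "COMPLIANCE", "RetainUntilDate": retain_until}


def version_is_locked(retention, legal_hold, now):
    """True when a version is currently protected, given the 'Retention' dict returned by
    GetObjectRetention (or None) and the 'LegalHold' dict from GetObjectLegalHold (or None)."""
    if legal_hold is not None and legal_hold.get("Status") == "ON":
        return True
    if retention is not None and retention.get("RetainUntilDate") is not None:
        return now < retention["RetainUntilDate"]
    return False


def make_client(endpoint_url, access_key, secret_key):
    import boto3  # imported here so the pure helpers above work without boto3 installed
    return boto3.client("s3", endpoint_url=endpoint_url,
                        aws_access_key_id=access_key, aws_secret_access_key=secret_key)


def walkthrough(s3, bucket, key="invoice.pdf"):
    """Creates a locked bucket, applies every kind of lock, and shows which deletes fail."""
    from botocore.exceptions import ClientError
    now = datetime.now(timezone.utc)

    # 1. Object Lock can only be enabled at creation; versioning is enabled with it.
    s3.create_bucket(Bucket=bucket, ObjectLockEnabledForBucket=True)
    # 2. Bucket-wide default: every future upload is retained for 30 days.
    s3.put_object_lock_configuration(
        Bucket=bucket, ObjectLockConfiguration=default_retention_config(days=30))
    # 3. Upload; the default retention is applied to this version automatically.
    vid = s3.put_object(Bucket=bucket, Key=key, Body=b"constructed sample")["VersionId"]
    # 4. Per-object retention overrides the default for this version (extend to 90 days).
    s3.put_object_retention(Bucket=bucket, Key=key, VersionId=vid,
                            Retention=retention_params(now + timedelta(days=90)))
    # 5. Legal hold: indefinite and independent of dates, until explicitly set to OFF.
    s3.put_object_legal_hold(Bucket=bucket, Key=key, VersionId=vid,
                             LegalHold={"Status": "ON"})

    # 6. Audit what protects the version right now.
    retention = s3.get_object_retention(Bucket=bucket, Key=key, VersionId=vid)["Retention"]
    hold = s3.get_object_legal_hold(Bucket=bucket, Key=key, VersionId=vid)["LegalHold"]
    print("locked now:", version_is_locked(retention, hold, now), retention, hold)

    # 7. A versioned delete of the locked version is rejected by the service.
    try:
        s3.delete_object(Bucket=bucket, Key=key, VersionId=vid)
        print("unexpected: locked version was deleted")
    except ClientError as err:
        print("versioned delete rejected:", err.response["Error"]["Code"])
    # 8. A delete without VersionId only adds a delete marker; the data stays.
    resp = s3.delete_object(Bucket=bucket, Key=key)
    print("delete marker created:", resp.get("DeleteMarker"), "marker id:", resp.get("VersionId"))


if __name__ == "__main__":
    # Placeholders: replace with your Cubbit S3 endpoint, keys and a unique bucket name.
    client = make_client("https://<your-cubbit-s3-endpoint>", "<ACCESS_KEY>", "<SECRET_KEY>")
    walkthrough(client, sys.argv[1] if len(sys.argv) > 1 else "<unique-bucket-name>")
```

`version_is_locked` is the check worth keeping around: fed with the output of GetObjectRetention and GetObjectLegalHold it tells you whether a given version is protected at this moment, which is what a retention audit or a pre-cleanup script needs to know before it tries a versioned delete.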