Yandex project
© 2023 Yandex.Cloud LLC

Object locks

Written by
Yandex Cloud
  • Object lock types
    • Table of roles and actions
  • Default object locks
  • How to configure object locks

Using object locks in versioned buckets lets you prevent an object version from being deleted or overwritten. Object locks store versions according to the WORM (write once, read many) model, while you can still upload new object versions.

To be able to put locks on object versions in your bucket:

  1. Contact support and request the object lock feature for your cloud. You only need to do it once per cloud.
  2. Enable locks in your bucket settings by following the instructions.

Enabling locks doesn't put locks on previously uploaded object versions; it only gives you the option to lock them. Disabling object lock doesn't disable locks that were set previously: they remain in effect, and you can't remove or change them.

There are different types of object locks, which differ in retention period and strictness.

You can enable object locks for specific object versions (when or after uploading them) or set default object locks for all new versions uploaded to a bucket.

Object lock types

Two types of object locks are set for a certain period until the date and time you specify:

Object locks with governance-mode retention
  • Users with permission to upload objects (the storage.uploader role) can set a lock.
  • Users who are Object Storage administrators (the storage.admin role) can bypass a lock (delete or overwrite an object version), change its retention period, or remove it. The user should explicitly confirm these actions, for example, when sending a request via the Amazon S3-compatible REST API with the X-Amz-Bypass-Governance-Retention: true header.

Object locks with compliance-mode retention
  • Users with permission to upload objects (the storage.uploader role) can set a lock.
  • Users who are Object Storage administrators (the storage.admin role) can only extend a lock's retention period.
  • This lock can't be bypassed, shortened, or removed until it expires.

There is one more type of object lock that is set indefinitely:

Legal hold
  • Users with permission to upload objects (the storage.uploader role) can set and remove a lock.
  • This lock can't be bypassed.

Object locks set for a certain amount of time and those set indefinitely are managed independently. You can concurrently lock an object version using one lock with a retention period and one legal hold. If applied together, a legal hold takes priority: an object version can't be deleted or overwritten even if a lock with a retention period allows some users to do that.

Table of roles and actions

| Type of object lock | ⏳ Governance | ⏳ Compliance | ♾ Legal hold |
|---|---|---|---|
| Who can... | | | |
| ...set a lock | storage.uploader | storage.uploader | storage.uploader |
| ...delete or overwrite an object version | storage.admin | No one | No one |
| ...shorten a lock's retention period | storage.admin | No one | — |
| ...extend a lock's retention period | storage.admin | storage.admin | — |
| ...remove a lock set for a certain period and place a new one | storage.admin | No one | — |
| ...remove a lock | storage.admin | No one | storage.uploader |
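
The rules in the lock type descriptions and the roles-and-actions table above, expressed as a decision function. This is an added example, not Object Storage code: the class and function names are hypothetical, the mode strings follow the Amazon S3-compatible API, and it assumes that storage.admin also holds upload permission and that ordinary delete permission is checked elsewhere.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

UPLOADER, ADMIN = "storage.uploader", "storage.admin"

@dataclass
class VersionLocks:
    """Lock state of one object version (constructed model, not an API type)."""
    mode: Optional[str] = None               # "GOVERNANCE" or "COMPLIANCE"
    retain_until: Optional[datetime] = None  # retain-until date and time
    legal_hold: bool = False                 # indefinite lock, managed independently

def retention_active(locks, now):
    """A retention-period lock applies only until its retain-until time."""
    return (locks.mode is not None and locks.retain_until is not None
            and now < locks.retain_until)

def can_delete_or_overwrite(locks, role, bypass_confirmed, now):
    """Return (allowed, reason) for deleting or overwriting an object version."""
    if locks.legal_hold:
        # A legal hold wins even if a governance lock would allow the action.
        return False, "legal hold takes priority"
    if not retention_active(locks, now):
        return True, "no active lock"
    if locks.mode == "COMPLIANCE":
        return False, "compliance lock cannot be bypassed"
    if role == ADMIN and bypass_confirmed:
        return True, "governance lock bypassed by storage.admin"
    return False, "governance bypass needs storage.admin and explicit confirmation"

def can_set_retention(locks, role, new_until, bypass_confirmed, now):
    """Return (allowed, reason); new_until=None means removing the lock."""
    if not retention_active(locks, now):
        # Assumption: storage.admin also holds upload permission.
        ok = role in (UPLOADER, ADMIN) and new_until is not None
        return ok, "set new lock" if ok else "nothing to remove or no upload permission"
    if locks.mode == "COMPLIANCE":
        if role == ADMIN and new_until is not None and new_until > locks.retain_until:
            return True, "extend compliance lock"
        return False, "compliance lock can only be extended, by storage.admin"
    if role == ADMIN and bypass_confirmed:
        return True, "governance lock changed by storage.admin"
    return False, "governance change needs storage.admin and explicit confirmation"
```

`bypass_confirmed` stands for the explicit confirmation described above, such as the X-Amz-Bypass-Governance-Retention: true header on a REST request.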

Default object locks

You can set default object locks for a bucket: they will apply to all new object versions uploaded to it.

Specify the following for the default object locks:

  • Type: Governance-mode or compliance-mode retention.
  • Retention period in days or years after an object version is uploaded. The retain until date and time are defined for each version automatically.

If you set up the default object locks for your bucket, an MD5 hash needs to be calculated for each uploaded object version and encoded with Base64. The resulting value should be specified in a request. For example, if you send requests using the REST API, specify it in the Content-MD5 header.
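
An added example (not from the Object Storage documentation) of computing the Content-MD5 value for an upload body and classifying the usual encoding mistakes, where the hex digest is sent instead of the Base64 of the raw 16-byte digest. The function names and the sample body are constructed for illustration.

```python
import base64
import binascii
import hashlib
import io

def content_md5(stream, chunk_size=1 << 20):
    """Base64 of the raw 16-byte MD5 digest, read in chunks for large bodies."""
    digest = hashlib.md5()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return base64.b64encode(digest.digest()).decode("ascii")

def classify_content_md5(value, body):
    """Compare a candidate Content-MD5 value with the body and name the problem."""
    md5 = hashlib.md5(body)
    # A 32-character hex digest is itself valid Base64, so test for it first.
    if value.lower() == md5.hexdigest():
        return "hex digest sent instead of Base64"
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "not valid Base64"
    if raw == md5.digest():
        return "ok"
    if raw == md5.hexdigest().encode("ascii"):
        return "Base64 of the hex string, not of the raw digest"
    return "mismatch" if len(raw) == 16 else "wrong digest length"

# Constructed sample body standing in for an object version to upload.
SAMPLE_BODY = b"constructed sample object body\n"

if __name__ == "__main__":
    header = content_md5(io.BytesIO(SAMPLE_BODY))
    print("Content-MD5:", header, "->", classify_content_md5(header, SAMPLE_BODY))
```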

Even if the bucket has default object locks configured, you can change the settings of a lock with a retention period when or after uploading a specific object version, and the new settings take priority. In this case, you can't upload a version without a lock set for a certain period, and you can't remove such a lock.

Changes to the default lock settings don't affect the object versions already uploaded to the bucket.

How to configure object locks

See the instructions:

  • Configuring bucket object locks: Enabling object locks and setting up default object locks.
  • Uploading an object version with an object lock.
  • Configuring object locks: setting, updating, and removing a lock.
  • Deleting an object version with an object lock.
