Managing object locks in buckets
You can set up object locks in versioned buckets. When object lock is enabled, you can lock an object version so that it cannot be deleted or overwritten. You can also set default object locks for a bucket that will apply to all new object versions.
Note
In buckets with paused versioning, object lock is not available.
Enabling an object lock
Enabling locks does not mean locking previously uploaded object versions. If required, you can lock them manually.
The minimum required role is storage.admin.
To enable object locks:
If you do not have the AWS CLI yet, install and configure it.
Run the following command:
aws s3api put-object-lock-configuration \
--bucket <bucket_name> \
--object-lock-configuration ObjectLockEnabled=Enabled \
--endpoint-url=https://storage.yandexcloud.net
Where:
--bucket: Bucket name.
--object-lock-configuration: Lock configuration in the bucket. The ObjectLockEnabled=Enabled value enables object lock.
--endpoint-url: Object Storage endpoint.
Use the putObjectLockConfiguration S3 API method, update REST API method for the Bucket resource, or the BucketService/Update gRPC API call.
Setting up default object locks
Default locks are set for all new object versions uploaded to the bucket. These settings don't affect previously uploaded versions.
The minimum required role is storage.admin.
To set up default object locks:
If you do not have the AWS CLI yet, install and configure it.
Specify a configuration for default object locks in JSON format:
{
  "ObjectLockEnabled": "Enabled",
  "Rule": {
    "DefaultRetention": {
      "Mode": "<lock_type>",
      "Days": <lock_period_in_days>,
      "Years": <lock_period_in_years>
    }
  }
}
Where:
ObjectLockEnabled: Object lock status:
  Enabled: Object lock is enabled.
  Alert
  This is a required field. If you omit Enabled in this parameter, you'll see the InvalidRequest error message, and object lock will not be enabled. See also Disabling object locks.
Mode: Type of object lock:
  GOVERNANCE: Object lock with a predefined retention period that can be managed.
  COMPLIANCE: Object lock with a predefined retention period with strict compliance.
Days: The retention period in days after uploading an object version. It must be a positive integer. You can't set it simultaneously with Years.
Years: The retention period in years after uploading an object version. It must be a positive integer. You can't set it simultaneously with Days.
When you're done, you can save your configuration as a file, like default-object-lock.json.
Upload the configuration to the bucket:
aws s3api put-object-lock-configuration \
--bucket <bucket_name> \
--object-lock-configuration file://default-object-lock.json \
--endpoint-url=https://storage.yandexcloud.net
Where:
--bucket: Bucket name.
--object-lock-configuration: Default object lock configuration. In this case, specified in the default-object-lock.json file.
--endpoint-url: Object Storage endpoint.
Disabling object locks
If you disable the object lock feature, this will not disable existing locks. They will still be there, and you will not be able to remove or change them.
The minimum required role is storage.admin.
To disable object locks:
If you do not have the AWS CLI yet, install and configure it.
Run the following command:
aws s3api put-object-lock-configuration \
--bucket <bucket_name> \
--object-lock-configuration ObjectLockEnabled="" \
--endpoint-url=https://storage.yandexcloud.net
Where:
--bucket: Bucket name.
--object-lock-configuration: Lock configuration in the bucket. The ObjectLockEnabled="" value disables object lock.
--endpoint-url: Object Storage endpoint.
To disable object lock for a bucket, use the putObjectLockConfiguration S3 API method, update REST API method for the Bucket resource, or the BucketService/Update gRPC API call.
In the request body, send the object lock parameter with an empty value:
ObjectLockConfiguration: For S3 API.
objectLock: For REST API.
object_lock: For gRPC API.
Example of the HTTP request body for S3 API:
<ObjectLockConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/" />