Configuring a Default Object Lock on Your Bucket

You can use the Object Lock feature to prevent objects in a bucket from being deleted or modified for a fixed period of time.

Object Lock enables you to implement a write once read many (WORM) model. You can use Object Lock to meet certain regulatory compliance needs or security needs.

Once you apply an Object Lock configuration to a bucket, the default lock is applied to any future object uploaded to the bucket. However, you can also apply specific locks to specific objects in the bucket. For more information, see Configuring a Specific Object Lock on an Object.

Configuring a Default Object Lock on Your Bucket Using AWS CLI (s3api)

Enabling Object Lock on a Bucket

Before you begin: Install and configure AWS CLI. For more information, see Installing and Configuring AWS CLI.

To enable Object Lock on a bucket, you need to use the create-bucket command with the object-lock-enabled-for-bucket attribute. You can only enable Object Lock on new buckets. For more information, see Creating a Bucket.

When you create a bucket with Object Lock enabled, bucket versioning is also automatically enabled, and cannot be disabled. For more information on bucket versioning, see Using Bucket Versioning.

Request Sample
$ aws s3api create-bucket \
    --profile YOUR_PROFILE \
    --bucket BUCKET \
    --object-lock-enabled-for-bucket \
    --endpoint https://oos.eu-west-2.outscale.com

The bucket with Object Lock enabled is created.

Since versioning is automatically enabled on a bucket where Object Lock has been enabled, deleting a locked object will only create a delete marker.

This is because versioning ensures that every version of an object is preserved, while Object Lock specifically safeguards certain versions from being altered or deleted.

This means that when a delete operation is attempted on a locked object, the object actually remains stored and protected, even if the delete marker makes it seem as if the object has been deleted. Also note that a delete marker cannot be WORM-protected and can thus be removed. For more information, see About Delete Markers.

Applying an Object Lock Configuration to a Bucket

To apply a default Object Lock configuration to any future object uploaded to your bucket, use the put-object-lock-configuration command following this syntax:

Request sample
$ aws s3api put-object-lock-configuration \
    --profile YOUR_PROFILE \
    --bucket BUCKET \
    --object-lock-configuration file://path/to/configuration/file \
    --endpoint https://oos.eu-west-2.outscale.com

This command contains the following attributes that you need to specify:

  • (optional) profile: The named profile you want to use, created when configuring AWS CLI. For more information, see Installing and Configuring AWS CLI.

  • bucket: The name of the bucket to which you want to add the Object Lock configuration.

  • object-lock-configuration: The path to the JSON configuration file containing the Object Lock rules to apply to your objects. For more information on how to write this file, see Object Lock Configuration Reference.

    You can also specify these rules as an inline JSON string.

  • endpoint: The endpoint corresponding to the Region you want to send the request to. For more information, see Installing and Configuring AWS CLI.

The Object Lock configuration is applied to new objects placed in your bucket.

You can change the default Object Lock configuration of your bucket using the same command. However, keep in mind that the new configuration will only apply to objects uploaded after the configuration change. Objects uploaded before the change will retain the previous configuration.

Getting Information About an Object Lock Configuration

To get information about the Object Lock configuration of your bucket, use the get-object-lock-configuration command following this syntax:

Request sample
$ aws s3api get-object-lock-configuration \
    --profile YOUR_PROFILE \
    --bucket BUCKET \
    --endpoint https://oos.eu-west-2.outscale.com

This command contains the following attributes that you need to specify:

  • (optional) profile: The named profile you want to use, created when configuring AWS CLI. For more information, see Installing and Configuring AWS CLI.

  • bucket: The name of the bucket with Object Lock enabled.

  • endpoint: The endpoint corresponding to the Region you want to send the request to. For more information, see Installing and Configuring AWS CLI.

The get-object-lock-configuration command returns the following elements:

Result sample
{
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {
            "DefaultRetention": {
                "Mode": "COMPLIANCE",
                "Days": 2
            }
        }
    }
}
  • ObjectLockEnabled: Indicates that Object Lock has been enabled on the bucket.

  • Rule: The specific retention rule applied as default for objects placed in the buckets.

  • DefaultRetention: Defines the default retention parameters for new objects placed in the bucket.

  • Mode: The retention mode for the bucket. The value is always COMPLIANCE, which prevents any user, including the root user, from deleting or modifying objects within the bucket until the retention period expires.

    OUTSCALE Object Storage currently does not support GOVERNANCE mode.

  • Days or Years: The retention period, in days or years, after which the objects are no longer protected.

    Keep in mind that in COMPLIANCE mode, it is not possible to bypass the retention period until its expiration. This means you will be billed for the entire retention period you set.

Related Pages

AWS™ and Amazon Web Services™ are trademarks of Amazon Technologies, Inc or its affiliates in the United States and/or other countries.