Configuring a Specific Object Lock on an Object

You can apply specific lock settings to individual objects within a bucket that has Object Lock enabled.

Configuring a Specific Object Lock on an Object using AWS CLI (s3api)

Locking an Object Using Retention Settings

Before you begin:

Install and configure AWS CLI and set up your profile. For more information, see Installing and Configuring AWS CLI.
Configure a default Object Lock on your bucket. For more information, see Configuring a Default Object Lock on Your Bucket.

To lock an object using retention settings, use the put-object-retention command following this syntax:

Request sample

aws s3api put-object-retention \
    --profile YOUR_PROFILE \
    --bucket BUCKET \
    --key integer \
    --retention '{ "Mode": "string", "RetainUntilDate": "date"}' \
    --endpoint https://oos.eu-west-2.outscale.com

This command contains the following attributes that you need to specify:

(optional) profile: The named profile you want to use, created when configuring AWS CLI. For more information, see Installing and Configuring AWS CLI.
bucket: The name of the bucket where the object you want to lock is located.
key: The name of the object you want to lock.

retention: The retention rule for the object you want to lock.

You can also specify this parameter as a JSON file, using the file://path/to/configuration/file format.

Mode: The retention mode for the bucket. The value is always COMPLIANCE, which prevents any user, including the root user, from deleting or modifying objects within the bucket until the retention period expires.

OUTSCALE Object Storage currently does not support GOVERNANCE mode.

RetainUntilDate: The date, in ISO 8601 format, until which the object will be locked. For example, if set to 2050-01-01T00:00:00Z, the object will remain locked until the very start of January 1, 2050, at midnight UTC.

Keep in mind that in COMPLIANCE mode:

You cannot bypass the retention period until its expiration. This means you will be billed for the entire retention period you set.
The retention period cannot be earlier than the default Object Lock of the bucket.

endpoint: The endpoint corresponding to the Region you want to send the request to.

Your object is locked according to the settings you configured.

Since versioning is automatically enabled on a bucket where Object Lock has been enabled, deleting a locked object will only create a delete marker.

This is because versioning ensures that every version of an object is preserved, while Object Lock specifically safeguards certain versions from being altered or deleted.

This means that when a delete operation is attempted on a locked object, the object actually remains stored and protected, even if the delete marker makes it seem as if the object has been deleted. Also note that a delete marker cannot be WORM-protected and can thus be removed.

Getting Information About the Retention Settings of an Object

To get information about the settings on your locked object, use the get-object-retention command following this syntax:

Request sample

aws s3api get-object-retention \
    --profile YOUR_PROFILE \
    --bucket BUCKET \
    --version-id integer \
    --key integer \
    --endpoint https://oos.eu-west-2.outscale.com

This command contains the following attributes that you need to specify:

(optional) profile: The named profile you want to use, created when configuring AWS CLI. For more information, see Installing and Configuring AWS CLI.
bucket: The name of the bucket where the object you locked is located.
version-id: The ID of a version of the object whose retention settings you want to retrieve.
key: The name of the object you locked.
endpoint: The endpoint corresponding to the Region you want to send the request to.

The get-object-retention returns the following elements:

Result sample

{
    "Retention": {
        "Mode": "integer",
        "RetainUntilDate": "date"
    }
}

Retention: The retention rule applied to your object.
- Mode: The retention mode for the bucket. The value is always COMPLIANCE, which prevents any user, including the root user, from deleting or modifying objects within the bucket until the retention period expires.
  
  OUTSCALE Object Storage currently does not support GOVERNANCE mode.
- RetainUntilDate: RetainUntilDate: The date, in ISO 8601 format, until which the object will be locked. For example, if set to 2050-01-01T00:00:00Z, the object will remain locked until the very start of January 1, 2050, at midnight UTC.

Related Pages

AWS™ and Amazon Web Services™ are trademarks of Amazon Technologies, Inc or its affiliates in the United States and/or other countries.