S3 Bucket Legal Hold

To enable and configure Object Lock when creating the bucket, you must first ensure that versioning is enabled. Without versioning, it is NOT possible to enable Object Lock, which you will find under the Advanced settings in step 2, «Configure options», when creating your bucket. Legal hold is independent of retention periods. As long as the bucket that contains the object has Object Lock enabled, you can place and remove legal holds regardless of whether a retention period is set on the specified object version. A legal hold on an object version does not affect the retention mode or retention period of that object version. Compliance mode. The main difference between compliance mode and governance mode is that in compliance mode no user can override the defined retention period or delete the object, and this includes the AWS account root user with the highest privileges. Essentially, any object added to a bucket configured for compliance mode will persist for the duration of the retention period. The bucket default settings require both a mode and a period.

The default bucket mode is either Governance or Compliance. For more information, see Retention Modes. A legal hold can also be placed on an object version. Once a legal hold is in place, that object version cannot be deleted until the legal hold is removed, regardless of the object's retention date or retention mode. You can set a retention period for an object version explicitly or through a bucket default. When you explicitly apply a retention period to an object version, you specify a Retain Until Date for that object version. Amazon S3 stores the Retain Until Date setting in the object version's metadata and protects the object version until the retention period expires. After you create your bucket, you must enable Object Lock on each object in your bucket. For this example, I uploaded an image to the S3 bucket I just created.

Click the object, go to the Properties tab, and then click the Object Lock box to open the following screen. Unfortunately, the AWS S3 specification does not allow Object Lock to be enabled on existing buckets. To enable the Object Lock flag for an existing bucket, Scality is developing a tool that will be available soon. For an example of using the AWS CLI for this operation, see Using S3 Batch Operations with S3 Object Lock. A retention period protects an object version for a specified period of time. When you set a retention period for an object version, Amazon S3 stores a timestamp in the object version's metadata indicating when the retention period expires. After the retention period expires, the object version can be overwritten or deleted, unless you have also placed a legal hold on that object version. Enabling governance mode prevents your users from deleting or overwriting object versions in the bucket for the duration specified by the retention period. However, a user with very specific permissions, including s3:BypassGovernanceMode, s3:GetObjectLockConfiguration and s3:GetObjectRetention, can still delete an object version during the retention period or change the retention settings specified on the bucket. Versioning and S3 Object Lock must be configured on the bucket where the task runs. Two retention modes are offered, and the settings you select here define the default retention applied to an object when it is added to the bucket, and thereby the protection that Object Lock provides. The Legal Hold element appears only for object versions, not at the bucket level; it behaves similarly to a retention period in that it prevents deletion of the object, but a legal hold has no expiration date.

Therefore, the object remains protected until a user with the s3:PutObjectLegalHold permission removes the legal hold from the object. An object that is already protected by a retention period can also be placed under a legal hold. The object then remains protected by the legal hold regardless of whether the retention period has expired. If you are using bucket defaults, you do not specify a retention date. Instead, you specify a duration, in days or years, for which to protect each object version placed in the bucket. When you place an object in the bucket, Amazon S3 calculates a retention date for the object version by adding the specified duration to the object version's creation timestamp, and stores that retention date in the object version's metadata. The object version is then protected exactly as if you had explicitly set a lock with this retention period on it. Object Lock can only be enabled on a bucket when the bucket is created. If you try to enable it on an existing bucket by clicking the Object Lock tile in the bucket properties, you receive the following error message. To use Object Lock well, you need to make sure of a few things. The Object Lock flag must be set when you create the bucket, and versioning must be enabled for that bucket.

Additionally, Object Lock must be enabled on a bucket (that is, the bucket must carry the Object Lock flag) before you can write a lock configuration with the PUT Object Lock configuration API. Users can only enable Object Lock on new buckets themselves, but it can be enabled on existing buckets by contacting AWS Support. When you create a bucket, the option is located under Advanced settings, but it cannot be enabled until versioning is enabled. When you set governance mode, you are prompted to add a retention period in days, which determines how long the object is protected by an object lock that prevents it from being deleted. When an object is added to the bucket, a timestamp reflecting the retention period is added to its metadata. After the retention period expires, the object can be deleted again. This feature is often used to satisfy a level of compliance called WORM, which stands for «Write Once Read Many». It gives the objects in your bucket a defined level of protection against deletion, either for a period of time that you define or until the end of time! The ability to add retention periods with Object Lock helps S3 comply with regulations such as those of FINRA, the Financial Industry Regulatory Authority.
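The rules laid out above (bucket-default retention dates computed from the version's creation timestamp, governance versus compliance mode, and a legal hold that outlives the retention period and is unaffected by it) can be exercised offline with the following Python model. This is an added example, not code from the original article, from Scality or from AWS: it does not call S3, it only reproduces the delete-decision logic so the interaction between the three controls can be checked. Two assumptions are made: a retention "year" is counted as 365 days, and a governance-mode bypass needs both the IAM action s3:BypassGovernanceRetention (the name AWS documents for the permission the text calls s3:BypassGovernanceMode) and the explicit bypass flag on the request; the timestamps are constructed sample values.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

GOVERNANCE = "GOVERNANCE"
COMPLIANCE = "COMPLIANCE"


@dataclass(frozen=True)
class DefaultRetention:
    """Bucket default retention: a mode plus a duration in days OR years."""
    mode: str
    days: Optional[int] = None
    years: Optional[int] = None


@dataclass(frozen=True)
class VersionLock:
    """Lock metadata S3 keeps per object version (modelled here, not read from S3)."""
    mode: Optional[str] = None            # GOVERNANCE, COMPLIANCE or None
    retain_until: Optional[datetime] = None
    legal_hold: bool = False


def retain_until_date(created: datetime, default: DefaultRetention) -> datetime:
    """Retain Until Date a bucket default yields for a version created at `created`.
    Assumption: a year is counted as 365 days."""
    if default.mode not in (GOVERNANCE, COMPLIANCE):
        raise ValueError("default retention mode must be GOVERNANCE or COMPLIANCE")
    if (default.days is None) == (default.years is None):
        raise ValueError("specify exactly one of days or years")
    days = default.days if default.days is not None else 365 * default.years
    if days < 1:
        raise ValueError("retention must be at least one day")
    return created + timedelta(days=days)


def lock_from_default(created: datetime, default: DefaultRetention) -> VersionLock:
    """What S3 stores on a new version when the bucket default applies."""
    return VersionLock(mode=default.mode, retain_until=retain_until_date(created, default))


def set_legal_hold(lock: VersionLock, on: bool) -> VersionLock:
    """PutObjectLegalHold: toggles the hold; mode and retention date are untouched."""
    return replace(lock, legal_hold=on)


def can_delete_version(lock: VersionLock, now: datetime,
                       has_bypass_permission: bool = False,
                       bypass_requested: bool = False) -> Tuple[bool, str]:
    """Decide whether a DeleteObject on this version succeeds, and why."""
    if lock.legal_hold:
        return False, "legal hold ON: remove it first (needs s3:PutObjectLegalHold)"
    if lock.retain_until is None or now >= lock.retain_until:
        return True, "no active retention period"
    if lock.mode == COMPLIANCE:
        return False, "COMPLIANCE retention active: no user, root included, can bypass it"
    if lock.mode == GOVERNANCE:
        if has_bypass_permission and bypass_requested:
            return True, "GOVERNANCE retention bypassed (permission plus explicit bypass flag)"
        return False, "GOVERNANCE retention active: permission and bypass flag both required"
    raise ValueError(f"unknown retention mode {lock.mode!r}")


SAMPLE_CREATED = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed sample timestamp


def run_scenario() -> dict:
    """Walk one object version through the states the text describes."""
    lock = lock_from_default(SAMPLE_CREATED, DefaultRetention(GOVERNANCE, days=30))
    during = SAMPLE_CREATED + timedelta(days=10)
    after = SAMPLE_CREATED + timedelta(days=31)
    results = {
        "retain_until": lock.retain_until.isoformat(),
        "delete_during": can_delete_version(lock, during)[0],
        "delete_during_bypass": can_delete_version(lock, during, True, True)[0],
        "delete_during_perm_only": can_delete_version(lock, during, True, False)[0],
        "delete_after": can_delete_version(lock, after)[0],
    }
    held = set_legal_hold(lock, True)
    results["hold_keeps_mode"] = (held.mode, held.retain_until) == (lock.mode, lock.retain_until)
    results["delete_after_with_hold"] = can_delete_version(held, after, True, True)[0]
    results["delete_after_hold_removed"] = can_delete_version(set_legal_hold(held, False), after)[0]
    comp = lock_from_default(SAMPLE_CREATED, DefaultRetention(COMPLIANCE, years=1))
    results["compliance_retain_until"] = comp.retain_until.isoformat()
    results["compliance_root_bypass"] = can_delete_version(comp, during, True, True)[0]
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The scenario shows the point the article makes in several places: a governance lock yields to a privileged, explicit bypass, a compliance lock does not, and a legal hold blocks deletion even after the retention date has passed and even for the caller holding the bypass permission, until someone with s3:PutObjectLegalHold removes it.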