Functionality overview
The Object Lock functionality allows to store objects using a WORM model (write once read many).
It prevents objects from being modified or deleted for some time. Duration is either limited (retention period) or unlimited (legal hold).
Typical use cases: regulatory requirement or better protect your data (for instance, immutable backup).
Some notes :
- the retention period feature implements 2 modes that change its behavior
- the 2 features can be used together or separately
- the functionality (Object Lock) must be activated when the bucket is created
- it also requires to activate the bucket versioning (automatic)
Caveat :
- because versioning is enabled, you can always delete an object
- it creates a delete marker as the current version
- the initial object stays unchanged (and protected)
Retention Period feature
The retention period can be configured:
- as default for a bucket (in days or years, applying to new objects)
- explicitly for an object (using a timestamp limit RetainUntilDate)
- independently from the legal hold feature
The retention mode must be configured at the same time:
- governance mode can be overridden with specific permissions (reduce,increase or delete retention)
- compliance mode can’t be overridden (including by the account owner)
Legal Hold feature
The legal hold can be configured:
- explicitly for an object
- independently from the retention period feature
Use cases with AWS CLI
AWS CLI (Command Line Interface) is an open source tool that enables you to configure and use object storage with commands in a text interface (Linux shell or Windows command line).
A user guide is available at https://docs.aws.amazon.com/cli/latest/userguide/.
Prerequisite : Object Lock activation
It’s only possible when you create the bucket with --object-lock-enabled-for-bucket
.
[root@mytest ~]# aws --endpoint-url https://s3-region01.cloudavenue.orange-business.com s3api create-bucket --bucket mydemobucket --object-lock-enabled-for-bucket
{
"Location": "/mydemobucket"
}
Bucket’s default retention
The setup requires both a mode (GOVERNANCE
or COMPLIANCE
) and a period (Days
or Years
).
Warning : COMPLIANCE mode can not be bypassed (even using an account’s root Access Key).
Mode GOVERNANCE et période de 1 jour:
[root@mytest ~]# aws --endpoint-url https://s3-region01.cloudavenue.orange-business.com s3api put-object-lock-configuration --bucket mydemobucket --object-lock-configuration '{ "ObjectLockEnabled": "Enabled", "Rule": { "DefaultRetention": { "Mode": "GOVERNANCE", "Days": 1 }}}'
After setup, any new object (PUT) gets automatically a retain until date metadata (ObjectLockRetainUntilDate
) :
[root@mytest ~]# aws --endpoint-url https://s3-region01.cloudavenue.orange-business.com s3api head-object --bucket mydemobucket --key object1
{
"AcceptRanges": "bytes",
"LastModified": "2022-09-30T09:34:28+00:00",
"ContentLength": 1048576,
"ETag": "\"2bd0a7886355c628b78b0052673d7789\"",
"VersionId": "3938333335343639353331313637393939393939524730303120203134372e3431323138303532392e333032",
"Metadata": {},
"ObjectLockMode": "GOVERNANCE",
"ObjectLockRetainUntilDate": "2022-10-01T09:34:28.810000+00:00"
}
You can’t delete the object until the date is passed :
[root@mytest ~]# aws --endpoint-url https://s3-region01.cloudavenue.orange-business.com s3api delete-object --bucket mydemobucket --key object1 --version-id 3938333335343639353331313637393939393939524730303120203134372e3431323138303532392e333032
An error occurred (AccessDenied) when calling the DeleteObject operation: Access Denied
However in GOVERNANCE mode, you can bypass retention period with --bypass-governance-retention
:
[root@mytest ~]# aws --endpoint-url https://s3-region01.cloudavenue.orange-business.com s3api delete-object --bucket mydemobucket --key object1 --version-id 3938333335343639353331313637393939393939524730303120203134372e3431323138303532392e333032 --bypass-governance-retention
{
"VersionId": "3938333335343639353331313637393939393939524730303120203134372e3431323138303532392e333032"
}
Extending an object’s retention period
You can extend an object’s retention period (by changing the RetainUntilDate
timestamp). You can’t reduce it.
The new timestamp must be later than the current one.
Extending in GOVERNANCE mode (with --bypass-governance-retention
) :
[root@mytest ~]# aws --endpoint-url https://s3-region01.cloudavenue.orange-business.com s3api head-object --bucket mydemobucket --key object1 {
"AcceptRanges": "bytes",
"LastModified": "2022-09-30T09:52:37+00:00",
"ContentLength": 1048576,
"ETag": "\"2bd0a7886355c628b78b0052673d7789\"",
"VersionId": "3938333335343638343432383535393939393939524730303120203134372e3431323139393337322e333034",
"Metadata": {},
"ObjectLockMode": "GOVERNANCE",
"ObjectLockRetainUntilDate": "2022-10-01T09:52:37.122000+00:00"
}
[root@mytest ~]# aws --endpoint-url https://s3-region01.cloudavenue.orange-business.com s3api put-object-retention --bucket mydemobucket --key object1 --version-id 3938333335343638343432383535393939393939524730303120203134372e3431323139393337322e333034 --retention Mode=GOVERNANCE,RetainUntilDate="2022-10-02T09:30:00.000000+00:00" --bypass-governance-retention
[root@mytest ~]# aws --endpoint-url https://s3-region01.cloudavenue.orange-business.com s3api head-object --bucket mydemobucket --key object1
{
"AcceptRanges": "bytes",
"LastModified": "2022-09-30T09:52:37+00:00",
"ContentLength": 1048576,
"ETag": "\"2bd0a7886355c628b78b0052673d7789\"",
"VersionId": "3938333335343638343432383535393939393939524730303120203134372e3431323139393337322e333034",
"Metadata": {},
"ObjectLockMode": "GOVERNANCE",
"ObjectLockRetainUntilDate": "2022-10-02T09:30:00+00:00"
}
Extending in COMPLIANCE mode :
[root@mytest ~]# aws --endpoint-url https://s3-region01.cloudavenue.orange-business.com s3api head-object --bucket mydemobucket2 --key object2
{
"AcceptRanges": "bytes",
"LastModified": "2022-09-30T12:30:07+00:00",
"ContentLength": 1048576,
"ETag": "\"2bd0a7886355c628b78b0052673d7789\"",
"VersionId": "3938333335343538393932373232393939393939524730303120203232362e3832343831353033362e3533",
"Metadata": {},
"ObjectLockMode": "COMPLIANCE",
"ObjectLockRetainUntilDate": "2022-10-01T12:30:07.274000+00:00"
}
[root@mytest ~]# aws --endpoint-url https://s3-region01.cloudavenue.orange-business.com s3api put-object-retention --bucket mydemobucket2 --key object2 --version-id 3938333335343538393932373232393939393939524730303120203232362e3832343831353033362e3533 --retention Mode=COMPLIANCE,RetainUntilDate="2022-10-02T08:00:00.000000+00:00"
[root@mytest ~]# aws --endpoint-url https://s3-region01.cloudavenue.orange-business.com s3api head-object --bucket mydemobucket2 --key object2 {
"AcceptRanges": "bytes",
"LastModified": "2022-09-30T12:30:07+00:00",
"ContentLength": 1048576,
"ETag": "\"2bd0a7886355c628b78b0052673d7789\"",
"VersionId": "3938333335343538393932373232393939393939524730303120203232362e3832343831353033362e3533",
"Metadata": {},
"ObjectLockMode": "COMPLIANCE",
"ObjectLockRetainUntilDate": "2022-10-02T08:00:00+00:00"
}
Enable an object’s legal hold
Legal hold ON :
[root@mytest ~]# aws --endpoint-url https://s3-region01.cloudavenue.orange-business.com s3api put-object-legal-hold --bucket mydemobucket3 --key object3 --legal-hold Status=ON
After setup, the object gets a legal hold status metadata (ObjectLockLegalHoldStatus
) :
[root@mytest ~]# aws --endpoint-url https://s3-region01.cloudavenue.orange-business.com s3api head-object --bucket mydemobucket3 --key object3
{
"AcceptRanges": "bytes",
"LastModified": "2022-09-30T13:17:51+00:00",
"ContentLength": 1048576,
"ETag": "\"2bd0a7886355c628b78b0052673d7789\"",
"VersionId": "3938333335343536313238383333393939393939524730303120203232322e33343330313235352e37373735",
"Metadata": {},
"ObjectLockLegalHoldStatus": "ON"
}
Legal hold OFF :
[root@mytest ~]# aws --endpoint-url https://s3-region01.cloudavenue.orange-business.com s3api put-object-legal-hold --bucket mydemobucket3 --key object3 --legal-hold Status=OFF
[root@mytest ~]# aws --endpoint-url https://s3-region01.cloudavenue.orange-business.com s3api head-object --bucket mydemobucket3 --key object3 {
"AcceptRanges": "bytes",
"LastModified": "2022-09-30T13:17:51+00:00",
"ContentLength": 1048576,
"ETag": "\"2bd0a7886355c628b78b0052673d7789\"",
"VersionId": "3938333335343536313238383333393939393939524730303120203232322e33343330313235352e37373735",
"Metadata": {},
"ObjectLockLegalHoldStatus": "OFF"
}
Getting object lock information
The most simple is to get object’s metadata. They contain both retention period and legal hold information (if configured).
It’s also possible to request specifically retention period or legal hold.
Object’s metadata :
[root@mytest ~]# aws --endpoint-url https://s3-region01.cloudavenue.orange-business.com s3api head-object --bucket mydemobucket3 --key object3
{
"AcceptRanges": "bytes",
"LastModified": "2022-09-30T13:17:51+00:00",
"ContentLength": 1048576,
"ETag": "\"2bd0a7886355c628b78b0052673d7789\"",
"VersionId": "3938333335343536313238383333393939393939524730303120203232322e33343330313235352e37373735",
"Metadata": {},
"ObjectLockLegalHoldStatus": "ON"
[root@mytest ~]# aws --endpoint-url https://s3-region01.cloudavenue.orange-business.com s3api get-object-retention --bucket mydemobucket2 --key object2
{
"AcceptRanges": "bytes",
"LastModified": "2022-09-30T13:17:51+00:00",
"ContentLength": 1048576,
"ETag": "\"2bd0a7886355c628b78b0052673d7789\"",
"VersionId": "3938333335343536313238383333393939393939524730303120203232322e33343330313235352e37373735",
"Metadata": {},
"ObjectLockLegalHoldStatus": "ON"
}
Retention period only :
aws --endpoint-url https://s3.flexible-datastore.orange-business.com s3api get-object-retention --bucket mydemobucket2 --key object2
{
"Retention": {
"Mode": "COMPLIANCE",
"RetainUntilDate": "2022-10-02T08:00:00+00:00"
}
}
Legal hold only :
[root@mytest ~]# aws --endpoint-url https://s3-region01.cloudavenue.orange-business.com s3api get-object-legal-hold --bucket mydemobucket3 --key object3 {
"LegalHold": {
"Status": "OFF"
}
}
Mixing retention period and legal hold
An object can have a retention period and a legal hold.
Each feature prevents object’s removal independently.
[root@mytest ~]# aws --endpoint-url https://s3-region01.cloudavenue.orange-business.com s3api head-object --bucket mydemobucket3 --key object3
{
"AcceptRanges": "bytes",
"LastModified": "2022-09-30T13:17:51+00:00",
"ContentLength": 1048576,
"ETag": "\"2bd0a7886355c628b78b0052673d7789\"",
"VersionId": "3938333335343536313238383333393939393939524730303120203232322e33343330313235352e37373735",
"Metadata": {},
"ObjectLockMode": "GOVERNANCE",
"ObjectLockRetainUntilDate": "2023-01-01T00:00:00+00:00",
"ObjectLockLegalHoldStatus": "ON"
}
To remove this object, you must:
- disable legal hold (if permitted)
- (and) wait until 2023
- (or) bypass retention period (if permitted)
About security
Never use a root Access Key
With a root AK, you can bypass retention GOVERNANCE mode and disable legal hold.
Only COMPLIANCE mode can’t be bypassed.
Restrict permissions
For everyday use (PUT objects in a bucket), you should apply a policy removing the following permissions :
- s3:BypassGovernanceRetention
- s3:PutObjectLegalHold
- s3:PutObjectRetention