Object Lock
With the Object Lock feature you can prevent objects from being deleted or modified until a specified period has passed. It is often used for compliance and data protection against accidental or malicious deletions.
Key features of Object Locking
Object Lock offers a way to protect objects from being deleted or changed for a set period or indefinitely. It helps meet compliance requirements and prevents accidental or malicious deletions.
Object Lock has two key features: Retention Period and Legal Hold. Retention Period ensures an object stays unchanged for a fixed time, while Legal Hold prevents deletion until it is manually removed. These features help keep data secure and tamper-proof.
Feature | Legal Hold | Retention Period |
---|---|---|
Time-bound? | No (remains until removed) | Yes (expires after set time) |
Who can remove? | Authorized users with IAM permissions | Cannot be removed until expiry (except in Governance Mode) |
Use case | Legal or litigation holds | Regulatory compliance retention |
Effect | Prevents deletion/modification | Prevents deletion/modification |
Retention period
A retention period uses one of two retention modes.
Mode | Description |
---|---|
Governance | Users with special permissions can update or delete objects before the retention period ends. |
Compliance | No one can delete or modify objects until the retention period expires. This restriction cannot be bypassed. |
Enable Object Lock
Creating a bucket with Object Lock also requires enabling versioning.
Danger
Once Object Lock is enabled on a bucket, you cannot disable Object Lock or suspend versioning for that bucket.
Create a bucket with Object Lock:
Then enable versioning so that Object Lock works:
For setting up your bucket with Object Lock retention period or legal hold see:
- bucket retention period
- object retention period
- object legal hold
Disable Object Lock
It is not possible to disable Object Lock after enabling it on a bucket.
Delete a bucket with Object Lock enabled
When Object Lock is enabled on a bucket, you cannot delete the bucket as long as it contains objects that are locked under retention or legal hold. Here's how it works:
Condition | Action |
---|---|
Object Lock is enabled on the bucket | You cannot delete the bucket if it still contains objects under retention or legal hold. |
Retention Period or Legal Hold | Objects can only be deleted when the retention period is over, changed, or overruled. |
To delete the bucket, you must first ensure that all objects are no longer protected by Object Lock.
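The rules from the tables above, as an added example that is not part of the original documentation: a small model that reports which object versions still block deletion of a bucket and why. The `ObjectVersion` record and its field names are hypothetical, the mode strings follow S3 API naming, and the inventory is constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class ObjectVersion:
    # Hypothetical record; field names are chosen for this example.
    key: str
    version_id: str
    mode: Optional[str] = None            # "GOVERNANCE", "COMPLIANCE" or None
    retain_until: Optional[datetime] = None
    legal_hold: bool = False

def delete_blocked_by(v, now, bypass_governance=False):
    """Return the reason a version cannot be deleted, or None if it can."""
    # Legal hold is not time-bound: it blocks until it is removed,
    # regardless of retention state or governance bypass permission.
    if v.legal_hold:
        return "legal hold"
    # Retention only applies while the retain-until date is in the future.
    if v.mode and v.retain_until and now < v.retain_until:
        # Only Governance mode can be overruled, and only with permission.
        # Any other mode value is treated as blocking (fail closed).
        if v.mode == "GOVERNANCE" and bypass_governance:
            return None
        return f"{v.mode.lower()} retention"
    return None

def bucket_blockers(versions, now):
    """Versions that keep the bucket from being deleted, with the reason."""
    blockers = []
    for v in versions:
        reason = delete_blocked_by(v, now)
        if reason:
            blockers.append((v.key, v.version_id, reason))
    return blockers

# Constructed sample inventory and reference time.
UTC = timezone.utc
NOW = datetime(2025, 1, 15, tzinfo=UTC)
SAMPLE = [
    ObjectVersion("report.pdf", "v1", "COMPLIANCE", datetime(2026, 1, 1, tzinfo=UTC)),
    ObjectVersion("report.pdf", "v2", "GOVERNANCE", datetime(2025, 6, 1, tzinfo=UTC)),
    ObjectVersion("audit.log", "v1", "GOVERNANCE", datetime(2024, 12, 31, tzinfo=UTC), True),
    ObjectVersion("notes.txt", "v1", "COMPLIANCE", datetime(2024, 1, 1, tzinfo=UTC)),
    ObjectVersion("tmp.bin", "v1"),
]

if __name__ == "__main__":
    for key, version_id, reason in bucket_blockers(SAMPLE, NOW):
        print(f"{key} ({version_id}): {reason}")
```
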