Object Lock overview

S3 Object Lock prevents objects from being deleted or modified for a specified retention period. It works via the S3 protocol, not the Gcore API. Object Lock must be enabled at bucket creation time — it cannot be activated on an existing bucket. Enabling Object Lock also enables versioning on the bucket automatically, so each object version can have its own retention period.

Object Lock supports two retention modes:
  • Compliance — no user can delete or overwrite a protected object until its retention period expires, including account administrators.
  • Governance — users with special IAM permissions can override or remove retention settings before the period expires.
Object Lock is currently supported on S3 Standard locations. Support for S3 Fast locations is not yet confirmed.

Create a bucket with Object Lock enabled

Run the following command to create a bucket with Object Lock enabled:
aws s3api create-bucket \
  --bucket my-bucket \
  --object-lock-enabled-for-bucket \
  --endpoint-url=https://luxembourg-2.storage.gcore.dev
Replace:

Set a retention policy

A default retention policy automatically applies to all new objects uploaded to the bucket. To set one, run:
aws s3api put-object-lock-configuration \
  --bucket my-bucket \
  --object-lock-configuration '{"ObjectLockEnabled":"Enabled","Rule":{"DefaultRetention":{"Mode":"COMPLIANCE","Days":30}}}' \
  --endpoint-url=https://luxembourg-2.storage.gcore.dev
Replace:
  • my-bucket with the bucket name.
  • COMPLIANCE with GOVERNANCE to use the governance retention mode instead.
  • 30 with the number of days objects should be retained.
  • https://luxembourg-2.storage.gcore.dev with the storage endpoint.
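
To confirm that the default retention rule took effect with the intended mode, the following added example (not Gcore's own code) validates the mode and day count locally, applies the rule, and reads it back. The function names are this example's own, and it assumes the endpoint answers the standard S3 get-object-lock-configuration call.

```shell
#!/bin/sh
# Added example: build, apply and verify a default Object Lock retention rule.

# Print the --object-lock-configuration JSON for MODE ($1) and DAYS ($2).
# Bad input is rejected locally so a typo never reaches the bucket.
build_lock_config() {
  case $1 in
    COMPLIANCE|GOVERNANCE) ;;
    *) echo "mode must be COMPLIANCE or GOVERNANCE" >&2; return 1 ;;
  esac
  case $2 in
    ''|*[!0-9]*|0*) echo "days must be a positive integer" >&2; return 1 ;;
  esac
  printf '{"ObjectLockEnabled":"Enabled","Rule":{"DefaultRetention":{"Mode":"%s","Days":%s}}}' "$1" "$2"
}

# Succeed only if the read-back text ($3, "MODE<TAB>DAYS") equals the
# expected MODE ($1) and DAYS ($2). A bucket with no rule reads back "None".
retention_matches() {
  printf '%s\n' "$3" | {
    read -r got_mode got_days extra
    [ "$got_mode" = "$1" ] && [ "$got_days" = "$2" ] && [ -z "$extra" ]
  }
}

# Apply the rule to BUCKET ($1) at ENDPOINT ($2), then read it back and
# fail on any mismatch (wrong mode, wrong period, or no rule at all).
apply_and_verify() {
  config=$(build_lock_config "$3" "$4") || return 1
  aws s3api put-object-lock-configuration --bucket "$1" \
    --object-lock-configuration "$config" --endpoint-url "$2" || return 1
  actual=$(aws s3api get-object-lock-configuration --bucket "$1" \
    --endpoint-url "$2" --output text \
    --query 'ObjectLockConfiguration.Rule.DefaultRetention.[Mode,Days]') || return 1
  retention_matches "$3" "$4" "$actual" || {
    echo "retention on $1 is '$actual', expected $3/$4" >&2
    return 1
  }
}

# Offline demo on a constructed read-back line (no network call is made):
sample=$(printf 'GOVERNANCE\t30')
retention_matches COMPLIANCE 30 "$sample" || echo "mismatch: got '$sample'"

# Real use, with the page's placeholder values:
# apply_and_verify my-bucket https://luxembourg-2.storage.gcore.dev COMPLIANCE 30
```

The read-back check catches a bucket that was left in GOVERNANCE mode, where users with the special IAM permissions can still remove retention before it expires.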