© 2025 Direct Cursus Technology L.L.C.
Yandex Object Storage
Object lock

Written by
Yandex Cloud
Updated at April 18, 2025

Object locks in versioned buckets allow you to prevent object version deletion or overwrites. Object locks use a WORM (write once, read many) model to store versions, and you can still upload new object versions.

To lock object versions in your bucket, enable the respective option in the bucket settings (see this guide for details).

Enabling locks does not mean locking previously uploaded object versions; if required, you can lock them manually. Similarly, if you disable the object lock feature, this will not disable the existing locks. They will still be there, and you will not be able to remove or change them.

There are different types of object locks depending on their retention period and restriction level.

You can enable object locks for specific object versions (when or after uploading them) or set default object locks for all new versions uploaded to a bucket.

Object lock types

There are two types of object locks that are set for a certain period, i.e., until the expiration date and time you provide:

Governance-mode retention
  • Users with the permission to upload objects (the storage.uploader role) can set locks.
  • Users with the Object Storage admin permissions (the storage.admin role) can override locks (delete or overwrite object versions), change their retention period, and remove them. Users need to explicitly confirm such actions, e.g., when sending a request via an Amazon S3-compatible REST API with the X-Amz-Bypass-Governance-Retention: true header.

Compliance-mode retention
  • Users with the permission to upload objects (the storage.uploader role) can set locks.
  • Users with the Object Storage admin permissions (the storage.admin role) can only extend the retention period.
  • You cannot override, shorten, or remove such locks until they expire.

There is another object lock type that has no time limit:

Legal hold
  • Users with the permission to upload objects (the storage.uploader role) can set and remove locks.
  • There is no way to override this type of lock.

Retention periods and legal holds are independent. This means you can place a retention period and a legal hold on your object version at the same time. In this case, the legal hold will take priority: you will not be able to delete or overwrite the object version even if the retention mode allows some users to do that.

Table of roles and actions

| Object lock type | ⏳ Governance mode (governance) | ⏳ Compliance mode (compliance) | ♾ Legal hold (legal hold) |
|---|---|---|---|
| Who can: | | | |
| Set a lock | storage.uploader | storage.uploader | storage.uploader |
| Delete or overwrite an object version | storage.admin | No one | No one |
| Shorten the retention period | storage.admin | No one | — |
| Extend the retention period | storage.admin | storage.admin | — |
| Replace a retention period-based lock with a new one | storage.admin | No one | — |
| Remove a lock | storage.admin | No one | storage.uploader |
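
The rules from the lock type descriptions and the table above can be written as a small decision model, which is handy for checking an access design before relying on it. This is an added example, not Yandex Cloud code: the VersionLock type, the function names and the sample states are invented here, and the caller's roles are assumed to be passed as the full set the caller holds (so an admin's set also contains storage.uploader).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UPLOADER, ADMIN = "storage.uploader", "storage.admin"

@dataclass
class VersionLock:
    """Lock state of one object version (model type invented for this example)."""
    mode: Optional[str] = None               # "governance", "compliance" or None
    retain_until: Optional[datetime] = None  # expiration of the retention period
    legal_hold: bool = False                 # no time limit, independent of retention

    def retention_active(self, now):
        return self.mode is not None and self.retain_until is not None and now < self.retain_until

def lock_blocks_delete(lock, roles, bypass_governance, now):
    """True if the lock prevents deleting or overwriting this version."""
    if lock.legal_hold:
        return True                          # legal hold wins over any retention mode
    if not lock.retention_active(now):
        return False                         # expired or absent: the lock no longer applies
    if lock.mode == "compliance":
        return True                          # no one can override before expiry
    # Governance: storage.admin only, and only with explicit confirmation
    # (X-Amz-Bypass-Governance-Retention: true in the S3-compatible REST API).
    return not (ADMIN in roles and bypass_governance)

def may_change_retention(lock, roles, new_until, bypass_governance, now):
    """True if the caller may set retain_until to new_until (None = remove the lock)."""
    if not lock.retention_active(now):
        return UPLOADER in roles and new_until is not None    # setting a fresh lock
    if ADMIN not in roles:
        return False
    if lock.mode == "compliance":
        return new_until is not None and new_until > lock.retain_until  # extend only
    return bypass_governance                 # governance: shorten, extend or remove

# Constructed sample states, each with 30 days of retention left.
NOW = datetime(2025, 4, 18, tzinfo=timezone.utc)
ADMIN_ROLES = {UPLOADER, ADMIN}
held = VersionLock("governance", NOW + timedelta(days=30), legal_hold=True)
governed = VersionLock("governance", NOW + timedelta(days=30))
compliant = VersionLock("compliance", NOW + timedelta(days=30))
```
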

Default object locks

You can set default object locks for a bucket, which will apply to all new object versions uploaded to it.

For such locks, you need to specify the following:

  • Type: Governance-mode or compliance-mode retention.
  • Retention period in days or years after an object version is uploaded. The expiry date and time are defined for each version automatically.

If you set up default object locks for your bucket, you need to calculate the MD5 hash of each uploaded object version, encode it in Base64, and specify the resulting value in the request. For example, in a REST API request, specify it in the Content-MD5 header.
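
A sketch of computing and sanity-checking that Content-MD5 value, including the common mistake of Base64-encoding the hex string instead of the raw 16-byte digest. This is an added example, not code from the Object Storage documentation; the function names and the sample body are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import io

def content_md5(stream, chunk_size=1 << 20):
    """Content-MD5 value for a binary stream: Base64 of the raw 16-byte MD5 digest."""
    digest = hashlib.md5()
    # Read in chunks so large object versions are never held in memory at once.
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return base64.b64encode(digest.digest()).decode("ascii")

def check_content_md5(header_value, body):
    """Return None if header_value is well formed and matches body, else a reason."""
    try:
        raw = base64.b64decode(header_value, validate=True)
    except (binascii.Error, ValueError):
        return "not valid Base64"
    if len(raw) != 16:
        return f"decodes to {len(raw)} bytes, expected a 16-byte MD5 digest"
    if not hmac.compare_digest(raw, hashlib.md5(body).digest()):
        return "digest does not match body"
    return None

# Constructed sample body standing in for an object version.
BODY = b"backup-2025-04-18.tar: constructed sample payload\n"
GOOD = content_md5(io.BytesIO(BODY), chunk_size=8)
# Common mistake: Base64 of the 32-character hex string rather than the raw digest.
HEX_MISTAKE = base64.b64encode(hashlib.md5(BODY).hexdigest().encode()).decode("ascii")
```
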

Even if your bucket has the default object locks configured, you can change the retention settings when or after uploading a specific object version, and those new settings will take priority. In this case, however, you will not be able to upload a version without a retention-based lock or remove such a lock after the upload.

Default lock setting changes do not affect the object versions that were previously uploaded to the bucket.

How to configure object locks

For details, see these guides:

  • Configuring bucket object locks: Enabling object locks and setting up default ones
  • Uploading an object version with an object lock
  • Configuring object locks: Setting, updating, and removing a lock
  • Deleting an object version with an object lock

Use cases

  • Backing up to Yandex Object Storage with Veeam Backup
