© 2025 Direct Cursus Technology L.L.C.

Managing object locks in a bucket

Written by Yandex Cloud. Improved by Tania L. Updated at November 27, 2025.

You can set up object locks in versioned buckets. With object lock enabled, you can lock an object version so that it cannot be deleted or overwritten. You can also set default object locks for a bucket that will apply to all new object versions.

Note

In buckets with disabled or suspended versioning, object version locks are not available.

When locking is disabled, you cannot pause versioning.

Enabling object locks

Enabling object locks does not automatically lock previously uploaded object versions. You can lock them manually as needed.

The minimum required role is storage.admin.

To enable object locks:

Management console

  1. In the management console, select Object Storage from the list of services and go to the bucket you want to configure locks for.
  2. In the left-hand panel, select Security.
  3. Select the Object locks tab.
  4. To enable using locks, check Enable locks.
  5. Click Save.

AWS CLI

If you do not have the AWS CLI yet, install and configure it.

Run this command:

aws s3api put-object-lock-configuration \
  --bucket <bucket_name> \
  --object-lock-configuration ObjectLockEnabled=Enabled \
  --endpoint-url=https://storage.yandexcloud.net

Where:

  • --bucket: Bucket name.
  • --object-lock-configuration: Bucket lock settings. The ObjectLockEnabled=Enabled value enables object locks.
  • --endpoint-url: Object Storage endpoint.

Terraform

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

  1. Open the Terraform configuration file and add the object_lock_configuration section to the bucket description:

    resource "yandex_storage_bucket" "b" {
      ...
      object_lock_configuration {
        object_lock_enabled = "Enabled"
      }
    }
    

    Where:

    • object_lock_configuration: Object lock settings:
      • object_lock_enabled: Enables object locks. You must enable bucket versioning to set this property. This is an optional parameter.

    For more information about the bucket parameters you can specify using Terraform, see this Terraform provider article.

  2. Create the resources:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate
      

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.
      
    3. Run this command:

      terraform plan
      

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply
      
    5. Type yes and press Enter to confirm the changes.

Object locks will now be enabled for the bucket in the specified folder. You can check this using the following CLI command:

yc storage bucket get <bucket_name>

Result:

name: my-bucket
folder_id: b1geoelk2fld*********
...
object_lock:
  status: OBJECT_LOCK_STATUS_ENABLED

API

Use the putObjectLockConfiguration S3 API method, the update REST API method for the Bucket resource, or the BucketService/Update gRPC API call.

Setting up default object locks

Default locks apply to all new object versions you upload to the bucket. These settings do not affect the previously uploaded versions.

The minimum required role is storage.admin.

To set up default object locks:

Management console

  1. In the management console, select Object Storage from the list of services and go to the bucket you want to configure default locks for.
  2. In the left-hand panel, select Security.
  3. Select the Object locks tab.
  4. To enable or disable using locks, use the Enable locks option.
  5. Enable Default locks for new versions.
  6. Select Default lock type:
    • Governance: User with the storage.admin role can bypass the lock, change its expiration date, or remove it.
    • Compliance: User with the storage.admin role can only extend the retention period. You cannot override, shorten, or remove such locks until they expire.
  7. Specify Default lock period in days or years. It starts from the moment you upload the object version to the bucket.
  8. Click Save.

AWS CLI

If you do not have the AWS CLI yet, install and configure it.

  1. Specify the configuration for default object locks in JSON format:

    {
      "ObjectLockEnabled": "Enabled",
      "Rule": {
        "DefaultRetention": {
          "Mode": "<lock_type>",
          "Days": <retention_period_in_days>,
          "Years": <retention_period_in_years>
        }
      }
    }
    

    Where:

    • ObjectLockEnabled: Object lock status. If this property is set to Enabled, you can use object locks.

      Alert

      This is a required field. If you do not set it to Enabled, you will get the InvalidRequest error message, and the object lock will be disabled. See also Disabling object locks for details.

    • Mode: Lock type:

      • GOVERNANCE: Governance-mode retention.
      • COMPLIANCE: Compliance-mode retention.
    • Days: Retention period in days after uploading an object version. It must be a positive integer. You cannot use it together with Years.

    • Years: Retention period in years after uploading an object version. It must be a positive integer. You cannot use it together with Days.

    Once the configuration is complete, save it to a file, e.g., default-object-lock.json.

  2. Upload the configuration to the bucket:

    aws s3api put-object-lock-configuration \
      --bucket <bucket_name> \
      --object-lock-configuration file://default-object-lock.json \
      --endpoint-url=https://storage.yandexcloud.net
    

    Where:

    • --bucket: Bucket name.
    • --object-lock-configuration: Default lock settings. In our case, they are specified in the default-object-lock.json file.
    • --endpoint-url: Object Storage endpoint.

Terraform

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

  1. Open the Terraform configuration file and add the default lock settings to the object_lock_configuration section:

    ...
    rule {
      default_retention {
        mode = "GOVERNANCE"
        years = 1
      }
    }
    ...
    

    Where:

    • rule: Object lock rule. It contains the default_retention parameter with retention settings:
      • mode: Lock type. It can be either GOVERNANCE or COMPLIANCE. This is an optional parameter.
      • years or days: Object lock duration (retention period). Provide it as a number. This is an optional parameter.
  2. Apply the changes:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate
      

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.
      
    3. Run this command:

      terraform plan
      

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply
      
    5. Type yes and press Enter to confirm the changes.

You can check that object locks are now enabled using this CLI command:

yc storage bucket get <bucket_name>

Result:

name: my-bucket
folder_id: b1geoelk2fld********
...
object_lock:
  status: OBJECT_LOCK_STATUS_ENABLED
  default_retention:
    mode: MODE_GOVERNANCE
    years: "1"
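
An added example (not Yandex Cloud code) that audits the text printed by yc storage bucket get and flags a bucket where locks are not enabled, no default lock is set, or the default lock uses governance mode, which a user with the storage.admin role can bypass. The function names, the min_days threshold, the sample text and the days field are assumptions; the other field names and values are the ones shown in the results on this page.

```python
# Constructed sample in the shape of the `yc storage bucket get` result.
SAMPLE = """\
name: my-bucket
...
object_lock:
  status: OBJECT_LOCK_STATUS_ENABLED
  default_retention:
    mode: MODE_GOVERNANCE
    years: "1"
"""


def parse_bucket_info(text):
    """Parse the indented `key: value` text into nested dicts."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs for the open blocks
    for line in text.splitlines():
        if not line.strip() or ":" not in line:
            continue  # skips blank lines and the "..." elision marker
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:
            stack.pop()  # close blocks that are indented at least this deep
        parent = stack[-1][1]
        value = value.strip().strip('"')
        if value:
            parent[key] = value
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def audit_object_lock(text, min_days=1):
    """Return findings for one bucket; an empty list means it passes."""
    lock = parse_bucket_info(text).get("object_lock") or {}
    if not isinstance(lock, dict) or lock.get("status") != "OBJECT_LOCK_STATUS_ENABLED":
        return ["object locks are not enabled"]
    retention = lock.get("default_retention")
    if not isinstance(retention, dict):
        return ["no default lock: new versions are not locked automatically"]
    findings = []
    if retention.get("mode") == "MODE_GOVERNANCE":
        findings.append("governance mode: storage.admin can bypass or remove the lock")
    # Years are approximated as 365 days; the `days` key is an assumption.
    days = int(retention.get("days", 0)) + 365 * int(retention.get("years", 0))
    if days < min_days:
        findings.append(f"default lock period {days}d is below {min_days}d")
    return findings
```
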

Disabling object locks

Disabling object locks only affects the lock feature itself and does not automatically remove existing locks. They will still be there, and you will not be able to remove or change them.

The minimum required role is storage.admin.

To disable object locks:

Management console

  1. In the management console, select Object Storage from the list of services and go to the bucket you want to configure locks for.
  2. In the left-hand panel, select Security.
  3. Select the Object locks tab.
  4. To disable using locks, uncheck Enable locks.
  5. Click Save.

AWS CLI

If you do not have the AWS CLI yet, install and configure it.

Run this command:

aws s3api put-object-lock-configuration \
  --bucket <bucket_name> \
  --object-lock-configuration ObjectLockEnabled="" \
  --endpoint-url=https://storage.yandexcloud.net

Where:

  • --bucket: Bucket name.
  • --object-lock-configuration: Bucket lock settings. The ObjectLockEnabled="" value disables object locks.
  • --endpoint-url: Object Storage endpoint.

Terraform

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

  1. Open the Terraform configuration file and delete the object_lock_configuration section:

    Example of specifying object locks in a Terraform configuration:
    ...
    object_lock_configuration {
      object_lock_enabled = "Enabled"
      rule {
        default_retention {
          mode = "GOVERNANCE"
          years = 1
        }
      }
    }
    ...
    
  2. Apply the changes:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate
      

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.
      
    3. Run this command:

      terraform plan
      

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply
      
    5. Type yes and press Enter to confirm the changes.

You can check that object locks are now disabled using this CLI command:

yc storage bucket get <bucket_name>

Result:

name: my-bucket
folder_id: b1geoelk2fld********
...
object_lock:
  status: OBJECT_LOCK_STATUS_DISABLED

API

To disable object locks for a bucket, use the putObjectLockConfiguration S3 API method, the update REST API method for the Bucket resource, or the BucketService/Update gRPC API call.

In the request body, provide the object lock parameter with an empty value:

  • ObjectLockConfiguration: For S3 API.
  • objectLock: For REST API.
  • object_lock: For gRPC API.

Here is an example of an HTTP request body for S3 API:

<ObjectLockConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/" />
