Configuring an object lock
If versioning and object version locks are enabled in the bucket, you can configure locking for a version already uploaded to the bucket.
Put or configure a retention (governance- or compliance-mode)
Minimum required roles:
- storage.uploader: To set a lock.
- storage.admin: To change an existing lock.
You can only extend a compliance-mode retention. You cannot shorten it or replace it with a governance-mode retention.
To put or configure a retention:
- In the management console, select Object Storage from the list of services and go to the bucket for whose objects you want to configure a lock.
- In the left-hand panel, select Objects.
- To see all versions of objects in the list, enable Show versions to the right of the object search field in the bucket.
- In the list of objects, select the one you need, click → Object lock.
- In the window that opens, enable Retention.
- Select Default lock type:
  - Governance: User with the storage.admin role can bypass a lock, change its expiration date, or remove it.
  - Compliance: User with the storage.admin role can only extend the lock period. You cannot bypass, shorten, or remove such a lock until it expires.
- Specify Default lock period in days or years. It starts from the moment you upload the object version to the bucket.
- Click Save.

- If you do not have the AWS CLI yet, install and configure it.
- Run this command:

    aws --endpoint-url=https://storage.yandexcloud.net/ \
      s3api put-object-retention \
      --bucket <bucket_name> \
      --key <object_key> \
      --version-id <version_ID> \
      --retention Mode=<lock_type>,RetainUntilDate="<date_and_time>" \
      --bypass-governance-retention

Where:
- --bucket: Name of your bucket.
- --key: Object key.
- --version-id: Object version ID.
- --retention: Temporary lock settings (both parameters are required):
  - Mode: Lock type:
    - GOVERNANCE: Temporary managed lock. You cannot set this type if an object version is already locked in compliance mode.
    - COMPLIANCE: Temporary strict lock.
  - RetainUntilDate: Lock end date and time in RFC3339 format, e.g., 2025-01-01T00:00:00. The lock end time value is specified in the UTC±00:00 time zone. To use a different time zone, add + or - and a UTC±00:00 offset to the end of the record. For more information, see this example. If an object version is already locked in compliance mode, you can only extend the lock by setting a new retain-until date and time that are later than the current ones.
- --bypass-governance-retention: Flag that shows that a lock is bypassed. Select it if an object version is already locked in governance mode.

Use the putObjectRetention S3 API method.
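
The rules in this section (which role is needed, when the bypass flag applies, and that a compliance-mode retention can only be extended) can be checked before calling put-object-retention. The script below is an added example, not part of the original documentation; the function names and output strings are illustrative, the current lock values are passed in as arguments, and GNU date is assumed for timestamp parsing.

```shell
#!/bin/sh
# Added example (not from the original documentation): pre-flight check for a
# retention change. Function names and output strings are illustrative.
# Assumes GNU date for timestamp parsing.

# RFC3339 timestamp -> epoch seconds; a value without an offset is UTC±00:00.
to_epoch() {
    [ -n "$1" ] || return 1
    TZ=UTC date -d "$1" +%s 2>/dev/null
}

# plan_retention <current_mode|NONE> <current_until|-> <new_mode> <new_until>
# Prints "<action> <minimum role>" or "reject:<reason>" (and returns 1).
plan_retention() {
    cur_mode=$1; cur_until=$2; new_mode=$3; new_until=$4
    case $new_mode in
        GOVERNANCE|COMPLIANCE) ;;
        *) echo "reject:bad-mode"; return 1 ;;
    esac
    new_ts=$(to_epoch "$new_until") || { echo "reject:bad-date"; return 1; }
    case $cur_mode in
        NONE)        # no lock yet: setting one needs storage.uploader
            echo "apply storage.uploader" ;;
        GOVERNANCE)  # existing governance lock: pass --bypass-governance-retention
            echo "apply-with-bypass storage.admin" ;;
        COMPLIANCE)  # may only be extended, never shortened or downgraded
            cur_ts=$(to_epoch "$cur_until") || { echo "reject:bad-date"; return 1; }
            if [ "$new_mode" != COMPLIANCE ]; then
                echo "reject:compliance-cannot-be-replaced"; return 1
            fi
            if [ "$new_ts" -le "$cur_ts" ]; then
                echo "reject:compliance-can-only-be-extended"; return 1
            fi
            echo "apply storage.admin" ;;
        *) echo "reject:bad-current-mode"; return 1 ;;
    esac
}

# Constructed sample: the new date looks later, but +03:00 makes it
# 2024-12-31T21:00:00 UTC, one hour before the current lock ends.
plan_retention COMPLIANCE "2024-12-31T22:00:00" \
               COMPLIANCE "2025-01-01T00:00:00+03:00" || true
```

Comparing the timestamps as epoch seconds rather than as strings is what catches the offset case in the sample call.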
Removing a governance-mode retention
The minimum required role is storage.admin.
To remove a retention:
- In the management console, select Object Storage from the list of services and go to the bucket you need.
- In the left-hand panel, select Objects.
- To see all versions of objects in the list, enable Show versions to the right of the object search field in the bucket.
- In the list of objects, select the one you need, click → Object lock.
- In the window that opens, disable Retention.
- Click Save.

- If you do not have the AWS CLI yet, install and configure it.
- Run this command:

    aws --endpoint-url=https://storage.yandexcloud.net/ \
      s3api put-object-retention \
      --bucket <bucket_name> \
      --key <object_key> \
      --version-id <version_ID> \
      --retention '{}' \
      --bypass-governance-retention

Where:
- --bucket: Name of your bucket.
- --key: Object key.
- --version-id: Object version ID.
- --retention: Temporary lock settings. In both parameters, empty lines are specified to remove a lock.
- --bypass-governance-retention: Flag that shows that a lock is bypassed.

Use the putObjectRetention S3 API method with the X-Amz-Bypass-Governance-Retention: true header and an empty Retention element.
Putting or removing legal holds
The minimum required role is storage.uploader.
To put or configure a legal hold:
- In the management console, select Object Storage from the list of services and go to the bucket you need.
- In the left-hand panel, select Objects.
- To see all versions of objects in the list, enable Show versions to the right of the object search field in the bucket.
- In the list of objects, select the one you need, click → Object lock.
- In the window that opens, enable or disable Legal hold.
- Click Save.

- If you do not have the AWS CLI yet, install and configure it.
- Run this command:

    aws --endpoint-url=https://storage.yandexcloud.net/ \
      s3api put-object-legal-hold \
      --bucket <bucket_name> \
      --key <object_key> \
      --version-id <version_ID> \
      --legal-hold Status=<lock_status>

Where:
- --bucket: Name of your bucket.
- --key: Object key.
- --version-id: Object version ID.
- --legal-hold: Indefinite lock settings:
  - Status: Lock status:
    - ON: Enabled.
    - OFF: Disabled.

Use the putObjectLegalHold S3 API method.
Examples
Setting up a governance-mode retention with the Moscow time offset (UTC+3)

    aws --endpoint-url=https://storage.yandexcloud.net/ \
      s3api put-object-retention \
      --bucket test-bucket \
      --key object-key/ \
      --version-id 0005FA15******** \
      --retention Mode=GOVERNANCE,RetainUntilDate="2025-01-01T00:00:00+03:00" \