Contact UsGet started
© 2024 Iron Hive LLC Belgrade

Configuring an object lock

Written by
Updated at November 5, 2024

If versioning and object version locks are enabled in the bucket, you can configure locking for a version already uploaded to the bucket.

Put or configure a retention (governance- or compliance-mode)

Minimum required roles:

  • storage.uploader: To set lock.
  • storage.admin: To change an existing lock.

You can only extend a compliance-mode retention. You cannot shrink it or replace with a governance-mode retention.

To put or configure a retention:

  1. In the management console, select Object Storage from the list of services and go to the bucket for whose objects you want to configure a lock.
  2. In the left-hand panel, select Objects.
  3. To see all versions of objects in the list, enable Show versions to the right of the object search field in the bucket.
  4. In the list of objects, select the one you need, click Object lock.
  5. In the window that opens, enable Retention.
  6. Select Default lock type:
    • Governance: User with the storage.admin role can bypass a lock, change its expiration date, or remove it.
    • Compliance: User with the storage.admin role can only extend the lock period. You cannot bypass, shorten, or remove such a lock until it expires.
  7. Specify Default lock period in days or years. It starts from the moment you upload the object version to the bucket.
  8. Click Save.

  1. If you do not have the AWS CLI yet, install and configure it.

  2. Run this command:

    aws --endpoint-url=https://storage.yandexcloud.net/ \
  s3api put-object-retention \
  --bucket <bucket_name> \
  --key <object_key> \
  --version-id <version_ID> \
  --retention Mode=<lock_type>,RetainUntilDate="<date_and_time>" \
  --bypass-governance-retention

    Where:

    • --bucket: Name of your bucket.

    • --key: Object key.

    • --version-id: Object version ID.

    • --retention: Temporary lock settings (both parameters are required):

      • Mode: Lock type:

        • GOVERNANCE: Temporary managed lock. You cannot set this type if an object version is already locked in compliance mode.
        • COMPLIANCE: Temporary strict lock.

      • RetainUntilDate: Lock end date and time in RFC3339 format, e.g., 2025-01-01T00:00:00. The lock end time value is specified in the UTC±00:00 time zone. To use a different time zone, add + or - and a UTC±00:00 offset to the end of the record. For more information, see this example. If a version object is already locked in compliance mode, you can only extend it by setting new retain until date and time that are later than the current ones.

    • --bypass-governance-retention: Flag that shows that a lock is bypassed. Select it if an object version is already locked in governance mode.

Use the putObjectRetention S3 API method.

Removing a governance-mode retention

The minimum required role is storage.admin.

To remove a retention:

  1. In the management console, select Object Storage from the list of services and go to the bucket you need.
  2. In the left-hand panel, select Objects.
  3. To see all versions of objects in the list, enable Show versions to the right of the object search field in the bucket.
  4. In the list of objects, select the one you need, click Object lock.
  5. In the window that opens, disable Retention.
  6. Click Save.

  1. If you do not have the AWS CLI yet, install and configure it.

  2. Run this command:

    aws --endpoint-url=https://storage.yandexcloud.net/ \
  s3api put-object-retention \
  --bucket <bucket_name> \
  --key <object_key> \
  --version-id <version_ID> \
  --retention '{}' \
  --bypass-governance-retention

    Where:

    • --bucket: Name of your bucket.
    • --key: Object key.
    • --version-id: Object version ID.
    • --retention: Temporary lock settings. In both parameters, empty lines are specified to remove a lock.
    • --bypass-governance-retention: Flag that shows that a lock is bypassed.

Use the putObjectRetention S3 API method with the X-Amz-Bypass-Governance-Retention: true header and an empty Retention element.

The minimum required role is storage.uploader.

To put or configure a legal hold:

  1. In the management console, select Object Storage from the list of services and go to the bucket you need.
  2. In the left-hand panel, select Objects.
  3. To see all versions of objects in the list, enable Show versions to the right of the object search field in the bucket.
  4. In the list of objects, select the one you need, click Object lock.
  5. In the window that opens, enable or disable Legal hold.
  6. Click Save.

  1. If you do not have the AWS CLI yet, install and configure it.

  2. Run this command:

    aws --endpoint-url=https://storage.yandexcloud.net/ \
  s3api put-object-legal-hold \
  --bucket <bucket_name> \
  --key <object_key> \
  --version-id <version_ID> \
  --legal-hold Status=<lock_status>

    Where:

    • --bucket: Name of your bucket.

    • --key: Object key.

    • --version-id: Object version ID.

    • --legal-hold: Indefinite lock settings:

      • Status: Lock status:

        • ON: Enabled.
        • OFF: Disabled.

Use the putObjectLegalHold S3 API method.

Examples

Setting up a governance-mode retention with the Moscow time offset (UTC+3)

aws --endpoint-url=https://storage.yandexcloud.net/ \
  s3api put-object-retention \
  --bucket test-bucket \
  --key object-key/ \
  --version-id 0005FA15******** \
  --retention Mode=GOVERNANCE,RetainUntilDate="2025-01-01T00:00:00+03:00" \
Previous
Getting a public link to an object
Next
Deleting an object