
Manage Object Lock

Prerequisites

  • Obtain SCS3 credentials through the Switch Cloud Portal. Remember that each project has its own unique keys.
  • An S3-compatible client (AWS CLI version 2, at least version 2.13), installed and configured with your SCS3 credentials. For more information about setting up the CLI client with SCS3 credentials, see User Authentication.

Below are AWS CLI examples for Object Lock management. RClone does not support the Object Lock feature.

Important

Object Lock can only be enabled at bucket creation. After you enable Object Lock on a bucket, you can't disable Object Lock or suspend versioning for that bucket.

Create a Bucket with Object Lock Enabled

Create a new bucket with Object Lock enabled (no output, if successful):

aws s3api create-bucket --bucket <my_bucket_name> --object-lock-enabled-for-bucket

Enable Default Retention on a Bucket

Enable default retention on a bucket (no output, if successful):

aws s3api put-object-lock-configuration --bucket my-lock-bucket --object-lock-configuration \
'{
    "ObjectLockEnabled": "Enabled",
    "Rule": {
        "DefaultRetention": {
            "Mode": "GOVERNANCE",
            "Days": 30
        }
    }
}'

Explanation: This command configures the default retention for my-lock-bucket. It sets a 30-day retention period in GOVERNANCE mode for all objects uploaded to my-lock-bucket. The default retention period will be applied to any object uploaded to the bucket, unless an object-specific retention period is specified while uploading.

Check the Bucket-level Object Lock Configuration

Check the bucket-level Object Lock configuration:

aws s3api get-object-lock-configuration --bucket my-lock-bucket

Explanation: This command retrieves the Object Lock configuration for my-lock-bucket. It shows whether Object Lock is enabled for the bucket and displays the default retention if configured. It does not return information about object-specific settings, such as individual retention periods or legal holds.

Example output
{
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {
            "DefaultRetention": {
                "Mode": "GOVERNANCE",
                "Days": 30
            }
        }
    }
}

Upload an Object with a Specific Retention Period

Upload an object with a specific retention period:

aws s3api put-object --bucket my-lock-bucket --key locked-object.txt --body file.txt \
--object-lock-mode COMPLIANCE --object-lock-retain-until-date 2023-12-31T00:00:00Z

Explanation: This command uploads file.txt to the my-lock-bucket bucket as locked-object.txt. The object is locked in compliance mode until 2023-12-31, preventing any modifications or deletions during this period. The specified retention period will override the bucket default retention configuration.

Example output
{
    "ETag": "\"c4ca4238a0b923820dcc509a6f75849b\"",
    "VersionId": "OBflXwdM8gqUYPdEq5PY-CqXPS.u0b5"
}

Set or Modify a Retention Period on an Object

Set or modify a retention period on an object (no output, if successful):

aws s3api put-object-retention \
    --bucket my-lock-bucket \
    --key test-file.txt \
    --retention '{"Mode": "GOVERNANCE", "RetainUntilDate": "2025-01-26T00:00:00"}' \
    --bypass-governance-retention \
    --version-id OBflXwdM8gqUYPdEq5PY-CqXPS.u0b5

Explanation: This command sets or modifies a retention period on the object test-file.txt. As a bucket owner you can use --bypass-governance-retention to override the existing GOVERNANCE mode and shorten the retention period. If you don't specify --version-id the retention period applies to the latest version of the object.

Apply or Remove a Legal Hold on an Object

Apply or remove a legal hold to or from an object (no output, if successful):

# Apply
aws s3api put-object-legal-hold --bucket my-lock-bucket --key locked-object.txt \
--legal-hold "Status=ON"

# Remove
aws s3api put-object-legal-hold --bucket my-lock-bucket --key locked-object.txt \
--legal-hold "Status=OFF"

Explanation: These commands apply a legal hold to, or remove it from, the object locked-object.txt. The legal hold ensures that the object cannot be deleted or modified until the hold is explicitly removed, regardless of any retention period. No output if successful.

Check the Object-level Object Lock Configuration

Check the object-level Object Lock configuration:

aws s3api head-object --bucket my-lock-bucket --key justafile.txt

Explanation: The command retrieves metadata about the specified object, including Object Lock settings.

Example output
{
    "AcceptRanges": "bytes",
    "LastModified": "2024-11-21T13:38:28+00:00",
    "ContentLength": 1,
    "ETag": "\"c4ca4238a0b923820dcc509a6f75849b\"",
    "VersionId": "wfhNLkb9BV4g9aYokC1qALjFwMQNEkF",
    "ContentType": "binary/octet-stream",
    "Metadata": {},
    "ObjectLockMode": "GOVERNANCE",
    "ObjectLockRetainUntilDate": "2024-12-08T13:38:28.718379+00:00",
    "ObjectLockLegalHoldStatus": "OFF"
}
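
When auditing a bucket, the three Object Lock fields in the head-object output have to be read together to decide whether an object is actually protected right now. The following is an added example, not part of the SCS3 documentation: it classifies an object from that JSON according to the rules described on this page. The function name lock_status, the verdict strings and the trimmed sample JSON are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample, trimmed from the head-object output shown on this page.
SAMPLE_HEAD_OBJECT = """{
    "VersionId": "wfhNLkb9BV4g9aYokC1qALjFwMQNEkF",
    "ObjectLockMode": "GOVERNANCE",
    "ObjectLockRetainUntilDate": "2024-12-08T13:38:28.718379+00:00",
    "ObjectLockLegalHoldStatus": "OFF"
}"""


def lock_status(head_object_json, now=None):
    """Classify Object Lock protection from `aws s3api head-object` JSON."""
    meta = json.loads(head_object_json)
    now = now or datetime.now(timezone.utc)
    mode = meta.get("ObjectLockMode")          # absent if no retention is set
    until_raw = meta.get("ObjectLockRetainUntilDate")
    legal_hold = meta.get("ObjectLockLegalHoldStatus") == "ON"

    retention_active = False
    if mode and until_raw:
        until = datetime.fromisoformat(until_raw.replace("Z", "+00:00"))
        if until.tzinfo is None:               # assumption: naive timestamps are UTC
            until = until.replace(tzinfo=timezone.utc)
        retention_active = until > now

    # A legal hold blocks changes regardless of any retention period.
    if legal_hold:
        verdict = "locked-legal-hold"
    elif retention_active and mode == "COMPLIANCE":
        verdict = "locked-compliance"
    elif retention_active and mode == "GOVERNANCE":
        # The bucket owner can still override with --bypass-governance-retention.
        verdict = "governance-bypassable"
    else:
        verdict = "unprotected"                # no hold, retention absent or expired
    return {"mode": mode, "retention_active": retention_active,
            "legal_hold": legal_hold, "verdict": verdict}


if __name__ == "__main__":
    print(lock_status(SAMPLE_HEAD_OBJECT))
```

A "governance-bypassable" or "unprotected" verdict on data that is meant to be immutable is the finding to follow up on: GOVERNANCE retention can be shortened by the bucket owner, while COMPLIANCE retention and legal holds cannot be bypassed that way.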