You can create write-once-read-many (WORM) buckets to protect data and metadata. You configure the WORM buckets to allow the creation of new objects and to prevent overwrites or deletion of existing content. Use one of the approaches described here.
To ensure that overwrites are always denied, you can:
- From the Grid Management Interface, set the Prevent Client Modify global option to Enabled.
- Apply the following rules and S3 policies:
  - Add a PutOverwriteObject DENY operation to the S3 policy.
  - Add a DeleteObject DENY operation to the S3 policy.
  - Add a PUT Object ALLOW operation to the S3 policy.
CAUTION:
Setting DeleteObject to DENY in an S3 Policy does not prevent ILM from deleting objects when a rule such as "zero copies after 30 days" exists. For more information, see the Administrator Guide.
CAUTION:
Even when all of these rules and policies are applied, they do not guard against concurrent writes (see Situation A). They do guard against sequential completed overwrites (see Situation B).
Situation A — Concurrent writes (does not guard against)
/mybucket/important.doc
PUT#1 ---> OK
PUT#2 -------> OK
Situation B — Sequential completed overwrites (guards against)
/mybucket/important.doc
PUT#1 -------> PUT#2 ---X (denied)
For an example using the PutOverwriteObject permission, see Example: PutOverwriteObject permission.
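The three policy rules listed above can be checked mechanically before a bucket is relied on as WORM. The following is an added example, not code from the product documentation: it audits a bucket policy document for the two DENY rules and the ALLOW rule. The `s3:`-prefixed action names, the `urn:sgws:s3:::` resource strings, the principal placeholder and both sample policies are assumptions constructed for illustration.

```python
from fnmatch import fnmatchcase

# Effect each permission must carry for the WORM setup described above.
# "s3:PutObject" is assumed to be the policy name of the "PUT Object" operation.
REQUIRED = {
    "s3:PutOverwriteObject": "Deny",
    "s3:DeleteObject": "Deny",
    "s3:PutObject": "Allow",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covers(stmt, action, bucket):
    """True if the statement names `action` for objects in `bucket`."""
    probe = f"{bucket}/probe-object"  # constructed key, used only for matching
    acts = any(fnmatchcase(action, pat) for pat in _as_list(stmt.get("Action", [])))
    res = any(fnmatchcase(probe, r.split(":::", 1)[-1])
              for r in _as_list(stmt.get("Resource", [])))
    return acts and res

def audit_worm_policy(policy, bucket):
    """Presence check only: an empty list means all three rules were found."""
    findings = []
    stmts = _as_list(policy.get("Statement", []))
    for action, effect in REQUIRED.items():
        if not any(s.get("Effect") == effect and _covers(s, action, bucket) for s in stmts):
            findings.append(f"missing {effect} for {action} on {bucket}/*")
    return findings

# Constructed sample policies for a bucket named "mybucket".
WORM_POLICY = {"Statement": [
    {"Effect": "Deny", "Principal": "*",
     "Action": ["s3:PutOverwriteObject", "s3:DeleteObject"],
     "Resource": "urn:sgws:s3:::mybucket/*"},
    {"Effect": "Allow", "Principal": {"AWS": "<writer-group-urn-placeholder>"},
     "Action": "s3:PutObject",
     "Resource": "urn:sgws:s3:::mybucket/*"},
]}
WEAK_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "<writer-group-urn-placeholder>"},
     "Action": "s3:*", "Resource": "urn:sgws:s3:::mybucket/*"},
]}

if __name__ == "__main__":
    print(audit_worm_policy(WORM_POLICY, "mybucket"))
    print(audit_worm_policy(WEAK_POLICY, "mybucket"))
```

A clean result only confirms that the three statements exist for the bucket. It says nothing about ILM rules that delete objects or about concurrent writes, which the cautions above place outside the policy's protection.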