You can create write-once-read-many (WORM) buckets to protect data, user-defined object metadata, and S3 object tagging. You configure the WORM buckets to allow the creation of new objects and to prevent overwrites or deletion of existing content. Use one of the approaches described here.
To ensure that overwrites are always denied, you can:
- From the Grid Manager, set the Prevent Client Modify grid option to Enabled.
- Apply the following rules and S3 policies:
  - Add a PutOverwriteObject DENY operation to the S3 policy.
  - Add a DeleteObject DENY operation to the S3 policy.
  - Add a PUT Object ALLOW operation to the S3 policy.
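The following is an added example, not part of the original documentation: a bucket policy carrying the three operations listed above, and a check that reports which of them a given policy is missing. The bucket name comes from the situations shown later on this page; the `Sid` values, the `"*"` principal, the ARN form, and the function names are assumptions made for illustration. The check looks only at effect, action, and resource.

```python
import json

# Constructed sample policy for /mybucket. The Sid values, the "*" principal
# and the ARN form are assumptions, not taken from the page.
WORM_POLICY = json.loads("""
{
  "Statement": [
    {"Sid": "DenyOverwrite", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutOverwriteObject", "Resource": "arn:aws:s3:::mybucket/*"},
    {"Sid": "DenyDelete", "Effect": "Deny", "Principal": "*",
     "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::mybucket/*"},
    {"Sid": "AllowCreate", "Effect": "Allow", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::mybucket/*"}
  ]
}
""")

# The three operations the page lists, as (effect, action) pairs.
REQUIRED = [("Deny", "s3:PutOverwriteObject"),
            ("Deny", "s3:DeleteObject"),
            ("Allow", "s3:PutObject")]


def _as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def missing_worm_rules(policy, bucket):
    """Return the required (effect, action) pairs not applied to all objects in bucket."""
    resource = f"arn:aws:s3:::{bucket}/*"
    found = set()
    for stmt in policy.get("Statement", []):
        if resource not in _as_list(stmt.get("Resource", [])):
            continue  # statement does not cover every object in this bucket
        if "Condition" in stmt:
            continue  # a conditional statement does not apply in every case
        # Exact action names only: wildcard actions are not expanded, so a
        # policy that relies on them is reported as missing the rule.
        for action in _as_list(stmt.get("Action", [])):
            found.add((stmt.get("Effect"), action))
    return [rule for rule in REQUIRED if rule not in found]


if __name__ == "__main__":
    print(missing_worm_rules(WORM_POLICY, "mybucket"))
```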
CAUTION:
Setting DeleteObject to DENY in an S3 policy does not prevent ILM from deleting objects when a rule such as "zero copies after 30 days" exists.
CAUTION:
Even when all of these rules and policies are applied, they do not guard against concurrent writes (see Situation A). They do guard against sequential completed overwrites (see Situation B).
Situation A: Concurrent writes (not guarded against)
/mybucket/important.doc
PUT#1 ---> OK
PUT#2 -------> OK
Situation B: Sequential completed overwrites (guarded against)
/mybucket/important.doc
PUT#1 -------> PUT#2 ---X (denied)