You must enable the global S3 Object Lock setting using the Grid Manager or the Grid Management API before any S3 tenant can create a bucket with S3 Object Lock enabled.

Enabling the global S3 Object Lock setting allows all S3 tenant accounts to create buckets with S3 Object Lock enabled.

After you enable the global S3 Object Lock setting, you cannot disable the setting.

You cannot enable the global S3 Object Lock unless the default rule in the active ILM policy iscompliant (that is, the default rule must comply with the requirements of buckets with S3 Object Lock enabled).

When the global S3 Object Lock setting is enabled, you cannot create a new proposed ILM policy or activate an existing proposed ILM policy unless the default rule in the policy is compliant. After the global S3 Object Lock setting has been enabled, the ILM Rules and ILM Policies pages indicate which ILM rules are compliant.

It must create at least two replicated object copies or one erasure-coded copy.

These copies must exist on Storage Nodes for the entire duration of each line in the placement instructions.

Object copies cannot be saved in a Cloud Storage Pool.

Object copies cannot be saved on Archive Nodes.

At least one line of the placement instructions must start at day 0, using Ingest Time as the reference time.

At least one line of the placement instructions must be “forever.”

The default rule in the active or any proposed ILM policy must be compliant.

Non-compliant rules only apply to objects in buckets that do not have S3 Object Lock enabled or that do not have the legacy Compliance feature enabled.

Compliant rules can apply to objects in any bucket; S3 Object Lock or legacy Compliance does not need to be enabled for the bucket.

If the global S3 Object Lock setting is enabled for the StorageGRID system, you can use the Tenant Manager, the Tenant Management API, or the S3 REST API to create buckets with S3 Object Lock enabled.

If you plan to use S3 Object Lock, you must enable S3 Object Lock when you create the bucket. You cannot enable S3 Object Lock for an existing bucket.

Bucket versioning is required with S3 Object Lock. When S3 Object Lock is enabled for a bucket, StorageGRID automatically enables versioning for that bucket.

After you create a bucket with S3 Object Lock enabled, you cannot disable S3 Object Lock or suspend versioning for that bucket.

An StorageGRID bucket that has S3 Object Lock enabled does not have a default retention period. Instead, the S3 client application can optionally specify a retention date and legal hold setting for each object version that is added to that bucket.

Bucket lifecycle configuration is supported for S3 Object Lifecycle buckets.

CloudMirror replication is not supported for buckets with S3 Object Lock enabled.

The S3 client application must specify retention settings for each object that needs to be protected by S3 Object Lock.

You can increase the retain-until-date for an object version, but you can never decrease this value.

If you are notified of a pending legal action or regulatory investigation, you can preserve relevant information by placing a legal hold on an object version. When an object version is under a legal hold, that object cannot be deleted from StorageGRID, even if it has reached its retain-until-date. As soon as the legal hold is lifted,the object version can be deleted if the retain-until-date has been reached.

S3 Object Lock requires the use of versioned buckets. Retention settings apply to individual object versions. An object version can have both a retain-until-date and a legal hold setting, one but not the other, or neither. Specifying a retain-until-date or a legal hold setting for an object protects only the version specified in the request. You can create new versions of the object, while the previous version of the object remains locked.