Skip to main content
A newer release of this product is available.

Manage objects with S3 Object Lock

Contributors netapp-madkat netapp-perveilerk

As a grid administrator, you can enable S3 Object Lock for your StorageGRID system and implement a compliant ILM policy to help ensure that objects in specific S3 buckets are not deleted or overwritten for a specified amount of time.

What is S3 Object Lock?

The StorageGRID S3 Object Lock feature is an object-protection solution that is equivalent to S3 Object Lock in Amazon Simple Storage Service (Amazon S3).

As shown in the figure, when the global S3 Object Lock setting is enabled for a StorageGRID system, an S3 tenant account can create buckets with or without S3 Object Lock enabled. If a bucket has S3 Object Lock enabled, S3 client applications can optionally specify retention settings for any object version in that bucket. An object version must have retention settings specified to be protected by S3 Object Lock. In addition, each bucket that has S3 Object Lock enabled can optionally have a default retention mode and retention period, which apply if objects are added to the bucket without their own retention settings.

S3 Object Lock Architecture

The StorageGRID S3 Object Lock feature provides a single retention mode that is equivalent to the Amazon S3 compliance mode. By default, a protected object version cannot be overwritten or deleted by any user. The StorageGRID S3 Object Lock feature does not support a governance mode, and it does not allow users with special permissions to bypass retention settings or to delete protected objects.

If a bucket has S3 Object Lock enabled, the S3 client application can optionally specify either or both of the following object-level retention settings when creating or updating an object:

  • Retain-until-date: If an object version's retain-until-date is in the future, the object can be retrieved, but it cannot be modified or deleted. As required, an object's retain-until-date can be increased, but this date cannot be decreased.

  • Legal hold: Applying a legal hold to an object version immediately locks that object. For example, you might need to put a legal hold on an object that is related to an investigation or legal dispute. A legal hold has no expiration date, but remains in place until it is explicitly removed. Legal holds are independent of the retain-until-date.

For details about object retention settings, go to Use S3 Object Lock.

For details about default bucket retention settings, go to Use S3 Object Lock default bucket retention.

Comparing S3 Object Lock to legacy Compliance

The S3 Object Lock replaces the Compliance feature that was available in earlier StorageGRID versions. Because the S3 Object Lock feature conforms to Amazon S3 requirements, it deprecates the proprietary StorageGRID Compliance feature, which is now referred to as “legacy Compliance.”

If you previously enabled the global Compliance setting, the global S3 Object Lock setting was enabled automatically. Tenant users are no longer be able to create new buckets with Compliance enabled; however, as required, tenant users can continue to use and manage any existing legacy Compliant buckets, which includes performing the following tasks:

  • Ingesting new objects into an existing bucket that has legacy Compliance enabled.

  • Increasing the retention period of an existing bucket that has legacy Compliance enabled.

  • Changing the auto-delete setting for an existing bucket that has legacy Compliance enabled.

  • Placing a legal hold on an existing bucket that has legacy Compliance enabled.

  • Lifting a legal hold.

If you used the legacy Compliance feature in a previous version of StorageGRID, refer to the following table to learn how it compares to the S3 Object Lock feature in StorageGRID.

S3 Object Lock (new) Compliance (legacy)

How is the feature enabled globally?

From the Grid Manager, select CONFIGURATION > System > S3 Object Lock.

No longer supported.

Note: If you enabled the global Compliance setting using a previous version of StorageGRID, the S3 Object Lock setting is enabled in StorageGRID 11.6. You can continue to use StorageGRID to manage the settings of existing compliant buckets; however, you cannot create new compliant buckets.

How is the feature enabled for a bucket?

Users must enable S3 Object Lock when creating a new bucket using the Tenant Manager, the Tenant Management API, or the S3 REST API.

Users can no longer create new buckets with Compliance enabled; however, they can continue to add new objects to existing Compliant buckets.

Is bucket versioning supported?

Yes. Bucket versioning is required and is enabled automatically when S3 Object Lock is enabled for the bucket.

No. The legacy Compliance feature does not allow bucket versioning.

How is object retention set?

Users can set a retain-until-date for each object version.

Users must set a retention period for the entire bucket. The retention period applies to all objects in the bucket.

Can a bucket have default settings for retention and legal hold?

Yes. StorageGRID buckets that have S3 Object Lock enabled can have a default retention period that is applied to object versions that do not have their own retention settings specified during ingest.

Yes

Can the retention period be changed?

The retain-until-date for an object version can be increased but never decreased.

The bucket's retention period can be increased but never decreased.

Where is legal hold controlled?

Users can place a legal hold or lift a legal hold for any object version in the bucket.

A legal hold is placed on the bucket and affects all objects in the bucket.

When can objects be deleted?

An object version can be deleted after the retain-until-date is reached, assuming the object is not under legal hold.

An object can be deleted after the retention period expires, assuming the bucket is not under legal hold. Objects can be deleted automatically or manually.

Is bucket lifecycle configuration supported?

Yes

No