Manage objects with S3 Object Lock

04/17/2023 Contributors

As a grid administrator, you can enable S3 Object Lock for your StorageGRID system and implement a compliant ILM policy to help ensure that objects in specific S3 buckets aren't deleted or overwritten for a specified amount of time.

What is S3 Object Lock?

The StorageGRID S3 Object Lock feature is an object-protection solution that is equivalent to S3 Object Lock in Amazon Simple Storage Service (Amazon S3).

As shown in the figure, when the global S3 Object Lock setting is enabled for a StorageGRID system, an S3 tenant account can create buckets with or without S3 Object Lock enabled. If a bucket has S3 Object Lock enabled, bucket versioning is required and is enabled automatically.

If a bucket has S3 Object Lock enabled, S3 client applications can optionally specify retention settings for any object version saved to that bucket.

In addition, a bucket that has S3 Object Lock enabled can optionally have a default retention mode and retention period. The default settings apply only to objects that are added to the bucket without their own retention settings.

Retention modes

The StorageGRID S3 Object Lock feature supports two retention modes to apply different levels of protection to objects. These modes are equivalent to the Amazon S3 retention modes.

In compliance mode:
- The object can't be deleted until its retain-until-date is reached.
- The object's retain-until-date can be increased, but it can't be decreased.
- The object's retain-until-date can't be removed until that date is reached.
In governance mode:
- Users with special permission can use a bypass header in requests to modify certain retention settings.
- These users can delete an object version before its retain-until-date is reached.
- These users can increase, decrease, or remove an object's retain-until-date.

Retention settings for object versions

If a bucket is created with S3 Object Lock enabled, users can use the S3 client application to optionally specify the following retention settings for each object that is added to the bucket:

Retention mode: Either compliance or governance.
Retain-until-date: If an object version's retain-until-date is in the future, the object can be retrieved, but it can't be deleted.
Legal hold: Applying a legal hold to an object version immediately locks that object. For example, you might need to put a legal hold on an object that is related to an investigation or legal dispute. A legal hold has no expiration date, but remains in place until it is explicitly removed. Legal holds are independent of the retain-until-date.

If an object is under a legal hold, no one can delete the object, regardless of its retention mode.

For details on the object settings, see Use S3 REST API to configure S3 Object Lock.

Default retention setting for buckets

If a bucket is created with S3 Object Lock enabled, users can optionally specify the following default settings for the bucket:

Default retention mode: Either compliance or governance.
Default retention period: How long new object versions added to this bucket should be retained, starting from the day they are added.

The default bucket settings apply only to new objects that don't have their own retention settings. Existing bucket objects aren't affected when you add or change these default settings.

See Create an S3 bucket and Update S3 Object Lock default retention.

Comparing S3 Object Lock to legacy Compliance

The S3 Object Lock replaces the Compliance feature that was available in earlier StorageGRID versions. Because the S3 Object Lock feature conforms to Amazon S3 requirements, it deprecates the proprietary StorageGRID Compliance feature, which is now referred to as “legacy Compliance.”

The global Compliance setting is deprecated. If you enabled this setting using a previous version of StorageGRID, the S3 Object Lock setting is enabled automatically. You can continue to use StorageGRID to manage the settings of existing compliant buckets; however, you can't create new compliant buckets. For details, see NetApp Knowledge Base: How to manage legacy Compliant buckets in StorageGRID 11.5.

If you used the legacy Compliance feature in a previous version of StorageGRID, refer to the following table to learn how it compares to the S3 Object Lock feature in StorageGRID.

	S3 Object Lock	Compliance (legacy)
How is the feature enabled globally?	From the Grid Manager, select CONFIGURATION > System > S3 Object Lock.	No longer supported.
How is the feature enabled for a bucket?	Users must enable S3 Object Lock when creating a new bucket using the Tenant Manager, the Tenant Management API, or the S3 REST API.	No longer supported.
Is bucket versioning supported?	Yes. Bucket versioning is required and is enabled automatically when S3 Object Lock is enabled for the bucket.	No.
How is object retention set?	Users can set a retain-until-date for each object version, or they can set a default retention period for each bucket.	Users must set a retention period for the entire bucket. The retention period applies to all objects in the bucket.
Can the retention period be changed?	In compliance mode, the retain-until-date for an object version can be increased but never decreased. In governance mode, users with special permissions can decrease or even remove an object's retention settings.	A bucket's retention period can be increased but never decreased.
Where is legal hold controlled?	Users can place a legal hold or lift a legal hold for any object version in the bucket.	A legal hold is placed on the bucket and affects all objects in the bucket.
When can objects be deleted?	In compliance mode, an object version can be deleted after the retain-until-date is reached, assuming the object is not under legal hold. In governance mode, users with special permissions can delete an object before its retain-until-date is reached, assuming the object is not under legal hold.	An object can be deleted after the retention period expires, assuming the bucket is not under legal hold. Objects can be deleted automatically or manually.
Is bucket lifecycle configuration supported?	Yes	No

S3 Object Lock

Compliance (legacy)

How is the feature enabled globally?

From the Grid Manager, select CONFIGURATION > System > S3 Object Lock.

No longer supported.

How is the feature enabled for a bucket?

Users must enable S3 Object Lock when creating a new bucket using the Tenant Manager, the Tenant Management API, or the S3 REST API.

No longer supported.

Is bucket versioning supported?

Yes. Bucket versioning is required and is enabled automatically when S3 Object Lock is enabled for the bucket.

No.

How is object retention set?

Users can set a retain-until-date for each object version, or they can set a default retention period for each bucket.

Users must set a retention period for the entire bucket. The retention period applies to all objects in the bucket.

Can the retention period be changed?

In compliance mode, the retain-until-date for an object version can be increased but never decreased.
In governance mode, users with special permissions can decrease or even remove an object's retention settings.

A bucket's retention period can be increased but never decreased.

Where is legal hold controlled?

Users can place a legal hold or lift a legal hold for any object version in the bucket.

A legal hold is placed on the bucket and affects all objects in the bucket.

When can objects be deleted?

In compliance mode, an object version can be deleted after the retain-until-date is reached, assuming the object is not under legal hold.
In governance mode, users with special permissions can delete an object before its retain-until-date is reached, assuming the object is not under legal hold.

An object can be deleted after the retention period expires, assuming the bucket is not under legal hold. Objects can be deleted automatically or manually.

Is bucket lifecycle configuration supported?

Yes