Skip to main content
How to enable StorageGRID in your environment

Test and demonstrate S3 object lock on StorageGRID

Contributors netapp-aronk

By Aron Klein

Object Lock provides a WORM model to prevent objects from being deleted or overwritten. StorageGRID
implementation of object lock is Cohasset assessed to help meet regulatory requirements, supporting
legal hold and compliance mode for object retention, and default bucket retention policies.

This guide will demonstrate the S3 Object Lock API.

  • Object Lock legal hold is a simple on/off status applied to an object.

    aws s3api put-object-legal-hold --bucket <bucket> --key <file> --legal-hold Status=ON --endpoint-url https://s3.company.com
  • Verify it with a GET operation.

    aws s3api get-object-legal-hold --bucket <bucket> --key <file> --endpoint-url https://s3.company.com
    {
        "LegalHold": {
            "Status": "ON"
        }
    }
  • Turn legal hold off

    aws s3api put-object-legal-hold --bucket <bucket> --key <file> --legal-hold Status=OFF --endpoint-url https://s3.company.com
  • Verify it with a GET operation.

    aws s3api get-object-legal-hold --bucket <bucket> --key <file> --endpoint-url https://s3.company.com
    {
        "LegalHold": {
            "Status": "OFF"
        }
    }

Compliance mode

  • The object retention is done with a retain until timestamp.

    aws s3api put-object-retention --bucket <bucket> --key <file> --retention '{"Mode":"COMPLIANCE", "RetainUntilDate": "2025-06-10T16:00:00"}' --endpoint-url https://s3.company.com
  • Verify the retention status

    aws s3api get-object-retention --bucket <bucket> --key <file> --endpoint-url https://s3.company.com
    +
    {
        "Retention": {
            "Mode": "COMPLIANCE",
            "RetainUntilDate": "2025-06-10T16:00:00+00:00"
        }
    }

Default retention

  • Set the retention period in days and years verses a retain until date defined with the per object api.

    aws s3api put-object-lock-configuration --bucket <bucket> --object-lock-configuration '{"ObjectLockEnabled": "Enabled", "Rule": { "DefaultRetention": { "Mode": "COMPLIANCE", "Days": 10 }}}' --endpoint-url https://s3.company.com
  • Verify the retention status

    aws s3api get-object-lock-configuration --bucket <bucket> --endpoint-url https://s3.company.com
    {
        "ObjectLockConfiguration": {
            "ObjectLockEnabled": "Enabled",
            "Rule": {
                "DefaultRetention": {
                    "Mode": "COMPLIANCE",
                    "Days": 10
                }
            }
        }
    }
  • Put an object in the bucket

    aws s3api put-object --bucket <bucket> --key <file> --body "file" --endpoint-url https://s3.example.com
  • The retention duration set on the bucket is converted to a retention timestamp on the object.

    aws s3api get-object-retention --bucket <bucket> --key <file> --endpoint-url https://s3.company.com
    {
        "Retention": {
            "Mode": "COMPLIANCE",
            "RetainUntilDate": "2022-03-02T15:22:47.202000+00:00"
        }
    }

Test deleting an object with a defined retention

Object Lock is built on top of versioning. The retention is defined on a version of the object. If an attempt is made to delete an object with a retention defined, and no version is specified, a delete marker is created as the current version of the object.

  • Delete the object with retention defined

    aws s3api delete-object --bucket <bucket> --key <file> --endpoint-url https://s3.example.com
  • List the objects in the bucket

    aws s3api list-objects --bucket <bucket> --endpoint-url https://s3.example.com
    • Notice the object is not listed.

  • List versions to see the delete marker, and the original locked version

    aws s3api list-object-versions --bucket <bucket> --prefix <file> --endpoint-url https://s3.example.com
    {
        "Versions": [
            {
                "ETag": "\"82e8bfb872e778a4687a26e6c0b36bc1\"",
                "Size": 47,
                "StorageClass": "STANDARD",
                "Key": "file.txt",
                "VersionId": "RDVDMjYwMTQtQkNDQS0xMUVDLThGOEUtNjQ3NTAwQzAxQTk1",
                "IsLatest": false,
                "LastModified": "2022-04-15T14:46:29.734000+00:00",
                "Owner": {
                    "DisplayName": "Tenant01",
                    "ID": "56622399308951294926"
                }
            }
        ],
        "DeleteMarkers": [
            {
                "Owner": {
                    "DisplayName": "Tenant01",
                    "ID": "56622399308951294926"
                },
                "Key": "file01.txt",
                "VersionId": "QjVDQzgzOTAtQ0FGNi0xMUVDLThFMzgtQ0RGMjAwQjk0MjM1",
                "IsLatest": true,
                "LastModified": "2022-05-03T15:35:50.248000+00:00"
            }
        ]
    }
  • Delete the locked version of the object

    aws s3api delete-object  --bucket <bucket> --key <file> --version-id "<VersionId>" --endpoint-url https://s3.example.com
    An error occurred (AccessDenied) when calling the DeleteObject operation: Access Denied