Wasabi Object Lock is a feature that prohibits modification or deletion of specific object versions during a configured retention period. Object Lock is a method that can be used to achieve WORM or a form of airgapped storage. The retention policy can be specified on each object placed into a bucket. Additionally, bucket level settings can be applied so that new objects placed in a bucket will have the default settings applied. Versioning is required to be enabled on a bucket with Object Lock enabled.
There are two modes of Object Lock:
Governance Mode will lock the object for the configured retention policy, however, the root user or any user with the IAM permission “s3:BypassGovernanceRetention” can bypass the retention policy and modify or delete files.
Compliance Mode will lock the object for the configured retention policy, and no user can modify or delete the object, until that retention policy has passed.
Legal hold is an additional locking mechanism that can be placed on an object in an Object Lock enabled bucket. A legal hold will prevent the modification or deletion of an object indefinitely until the legal hold has been removed. A legal hold overrides both Governance Mode, and Compliance Mode retention policies, however, it does not remove them. After removing the legal hold, the existing Governance Mode, or Compliance Mode retention policy will still be in effect.
Enabling Object Lock
Object Lock must be enabled on a bucket before you can use the Object Lock functionality. Enabling Object Lock can only be done during bucket creation. Therefore, you are unable to enable Object Lock on existing buckets of data.
Creating a bucket that has Object Lock enabled will automatically disable the use of Wasabi Bucket Lock (Wasabi Compliance).
Bucket Level Defaults Configuration
Bucket level configuration for Object Lock allows you to automatically configure a Retention Mode and Retention Time in days, or years for new objects placed into a bucket. This configuration is disabled by default and is optional. Configuring Object Lock on a bucket does not affect objects which are already in a bucket. When an object is uploaded without any Object Lock configuration, the object will have the Bucket Level Defaults applied to it. Changing or disabling Object Lock default settings on the bucket, will not affect any existing objects in a bucket.
Viewing Object Lock Status on a File
Determining Wasabi Object Lock vs Wasabi Compliance
Wasabi Ball Support