Object Locking
Object Lock prevents objects from being deleted or overwritten while a retention period is in effect. Use it for compliance (financial records, audit logs), ransomware protection, or any case where data integrity must be guaranteed.
Object Lock is a permanent bucket setting. It must be enabled at bucket creation time under Advanced options in the Create Bucket dialog. It cannot be enabled, disabled, or changed after the bucket is created.
Enable Object Lock at bucket creation
When creating a bucket, expand Advanced options in the Create Bucket dialog and enable Object Lock before clicking Create Bucket. See Buckets → Create a bucket.
After creation, the Lock Settings tab will be active for the bucket and you can configure retention.
Lock Settings tab
After bucket creation, find the lock state in two places:
- The General tab shows Object Lock as a read-only field (Enabled or Disabled).
- The Lock Settings tab shows the active retention configuration.
If Object Lock was enabled at creation
The Lock Settings tab lets you manage retention policies for objects in the bucket. Object Lock applies to objects uploaded after retention is configured.
If Object Lock was not enabled at creation
The Lock Settings tab shows the message:
“Object Lock Not Enabled — Object locking must be enabled when creating the bucket to use retention policies. This setting cannot be changed after bucket creation.”
The message is marked Permanent Bucket Setting. To use Object Lock for that workload, create a new bucket with the option turned on and migrate objects.
How retention works
A locked object cannot be overwritten or deleted until its retention period expires. You configure retention on the Lock Settings tab under Default Retention Policy, which applies to every object uploaded after the policy is saved. A policy has two parts: a retention mode and a retention period.
Retention modes
The retention mode controls who can shorten or remove the lock before it expires. Choose one:
COMPLIANCE is the strictest protection. Once an object is written under a COMPLIANCE retention period, neither you nor any token can delete or overwrite it until the period expires. Confirm the retention period is correct before you save.
Retention period
The retention period is how long objects stay locked. Set it under Retention Period using a number plus a unit (Days or Years); the page shows the resolved Total Retention Period below the field. The lock stays in effect for that duration from the time each object is uploaded.
Set a default retention policy
- Open the bucket and go to the Lock Settings tab.
- Under Default Retention Policy, click Edit.
- Select a Retention Mode — GOVERNANCE or COMPLIANCE.
- Set the Retention Period value and unit (Days or Years), and check the Total Retention Period summary.
- Click Save Changes. The policy status shows as Configured and applies to objects uploaded afterward.
Use Object Lock together with API token scoping (Bucket policies) so that no path can bypass the lock.
Best practices
- Decide at creation time. Because Object Lock cannot be added later, plan before creating buckets that may need immutability.
- Pair with lifecycle rules carefully. Lifecycle expiry cannot delete locked objects; verify rules don’t silently fail on protected data.
- Document your retention policy internally so future engineers understand why objects can’t be deleted.
- Don’t lock everything. Reserve Object Lock for buckets where immutability is genuinely required.
