diff --git a/pages/audit-trail/how-to/manage-adt-export.mdx b/pages/audit-trail/how-to/manage-adt-export.mdx index be58b19ba9..85fa506cda 100644 --- a/pages/audit-trail/how-to/manage-adt-export.mdx +++ b/pages/audit-trail/how-to/manage-adt-export.mdx @@ -18,7 +18,7 @@ By default, your event logs are exported to the `Standard` [storage class](/obje - A Scaleway account logged into the [console](https://console.scaleway.com) - [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization - Created [resources integrated](/audit-trail/reference-content/resource-integration-with-adt/) with Audit Trail -- [Created](/object-storage/how-to/create-a-bucket/) an Object Storage bucket with [object lock](/object-storage/api-cli/object-lock/#how-to-configure-bucket-lock) set up +- [Created](/object-storage/how-to/create-a-bucket/) an Object Storage bucket with [object lock](/object-storage/how-to/use-object-lock/#how-to-configure-bucket-lock) set up At this stage, an export includes all Audit Trail events by default, allowing only one active export configuration per region. Future updates will let you select specific events for export. diff --git a/pages/object-storage/api-cli/lifecycle-rules-api.mdx b/pages/object-storage/api-cli/lifecycle-rules-api.mdx index c61417f2e7..d92de4df96 100644 --- a/pages/object-storage/api-cli/lifecycle-rules-api.mdx +++ b/pages/object-storage/api-cli/lifecycle-rules-api.mdx 
@@ -12,9 +12,10 @@ import LifecycleMinimalDurationMessage from '@macros/object-storage/lifecycle-mi You can configure the lifecycle of a group of objects to manage their storage costs effectively. A lifecycle configuration is a set of rules that defines actions applied to a group of objects stored on Object Storage. The Amazon S3 API allows you to automatically manage the lifecycle of your object by setting lifecycle rules. These rules allow you to automatically: - - Delete your objects and their versions by setting expiration durations - Transition objects and their versions to a colder storage class + - Delete your objects and their versions by setting expiration durations - Abort incomplete [multipart uploads](/object-storage/api-cli/multipart-uploads/) + - Expire delete markers without a non-current version automatically @@ -204,6 +205,14 @@ Lifecycle rules only allow the following transitions: **Parent** : `Rule` +### ExpiredObjectDeleteMarker + +**Description** +: Enables the expiration of delete markers without non-current versions. Expired delete markers are deleted automatically. + +**Parent** +: `Expiration` + ### NoncurrentVersionExpiration **Description** diff --git a/pages/object-storage/api-cli/object-lock.mdx b/pages/object-storage/api-cli/object-lock.mdx deleted file mode 100644 index bcff0953e8..0000000000 --- a/pages/object-storage/api-cli/object-lock.mdx +++ /dev/null 
@@ -1,461 +0,0 @@ ---- -title: Setting up object lock -description: Learn to use object locking in Scaleway Object Storage for data protection. -tags: object storage object-storage object-lock bucket-test bucket test -dates: - validation: 2025-07-31 - posted: 2021-05-27 ---- -import Requirements from '@macros/iam/requirements.mdx' - - -The **object lock** feature allows users to lock objects and prevent them from being deleted or overwritten. Objects can be put on lock for a specific amount of time or indefinitely. The lock period is defined by the user. - -The feature uses a write-once-read-many (WORM) data protection model. This model is generally used in cases where data must not be altered once it has been written. It provides [regulatory compliance](https://en.wikipedia.org/wiki/Regulatory_compliance) and protection against ransomware, and malicious or accidental deletion of objects. - -Setting object lock can only be achieved upon the creation of a bucket. In addition, versioning is automatically enabled on the bucket and cannot be disabled. You must enable object lock if you wish to write a lock configuration. You can use the `PutObjectLockConfiguration` request with the object lock flag set. - - - Object Lock can be used with `Standard Multi-AZ`, `Standard One Zone` and `Glacier` [storage classes](/object-storage/concepts/#storage-class). - - - - -- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization -- Installed the [AWS CLI](/object-storage/api-cli/object-storage-aws-cli/) -- An [Object Storage bucket](/object-storage/how-to/create-a-bucket/) - -## How to configure bucket lock - -The lock Configuration enables you to set a lock configuration on a specified bucket. Once set, the rule specified in the object lock configuration is applied by default to every new object placed in the specified bucket. 
- -### XML lock configuration tokens - -`ObjectLockConfiguration` - - **Description:** Root level tag for the ObjectLockConfiguration parameters. - - **Required:** Yes - -`ObjectLockEnabled` - - **Description:** Indicates whether this bucket has an object lock configuration enabled. - - **Type:** String - - **Valid Values:** `Enabled` - - **Required:** Yes - -`Rule` - - **Description:** The object lock rule in place for the specified object. - - **Type:** ObjectLockRule data type - - **Required:** No - -`Mode` - - **Description:** The default object lock retention mode you want to apply to new objects placed in the specified bucket. - - **Type:** String - - **Valid Values:** `GOVERNANCE` or `COMPLIANCE` - -`Days` - - **Description:** The number of days that you want to specify for the default retention period. - - **Type:** Integer - -`Years` - - **Description:** The number of years that you want to specify for the default retention period. - - **Type:** Integer - - -### PUT Bucket - -This operation creates a new bucket with object lock. The `/lockedbucket` header is added to the standard PutBucket operation. - - - If the operation is successful, no output will be returned. - - -**Sample Request** -```xml -PUT /lockedbucket HTTP/1.1 -x-amz-bucket-object-lock-enabled: True -``` -### PUT Object lock Configuration - -This operation applies the lock configuration on a bucket. - - - If the operation is successful, no output will be returned. - - -**Sample Request** - -```xml -PUT /lockedbucket?object-lock HTTP/1.1 - - - Enabled - - - COMPLIANCE - 1000 - - - -``` - -**Sample Request** -```xml -PUT /lockedbucket?object-lock HTTP/1.1 - - - Enabled - - - GOVERNANCE - 30 - - - -``` - -**Sample Request** -```xml -PUT /lockedbucket?object-lock HTTP/1.1 - - - Enabled - -``` -### GET Object lock Configuration - -This operation returns the lock configuration. 
- -**Sample Request** -```xml -GET /lockedbucket?object-lock HTTP/1.1 -``` - -**Sample Response** -```xml - - Enabled - - - COMPLIANCE - 1000 - - - -``` - -**Sample Request** -```xml -GET /lockedbucket?object-lock HTTP/1.1 -``` - -**Sample Response** -```xml - - Enabled - - - GOVERNANCE - 30 - - - -``` - -**Sample Request** -```xml -GET /lockedbucket?object-lock HTTP/1.1 -``` - -**Sample Response** -```xml - - Enabled - -``` -### AWS-CLI Object lock configuration - -To use object lock, you have to create a bucket that supports the feature. - -You can create a bucket with the `--object-lock-enabled-for-bucket` flag, which enables object lock but does not activate it by default. If a bucket is created without `--object-lock-enabled-for-bucket`, the flag cannot be added later. - - - The following command does not apply object lock to the bucket's objects. Object lock has to be activated with a different command. - - -``` -aws s3api create-bucket --object-lock-enabled-for-bucket --bucket test-is-lock -``` -By default, object lock is not activated on buckets. To activate it, you can run the following command: - -```bash -aws s3api put-object-lock-configuration \ - --bucket my-bucket-with-object-lock \ - --object-lock-configuration '{ "ObjectLockEnabled": "Enabled", "Rule": { "DefaultRetention": { "Mode": "COMPLIANCE", "Days": 50 }}}' -``` - - - In the example above, the `object-lock-configuration` is set to 50 days on the specified bucket. 
- - -To view the object lock configuration of a bucket, run the following command: - - ```bash - aws s3api get-object-lock-configuration - --bucket test-is-lock - ``` - -An output similar to the following displays: - - ```json - { - "ObjectLockConfiguration": { - "ObjectLockEnabled": "Enabled", - "Rule": { - "DefaultRetention": { - "Mode": "COMPLIANCE", - "Days": 50 - } - } - } - } - ``` - -## How to configure object retention - -Object retention is a feature that guarantees your object is WORM-protected and cannot be overwritten or deleted. - -Object lock provides two modes to manage object retention: **Compliance** and **Governance**. It allows retention settings on individual objects in addition to default retention settings for all objects within a bucket. - -### Retention Modes - -**Compliance** - -When this mode is set, an object version cannot be overwritten or deleted by any user. If the **Compliance** mode is configured for an object, then its retention mode cannot be changed, and its retention period cannot be shortened. In other words, it ensures that an object version cannot be overwritten or deleted for the duration of the retention period. - - -When the compliance mode is enabled, it is only possible to overwrite it or delete an object once the object lock expires or upon deleting your Scaleway account. - - -**Governance** - -When this mode is set, all users with [permission](/iam/concepts/#permission) can alter lock settings. - - - The **Governance** mode ensures extra protection before any alterations can be completed. An object can be permanently deleted only if: - - A retention rule is applied, the governance retention date must be anterior to the present time - - The object does not have a legal hold in place. If it does, the legal hold [status token](/object-storage/api-cli/object-lock/#xml-legal-hold-configuration-token) must be set to OFF before deletion. 
- When the above criteria are met, you will be able to use `delete-object --version-id` to permanently delete an object. - - -### Retention Periods - -A retention period specifies a fixed period during which an object remains locked. - -### XML retention configuration token - -`Mode` - - **Description:** Indicates the retention mode for the specified object. - - **Type:** String - - **Valid Values:** `GOVERNANCE` or `COMPLIANCE` - - **Required:** Yes - -`RetainUntilDate` - - **Description:** The date on which this object lock retention will expire. - - **Type:** Timestamp (iso format) - - **Required:** Yes - -### Put Object retention - -Places an object retention configuration on an object. - - - If the operation is successful, no output will be returned. - - -**Sample Request** -```xml -PUT /lockedbucket/myobject?retention HTTP/1.1 -X-Amz-Date: 20201028T052225Z -X-Amz-Content-SHA256: c6998888096fe13a5d84de6db902e3b3c0b623565cd5f2be70330d6ed40dca91 -Authorization: XXX -Content-Length: 149 - - - COMPLIANCE - 2021-01-01T21:42:42Z - -``` - -**Sample Request** -```xml -PUT /lockedbucket/myobject?retention HTTP/1.1 -X-Amz-Date: 20201028T052346Z -X-Amz-Content-SHA256: 470bfbbffadc821f4b4a398154e9c300d741093205ddbdb25514351b64d64b31 -Authorization: XXX -Content-Length: 149 - - - GOVERNANCE - 2025-12-12T00:00:00Z - -``` - -### GET Object retention - -This operation returns the object retention settings. 
- -**Sample Request** -```xml -GET /lockedbucket/myobject?retention HTTP/1.1 -``` - -**Sample Response** -```xml - - COMPLIANCE - 2021-01-01T21:42:42Z - -``` - -**Sample Request** -```xml -GET /lockedbucket/myobject?retention HTTP/1.1 -``` - -**Sample Response** -```xml - - GOVERNANCE - 2025-12-12T00:00:00Z - -``` - -### AWS-CLI Object retention - -```bash -aws s3api put-object-retention \ - --bucket test-is-lock \ - --key go \ - --retention '{ "Mode": "COMPLIANCE", "RetainUntilDate": -"2021-01-01T21:42:42Z" }' -aws s3api get-object-retention - --bucket test-is-lock - --key ohno -{ - "Retention": { - "Mode": "COMPLIANCE", - "RetainUntilDate": "2050-09-21T18:52:27Z" - } -} -``` -## How to manage object legal hold - -Legal hold is an ON/OFF switch that can be applied to every object in a locked bucket, independently of the lock configuration, the object retention or the object age. It can be applied to objects which are locked. - -A legal hold provides the same protection as a retention period, but it has no expiration date. Instead, a legal hold remains in place until you explicitly remove it. - -### XML legal hold configuration token - -`Status`: - - **Description:** Indicates whether the specified object has a legal hold in place. - - **Type:** String - - **Valid Values:** `ON` or `OFF` - - **Required:** Yes - -### Put Object legal hold - -Applies a legal hold configuration to the specified object. - - - If the operation is successful, no output will be returned. 
- - -**Sample Request** -```xml -PUT /lockedbucket/myobject?legal-hold HTTP/1.1 -X-Amz-Date: 20201028T052448Z -X-Amz-Content-SHA256: 96b73c95a8d33e664ab2170e095025b47ebd55978bb71cebd6a51e394bf96722 -Authorization: XXX -Content-Length: 90 - - - ON - -``` - -**Sample Request** -```xml -PUT /lockedbucket/myobject?legal-hold HTTP/1.1 -X-Amz-Date: 20201028T052547Z -X-Amz-Content-SHA256: 33cb1c62439a66fbcbca4ffb243b013ceb212075048f72ab4383f73afb5c4bd9 -Authorization: XXX -Content-Length: 91 - - - OFF - -``` - -### GET Object legal hold - -Returns the legal hold configuration of the specified object. - -**Sample Request** -```xml -GET /lockedbucket/myobject?legal-hold HTTP/1.1 -``` -**Sample Response** -```xml - - ON - -``` - -**Sample Request** -```xml -GET /lockedbucket/myobject?legal-hold HTTP/1.1 -``` - -**Sample Response** -```xml - - OFF - -``` -### AWS-CLI Object legal hold - -Run the command below to apply a legal hold: - -```bash -aws s3api put-object-legal-hold - --bucket test-is-lock - --key go - --version-id 1601317928668527 - --legal-hold Status=ON -``` - -Run the command below to retrieve the legal hold status of an object: - -```bash -aws s3api get-object-legal-hold - --bucket test-is-lock - --key go - --version-id 1601317928668527 -``` - -An output similar to the following displays: - -```json -{ - "LegalHold": { - "Status": "ON" - } -} -``` - -### Object lock limitations - -- When enabling the compliance mode, the only way to overwrite it is to wait for the lock to be outdated or to delete your Scaleway account. - -- A bucket that has object lock enabled cannot be deleted via the Scaleway console. - -- If you set lifecycle expiration rules on some of your objects, the objects that are locked or have a legal hold enabled are ignored by the lifecycle engine. Hence, those objects will not be deleted. diff --git a/pages/object-storage/api-cli/using-api-call-list.mdx b/pages/object-storage/api-cli/using-api-call-list.mdx index 9dface5b2a..e0a52a8ea7 100644 
--- a/pages/object-storage/api-cli/using-api-call-list.mdx +++ b/pages/object-storage/api-cli/using-api-call-list.mdx 
@@ -75,9 +75,9 @@ In this page we index all available Scaleway Object Storage API requests. | [DeleteObjectTagging](/object-storage/api-cli/object-operations/#deleteobjecttagging) | Deletes the tag(s) of an object | supported | | [GetObject](/object-storage/api-cli/object-operations/#getobject) | Retrieves an object | supported | | [GetObjectAcl](/object-storage/api-cli/object-operations/#getobjectacl) | Gets the ACL of an object | supported | -| [GetObjectLegalHold](/object-storage/api-cli/object-lock/#get-object-legal-hold) | Gets an object's current [Legal Hold configuration](/object-storage/api-cli/object-lock/#how-to-manage-object-legal-hold) | supported | -| [GetObjectLockConfiguration](/object-storage/api-cli/object-lock/#get-object-lock-configuration) | Gets an [object Lock configuration](/object-storage/api-cli/object-lock/) for a bucket. The specified rule will be applied by default to every new object placed in the bucket | supported | -| [GetObjectRetention](/object-storage/api-cli/object-lock/#get-object-retention) | Retrieves an object's [retention settings](/object-storage/api-cli/object-lock/#how-to-configure-object-retention) | supported | +| [GetObjectLegalHold](/object-storage/how-to/use-object-lock/#get-object-legal-hold) | Gets an object's current [Legal Hold configuration](/object-storage/how-to/use-object-lock/#how-to-manage-object-legal-hold) | supported | +| [GetObjectLockConfiguration](/object-storage/how-to/use-object-lock/#get-object-lock-configuration) | Gets an object's [Lock configuration](/object-storage/how-to/use-object-lock/) for a bucket. 
The specified rule will be applied by default to every new object placed in the bucket | supported | +| [GetObjectRetention](/object-storage/how-to/use-object-lock/#get-object-retention) | Retrieves an object's [Retention settings](/object-storage/how-to/use-object-lock/#how-to-configure-object-retention) | supported | | [GetObjectTagging](/object-storage/api-cli/object-operations/#getobjecttagging) | Get the tag(s) of an object | supported | | [HeadObject](/object-storage/api-cli/object-operations/#headobject) | Gets object metadata | supported | | [ListMultipart](/object-storage/api-cli/multipart-uploads/#listing-multipart-uploads) | Lists in-progress multipart uploads | supported | 
@@ -86,9 +86,9 @@ In this page we index all available Scaleway Object Storage API requests. | [PutObject](/object-storage/api-cli/object-operations/#putobject) | Adds an object to a bucket | supported | | [PutObjectAcl](/object-storage/api-cli/object-operations/#putobjectacl) | Adds an ACL to an object | supported | | [PutObjectTagging](/object-storage/api-cli/object-operations/#putobjecttagging) | Adds one or several tags to an object | supported | -| [PutObjectLegalHold](/object-storage/api-cli/object-lock/#put-object-legal-hold) | Applies a [Legal Hold configuration](/object-storage/api-cli/object-lock/#how-to-manage-object-legal-hold) to the specified object | supported | +| [PutObjectLegalHold](/object-storage/how-to/use-object-lock/#put-object-legal-hold) | Applies a [Legal Hold configuration](/object-storage/how-to/use-object-lock/#how-to-manage-object-legal-hold) to the specified object | supported | | PutObjectLockConfiguration | Sets an object lock configuration on a specified bucket | supported | -| [PutObjectRetention](/object-storage/api-cli/object-lock/#put-object-retention) | Places an [object Retention configuration](/object-storage/api-cli/object-lock/#how-to-configure-object-retention) on an object | supported | +| [PutObjectRetention](/object-storage/how-to/use-object-lock/#put-object-retention) | Places an [object Retention configuration](/object-storage/how-to/use-object-lock/#how-to-configure-object-retention) on an object | supported | | [RestoreObject](/object-storage/api-cli/object-operations/#restoreobject) | Restores an object from `Glacier` | supported | | [UploadPart](/object-storage/api-cli/multipart-uploads/#uploading-a-part) | Uploads a part in a multipart upload | supported | | UploadPartCopy | Copies data from an existing object as data source to upload a part | supported | diff --git a/pages/object-storage/concepts.mdx b/pages/object-storage/concepts.mdx index d25b981984..fc3a5021f0 100644 --- a/pages/object-storage/concepts.mdx 
+++ b/pages/object-storage/concepts.mdx @@ -63,7 +63,7 @@ An endpoint represents one end of a communication channel. In the context of Obj A legal hold provides the same protection as a retention period, but it has no expiration date. It takes the form of an ON/OFF switch that can be applied to every object in a locked bucket, independently of the lock configuration, or the object retention or its age. It can be applied to objects which are locked. A legal hold remains in place until you explicitly remove it. -Refer to our [dedicated documentation](/object-storage/api-cli/object-lock/#how-to-manage-object-legal-hold) for more information. +Refer to our [dedicated documentation](/object-storage/how-to/use-object-lock/#how-to-manage-object-legal-hold) for more information. ## Lifecycle configuration @@ -102,7 +102,7 @@ An Amazon S3 API feature that allows users to lock objects to prevent them from The feature uses a write-once-read-many (WORM) data protection model. This model is generally used in cases where data cannot be altered once it has been written. It provides regulatory compliance and protection against ransomware and malicious or accidental deletion of objects. -Refer to our [dedicated documentation](/object-storage/api-cli/object-lock/#how-to-manage-object-legal-hold) for more information. +Refer to our [dedicated documentation](/object-storage/how-to/use-object-lock/#how-to-manage-object-legal-hold) for more information. ## Object Storage 
@@ -158,7 +158,7 @@ A principal is the target of a [bucket policy](#bucket-policy). They acquire the - The object does not have a Legal Hold in place. If it does, the Legal Hold Status Token must be set to OFF before deletion. - When the above criteria are met, you'll be able to use delete-object --version-id to permanently delete an object. -Refer to the [dedicated documentation](/object-storage/api-cli/object-lock/) for information on how to use object lock. +Refer to the [dedicated documentation](/object-storage/how-to/use-object-lock/) for information on how to use object lock. ## Retention period diff --git a/pages/object-storage/how-to/create-a-bucket.mdx b/pages/object-storage/how-to/create-a-bucket.mdx index 9b300428fb..3d3f33c256 100644 --- a/pages/object-storage/how-to/create-a-bucket.mdx +++ b/pages/object-storage/how-to/create-a-bucket.mdx 
@@ -21,17 +21,18 @@ To get started with Object Storage, you must first create a bucket. Objects are 1. Click **Object Storage** on the left side menu of the console. The Object Storage dashboard displays. 2. Click **+ Create bucket**. The bucket creation page displays. 3. Select the [region](/object-storage/concepts/#region-and-availability-zone) in which to create your bucket. -4. Check **Public** or **Private** to define the bucket visibility. The bucket visibility specifies whether everyone can see the list of objects in the bucket. It does not affect [object visibility](/object-storage/concepts/#visibility). +4. Enter a name for your bucket. +5. Check **Public** or **Private** to define the bucket visibility. The bucket visibility specifies whether everyone can see the list of objects in the bucket. It does not affect [object visibility](/object-storage/concepts/#visibility). A file uploaded to a public bucket is private by default. A private file stored in a public bucket is not publicly accessible. You can change the bucket visibility at any time from the **Bucket settings** tab. -5. Select a use case for your bucket. -6. Enable [bucket versioning](/object-storage/how-to/use-bucket-versioning/) if you want to store multiple versions of your objects (this may lead to higher storage costs). -7. If applicable, you can tick the **Activate 90-day free trial** to benefit from total 750 GB of free [Standard Multi-AZ and Standard One Zone](/object-storage/faq/#what-are-the-object-storage-classes-offered-by-scaleway) storage for buckets in your Organization, across all regions. Refer to our [dedicated FAQ](/object-storage/faq/#how-can-i-benefit-from-the-object-storage-free-trial) for more information. -8. Enter a name for your bucket. -9. Optionally, you can use the cost estimator to simulate your Object Storage costs. -10. Click **Create bucket** to confirm. A list of your buckets displays, showing the newly created bucket. 
- -You can find more information about your bucket by clicking on its name in the **Buckets** list, and then on the **Bucket settings** tab. \ No newline at end of file +6. Optionally, tick **SSE-ONE encryption with Scaleway Object Native Encryption keys** to encrypt your objects with keys managed by Scaleway. +7. Optionally, configure [bucket versioning](/object-storage/how-to/use-bucket-versioning/): + - Tick **Enable bucket versioning** to store multiple versions of your objects (this may lead to higher storage costs). + - Tick **Enable object lock** to prevent objects from being deleted or overwritten for a defined retention period. Object lock requires versioning to be enabled. +8. Select a use case for your bucket. +9. If applicable, you can **Activate the 90-day free trial** to benefit from a total of 750 GB of free [Standard Multi-AZ and Standard One Zone](/object-storage/faq/#what-are-the-object-storage-classes-offered-by-scaleway) storage for buckets in your Organization, across all regions. Refer to our [dedicated FAQ](/object-storage/faq/#how-can-i-benefit-from-the-object-storage-free-trial) for more information. +10. Optionally, you can use the cost estimator to simulate your Object Storage costs and environmental footprint. +11. Click **Create bucket** to confirm. You are directed to the **Files** tab of your newly created bucket. \ No newline at end of file diff --git a/pages/object-storage/how-to/use-bucket-versioning.mdx b/pages/object-storage/how-to/use-bucket-versioning.mdx index 4eb31fa2e1..e3c9860ab5 100644 --- a/pages/object-storage/how-to/use-bucket-versioning.mdx +++ b/pages/object-storage/how-to/use-bucket-versioning.mdx 
@@ -1,50 +1,122 @@ --- title: How to use bucket versioning description: Enable and manage bucket versioning for Object Storage. -tags: object storage object-storage bucket versioning archived +tags: object storage object-storage bucket versioning dates: - validation: 2025-07-01 + validation: 2026-05-20 posted: 2021-05-27 --- import Requirements from '@macros/iam/requirements.mdx' - Versioning is a feature designed to keep multiple variants of an object in the same bucket. When enabled, it allows you to store, retrieve, and restore every version of your objects stored in a bucket. Versioning allows you to easily recover your objects in case of unintended user actions or application failures. -- A Scaleway account logged into the [console](https://console.scaleway.com) +- A Scaleway account logged in to the [console](https://console.scaleway.com) - [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization -- An [Object Storage bucket](/object-storage/how-to/create-a-bucket/) + +## Versioning overview + +### General concepts + +- **Version ID**: a unique identifier generated for each object write. Combined with the object key, it forms the full object address. Without versioning, the key alone identifies the object. +- **Current version**: the most recent write. The console object list and any `GET` request without a version ID return this version by default. +- **Non-current (previous) version**: any older write. Non-current versions remain stored, are billable, and can be retrieved by version ID. +- **Delete marker**: a placeholder current version that a `DELETE` operation inserts on a versioned bucket. The object appears removed, but prior versions remain intact. Removing the delete marker restores the object. +- **`null` version**: an object written before versioning was enabled, or while versioning is suspended. It has no version ID, and only one `null` version exists per key. 
+- **Versioning states**: a bucket is `Unversioned` (versioning never enabled), `Enabled`, or `Suspended`. Once enabled, versioning cannot return to the `Unversioned` state, only to `Suspended`. + +### Object and bucket behavior + +An object version behaves like a regular object, except that a combination of the object key and a version ID identifies it, rather than the key alone. + +Buckets with versioning enabled observe the following behavior: + +| Situation | What happens to existing objects | What happens to new objects | +|-------------------------------------------------|--------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------| +| **Versioning never enabled** | Every object uploaded has a single `null` version. | Overwrites permanently replace the previous object, and deletes remove it completely. | +| **Versioning enabled from the start** | Every object uploaded receives a unique version ID. | Each subsequent write creates a new version automatically. | +| **Versioning disabled initially, then enabled** | Objects uploaded before the switch remain as a `null` version and are not versioned. | New objects are versioned, and overwrites create new versions. | +| **Versioning enabled, then suspended** | Existing versions stay exactly as they are, and are not removed automatically. | New objects do not get a version ID. Overwrites replace the current `null` version, but older versions remain in place. | +| **Versioning enabled, then bucket deleted** | All versions are deleted together when the bucket is removed. | N/A | ## How to enable versioning +This procedure explains how to enable versioning on an existing bucket. To create a new bucket with versioning enabled, refer to the [bucket creation documentation](/object-storage/how-to/create-a-bucket/). + 1. 
Click **Object Storage** in the **Storage** section of the side menu. A list of your buckets displays. 2. Click the name of the bucket in which you want to enable versioning. 3. Click the **Bucket settings** tab. 4. Scroll down and click the toggle under **Bucket versioning**. A pop-up appears. 5. Type **ENABLE** to confirm your action, then click **Enable bucket versioning** to proceed. - -Once versioning is enabled, uploading an object with the same name as an existing object will create a new version of it. This new version consumes storage as well, which may lead to higher costs. - +Once versioning is enabled, uploading an object with the same name as an existing object creates a new version of it. This new version consumes storage as well, which may lead to higher costs. ## How to manage object versions +### View object versions + +1. Click **Object Storage** in the **Storage** section of the side menu. A list of your buckets displays. +2. Click the name of your versioned bucket. A list of the objects it contains appears. +3. Click next to the object you want to manage, then click **Versioning**. A side-panel displays, containing the different versions of your object. + + Each object version displays the following elements: + - A unique version ID + - A status badge (**CURRENT**, **PREVIOUS**, or **DELETE MARKER**) + - The date of last modification + - The size of the version + - The storage class + - The object lock indicator + +### Add a new object version + +To add a new object version, upload an object with the same key as an existing one. + +### Restore an object to a previous version + +The Scaleway console does not currently provide a native restore action. To restore an object to a previous version, download the desired non-current version and upload it again. This action replaces the current version with the uploaded one. 
+ +## How to delete an object or a version + +When versioning is enabled, deleting an object inserts a delete marker as the current version rather than removing the object. You can also permanently delete a specific version of an object. + +### Insert a delete marker + 1. Click **Object Storage** in the **Storage** section of the side menu. A list of your buckets displays. -2. Click the name of your selected bucket. A list of the objects it contains appears. -3. Click next to the object you want to manage, then click **Versioning**. A list of the object versions displays. +2. Click the name of your versioned bucket. A list of the objects it contains appears. +3. Click next to the object you want to manage, then click **Versioning**. A side-panel displays, containing the different versions of your object. +4. Click **Mark as deleted** at the bottom of the side panel. A **delete marker** is inserted as the current version of your object. + +Objects with a delete marker as their current version do not appear in console listings, and return errors when called via the API or CLI tools. Previous versions persist and remain billable. -4. Click next to a non-current object version to download it, or permanently delete it. +### Delete a specific version - -To restore an object to a previous version, download the desired non-current version and upload it again. This action will replace the current version with the uploaded one. + +Deleting a specific version permanently removes that version. This action cannot be undone. +1. Click **Object Storage** in the **Storage** section of the side menu. A list of your buckets displays. +2. Click the name of your versioned bucket. A list of the objects it contains appears. +3. Click next to the object you want to manage, then click **Versioning**. A side-panel displays, containing the different versions of your object. +4. Click next to the version you want to delete, then click **Delete**. A confirmation pop-up appears. +5. 
Confirm the deletion to permanently remove the selected version. + +### Restore an object by removing its delete marker + +1. Click **Object Storage** in the **Storage** section of the side menu. A list of your buckets displays. +2. Click the name of your versioned bucket. A list of the objects it contains appears. +3. Use the search bar to locate the object you want to restore. +4. Click next to the object name, then click **Versioning**. A side-panel displays, containing the different versions of your object. +5. Delete the delete marker at the top of the versions list. + +The version that preceded the delete marker becomes the current version of your object. + ## How to suspend versioning +Once you enable versioning on a bucket, you can only suspend it rather than disable it completely. When versioning is suspended, existing object versions persist and remain billable. + 1. Click **Object Storage** in the **Storage** section of the side menu. A list of your buckets displays. 2. Click the name of your selected bucket. 3. Click the **Bucket settings** tab. 
@@ -52,5 +124,10 @@ To restore an object to a previous version, download the desired non-current ver 5. Type **SUSPEND** to confirm your action, then click **Suspend bucket versioning** to proceed. -Once versioning is suspended, no new object versions will be created. Versions created up until this point will remain stored and billable. Uploading an object with the same name as an existing object will overwrite it. +- Once versioning is suspended, no new object versions are created. Versions created up to that point remain stored and billable. Uploading an object with the same name as an existing object overwrites it. +- You cannot suspend versioning on a bucket with [object lock](/object-storage/how-to/use-object-lock/) enabled. + +## How to use versioning in combination with lifecycle rules + +Lifecycle rules can target non-current versions and delete markers to automatically expire or transition them, which is the main lever to control storage costs on a versioned bucket. Refer to the [lifecycle rules documentation](/object-storage/how-to/manage-lifecycle-rules/) for more information. \ No newline at end of file diff --git a/pages/object-storage/how-to/use-object-lock.mdx b/pages/object-storage/how-to/use-object-lock.mdx new file mode 100644 index 0000000000..cc7318b377 --- /dev/null +++ b/pages/object-storage/how-to/use-object-lock.mdx 
@@ -0,0 +1,396 @@ +--- +title: How to use object lock +description: Learn how to protect objects in Scaleway Object Storage using object lock, retention modes, and legal hold. +tags: object storage object-storage object-lock compliance governance retention legal-hold worm +dates: + validation: 2026-05-21 + posted: 2021-05-27 +--- + +import Requirements from '@macros/iam/requirements.mdx' + +Object lock prevents objects from being deleted or overwritten for a defined period or indefinitely. It uses a **write-once-read-many (WORM)** model, commonly required for regulatory compliance and protection against ransomware or accidental deletion. Object lock can only be used in buckets with versioning enabled. + +## Overview + +Object lock provides two mechanisms to protect your objects: **retention** and **legal hold**. You can enable either, or both, at the same time: + +- **Retention** allows you to apply a retention period and a retention mode to your objects, limiting the actions that users can perform on them: + - **Compliance mode** prevents users, including owners and users with administrative permissions, from deleting or overwriting objects during the specified retention period. The retention mode cannot be modified, and the retention period cannot be shortened. + - **Governance mode** prevents users without the necessary permissions from deleting or overwriting objects during the specified retention period. Authorized users can modify the retention settings and delete the targeted objects. + +- **Legal hold** is an independent ON/OFF switch that provides the same protection as retention but has no expiration date. It must be explicitly removed by a user with the appropriate permissions and is evaluated independently of any retention configuration. + +Object lock is supported on `Standard Multi-AZ`, `Standard One Zone`, and `Glacier` [storage classes](/object-storage/concepts/#storage-class). 
+ + + Once object lock is enabled on a bucket, it cannot be disabled and versioning cannot be suspended. + + + + +- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization +- Installed and configured the [AWS CLI](/object-storage/api-cli/object-storage-aws-cli/) + +## Enable object lock on a bucket + +You can enable object lock at bucket creation or on an existing bucket. + +### On a new bucket + + + + + To enable object lock during bucket creation, refer to the [dedicated how-to page](/object-storage/how-to/create-a-bucket/). + + + + + Run the command below to create a new bucket with object lock enabled. Replace `my-locked-bucket` with your bucket name. + + ```bash + aws s3api create-bucket \ + --bucket my-locked-bucket \ + --object-lock-enabled-for-bucket + ``` + + + + +### On an existing bucket + + + + + 1. Click **Object Storage** in the **Storage** section of the side menu. A list of your buckets displays. + 2. Click the name of the bucket for which you want to enable object lock. + 3. Click the **Bucket settings** tab. + 4. In the **Bucket versioning** section, click **Modify** under **Object lock**. + 5. Type **ENABLE** to confirm your action, then click **Confirm** to proceed. + + + + + Run the command below to enable object lock on an existing bucket. Replace `my-locked-bucket` with your bucket name. + + ```bash + aws s3api put-object-lock-configuration \ + --bucket my-locked-bucket \ + --object-lock-configuration '{"ObjectLockEnabled": "Enabled"}' + ``` + + If the command is successful, no output is returned. + + + + +## Apply retention to a specific object + +Object-level retention overrides the bucket default for that specific object. + + + + + 1. Click **Object Storage** in the **Storage** section of the side menu. A list of your buckets displays. + 2. Click the name of the desired bucket. A list of the objects it contains appears. + 3. 
Click next to the desired object, then click **Versioning**. A side panel displays the different versions of your object. + 4. Click next to the version ID you want to set up object lock for. A configuration pop-up displays. + 5. Tick **Enable retention mode**, then select one of the following: + - **Governance mode** to protect the selected version from being deleted or overwritten. Its duration can be shortened, and users with the appropriate permissions can bypass it. + - **Compliance mode** to protect the selected version from being deleted or overwritten. Its duration cannot be shortened, and no user (including the Organization owner) can bypass it. + 6. Enter a retain-until date in the `MM/DD/YYYY` format, then click **Save changes**. A confirmation pop-up displays. + 7. Verify the correct retention mode and retain-until date are selected, then click **Confirm** to proceed. + + + + + 1. Run the following command to apply the **compliance mode** to an object. Replace `my-locked-bucket`, `my-object`, and the date with your values. + + ```bash + aws s3api put-object-retention \ + --bucket my-locked-bucket \ + --key my-object \ + --retention '{ + "Mode": "COMPLIANCE", + "RetainUntilDate": "2028-01-01T00:00:00Z" + }' + ``` + + To use **Governance** mode instead, replace `COMPLIANCE` with `GOVERNANCE` and adjust the date. If the command is successful, no output is returned. + + 2. Run the following command to verify the configuration was applied correctly: + + ```bash + aws s3api get-object-retention \ + --bucket my-locked-bucket \ + --key my-object + ``` + + An output similar to the following displays: + + ```json + { + "Retention": { + "Mode": "COMPLIANCE", + "RetainUntilDate": "2028-01-01T00:00:00Z" + } + } + ``` + + + The `RetainUntilDate` must be an absolute timestamp in ISO 8601 format. + + + + + +## Manage legal hold on an object + +Legal hold is independent of retention settings and has no expiration date. 
It must be explicitly enabled and removed by a user with the necessary permissions. + + + + + 1. Click **Object Storage** in the **Storage** section of the side menu. A list of your buckets displays. + 2. Click the name of the desired bucket. A list of the objects it contains appears. + 3. Click next to the desired object, then click **Versioning**. A side panel displays the different versions of your object. + 4. Click next to the version ID you want to set up object lock for. A configuration pop-up displays. + 5. Enable **legal hold** to protect this version from being overwritten or deleted until the hold is explicitly removed by a user with the necessary permissions. + 6. Verify the correct settings are selected, then click **Confirm** to proceed. + + + + + 1. Run the following command to enable a legal hold on an object. Replace `my-locked-bucket` and `my-object` with the appropriate values. + + ```bash + aws s3api put-object-legal-hold \ + --bucket my-locked-bucket \ + --key my-object \ + --legal-hold Status=ON + ``` + + 2. Run the following command to verify the legal hold was applied: + + ```bash + aws s3api get-object-legal-hold \ + --bucket my-locked-bucket \ + --key my-object + ``` + + An output similar to the following displays: + + ```json + { + "LegalHold": { + "Status": "ON" + } + } + ``` + + 3. Run the following command to remove the legal hold: + + ```bash + aws s3api put-object-legal-hold \ + --bucket my-locked-bucket \ + --key my-object \ + --legal-hold Status=OFF + ``` + + + + +## Set a default retention policy on a bucket + +A default retention policy applies automatically to every new object added to the bucket. + + +Currently, you can only set a default retention policy using the AWS CLI, or other Amazon S3-compatible tools. + + +1. Run the following command to set a retention period of 365 days in **compliance mode**. Replace `my-locked-bucket` with your bucket name. 
+ + ```bash + aws s3api put-object-lock-configuration \ + --bucket my-locked-bucket \ + --object-lock-configuration '{ + "ObjectLockEnabled": "Enabled", + "Rule": { + "DefaultRetention": { + "Mode": "COMPLIANCE", + "Days": 365 + } + } + }' + ``` + + To use **Governance** mode with a duration in years, replace the `Rule` block: + + ```json + "Rule": { + "DefaultRetention": { + "Mode": "GOVERNANCE", + "Years": 5 + } + } + ``` + + No output is returned on success. + +2. Run the following command to verify the configuration was applied correctly: + + ```bash + aws s3api get-object-lock-configuration \ + --bucket my-locked-bucket + ``` + + An output similar to the following displays: + + ```json + { + "ObjectLockConfiguration": { + "ObjectLockEnabled": "Enabled", + "Rule": { + "DefaultRetention": { + "Mode": "COMPLIANCE", + "Days": 365 + } + } + } + } + ``` + + + Use either `Days` or `Years`, not both. The retention period starts from each object's creation date. + + +## Technical reference + +### Object lock configuration tokens + +#### `ObjectLockConfiguration` + +**Description:** Root element of the lock configuration. + +**Required:** Yes + +#### `ObjectLockEnabled` + +**Description:** Enables object lock on the bucket. + +**Type:** String — `Enabled` + +**Required:** Yes + +#### `Rule` + +**Description:** Default retention rule applied to every new object placed in the bucket. + +**Required:** No + +#### `Mode` + +**Description:** Default retention mode for new objects. + +**Type:** String — `GOVERNANCE` or `COMPLIANCE` + +**Required:** Yes, if `Rule` is set + +#### `Days` + +**Description:** Default retention duration in days. + +**Type:** Integer + +**Required:** Use `Days` or `Years`, not both + +#### `Years` + +**Description:** Default retention duration in years. + +**Type:** Integer + +**Required:** Use `Days` or `Years`, not both + +### Object retention tokens + +#### `Mode` + +**Description:** Retention mode for the object. 
+ +**Type:** String — `GOVERNANCE` or `COMPLIANCE` + +**Required:** Yes + +#### `RetainUntilDate` + +**Description:** Date on which the object retention expires. + +**Type:** Timestamp (ISO 8601) + +**Required:** Yes + +### Legal hold tokens + +#### `Status` + +**Description:** Enables or disables the legal hold on the object. + +**Type:** String — `ON` or `OFF` + +**Required:** Yes + +## Examples + +### Regulatory compliance bucket (compliance mode) + +This example sets up a bucket for strict regulatory retention: all objects are locked in compliance mode for seven years and cannot be deleted or overwritten by any user until the period expires. + +```bash +# Enable object lock on a new bucket +aws s3api create-bucket \ + --bucket my-compliance-bucket \ + --object-lock-enabled-for-bucket + +# Set a default seven-year compliance retention on all new objects +aws s3api put-object-lock-configuration \ + --bucket my-compliance-bucket \ + --object-lock-configuration '{ + "ObjectLockEnabled": "Enabled", + "Rule": { + "DefaultRetention": { + "Mode": "COMPLIANCE", + "Years": 7 + } + } + }' +``` + +Objects uploaded to `my-compliance-bucket` are automatically locked in compliance mode until seven years after their upload date. No user can shorten the retention period or delete objects before it expires. + +### Flexible protection bucket (governance mode + legal hold) + +This example sets up a bucket with a default governance retention of 90 days, then places an additional legal hold on a specific object under active investigation. 
+ +```bash +# Enable object lock on an existing bucket +aws s3api put-object-lock-configuration \ + --bucket my-governance-bucket \ + --object-lock-configuration '{ + "ObjectLockEnabled": "Enabled", + "Rule": { + "DefaultRetention": { + "Mode": "GOVERNANCE", + "Days": 90 + } + } + }' + +# Apply a legal hold to a specific object +aws s3api put-object-legal-hold \ + --bucket my-governance-bucket \ + --key audit/report-2026-05.pdf \ + --legal-hold Status=ON +``` + +Objects in `my-governance-bucket` are protected for 90 days under governance mode. Authorized users can override the retention if needed. The object `audit/report-2026-05.pdf` additionally has a legal hold, which blocks deletion regardless of the retention period and must be explicitly removed. diff --git a/pages/object-storage/menu.ts b/pages/object-storage/menu.ts index ca691672ac..013c68524e 100644 --- a/pages/object-storage/menu.ts +++ b/pages/object-storage/menu.ts @@ -47,7 +47,7 @@ export const objectStorageMenu = { slug: 'access-objects-via-https', }, { - label: 'Use bucket versioning', + label: 'Use versioning', slug: 'use-bucket-versioning', }, { @@ -62,6 +62,10 @@ export const objectStorageMenu = { label: 'Enable SSE-ONE', slug: 'enable-sse-one', }, + { + label: 'Use object lock', + slug: 'use-object-lock', + }, { label: 'Host healthcare data (HDS)', slug: 'host-healthcare-data', @@ -170,10 +174,6 @@ export const objectStorageMenu = { label: 'Managing bucket permissions for IP addresses', slug: 'manage-bucket-permissions-ip', }, - { - label: 'Setting up object lock', - slug: 'object-lock', - }, { label: 'Hosting static websites on a bucket', slug: 'bucket-website-api', diff --git a/pages/object-storage/troubleshooting/cannot-access-data.mdx b/pages/object-storage/troubleshooting/cannot-access-data.mdx index e01c317660..92c9460eab 100644 --- a/pages/object-storage/troubleshooting/cannot-access-data.mdx +++ b/pages/object-storage/troubleshooting/cannot-access-data.mdx 
@@ -33,7 +33,7 @@ I am experiencing issues while trying to access my buckets and objects stored on - Make sure there is no [bucket policy](/object-storage/concepts/#bucket-policy) that prevents you from deleting the bucket. If there is one, make sure that it [explicitly allows you](/object-storage/api-cli/bucket-policy/) to perform the desired action. -- Make sure that [Object lock](/object-storage/api-cli/object-lock/) has not been enabled on the bucket you try to access. +- Make sure that [Object lock](/object-storage/how-to/use-object-lock/) has not been enabled on the bucket you try to access. ## Going further diff --git a/pages/object-storage/troubleshooting/object-deletion-issues.mdx b/pages/object-storage/troubleshooting/object-deletion-issues.mdx index f0b5a37cad..9970e99f6b 100644 --- a/pages/object-storage/troubleshooting/object-deletion-issues.mdx +++ b/pages/object-storage/troubleshooting/object-deletion-issues.mdx @@ -34,7 +34,7 @@ A [DeleteObject](/object-storage/api-cli/object-operations/#deleteobject) operat ## Going further -- Refer to the [object lock documentation](/object-storage/api-cli/object-lock/) for more information. +- Refer to the [object lock documentation](/object-storage/how-to/use-object-lock/) for more information. - Refer to the [bucket versioning documentation](/object-storage/how-to/use-bucket-versioning/) for more information. diff --git a/tutorials/backup-strategies/index.mdx b/tutorials/backup-strategies/index.mdx index ca27a1aa34..58f905ed66 100644 --- a/tutorials/backup-strategies/index.mdx +++ b/tutorials/backup-strategies/index.mdx 
@@ -178,7 +178,7 @@ In Scaleway, backup compliance is primarily assured through a combination of **d To ensure that your backups cannot be altered, encrypted by ransomware, or maliciously deleted, Scaleway Object Storage provides an [object lock](/object-storage/api-cli/object-lock) feature (based on an Amazon S3 API functionality). -This feature uses a [Write-Once-Read-Many (WORM)](/object-storage/concepts/#retention-period) data protection model, a standard requirement for regulatory compliance. You can configure object lock in [two distinct retention modes](/object-storage/api-cli/object-lock/#retention-modes): +This feature uses a [Write-Once-Read-Many (WORM)](/object-storage/concepts/#retention-period) data protection model, a standard requirement for regulatory compliance. You can configure object lock in [two distinct retention modes](/object-storage/how-to/use-object-lock/#retention-modes): - **Compliance mode**: When a backup is locked in this mode, the object version cannot be overwritten or deleted by any user, not even an administrator, during the retention period. The retention mode cannot be changed, and the retention period cannot be shortened. The data can only be deleted once the lock expires or if the entire Scaleway account is deleted. - **Governance mode**: This mode offers strong protection but allows specific users with specialized permissions to alter the lock settings or delete the object if absolutely necessary.
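Review bot: in `use-bucket-versioning.mdx`, under "Restore an object to a previous version", the sentence "This action replaces the current version with the uploaded one" contradicts the statement earlier in the same file that uploading an object with an existing name "creates a new version of it". On a versioned bucket the re-uploaded copy becomes the new current version and the former current version stays stored as a previous version, still billable. Suggest wording the restore step that way. Under "Delete a specific version", it would also help to say that a version under retention or legal hold cannot be deleted, with a link to the new object lock page, since that is the case where the "Delete" action fails.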
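Review bot: the last hunk of `use-bucket-versioning.mdx` leaves the file without a trailing newline ("\ No newline at end of file" after the lifecycle rules paragraph); please add one. The first bullet under the suspend steps ("Versions created up to that point remain stored and billable") also repeats the sentence added at the top of "How to suspend versioning" ("existing object versions persist and remain billable"); keep one of the two.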
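Review bot: in the new `use-object-lock.mdx`, the CLI examples for `put-object-retention`, `get-object-retention` and `put-object-legal-hold` pass only `--bucket` and `--key`, while the console steps in the same sections have the user choose a specific version ID. State that without `--version-id` the call targets the current version, and show the flag in at least one example, so the CLI and console paths protect the same thing. Two smaller gaps: the "Object lock configuration tokens" reference lists `Rule`, `Mode`, `Days` and `Years` but not `DefaultRetention`, which every JSON example nests them under; and governance mode is described as bypassable by "users with the appropriate permissions" without naming the permission or the request option involved, which is the detail a reader needs to judge how strong that mode is.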
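Review bot: in `troubleshooting/cannot-access-data.mdx`, the touched bullet still tells the reader to "Make sure that Object lock has not been enabled on the bucket", but the page it now links to states that object lock cannot be disabled once enabled, so the check leads nowhere if the answer is yes. Suggest rewording it to check whether the object versions are under an active retention period or legal hold, and fixing "the bucket you try to access" to "the bucket you are trying to access" while the line is being edited.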
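Review bot: in `tutorials/backup-strategies/index.mdx`, the unchanged context line just above the edited one still links `[object lock](/object-storage/api-cli/object-lock)`, the path of the page this patch deletes; it needs the same update to `/object-storage/how-to/use-object-lock/`. The new target `/object-storage/how-to/use-object-lock/#retention-modes` also points at an anchor that no heading in the new page, as added in this patch, would generate (the modes are described under "Overview"). Either add a "Retention modes" heading there or link to `#overview`.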