From 87a882100f1484bca5abc6ba2be68e51e6d1e351 Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Mon, 18 May 2026 14:59:44 +0200 Subject: [PATCH 01/20] docs(object-storage): update object lock doc --- .../audit-trail/how-to/manage-adt-export.mdx | 2 +- pages/object-storage/api-cli/object-lock.mdx | 461 ------------------ .../api-cli/using-api-call-list.mdx | 10 +- pages/object-storage/concepts.mdx | 6 +- pages/object-storage/how-to/object-lock.mdx | 231 +++++++++ pages/object-storage/menu.ts | 8 +- .../troubleshooting/cannot-access-data.mdx | 2 +- .../object-deletion-issues.mdx | 2 +- tutorials/backup-strategies/index.mdx | 2 +- 9 files changed, 247 insertions(+), 477 deletions(-) delete mode 100644 pages/object-storage/api-cli/object-lock.mdx create mode 100644 pages/object-storage/how-to/object-lock.mdx diff --git a/pages/audit-trail/how-to/manage-adt-export.mdx b/pages/audit-trail/how-to/manage-adt-export.mdx index be58b19ba9..79457e79ed 100644 --- a/pages/audit-trail/how-to/manage-adt-export.mdx +++ b/pages/audit-trail/how-to/manage-adt-export.mdx @@ -18,7 +18,7 @@ By default, your event logs are exported to the `Standard` [storage class](/obje - A Scaleway account logged into the [console](https://console.scaleway.com) - [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization - Created [resources integrated](/audit-trail/reference-content/resource-integration-with-adt/) with Audit Trail -- [Created](/object-storage/how-to/create-a-bucket/) an Object Storage bucket with [object lock](/object-storage/api-cli/object-lock/#how-to-configure-bucket-lock) set up +- [Created](/object-storage/how-to/create-a-bucket/) an Object Storage bucket with [object lock](/object-storage/how-to/object-lock/#how-to-configure-bucket-lock) set up At this stage, an export includes all Audit Trail events by default, allowing only one active export configuration per region. Future updates will let you select specific events for export. diff --git a/pages/object-storage/api-cli/object-lock.mdx b/pages/object-storage/api-cli/object-lock.mdx deleted file mode 100644 index bcff0953e8..0000000000 --- a/pages/object-storage/api-cli/object-lock.mdx +++ /dev/null @@ -1,461 +0,0 @@ ---- -title: Setting up object lock -description: Learn to use object locking in Scaleway Object Storage for data protection. -tags: object storage object-storage object-lock bucket-test bucket test -dates: - validation: 2025-07-31 - posted: 2021-05-27 ---- -import Requirements from '@macros/iam/requirements.mdx' - - -The **object lock** feature allows users to lock objects and prevent them from being deleted or overwritten. Objects can be put on lock for a specific amount of time or indefinitely. The lock period is defined by the user. - -The feature uses a write-once-read-many (WORM) data protection model. This model is generally used in cases where data must not be altered once it has been written. It provides [regulatory compliance](https://en.wikipedia.org/wiki/Regulatory_compliance) and protection against ransomware, and malicious or accidental deletion of objects. - -Setting object lock can only be achieved upon the creation of a bucket. In addition, versioning is automatically enabled on the bucket and cannot be disabled. You must enable object lock if you wish to write a lock configuration. You can use the `PutObjectLockConfiguration` request with the object lock flag set. - - - Object Lock can be used with `Standard Multi-AZ`, `Standard One Zone` and `Glacier` [storage classes](/object-storage/concepts/#storage-class). - - - - -- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization -- Installed the [AWS CLI](/object-storage/api-cli/object-storage-aws-cli/) -- An [Object Storage bucket](/object-storage/how-to/create-a-bucket/) - -## How to configure bucket lock - -The lock Configuration enables you to set a lock configuration on a specified bucket. Once set, the rule specified in the object lock configuration is applied by default to every new object placed in the specified bucket. - -### XML lock configuration tokens - -`ObjectLockConfiguration` - - **Description:** Root level tag for the ObjectLockConfiguration parameters. - - **Required:** Yes - -`ObjectLockEnabled` - - **Description:** Indicates whether this bucket has an object lock configuration enabled. - - **Type:** String - - **Valid Values:** `Enabled` - - **Required:** Yes - -`Rule` - - **Description:** The object lock rule in place for the specified object. - - **Type:** ObjectLockRule data type - - **Required:** No - -`Mode` - - **Description:** The default object lock retention mode you want to apply to new objects placed in the specified bucket. - - **Type:** String - - **Valid Values:** `GOVERNANCE` or `COMPLIANCE` - -`Days` - - **Description:** The number of days that you want to specify for the default retention period. - - **Type:** Integer - -`Years` - - **Description:** The number of years that you want to specify for the default retention period. - - **Type:** Integer - - -### PUT Bucket - -This operation creates a new bucket with object lock. The `/lockedbucket` header is added to the standard PutBucket operation. - - - If the operation is successful, no output will be returned. - - -**Sample Request** -```xml -PUT /lockedbucket HTTP/1.1 -x-amz-bucket-object-lock-enabled: True -``` -### PUT Object lock Configuration - -This operation applies the lock configuration on a bucket. - - - If the operation is successful, no output will be returned. - - -**Sample Request** - -```xml -PUT /lockedbucket?object-lock HTTP/1.1 - - - Enabled - - - COMPLIANCE - 1000 - - - -``` - -**Sample Request** -```xml -PUT /lockedbucket?object-lock HTTP/1.1 - - - Enabled - - - GOVERNANCE - 30 - - - -``` - -**Sample Request** -```xml -PUT /lockedbucket?object-lock HTTP/1.1 - - - Enabled - -``` -### GET Object lock Configuration - -This operation returns the lock configuration. - -**Sample Request** -```xml -GET /lockedbucket?object-lock HTTP/1.1 -``` - -**Sample Response** -```xml - - Enabled - - - COMPLIANCE - 1000 - - - -``` - -**Sample Request** -```xml -GET /lockedbucket?object-lock HTTP/1.1 -``` - -**Sample Response** -```xml - - Enabled - - - GOVERNANCE - 30 - - - -``` - -**Sample Request** -```xml -GET /lockedbucket?object-lock HTTP/1.1 -``` - -**Sample Response** -```xml - - Enabled - -``` -### AWS-CLI Object lock configuration - -To use object lock, you have to create a bucket that supports the feature. - -You can create a bucket with the `--object-lock-enabled-for-bucket` flag, which enables object lock but does not activate it by default. If a bucket is created without `--object-lock-enabled-for-bucket`, the flag cannot be added later. - - - The following command does not apply object lock to the bucket's objects. Object lock has to be activated with a different command. - - -``` -aws s3api create-bucket --object-lock-enabled-for-bucket --bucket test-is-lock -``` -By default, object lock is not activated on buckets. To activate it, you can run the following command: - -```bash -aws s3api put-object-lock-configuration \ - --bucket my-bucket-with-object-lock \ - --object-lock-configuration '{ "ObjectLockEnabled": "Enabled", "Rule": { "DefaultRetention": { "Mode": "COMPLIANCE", "Days": 50 }}}' -``` - - - In the example above, the `object-lock-configuration` is set to 50 days on the specified bucket. - - -To view the object lock configuration of a bucket, run the following command: - - ```bash - aws s3api get-object-lock-configuration - --bucket test-is-lock - ``` - -An output similar to the following displays: - - ```json - { - "ObjectLockConfiguration": { - "ObjectLockEnabled": "Enabled", - "Rule": { - "DefaultRetention": { - "Mode": "COMPLIANCE", - "Days": 50 - } - } - } - } - ``` - -## How to configure object retention - -Object retention is a feature that guarantees your object is WORM-protected and cannot be overwritten or deleted. - -Object lock provides two modes to manage object retention: **Compliance** and **Governance**. It allows retention settings on individual objects in addition to default retention settings for all objects within a bucket. - -### Retention Modes - -**Compliance** - -When this mode is set, an object version cannot be overwritten or deleted by any user. If the **Compliance** mode is configured for an object, then its retention mode cannot be changed, and its retention period cannot be shortened. In other words, it ensures that an object version cannot be overwritten or deleted for the duration of the retention period. - - -When the compliance mode is enabled, it is only possible to overwrite it or delete an object once the object lock expires or upon deleting your Scaleway account. - - -**Governance** - -When this mode is set, all users with [permission](/iam/concepts/#permission) can alter lock settings. - - - The **Governance** mode ensures extra protection before any alterations can be completed. An object can be permanently deleted only if: - - A retention rule is applied, the governance retention date must be anterior to the present time - - The object does not have a legal hold in place. If it does, the legal hold [status token](/object-storage/api-cli/object-lock/#xml-legal-hold-configuration-token) must be set to OFF before deletion. - When the above criteria are met, you will be able to use `delete-object --version-id` to permanently delete an object. - - -### Retention Periods - -A retention period specifies a fixed period during which an object remains locked. - -### XML retention configuration token - -`Mode` - - **Description:** Indicates the retention mode for the specified object. - - **Type:** String - - **Valid Values:** `GOVERNANCE` or `COMPLIANCE` - - **Required:** Yes - -`RetainUntilDate` - - **Description:** The date on which this object lock retention will expire. - - **Type:** Timestamp (iso format) - - **Required:** Yes - -### Put Object retention - -Places an object retention configuration on an object. - - - If the operation is successful, no output will be returned. - - -**Sample Request** -```xml -PUT /lockedbucket/myobject?retention HTTP/1.1 -X-Amz-Date: 20201028T052225Z -X-Amz-Content-SHA256: c6998888096fe13a5d84de6db902e3b3c0b623565cd5f2be70330d6ed40dca91 -Authorization: XXX -Content-Length: 149 - - - COMPLIANCE - 2021-01-01T21:42:42Z - -``` - -**Sample Request** -```xml -PUT /lockedbucket/myobject?retention HTTP/1.1 -X-Amz-Date: 20201028T052346Z -X-Amz-Content-SHA256: 470bfbbffadc821f4b4a398154e9c300d741093205ddbdb25514351b64d64b31 -Authorization: XXX -Content-Length: 149 - - - GOVERNANCE - 2025-12-12T00:00:00Z - -``` - -### GET Object retention - -This operation returns the object retention settings. - -**Sample Request** -```xml -GET /lockedbucket/myobject?retention HTTP/1.1 -``` - -**Sample Response** -```xml - - COMPLIANCE - 2021-01-01T21:42:42Z - -``` - -**Sample Request** -```xml -GET /lockedbucket/myobject?retention HTTP/1.1 -``` - -**Sample Response** -```xml - - GOVERNANCE - 2025-12-12T00:00:00Z - -``` - -### AWS-CLI Object retention - -```bash -aws s3api put-object-retention \ - --bucket test-is-lock \ - --key go \ - --retention '{ "Mode": "COMPLIANCE", "RetainUntilDate": -"2021-01-01T21:42:42Z" }' -aws s3api get-object-retention - --bucket test-is-lock - --key ohno -{ - "Retention": { - "Mode": "COMPLIANCE", - "RetainUntilDate": "2050-09-21T18:52:27Z" - } -} -``` -## How to manage object legal hold - -Legal hold is an ON/OFF switch that can be applied to every object in a locked bucket, independently of the lock configuration, the object retention or the object age. It can be applied to objects which are locked. - -A legal hold provides the same protection as a retention period, but it has no expiration date. Instead, a legal hold remains in place until you explicitly remove it. - -### XML legal hold configuration token - -`Status`: - - **Description:** Indicates whether the specified object has a legal hold in place. - - **Type:** String - - **Valid Values:** `ON` or `OFF` - - **Required:** Yes - -### Put Object legal hold - -Applies a legal hold configuration to the specified object. - - - If the operation is successful, no output will be returned. - - -**Sample Request** -```xml -PUT /lockedbucket/myobject?legal-hold HTTP/1.1 -X-Amz-Date: 20201028T052448Z -X-Amz-Content-SHA256: 96b73c95a8d33e664ab2170e095025b47ebd55978bb71cebd6a51e394bf96722 -Authorization: XXX -Content-Length: 90 - - - ON - -``` - -**Sample Request** -```xml -PUT /lockedbucket/myobject?legal-hold HTTP/1.1 -X-Amz-Date: 20201028T052547Z -X-Amz-Content-SHA256: 33cb1c62439a66fbcbca4ffb243b013ceb212075048f72ab4383f73afb5c4bd9 -Authorization: XXX -Content-Length: 91 - - - OFF - -``` - -### GET Object legal hold - -Returns the legal hold configuration of the specified object. - -**Sample Request** -```xml -GET /lockedbucket/myobject?legal-hold HTTP/1.1 -``` -**Sample Response** -```xml - - ON - -``` - -**Sample Request** -```xml -GET /lockedbucket/myobject?legal-hold HTTP/1.1 -``` - -**Sample Response** -```xml - - OFF - -``` -### AWS-CLI Object legal hold - -Run the command below to apply a legal hold: - -```bash -aws s3api put-object-legal-hold - --bucket test-is-lock - --key go - --version-id 1601317928668527 - --legal-hold Status=ON -``` - -Run the command below to retrieve the legal hold status of an object: - -```bash -aws s3api get-object-legal-hold - --bucket test-is-lock - --key go - --version-id 1601317928668527 -``` - -An output similar to the following displays: - -```json -{ - "LegalHold": { - "Status": "ON" - } -} -``` - -### Object lock limitations - -- When enabling the compliance mode, the only way to overwrite it is to wait for the lock to be outdated or to delete your Scaleway account. - -- A bucket that has object lock enabled cannot be deleted via the Scaleway console. - -- If you set lifecycle expiration rules on some of your objects, the objects that are locked or have a legal hold enabled are ignored by the lifecycle engine. Hence, those objects will not be deleted. diff --git a/pages/object-storage/api-cli/using-api-call-list.mdx b/pages/object-storage/api-cli/using-api-call-list.mdx index 9dface5b2a..0c9ed7ecbd 100644 --- a/pages/object-storage/api-cli/using-api-call-list.mdx +++ b/pages/object-storage/api-cli/using-api-call-list.mdx @@ -75,9 +75,9 @@ In this page we index all available Scaleway Object Storage API requests. | [DeleteObjectTagging](/object-storage/api-cli/object-operations/#deleteobjecttagging) | Deletes the tag(s) of an object | supported | | [GetObject](/object-storage/api-cli/object-operations/#getobject) | Retrieves an object | supported | | [GetObjectAcl](/object-storage/api-cli/object-operations/#getobjectacl) | Gets the ACL of an object | supported | -| [GetObjectLegalHold](/object-storage/api-cli/object-lock/#get-object-legal-hold) | Gets an object's current [Legal Hold configuration](/object-storage/api-cli/object-lock/#how-to-manage-object-legal-hold) | supported | -| [GetObjectLockConfiguration](/object-storage/api-cli/object-lock/#get-object-lock-configuration) | Gets an [object Lock configuration](/object-storage/api-cli/object-lock/) for a bucket. The specified rule will be applied by default to every new object placed in the bucket | supported | -| [GetObjectRetention](/object-storage/api-cli/object-lock/#get-object-retention) | Retrieves an object's [retention settings](/object-storage/api-cli/object-lock/#how-to-configure-object-retention) | supported | +| [GetObjectLegalHold](/object-storage/how-to/object-lock/#get-object-legal-hold) | Gets an object's current [Legal Hold configuration](/object-storage/how-to/object-lock/#how-to-manage-object-legal-hold) | supported | +| [GetObjectLockConfiguration](/object-storage/how-to/object-lock/#get-object-lock-configuration) | Gets an [object Lock configuration](/object-storage/how-to/object-lock/) for a bucket. The specified rule will be applied by default to every new object placed in the bucket | supported | +| [GetObjectRetention](/object-storage/how-to/object-lock/#get-object-retention) | Retrieves an object's [retention settings](/object-storage/how-to/object-lock/#how-to-configure-object-retention) | supported | | [GetObjectTagging](/object-storage/api-cli/object-operations/#getobjecttagging) | Get the tag(s) of an object | supported | | [HeadObject](/object-storage/api-cli/object-operations/#headobject) | Gets object metadata | supported | | [ListMultipart](/object-storage/api-cli/multipart-uploads/#listing-multipart-uploads) | Lists in-progress multipart uploads | supported | @@ -86,9 +86,9 @@ In this page we index all available Scaleway Object Storage API requests. | [PutObject](/object-storage/api-cli/object-operations/#putobject) | Adds an object to a bucket | supported | | [PutObjectAcl](/object-storage/api-cli/object-operations/#putobjectacl) | Adds an ACL to an object | supported | | [PutObjectTagging](/object-storage/api-cli/object-operations/#putobjecttagging) | Adds one or several tags to an object | supported | -| [PutObjectLegalHold](/object-storage/api-cli/object-lock/#put-object-legal-hold) | Applies a [Legal Hold configuration](/object-storage/api-cli/object-lock/#how-to-manage-object-legal-hold) to the specified object | supported | +| [PutObjectLegalHold](/object-storage/how-to/object-lock/#put-object-legal-hold) | Applies a [Legal Hold configuration](/object-storage/how-to/object-lock/#how-to-manage-object-legal-hold) to the specified object | supported | | PutObjectLockConfiguration | Sets an object lock configuration on a specified bucket | supported | -| [PutObjectRetention](/object-storage/api-cli/object-lock/#put-object-retention) | Places an [object Retention configuration](/object-storage/api-cli/object-lock/#how-to-configure-object-retention) on an object | supported | +| [PutObjectRetention](/object-storage/how-to/object-lock/#put-object-retention) | Places an [object Retention configuration](/object-storage/how-to/object-lock/#how-to-configure-object-retention) on an object | supported | | [RestoreObject](/object-storage/api-cli/object-operations/#restoreobject) | Restores an object from `Glacier` | supported | | [UploadPart](/object-storage/api-cli/multipart-uploads/#uploading-a-part) | Uploads a part in a multipart upload | supported | | UploadPartCopy | Copies data from an existing object as data source to upload a part | supported | diff --git a/pages/object-storage/concepts.mdx b/pages/object-storage/concepts.mdx index d25b981984..9ec946f8d0 100644 --- a/pages/object-storage/concepts.mdx +++ b/pages/object-storage/concepts.mdx @@ -63,7 +63,7 @@ An endpoint represents one end of a communication channel. In the context of Obj A legal hold provides the same protection as a retention period, but it has no expiration date. It takes the form of an ON/OFF switch that can be applied to every object in a locked bucket, independently of the lock configuration, or the object retention or its age. It can be applied to objects which are locked. A legal hold remains in place until you explicitly remove it. -Refer to our [dedicated documentation](/object-storage/api-cli/object-lock/#how-to-manage-object-legal-hold) for more information. +Refer to our [dedicated documentation](/object-storage/how-to/object-lock/#how-to-manage-object-legal-hold) for more information. ## Lifecycle configuration @@ -102,7 +102,7 @@ An Amazon S3 API feature that allows users to lock objects to prevent them from The feature uses a write-once-read-many (WORM) data protection model. This model is generally used in cases where data cannot be altered once it has been written. It provides regulatory compliance and protection against ransomware and malicious or accidental deletion of objects. -Refer to our [dedicated documentation](/object-storage/api-cli/object-lock/#how-to-manage-object-legal-hold) for more information. +Refer to our [dedicated documentation](/object-storage/how-to/object-lock/#how-to-manage-object-legal-hold) for more information. ## Object Storage @@ -158,7 +158,7 @@ A principal is the target of a [bucket policy](#bucket-policy). They acquire the - The object does not have a Legal Hold in place. If it does, the Legal Hold Status Token must be set to OFF before deletion. - When the above criteria are met, you'll be able to use delete-object --version-id to permanently delete an object. -Refer to the [dedicated documentation](/object-storage/api-cli/object-lock/) for information on how to use object lock. +Refer to the [dedicated documentation](/object-storage/how-to/object-lock/) for information on how to use object lock. ## Retention period diff --git a/pages/object-storage/how-to/object-lock.mdx b/pages/object-storage/how-to/object-lock.mdx new file mode 100644 index 0000000000..1f352f5459 --- /dev/null +++ b/pages/object-storage/how-to/object-lock.mdx @@ -0,0 +1,231 @@ +--- +title: How to use Object Lock +description: Learn how to protect objects in Scaleway Object Storage using object lock, retention modes, and legal hold. +tags: object storage object-storage object-lock compliance governance retention legal-hold worm +dates: + validation: 2026-05-18 + posted: 2021-05-27 +--- +import Requirements from '@macros/iam/requirements.mdx' + +Object lock prevents objects from being deleted or overwritten for a defined period or indefinitely. It uses a **write-once-read-many (WORM)** model, commonly required for regulatory compliance and protection against ransomware or accidental deletion. Object lock can only be used in buckets with versioning enabled. + +Object lock provides two mechanisms to protect your objects: **retention** and **legal hold**. You can enable either, or both at the same time: + +- **Retention** allows you to apply a retention period, and a retention mode for your objects, to limit the actions that users can perform on them: + - **Compliance mode** prevents users, including owners and users with administrative permissions, from deleting or overwriting objects during the specified retention period. The retention mode cannot be modified, and the retention period cannot be shortened. + - **Governance mode** prevents users without the necessary permissions from deleting or overwriting objects during the specified retention period. Authorized users can modify the retention settings, and delete the targeted objects. + +- **Legal hold** is an independent that provides the same protection as the retention, but has no expiration date. It must be explicitly removed by a user with the appropriate permissions, and is evaluated independently of any retention configuration. + +Object Lock is supported on `Standard Multi-AZ`, `Standard One Zone`, and `Glacier` [storage classes](/object-storage/concepts/#storage-class). + + + Once Object Lock is enabled on a bucket, it cannot be disabled and versioning cannot be suspended. + + + + +- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization +- Installed and configured the [AWS CLI](/object-storage/api-cli/object-storage-aws-cli/) + +## Enable Object Lock on a bucket + +You can enable Object Lock at bucket creation, or on an existing bucket. + +### On a new bucket + +Use the `--object-lock-enabled-for-bucket` flag when creating the bucket. Replace `my-locked-bucket` with your bucket name. + +```bash +aws s3api create-bucket \ + --bucket my-locked-bucket \ + --object-lock-enabled-for-bucket +``` + +### On an existing bucket + +Use `put-object-lock-configuration` with `"ObjectLockEnabled": "Enabled"`. Replace `my-locked-bucket` with your bucket name. + +```bash +aws s3api put-object-lock-configuration \ + --bucket my-locked-bucket \ + --object-lock-configuration '{"ObjectLockEnabled": "Enabled"}' +``` + +No output is returned on success. This enables Object Lock without setting a default retention policy. To add a default retention policy, see the [next section](#set-a-default-retention-policy-on-a-bucket). + +## Set a default retention policy on a bucket + +A default retention policy applies automatically to every new object added to the bucket. + +1. Run the following command to set a **Compliance** retention of 365 days. Replace `my-locked-bucket` with your bucket name. + + ```bash + aws s3api put-object-lock-configuration \ + --bucket my-locked-bucket \ + --object-lock-configuration '{ + "ObjectLockEnabled": "Enabled", + "Rule": { + "DefaultRetention": { + "Mode": "COMPLIANCE", + "Days": 365 + } + } + }' + ``` + + To use **Governance** mode with a duration in years instead, replace the `Rule` block: + + ```json + "Rule": { + "DefaultRetention": { + "Mode": "GOVERNANCE", + "Years": 5 + } + } + ``` + + No output is returned on success. + +2. Run the following command to check the configuration was properly applied: + + ```bash + aws s3api get-object-lock-configuration \ + --bucket my-locked-bucket + ``` + + An output similar to the following displays: + + ```json + { + "ObjectLockConfiguration": { + "ObjectLockEnabled": "Enabled", + "Rule": { + "DefaultRetention": { + "Mode": "COMPLIANCE", + "Days": 365 + } + } + } + } + ``` + + + Use either `Days` or `Years`, not both. The retention period starts from each object's creation date. + + +## Apply retention to a specific object + +Object-level retention overrides the bucket default for that specific object. The `RetainUntilDate` must be an absolute timestamp in ISO 8601 format. + +1. Run the following command to apply **Compliance** retention to an object. Replace `my-locked-bucket`, `my-object`, and the date with your values. + + ```bash + aws s3api put-object-retention \ + --bucket my-locked-bucket \ + --key my-object \ + --retention '{ + "Mode": "COMPLIANCE", + "RetainUntilDate": "2028-01-01T00:00:00Z" + }' + ``` + + To use **Governance** mode instead, replace `COMPLIANCE` with `GOVERNANCE` and adjust the date. + + No output is returned on success. + +2. Run the following command to check the configuration was properly applied: + + ```bash + aws s3api get-object-retention \ + --bucket my-locked-bucket \ + --key my-object + ``` + + An output similar to the following displays: + + ```json + { + "Retention": { + "Mode": "COMPLIANCE", + "RetainUntilDate": "2028-01-01T00:00:00Z" + } + } + ``` + + + +## Manage legal hold on an object + +Legal hold is independent of retention settings and has no expiration date. It must be explicitly enabled and removed by a user with the necessary permissions. + +1. Run the following command to enable a legal hold on an object. Replace `my-locked-bucket` and `my-object` with the appropriate values. + + ```bash + aws s3api put-object-legal-hold \ + --bucket my-locked-bucket \ + --key my-object \ + --legal-hold Status=ON + ``` + + +3. Run the following command to check if legal hold was properly applied: + + ```bash + aws s3api get-object-legal-hold \ + --bucket my-locked-bucket \ + --key my-object + ``` + +2. To remove the legal hold: + + ```bash + aws s3api put-object-legal-hold \ + --bucket my-locked-bucket \ + --key my-object \ + --legal-hold Status=OFF + ``` + + An output similar to the following displays: + + ```json + { + "LegalHold": { + "Status": "ON" + } + } + ``` + +## Limitations + +- **Object Lock cannot be disabled** once enabled on a bucket, and versioning cannot be suspended. +- **Compliance mode is irreversible during the retention period.** No user can delete or overwrite a COMPLIANCE-locked object until the retention period expires. The only exception is deleting your Scaleway account. +- **Locked buckets cannot be deleted** via the Scaleway console. All locks must expire and all legal holds must be removed before a bucket can be deleted. +- **Lifecycle expiration rules do not apply** to objects with an active lock or legal hold. Those objects are skipped by the lifecycle engine and will not be deleted automatically. + +## Technical reference + +### Bucket lock configuration tokens + +| Token | Description | Type | Required | +|---|---|---|---| +| `ObjectLockConfiguration` | Root element | — | Yes | +| `ObjectLockEnabled` | Enables Object Lock on the bucket | String: `Enabled` | Yes | +| `Rule` | Default retention rule applied to new objects | ObjectLockRule | No | +| `Mode` | Retention mode | String: `GOVERNANCE` or `COMPLIANCE` | Required if `Rule` is set | +| `Days` | Retention duration in days | Integer | `Days` or `Years`, not both | +| `Years` | Retention duration in years | Integer | `Days` or `Years`, not both | + +### Object retention tokens + +| Token | Description | Type | Required | +|---|---|---|---| +| `Mode` | Retention mode for the object | String: `GOVERNANCE` or `COMPLIANCE` | Yes | +| `RetainUntilDate` | Retention expiry date | Timestamp (ISO 8601) | Yes | + +### Legal hold tokens + +| Token | Description | Type | Required | +|---|---|---|---| +| `Status` | Legal hold state | String: `ON` or `OFF` | Yes | diff --git a/pages/object-storage/menu.ts b/pages/object-storage/menu.ts index ca691672ac..0d2b9ba09c 100644 --- a/pages/object-storage/menu.ts +++ b/pages/object-storage/menu.ts @@ -62,6 +62,10 @@ export const objectStorageMenu = { label: 'Enable SSE-ONE', slug: 'enable-sse-one', }, + { + label: 'Enable object lock', + slug: 'object-lock', + }, { label: 'Host healthcare data (HDS)', slug: 'host-healthcare-data', @@ -170,10 +174,6 @@ export const objectStorageMenu = { label: 'Managing bucket permissions for IP addresses', slug: 'manage-bucket-permissions-ip', }, - { - label: 'Setting up object lock', - slug: 'object-lock', - }, { label: 'Hosting static websites on a bucket', slug: 'bucket-website-api', diff --git a/pages/object-storage/troubleshooting/cannot-access-data.mdx b/pages/object-storage/troubleshooting/cannot-access-data.mdx index e01c317660..e26b55cf8b 100644 --- a/pages/object-storage/troubleshooting/cannot-access-data.mdx +++ b/pages/object-storage/troubleshooting/cannot-access-data.mdx @@ -33,7 +33,7 @@ I am experiencing issues while trying to access my buckets and objects stored on - Make sure there is no [bucket policy](/object-storage/concepts/#bucket-policy) that prevents you from deleting the bucket. If there is one, make sure that it [explicitly allows you](/object-storage/api-cli/bucket-policy/) to perform the desired action. -- Make sure that [Object lock](/object-storage/api-cli/object-lock/) has not been enabled on the bucket you try to access. +- Make sure that [Object lock](/object-storage/how-to/object-lock/) has not been enabled on the bucket you try to access. ## Going further diff --git a/pages/object-storage/troubleshooting/object-deletion-issues.mdx b/pages/object-storage/troubleshooting/object-deletion-issues.mdx index f0b5a37cad..789e3219fa 100644 --- a/pages/object-storage/troubleshooting/object-deletion-issues.mdx +++ b/pages/object-storage/troubleshooting/object-deletion-issues.mdx @@ -34,7 +34,7 @@ A [DeleteObject](/object-storage/api-cli/object-operations/#deleteobject) operat ## Going further -- Refer to the [object lock documentation](/object-storage/api-cli/object-lock/) for more information. +- Refer to the [object lock documentation](/object-storage/how-to/object-lock/) for more information. - Refer to the [bucket versioning documentation](/object-storage/how-to/use-bucket-versioning/) for more information. diff --git a/tutorials/backup-strategies/index.mdx b/tutorials/backup-strategies/index.mdx index ca27a1aa34..067f7cbb83 100644 --- a/tutorials/backup-strategies/index.mdx +++ b/tutorials/backup-strategies/index.mdx @@ -178,7 +178,7 @@ In Scaleway, backup compliance is primarily assured through a combination of **d To ensure that your backups cannot be altered, encrypted by ransomware, or maliciously deleted, Scaleway Object Storage provides an [object lock](/object-storage/api-cli/object-lock) feature (based on an Amazon S3 API functionality). -This feature uses a [Write-Once-Read-Many (WORM)](/object-storage/concepts/#retention-period) data protection model, a standard requirement for regulatory compliance. You can configure object lock in [two distinct retention modes](/object-storage/api-cli/object-lock/#retention-modes): +This feature uses a [Write-Once-Read-Many (WORM)](/object-storage/concepts/#retention-period) data protection model, a standard requirement for regulatory compliance. You can configure object lock in [two distinct retention modes](/object-storage/how-to/object-lock/#retention-modes): - **Compliance mode**: When a backup is locked in this mode, the object version cannot be overwritten or deleted by any user, not even an administrator, during the retention period. The retention mode cannot be changed, and the retention period cannot be shortened. The data can only be deleted once the lock expires or if the entire Scaleway account is deleted. - **Governance mode**: This mode offers strong protection but allows specific users with specialized permissions to alter the lock settings or delete the object if absolutely necessary. From 64a82ee9b8a63e6e2a23c799b1f53ebafea9b0b6 Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Tue, 19 May 2026 15:27:30 +0200 Subject: [PATCH 02/20] docs(object-storage): update --- pages/audit-trail/how-to/manage-adt-export.mdx | 2 +- pages/object-storage/api-cli/using-api-call-list.mdx | 10 +++++----- pages/object-storage/concepts.mdx | 6 +++--- pages/object-storage/how-to/use-bucket-versioning.mdx | 3 ++- .../how-to/{object-lock.mdx => use-object-lock.mdx} | 0 .../troubleshooting/cannot-access-data.mdx | 2 +- .../troubleshooting/object-deletion-issues.mdx | 2 +- tutorials/backup-strategies/index.mdx | 2 +- 8 files changed, 14 insertions(+), 13 deletions(-) rename pages/object-storage/how-to/{object-lock.mdx => use-object-lock.mdx} (100%) diff --git a/pages/audit-trail/how-to/manage-adt-export.mdx b/pages/audit-trail/how-to/manage-adt-export.mdx index 79457e79ed..85fa506cda 100644 --- a/pages/audit-trail/how-to/manage-adt-export.mdx +++ b/pages/audit-trail/how-to/manage-adt-export.mdx @@ -18,7 +18,7 @@ By default, your event logs are exported to the `Standard` [storage class](/obje - A Scaleway account logged into the [console](https://console.scaleway.com) - [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization - Created [resources integrated](/audit-trail/reference-content/resource-integration-with-adt/) with Audit Trail -- [Created](/object-storage/how-to/create-a-bucket/) an Object Storage bucket with [object lock](/object-storage/how-to/object-lock/#how-to-configure-bucket-lock) set up +- [Created](/object-storage/how-to/create-a-bucket/) an Object Storage bucket with [object lock](/object-storage/how-to/use-object-lock/#how-to-configure-bucket-lock) set up At this stage, an export includes all Audit Trail events by default, allowing only one active export configuration per region. Future updates will let you select specific events for export. diff --git a/pages/object-storage/api-cli/using-api-call-list.mdx b/pages/object-storage/api-cli/using-api-call-list.mdx index 0c9ed7ecbd..57216d85e6 100644 --- a/pages/object-storage/api-cli/using-api-call-list.mdx +++ b/pages/object-storage/api-cli/using-api-call-list.mdx @@ -75,9 +75,9 @@ In this page we index all available Scaleway Object Storage API requests. | [DeleteObjectTagging](/object-storage/api-cli/object-operations/#deleteobjecttagging) | Deletes the tag(s) of an object | supported | | [GetObject](/object-storage/api-cli/object-operations/#getobject) | Retrieves an object | supported | | [GetObjectAcl](/object-storage/api-cli/object-operations/#getobjectacl) | Gets the ACL of an object | supported | -| [GetObjectLegalHold](/object-storage/how-to/object-lock/#get-object-legal-hold) | Gets an object's current [Legal Hold configuration](/object-storage/how-to/object-lock/#how-to-manage-object-legal-hold) | supported | -| [GetObjectLockConfiguration](/object-storage/how-to/object-lock/#get-object-lock-configuration) | Gets an [object Lock configuration](/object-storage/how-to/object-lock/) for a bucket. The specified rule will be applied by default to every new object placed in the bucket | supported | -| [GetObjectRetention](/object-storage/how-to/object-lock/#get-object-retention) | Retrieves an object's [retention settings](/object-storage/how-to/object-lock/#how-to-configure-object-retention) | supported | +| [GetObjectLegalHold](/object-storage/how-to/use-object-lock/#get-object-legal-hold) | Gets an object's current [Legal Hold configuration](/object-storage/how-to/use-object-lock/#how-to-manage-object-legal-hold) | supported | +| [GetObjectLockConfiguration](/object-storage/how-to/use-object-lock/#get-object-lock-configuration) | Gets an [object Lock configuration](/object-storage/how-to/use-object-lock/) for a bucket. The specified rule will be applied by default to every new object placed in the bucket | supported | +| [GetObjectRetention](/object-storage/how-to/use-object-lock/#get-object-retention) | Retrieves an object's [retention settings](/object-storage/how-to/use-object-lock/#how-to-configure-object-retention) | supported | | [GetObjectTagging](/object-storage/api-cli/object-operations/#getobjecttagging) | Get the tag(s) of an object | supported | | [HeadObject](/object-storage/api-cli/object-operations/#headobject) | Gets object metadata | supported | | [ListMultipart](/object-storage/api-cli/multipart-uploads/#listing-multipart-uploads) | Lists in-progress multipart uploads | supported | @@ -86,9 +86,9 @@ In this page we index all available Scaleway Object Storage API requests. | [PutObject](/object-storage/api-cli/object-operations/#putobject) | Adds an object to a bucket | supported | | [PutObjectAcl](/object-storage/api-cli/object-operations/#putobjectacl) | Adds an ACL to an object | supported | | [PutObjectTagging](/object-storage/api-cli/object-operations/#putobjecttagging) | Adds one or several tags to an object | supported | -| [PutObjectLegalHold](/object-storage/how-to/object-lock/#put-object-legal-hold) | Applies a [Legal Hold configuration](/object-storage/how-to/object-lock/#how-to-manage-object-legal-hold) to the specified object | supported | +| [PutObjectLegalHold](/object-storage/how-to/use-object-lock/#put-object-legal-hold) | Applies a [Legal Hold configuration](/object-storage/how-to/use-object-lock/#how-to-manage-object-legal-hold) to the specified object | supported | | PutObjectLockConfiguration | Sets an object lock configuration on a specified bucket | supported | -| [PutObjectRetention](/object-storage/how-to/object-lock/#put-object-retention) | Places an [object Retention configuration](/object-storage/how-to/object-lock/#how-to-configure-object-retention) on an object | supported | +| [PutObjectRetention](/object-storage/how-to/use-object-lock/#put-object-retention) | Places an [object Retention configuration](/object-storage/how-to/use-object-lock/#how-to-configure-object-retention) on an object | supported | | [RestoreObject](/object-storage/api-cli/object-operations/#restoreobject) | Restores an object from `Glacier` | supported | | [UploadPart](/object-storage/api-cli/multipart-uploads/#uploading-a-part) | Uploads a part in a multipart upload | supported | | UploadPartCopy | Copies data from an existing object as data source to upload a part | supported | diff --git a/pages/object-storage/concepts.mdx b/pages/object-storage/concepts.mdx index 9ec946f8d0..fc3a5021f0 100644 --- a/pages/object-storage/concepts.mdx +++ b/pages/object-storage/concepts.mdx @@ -63,7 +63,7 @@ An endpoint represents one end of a communication channel. In the context of Obj A legal hold provides the same protection as a retention period, but it has no expiration date. It takes the form of an ON/OFF switch that can be applied to every object in a locked bucket, independently of the lock configuration, or the object retention or its age. It can be applied to objects which are locked. A legal hold remains in place until you explicitly remove it. -Refer to our [dedicated documentation](/object-storage/how-to/object-lock/#how-to-manage-object-legal-hold) for more information. +Refer to our [dedicated documentation](/object-storage/how-to/use-object-lock/#how-to-manage-object-legal-hold) for more information. ## Lifecycle configuration @@ -102,7 +102,7 @@ An Amazon S3 API feature that allows users to lock objects to prevent them from The feature uses a write-once-read-many (WORM) data protection model. This model is generally used in cases where data cannot be altered once it has been written. It provides regulatory compliance and protection against ransomware and malicious or accidental deletion of objects. -Refer to our [dedicated documentation](/object-storage/how-to/object-lock/#how-to-manage-object-legal-hold) for more information. +Refer to our [dedicated documentation](/object-storage/how-to/use-object-lock/#how-to-manage-object-legal-hold) for more information. ## Object Storage @@ -158,7 +158,7 @@ A principal is the target of a [bucket policy](#bucket-policy). They acquire the - The object does not have a Legal Hold in place. If it does, the Legal Hold Status Token must be set to OFF before deletion. - When the above criteria are met, you'll be able to use delete-object --version-id to permanently delete an object. -Refer to the [dedicated documentation](/object-storage/how-to/object-lock/) for information on how to use object lock. +Refer to the [dedicated documentation](/object-storage/how-to/use-object-lock/) for information on how to use object lock. ## Retention period diff --git a/pages/object-storage/how-to/use-bucket-versioning.mdx b/pages/object-storage/how-to/use-bucket-versioning.mdx index 4eb31fa2e1..17eaa430ba 100644 --- a/pages/object-storage/how-to/use-bucket-versioning.mdx +++ b/pages/object-storage/how-to/use-bucket-versioning.mdx @@ -52,5 +52,6 @@ To restore an object to a previous version, download the desired non-current ver 5. Type **SUSPEND** to confirm your action, then click **Suspend bucket versioning** to proceed. -Once versioning is suspended, no new object versions will be created. Versions created up until this point will remain stored and billable. Uploading an object with the same name as an existing object will overwrite it. +- Once versioning is suspended, no new object versions will be created. Versions created up until this point will remain stored and billable. Uploading an object with the same name as an existing object will overwrite it. +- You cannot suspend versioning on a bucket with [object lock](/object-storage/how-to/use-object-lock/) enabled. diff --git a/pages/object-storage/how-to/object-lock.mdx b/pages/object-storage/how-to/use-object-lock.mdx similarity index 100% rename from pages/object-storage/how-to/object-lock.mdx rename to pages/object-storage/how-to/use-object-lock.mdx diff --git a/pages/object-storage/troubleshooting/cannot-access-data.mdx b/pages/object-storage/troubleshooting/cannot-access-data.mdx index e26b55cf8b..92c9460eab 100644 --- a/pages/object-storage/troubleshooting/cannot-access-data.mdx +++ b/pages/object-storage/troubleshooting/cannot-access-data.mdx @@ -33,7 +33,7 @@ I am experiencing issues while trying to access my buckets and objects stored on - Make sure there is no [bucket policy](/object-storage/concepts/#bucket-policy) that prevents you from deleting the bucket. If there is one, make sure that it [explicitly allows you](/object-storage/api-cli/bucket-policy/) to perform the desired action. -- Make sure that [Object lock](/object-storage/how-to/object-lock/) has not been enabled on the bucket you try to access. +- Make sure that [Object lock](/object-storage/how-to/use-object-lock/) has not been enabled on the bucket you try to access. ## Going further diff --git a/pages/object-storage/troubleshooting/object-deletion-issues.mdx b/pages/object-storage/troubleshooting/object-deletion-issues.mdx index 789e3219fa..9970e99f6b 100644 --- a/pages/object-storage/troubleshooting/object-deletion-issues.mdx +++ b/pages/object-storage/troubleshooting/object-deletion-issues.mdx @@ -34,7 +34,7 @@ A [DeleteObject](/object-storage/api-cli/object-operations/#deleteobject) operat ## Going further -- Refer to the [object lock documentation](/object-storage/how-to/object-lock/) for more information. +- Refer to the [object lock documentation](/object-storage/how-to/use-object-lock/) for more information. - Refer to the [bucket versioning documentation](/object-storage/how-to/use-bucket-versioning/) for more information. diff --git a/tutorials/backup-strategies/index.mdx b/tutorials/backup-strategies/index.mdx index 067f7cbb83..58f905ed66 100644 --- a/tutorials/backup-strategies/index.mdx +++ b/tutorials/backup-strategies/index.mdx @@ -178,7 +178,7 @@ In Scaleway, backup compliance is primarily assured through a combination of **d To ensure that your backups cannot be altered, encrypted by ransomware, or maliciously deleted, Scaleway Object Storage provides an [object lock](/object-storage/api-cli/object-lock) feature (based on an Amazon S3 API functionality). -This feature uses a [Write-Once-Read-Many (WORM)](/object-storage/concepts/#retention-period) data protection model, a standard requirement for regulatory compliance. You can configure object lock in [two distinct retention modes](/object-storage/how-to/object-lock/#retention-modes): +This feature uses a [Write-Once-Read-Many (WORM)](/object-storage/concepts/#retention-period) data protection model, a standard requirement for regulatory compliance. You can configure object lock in [two distinct retention modes](/object-storage/how-to/use-object-lock/#retention-modes): - **Compliance mode**: When a backup is locked in this mode, the object version cannot be overwritten or deleted by any user, not even an administrator, during the retention period. The retention mode cannot be changed, and the retention period cannot be shortened. The data can only be deleted once the lock expires or if the entire Scaleway account is deleted. - **Governance mode**: This mode offers strong protection but allows specific users with specialized permissions to alter the lock settings or delete the object if absolutely necessary. From c708e985a8f01586e5ae6fe7a43f99aa3e8875bb Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Tue, 19 May 2026 15:51:41 +0200 Subject: [PATCH 03/20] docs(object-storage): update --- .../object-storage/how-to/create-a-bucket.mdx | 19 ++++++++++--------- .../how-to/use-bucket-versioning.mdx | 1 - 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/pages/object-storage/how-to/create-a-bucket.mdx b/pages/object-storage/how-to/create-a-bucket.mdx index 9b300428fb..0ae67f4d38 100644 --- a/pages/object-storage/how-to/create-a-bucket.mdx +++ b/pages/object-storage/how-to/create-a-bucket.mdx @@ -21,17 +21,18 @@ To get started with Object Storage, you must first create a bucket. Objects are 1. Click **Object Storage** on the left side menu of the console. The Object Storage dashboard displays. 2. Click **+ Create bucket**. The bucket creation page displays. 3. Select the [region](/object-storage/concepts/#region-and-availability-zone) in which to create your bucket. -4. Check **Public** or **Private** to define the bucket visibility. The bucket visibility specifies whether everyone can see the list of objects in the bucket. It does not affect [object visibility](/object-storage/concepts/#visibility). +4. Enter a name for your bucket. +5. Check **Public** or **Private** to define the bucket visibility. The bucket visibility specifies whether everyone can see the list of objects in the bucket. It does not affect [object visibility](/object-storage/concepts/#visibility). A file uploaded to a public bucket is private by default. A private file stored in a public bucket is not publicly accessible. You can change the bucket visibility at any time from the **Bucket settings** tab. -5. Select a use case for your bucket. -6. Enable [bucket versioning](/object-storage/how-to/use-bucket-versioning/) if you want to store multiple versions of your objects (this may lead to higher storage costs). -7. If applicable, you can tick the **Activate 90-day free trial** to benefit from total 750 GB of free [Standard Multi-AZ and Standard One Zone](/object-storage/faq/#what-are-the-object-storage-classes-offered-by-scaleway) storage for buckets in your Organization, across all regions. Refer to our [dedicated FAQ](/object-storage/faq/#how-can-i-benefit-from-the-object-storage-free-trial) for more information. -8. Enter a name for your bucket. -9. Optionally, you can use the cost estimator to simulate your Object Storage costs. -10. Click **Create bucket** to confirm. A list of your buckets displays, showing the newly created bucket. - -You can find more information about your bucket by clicking on its name in the **Buckets** list, and then on the **Bucket settings** tab. \ No newline at end of file +6. Optionally, tick **SSE-ONE encryption with Scaleway Object Native Encryption keys** to encrypt your objects with keys managed by Scaleway. +7. Optionally, configure [bucket versioning](/object-storage/how-to/use-bucket-versioning/): + - Tick **Enable bucket versioning** to store multiple versions of your objects (this may lead to higher storage costs). + - Tick **Enable object lock** to prevent objects from being deleted or overwritten for a defined retention period. Object lock requires versioning to be enabled. +8. Select a use case for your bucket. +9. If applicable, you can tick the **Activate 90-day free trial** to benefit from total 750 GB of free [Standard Multi-AZ and Standard One Zone](/object-storage/faq/#what-are-the-object-storage-classes-offered-by-scaleway) storage for buckets in your Organization, across all regions. Refer to our [dedicated FAQ](/object-storage/faq/#how-can-i-benefit-from-the-object-storage-free-trial) for more information. +10. Optionally, you can use the cost estimator to simulate your Object Storage costs and environmental foorprint. +11. Click **Create bucket** to confirm. You are directed to the **Files** tab of your newly created bucket. \ No newline at end of file diff --git a/pages/object-storage/how-to/use-bucket-versioning.mdx b/pages/object-storage/how-to/use-bucket-versioning.mdx index 17eaa430ba..839ab04926 100644 --- a/pages/object-storage/how-to/use-bucket-versioning.mdx +++ b/pages/object-storage/how-to/use-bucket-versioning.mdx @@ -17,7 +17,6 @@ Versioning allows you to easily recover your objects in case of unintended user - A Scaleway account logged into the [console](https://console.scaleway.com) - [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization -- An [Object Storage bucket](/object-storage/how-to/create-a-bucket/) ## How to enable versioning From a3138fdf7c23db883fa7d996650fdfc45d2e14bb Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Tue, 19 May 2026 16:01:49 +0200 Subject: [PATCH 04/20] docs(object-storage): update --- pages/object-storage/how-to/use-bucket-versioning.mdx | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/pages/object-storage/how-to/use-bucket-versioning.mdx b/pages/object-storage/how-to/use-bucket-versioning.mdx index 839ab04926..519be98339 100644 --- a/pages/object-storage/how-to/use-bucket-versioning.mdx +++ b/pages/object-storage/how-to/use-bucket-versioning.mdx @@ -18,17 +18,20 @@ Versioning allows you to easily recover your objects in case of unintended user - A Scaleway account logged into the [console](https://console.scaleway.com) - [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization + ## How to enable versioning + +You can also enable versioning during bucket creation. Refer to the [dedicated documentation](/object-storage/how-to/create-a-bucket/) for more information. + + 1. Click **Object Storage** in the **Storage** section of the side menu. A list of your buckets displays. 2. Click the name of the bucket in which you want to enable versioning. 3. Click the **Bucket settings** tab. 4. Scroll down and click the toggle under **Bucket versioning**. A pop-up appears. 5. Type **ENABLE** to confirm your action, then click **Enable bucket versioning** to proceed. - Once versioning is enabled, uploading an object with the same name as an existing object will create a new version of it. This new version consumes storage as well, which may lead to higher costs. - ## How to manage object versions From aa0090597ff581e6b909b8c5664d635c171a0f11 Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Tue, 19 May 2026 17:32:22 +0200 Subject: [PATCH 05/20] docs(object-storage): update --- .../how-to/use-bucket-versioning.mdx | 33 ++++++++++++++++--- 1 file changed, 28 insertions(+), 5 deletions(-) diff --git a/pages/object-storage/how-to/use-bucket-versioning.mdx b/pages/object-storage/how-to/use-bucket-versioning.mdx index 519be98339..9d03a7c48b 100644 --- a/pages/object-storage/how-to/use-bucket-versioning.mdx +++ b/pages/object-storage/how-to/use-bucket-versioning.mdx @@ -22,7 +22,7 @@ Versioning allows you to easily recover your objects in case of unintended user ## How to enable versioning -You can also enable versioning during bucket creation. Refer to the [dedicated documentation](/object-storage/how-to/create-a-bucket/) for more information. +You can enable versioning during bucket creation. Refer to the [dedicated documentation](/object-storage/how-to/create-a-bucket/) for more information. 1. Click **Object Storage** in the **Storage** section of the side menu. A list of your buckets displays. @@ -36,10 +36,10 @@ Once versioning is enabled, uploading an object with the same name as an existin ## How to manage object versions 1. Click **Object Storage** in the **Storage** section of the side menu. A list of your buckets displays. -2. Click the name of your selected bucket. A list of the objects it contains appears. -3. Click next to the object you want to manage, then click **Versioning**. A list of the object versions displays. - -4. Click next to a non-current object version to download it, or permanently delete it. +2. Click the name of your versioned bucket. A list of the objects it contains appears. +3. Click next to the object you want to manage, then click **Versioning**. A side-panel displays, containing the different versions of your object. +4. Click next to an object version to download it, set up object lock if enabled, or permanently delete it. +5. Click **Add delete marker**. To restore an object to a previous version, download the desired non-current version and upload it again. This action will replace the current version with the uploaded one. @@ -57,3 +57,26 @@ To restore an object to a previous version, download the desired non-current ver - Once versioning is suspended, no new object versions will be created. Versions created up until this point will remain stored and billable. Uploading an object with the same name as an existing object will overwrite it. - You cannot suspend versioning on a bucket with [object lock](/object-storage/how-to/use-object-lock/) enabled. + +## Understanding versioning + +An object version behaves like a regular object, except taht it is identified by a combination of a key and a version ID, rather than just a key. + +Buckets with versioning enabled observe the following behavior: + +| Situation | What happens to existing objects | What happens to new objects | +|---------------------------------------------------|---------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------| +| **Versioning never enabled** | Every object uploaded has a single `null` version. | Overwrites permanently replace the previous object; deletes remove it completely. | +| **Versioning enabled from the start** | Every object uploaded gets a **unique version ID**. | All subsequent writes are versioned automatically. | +| **Versioning disabled initially, then enabled** | Objects uploaded before the switch are NOT versioned, and remain as a `null` version. | New objects are versioned; overwrites create new versions. | +| **Versioning enabled, then suspended** | Existing versions **stay** exactly as they are; they are not removed automatically. | New objects **do not get a version ID**. Overwrites replace the current `null` version, but older versions remain. | +| **Versioning enabled, then bucket deleted** | All versions are **deleted together** when the bucket is removed. | N/A | + +### Impact of versioning on common operations + +| Operation | Versioning **Enabled** | Versioning **Suspended / Disabled** | +|---------------------|------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------| +| **PUT** | Creates a new version ID. | Overwrites the existing object (no version ID). | +| **DELETE** | Adds a **delete marker**, the object appears deleted but previous versions are still stored and can be restored. | Object is permanently removed. | +| **GET** | Returns the **latest version** by default; you can request a specific version ID to retrieve an older copy. | Returns the only existing version (or 404 if deleted). | +| **Lifecycle rules** | Can target **non-current versions**, **delete markers**, or the **current version**. | Rules can only act on the single (current) version. | From 713d144aa8c1e6d06ac0868f45c18982afcbb72a Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Wed, 20 May 2026 11:21:48 +0200 Subject: [PATCH 06/20] docs(object-storage): update --- .../how-to/use-bucket-versioning.mdx | 47 ++++++++++++++++--- 1 file changed, 40 insertions(+), 7 deletions(-) diff --git a/pages/object-storage/how-to/use-bucket-versioning.mdx b/pages/object-storage/how-to/use-bucket-versioning.mdx index 9d03a7c48b..d501b0f1b2 100644 --- a/pages/object-storage/how-to/use-bucket-versioning.mdx +++ b/pages/object-storage/how-to/use-bucket-versioning.mdx @@ -21,8 +21,7 @@ Versioning allows you to easily recover your objects in case of unintended user ## How to enable versioning - -You can enable versioning during bucket creation. Refer to the [dedicated documentation](/object-storage/how-to/create-a-bucket/) for more information. +Thsis procedure explains how to enable versioning on an existin bucket. To create a new bucket with vesioning enabled, refer to the [dedicated documentation](/object-storage/how-to/create-a-bucket/). 1. Click **Object Storage** in the **Storage** section of the side menu. A list of your buckets displays. @@ -35,18 +34,52 @@ Once versioning is enabled, uploading an object with the same name as an existin ## How to manage object versions +### View object versions + 1. Click **Object Storage** in the **Storage** section of the side menu. A list of your buckets displays. 2. Click the name of your versioned bucket. A list of the objects it contains appears. 3. Click next to the object you want to manage, then click **Versioning**. A side-panel displays, containing the different versions of your object. -4. Click next to an object version to download it, set up object lock if enabled, or permanently delete it. -5. Click **Add delete marker**. - + Each object version contains the following elements: + - Random version ID + - Status badge (CURRENT, PREVIOUS, DELETE MARKER) + - Date of last modification + - Size + - Storage class + - Object lock indicator + +### Add a new object version + + + +### Restore an object to a previous version + To restore an object to a previous version, download the desired non-current version and upload it again. This action will replace the current version with the uploaded one. - + +## How to delete an object or a version + +When versioning is enabled, deleting an object will insert a + +### Insert a delete marker + +1. Click **Object Storage** in the **Storage** section of the side menu. A list of your buckets displays. +2. Click the name of your versioned bucket. A list of the objects it contains appears. +3. Click next to the object you want to manage, then click **Versioning**. A side-panel displays, containing the different versions of your object. +4. Click **Mark as deleted** at the bottom of the side panel. A **delete marker** is inserted as the current version of your object. + +Objects with a delete marker as their current version do not appear in console listings, and return errors when called via the API or CLI tools, but previous versions will persist and remain billable. + +### Delete a specific version + +1. Click **Object Storage** in the **Storage** section of the side menu. A list of your buckets displays. +2. Click the name of your versioned bucket. A list of the objects it contains appears. +3. Click next to the object you want to manage, then click **Versioning**. A side-panel displays, containing the different versions of your object. + ## How to suspend versioning +If you have enabled versioning on a bucket, you can only suspend it rather than disabling it completely. When versioning is suspended, already existing object versions will persist and remain billable. + 1. Click **Object Storage** in the **Storage** section of the side menu. A list of your buckets displays. 2. Click the name of your selected bucket. 3. Click the **Bucket settings** tab. @@ -60,7 +93,7 @@ To restore an object to a previous version, download the desired non-current ver ## Understanding versioning -An object version behaves like a regular object, except taht it is identified by a combination of a key and a version ID, rather than just a key. +An object version behaves like a regular object, except that it is identified by a combination of a key and a version ID, rather than just a key. Buckets with versioning enabled observe the following behavior: From a1d4bbc6bc2438929e62d1ca34a9e7e39ebb329f Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Wed, 20 May 2026 12:07:58 +0200 Subject: [PATCH 07/20] docs(object-storage): update --- .../how-to/use-bucket-versioning.mdx | 81 ++++++++++++------- 1 file changed, 52 insertions(+), 29 deletions(-) diff --git a/pages/object-storage/how-to/use-bucket-versioning.mdx b/pages/object-storage/how-to/use-bucket-versioning.mdx index d501b0f1b2..9f97a3002e 100644 --- a/pages/object-storage/how-to/use-bucket-versioning.mdx +++ b/pages/object-storage/how-to/use-bucket-versioning.mdx @@ -1,14 +1,13 @@ --- title: How to use bucket versioning description: Enable and manage bucket versioning for Object Storage. -tags: object storage object-storage bucket versioning archived +tags: object storage object-storage bucket versioning dates: - validation: 2025-07-01 + validation: 2026-05-20 posted: 2021-05-27 --- import Requirements from '@macros/iam/requirements.mdx' - Versioning is a feature designed to keep multiple variants of an object in the same bucket. When enabled, it allows you to store, retrieve, and restore every version of your objects stored in a bucket. Versioning allows you to easily recover your objects in case of unintended user actions or application failures. @@ -18,11 +17,44 @@ Versioning allows you to easily recover your objects in case of unintended user - A Scaleway account logged into the [console](https://console.scaleway.com) - [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization +## Versioning overview + +### General concepts + +- Version ID — unique ID per object write. Key + version ID = address. Without versioning, key alone. +- Current version — latest write. Default returned by GET / shown in console list. +- Non-current (previous) version — older writes. Retained, billable, fetchable by version ID. +- Delete marker — placeholder current version inserted by DELETE on versioned bucket. Object looks gone, prior versions intact. Removable to undelete. +- `null` version — objects written before versioning enabled, or while suspended. No version ID. Only one per key. +- Versioning states — Unversioned (never enabled), Enabled, Suspended. + +### Object and bucket behavior + +An object version behaves like a regular object, except that it is identified by a combination of a key and a version ID, rather than just a key. + +Buckets with versioning enabled observe the following behavior: + +| Situation | What happens to existing objects | What happens to new objects | +|---------------------------------------------------|---------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------| +| **Versioning never enabled** | Every object uploaded has a single `null` version. | Overwrites permanently replace the previous object; deletes remove it completely. | +| **Versioning enabled from the start** | Every object uploaded gets a **unique version ID**. | All subsequent writes are versioned automatically. | +| **Versioning disabled initially, then enabled** | Objects uploaded before the switch are NOT versioned, and remain as a `null` version. | New objects are versioned; overwrites create new versions. | +| **Versioning enabled, then suspended** | Existing versions **stay** exactly as they are; they are not removed automatically. | New objects **do not get a version ID**. Overwrites replace the current `null` version, but older versions remain. | +| **Versioning enabled, then bucket deleted** | All versions are **deleted together** when the bucket is removed. | N/A | + +### Impact of versioning on common operations + +| Operation | Versioning **Enabled** | Versioning **Suspended / Unversioned enabled** | +|---------------------|------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------| +| **PUT** | Creates a new version ID. | Overwrites the existing object (no version ID). | +| **DELETE** | Adds a **delete marker**, the object appears deleted but previous versions are still stored and can be restored. | Object is permanently removed. | +| **GET** | Returns the **latest version** by default; you can request a specific version ID to retrieve an older copy. | Returns the only existing version (or 404 if deleted). | +| **Lifecycle rules** | Can target **non-current versions**, **delete markers**, or the **current version**. | Rules can only act on the single (current) version. | + ## How to enable versioning -Thsis procedure explains how to enable versioning on an existin bucket. To create a new bucket with vesioning enabled, refer to the [dedicated documentation](/object-storage/how-to/create-a-bucket/). - +This procedure explains how to enable versioning on an existing bucket. To create a new bucket with versioning enabled, refer to the [dedicated documentation](/object-storage/how-to/create-a-bucket/). 1. Click **Object Storage** in the **Storage** section of the side menu. A list of your buckets displays. 2. Click the name of the bucket in which you want to enable versioning. @@ -50,15 +82,16 @@ Once versioning is enabled, uploading an object with the same name as an existin ### Add a new object version - +To add a new object version, upload an object with the same key as an existing one. ### Restore an object to a previous version -To restore an object to a previous version, download the desired non-current version and upload it again. This action will replace the current version with the uploaded one. +It is currently not possible to restore an object to a previous version using the Scaleway console. To do so, download the desired non-current version and upload it again. This action will replace the current version with the uploaded one. ## How to delete an object or a version -When versioning is enabled, deleting an object will insert a +When versioning is enabled, deleting an object will insert a delete marker as the current version rather than actually deleting it. +You can permanently delete a specific version of an object. ### Insert a delete marker @@ -75,6 +108,15 @@ Objects with a delete marker as their current version do not appear in console l 2. Click the name of your versioned bucket. A list of the objects it contains appears. 3. Click next to the object you want to manage, then click **Versioning**. A side-panel displays, containing the different versions of your object. +### Undelete an object / remove a delete marker + +1. Click **Object Storage** in the **Storage** section of the side menu. A list of your buckets displays. +2. Click the name of your versioned bucket. A list of the objects it contains appears. +3. Use the search bar to look for the object you want to undelete. +4. 3. Click next to its name, then click **Versioning**. +5. Remove the delete marker at the top of the versions list. + +The last version before the delete marker was inserted is now the current version of your object. ## How to suspend versioning @@ -91,25 +133,6 @@ If you have enabled versioning on a bucket, you can only suspend it rather than - You cannot suspend versioning on a bucket with [object lock](/object-storage/how-to/use-object-lock/) enabled. -## Understanding versioning +## How to use versioning in combination with lifecycle rules -An object version behaves like a regular object, except that it is identified by a combination of a key and a version ID, rather than just a key. - -Buckets with versioning enabled observe the following behavior: - -| Situation | What happens to existing objects | What happens to new objects | -|---------------------------------------------------|---------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------| -| **Versioning never enabled** | Every object uploaded has a single `null` version. | Overwrites permanently replace the previous object; deletes remove it completely. | -| **Versioning enabled from the start** | Every object uploaded gets a **unique version ID**. | All subsequent writes are versioned automatically. | -| **Versioning disabled initially, then enabled** | Objects uploaded before the switch are NOT versioned, and remain as a `null` version. | New objects are versioned; overwrites create new versions. | -| **Versioning enabled, then suspended** | Existing versions **stay** exactly as they are; they are not removed automatically. | New objects **do not get a version ID**. Overwrites replace the current `null` version, but older versions remain. | -| **Versioning enabled, then bucket deleted** | All versions are **deleted together** when the bucket is removed. | N/A | - -### Impact of versioning on common operations - -| Operation | Versioning **Enabled** | Versioning **Suspended / Disabled** | -|---------------------|------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------| -| **PUT** | Creates a new version ID. | Overwrites the existing object (no version ID). | -| **DELETE** | Adds a **delete marker**, the object appears deleted but previous versions are still stored and can be restored. | Object is permanently removed. | -| **GET** | Returns the **latest version** by default; you can request a specific version ID to retrieve an older copy. | Returns the only existing version (or 404 if deleted). | -| **Lifecycle rules** | Can target **non-current versions**, **delete markers**, or the **current version**. | Rules can only act on the single (current) version. | +Refer to the [dedicated documentation](/object-storage/how-to/manage-lifecycle-rules/) for more information. \ No newline at end of file From effed1c72dee418c73bb878ae8b546fcbf9ec085 Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Wed, 20 May 2026 13:38:01 +0200 Subject: [PATCH 08/20] docs(object-storage): update --- .../how-to/use-bucket-versioning.mdx | 73 ++++++++++--------- 1 file changed, 39 insertions(+), 34 deletions(-) diff --git a/pages/object-storage/how-to/use-bucket-versioning.mdx b/pages/object-storage/how-to/use-bucket-versioning.mdx index 9f97a3002e..35670168b0 100644 --- a/pages/object-storage/how-to/use-bucket-versioning.mdx +++ b/pages/object-storage/how-to/use-bucket-versioning.mdx @@ -14,37 +14,37 @@ Versioning allows you to easily recover your objects in case of unintended user -- A Scaleway account logged into the [console](https://console.scaleway.com) +- A Scaleway account logged in to the [console](https://console.scaleway.com) - [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization ## Versioning overview ### General concepts -- Version ID — unique ID per object write. Key + version ID = address. Without versioning, key alone. -- Current version — latest write. Default returned by GET / shown in console list. -- Non-current (previous) version — older writes. Retained, billable, fetchable by version ID. -- Delete marker — placeholder current version inserted by DELETE on versioned bucket. Object looks gone, prior versions intact. Removable to undelete. -- `null` version — objects written before versioning enabled, or while suspended. No version ID. Only one per key. -- Versioning states — Unversioned (never enabled), Enabled, Suspended. +- **Version ID**: a unique identifier generated for each object write. Combined with the object key, it forms the full object address. Without versioning, the key alone identifies the object. +- **Current version**: the most recent write. The console object list and any `GET` request without a version ID return this version by default. +- **Non-current (previous) version**: any older write. Non-current versions remain stored, are billable, and can be retrieved by version ID. +- **Delete marker**: a placeholder current version that a `DELETE` operation inserts on a versioned bucket. The object appears removed, but prior versions remain intact. Removing the delete marker restores the object. +- **`null` version**: an object written before versioning was enabled, or while versioning is suspended. It has no version ID, and only one `null` version exists per key. +- **Versioning states**: a bucket is `Unversioned` (versioning never enabled), `Enabled`, or `Suspended`. Once enabled, versioning cannot return to the `Unversioned` state, only to `Suspended`. ### Object and bucket behavior -An object version behaves like a regular object, except that it is identified by a combination of a key and a version ID, rather than just a key. +An object version behaves like a regular object, except that a combination of the object key and a version ID identifies it, rather than the key alone. Buckets with versioning enabled observe the following behavior: | Situation | What happens to existing objects | What happens to new objects | |---------------------------------------------------|---------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------| -| **Versioning never enabled** | Every object uploaded has a single `null` version. | Overwrites permanently replace the previous object; deletes remove it completely. | -| **Versioning enabled from the start** | Every object uploaded gets a **unique version ID**. | All subsequent writes are versioned automatically. | -| **Versioning disabled initially, then enabled** | Objects uploaded before the switch are NOT versioned, and remain as a `null` version. | New objects are versioned; overwrites create new versions. | -| **Versioning enabled, then suspended** | Existing versions **stay** exactly as they are; they are not removed automatically. | New objects **do not get a version ID**. Overwrites replace the current `null` version, but older versions remain. | +| **Versioning never enabled** | Every object uploaded has a single `null` version. | Overwrites permanently replace the previous object, and deletes remove it completely. | +| **Versioning enabled from the start** | Every object uploaded receives a **unique version ID**. | Each subsequent write creates a new version automatically. | +| **Versioning disabled initially, then enabled** | Objects uploaded before the switch remain as a `null` version and are not versioned. | New objects are versioned, and overwrites create new versions. | +| **Versioning enabled, then suspended** | Existing versions **stay** exactly as they are, and are not removed automatically. | New objects **do not get a version ID**. Overwrites replace the current `null` version, but older versions remain. | | **Versioning enabled, then bucket deleted** | All versions are **deleted together** when the bucket is removed. | N/A | ### Impact of versioning on common operations -| Operation | Versioning **Enabled** | Versioning **Suspended / Unversioned enabled** | +| Operation | Versioning **Enabled** | Versioning **Suspended / Unversioned** | |---------------------|------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------| | **PUT** | Creates a new version ID. | Overwrites the existing object (no version ID). | | **DELETE** | Adds a **delete marker**, the object appears deleted but previous versions are still stored and can be restored. | Object is permanently removed. | @@ -54,7 +54,7 @@ Buckets with versioning enabled observe the following behavior: ## How to enable versioning -This procedure explains how to enable versioning on an existing bucket. To create a new bucket with versioning enabled, refer to the [dedicated documentation](/object-storage/how-to/create-a-bucket/). +This procedure explains how to enable versioning on an existing bucket. To create a new bucket with versioning enabled, refer to the [bucket creation documentation](/object-storage/how-to/create-a-bucket/). 1. Click **Object Storage** in the **Storage** section of the side menu. A list of your buckets displays. 2. Click the name of the bucket in which you want to enable versioning. @@ -62,7 +62,7 @@ This procedure explains how to enable versioning on an existing bucket. To creat 4. Scroll down and click the toggle under **Bucket versioning**. A pop-up appears. 5. Type **ENABLE** to confirm your action, then click **Enable bucket versioning** to proceed. -Once versioning is enabled, uploading an object with the same name as an existing object will create a new version of it. This new version consumes storage as well, which may lead to higher costs. +Once versioning is enabled, uploading an object with the same name as an existing object creates a new version of it. This new version consumes storage as well, which may lead to higher costs. ## How to manage object versions @@ -72,13 +72,13 @@ Once versioning is enabled, uploading an object with the same name as an existin 2. Click the name of your versioned bucket. A list of the objects it contains appears. 3. Click next to the object you want to manage, then click **Versioning**. A side-panel displays, containing the different versions of your object. - Each object version contains the following elements: - - Random version ID - - Status badge (CURRENT, PREVIOUS, DELETE MARKER) - - Date of last modification - - Size - - Storage class - - Object lock indicator + Each object version displays the following elements: + - A unique version ID + - A status badge (**CURRENT**, **PREVIOUS**, or **DELETE MARKER**) + - The date of last modification + - The size of the version + - The storage class + - The object lock indicator ### Add a new object version @@ -86,12 +86,11 @@ To add a new object version, upload an object with the same key as an existing o ### Restore an object to a previous version -It is currently not possible to restore an object to a previous version using the Scaleway console. To do so, download the desired non-current version and upload it again. This action will replace the current version with the uploaded one. +The Scaleway console does not currently provide a native restore action. To restore an object to a previous version, download the desired non-current version and upload it again. This action replaces the current version with the uploaded one. ## How to delete an object or a version -When versioning is enabled, deleting an object will insert a delete marker as the current version rather than actually deleting it. -You can permanently delete a specific version of an object. +When versioning is enabled, deleting an object inserts a delete marker as the current version rather than removing the object. You can also permanently delete a specific version of an object. ### Insert a delete marker @@ -100,27 +99,33 @@ You can permanently delete a specific version of an object. 3. Click next to the object you want to manage, then click **Versioning**. A side-panel displays, containing the different versions of your object. 4. Click **Mark as deleted** at the bottom of the side panel. A **delete marker** is inserted as the current version of your object. -Objects with a delete marker as their current version do not appear in console listings, and return errors when called via the API or CLI tools, but previous versions will persist and remain billable. +Objects with a delete marker as their current version do not appear in console listings, and return errors when called via the API or CLI tools. Previous versions persist and remain billable. ### Delete a specific version + +Deleting a specific version permanently removes that version. This action cannot be undone. + + 1. Click **Object Storage** in the **Storage** section of the side menu. A list of your buckets displays. 2. Click the name of your versioned bucket. A list of the objects it contains appears. 3. Click next to the object you want to manage, then click **Versioning**. A side-panel displays, containing the different versions of your object. +4. Click next to the version you want to delete, then click **Delete**. A confirmation pop-up appears. +5. Confirm the deletion to permanently remove the selected version. -### Undelete an object / remove a delete marker +### Restore an object by removing its delete marker 1. Click **Object Storage** in the **Storage** section of the side menu. A list of your buckets displays. 2. Click the name of your versioned bucket. A list of the objects it contains appears. -3. Use the search bar to look for the object you want to undelete. -4. 3. Click next to its name, then click **Versioning**. -5. Remove the delete marker at the top of the versions list. +3. Use the search bar to locate the object you want to restore. +4. Click next to the object name, then click **Versioning**. A side-panel displays, containing the different versions of your object. +5. Delete the delete marker at the top of the versions list. -The last version before the delete marker was inserted is now the current version of your object. +The version that preceded the delete marker becomes the current version of your object. ## How to suspend versioning -If you have enabled versioning on a bucket, you can only suspend it rather than disabling it completely. When versioning is suspended, already existing object versions will persist and remain billable. +Once you enable versioning on a bucket, you can only suspend it rather than disable it completely. When versioning is suspended, existing object versions persist and remain billable. 1. Click **Object Storage** in the **Storage** section of the side menu. A list of your buckets displays. 2. Click the name of your selected bucket. @@ -129,10 +134,10 @@ If you have enabled versioning on a bucket, you can only suspend it rather than 5. Type **SUSPEND** to confirm your action, then click **Suspend bucket versioning** to proceed. -- Once versioning is suspended, no new object versions will be created. Versions created up until this point will remain stored and billable. Uploading an object with the same name as an existing object will overwrite it. +- Once versioning is suspended, no new object versions are created. Versions created up to that point remain stored and billable. Uploading an object with the same name as an existing object overwrites it. - You cannot suspend versioning on a bucket with [object lock](/object-storage/how-to/use-object-lock/) enabled. ## How to use versioning in combination with lifecycle rules -Refer to the [dedicated documentation](/object-storage/how-to/manage-lifecycle-rules/) for more information. \ No newline at end of file +Lifecycle rules can target non-current versions and delete markers to automatically expire or transition them, which is the main lever to control storage costs on a versioned bucket. Refer to the [lifecycle rules documentation](/object-storage/how-to/manage-lifecycle-rules/) for more information. \ No newline at end of file From 46ef08fd6f27e133724496b6e57380c38b64a380 Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Wed, 20 May 2026 13:47:14 +0200 Subject: [PATCH 09/20] docs(object-storage): update --- pages/object-storage/how-to/use-bucket-versioning.mdx | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/pages/object-storage/how-to/use-bucket-versioning.mdx b/pages/object-storage/how-to/use-bucket-versioning.mdx index 35670168b0..c64674c749 100644 --- a/pages/object-storage/how-to/use-bucket-versioning.mdx +++ b/pages/object-storage/how-to/use-bucket-versioning.mdx @@ -42,16 +42,6 @@ Buckets with versioning enabled observe the following behavior: | **Versioning enabled, then suspended** | Existing versions **stay** exactly as they are, and are not removed automatically. | New objects **do not get a version ID**. Overwrites replace the current `null` version, but older versions remain. | | **Versioning enabled, then bucket deleted** | All versions are **deleted together** when the bucket is removed. | N/A | -### Impact of versioning on common operations - -| Operation | Versioning **Enabled** | Versioning **Suspended / Unversioned** | -|---------------------|------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------| -| **PUT** | Creates a new version ID. | Overwrites the existing object (no version ID). | -| **DELETE** | Adds a **delete marker**, the object appears deleted but previous versions are still stored and can be restored. | Object is permanently removed. | -| **GET** | Returns the **latest version** by default; you can request a specific version ID to retrieve an older copy. | Returns the only existing version (or 404 if deleted). | -| **Lifecycle rules** | Can target **non-current versions**, **delete markers**, or the **current version**. | Rules can only act on the single (current) version. | - - ## How to enable versioning This procedure explains how to enable versioning on an existing bucket. To create a new bucket with versioning enabled, refer to the [bucket creation documentation](/object-storage/how-to/create-a-bucket/). From ea564302493f0ffffdd363cad63d401f708dcdbe Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Wed, 20 May 2026 13:53:33 +0200 Subject: [PATCH 10/20] docs(object-storage): update --- pages/object-storage/menu.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/object-storage/menu.ts b/pages/object-storage/menu.ts index 0d2b9ba09c..6bcc184264 100644 --- a/pages/object-storage/menu.ts +++ b/pages/object-storage/menu.ts @@ -47,7 +47,7 @@ export const objectStorageMenu = { slug: 'access-objects-via-https', }, { - label: 'Use bucket versioning', + label: 'Use versioning', slug: 'use-bucket-versioning', }, { From de3e6db3b4e28eaa6a5c07d524a2d1975c366ea8 Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Wed, 20 May 2026 13:54:50 +0200 Subject: [PATCH 11/20] docs(object-storage): update --- .../how-to/use-bucket-versioning.mdx | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/pages/object-storage/how-to/use-bucket-versioning.mdx b/pages/object-storage/how-to/use-bucket-versioning.mdx index c64674c749..6bcd0508b7 100644 --- a/pages/object-storage/how-to/use-bucket-versioning.mdx +++ b/pages/object-storage/how-to/use-bucket-versioning.mdx @@ -34,13 +34,13 @@ An object version behaves like a regular object, except that a combination of th Buckets with versioning enabled observe the following behavior: -| Situation | What happens to existing objects | What happens to new objects | -|---------------------------------------------------|---------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------| -| **Versioning never enabled** | Every object uploaded has a single `null` version. | Overwrites permanently replace the previous object, and deletes remove it completely. | -| **Versioning enabled from the start** | Every object uploaded receives a **unique version ID**. | Each subsequent write creates a new version automatically. | -| **Versioning disabled initially, then enabled** | Objects uploaded before the switch remain as a `null` version and are not versioned. | New objects are versioned, and overwrites create new versions. | -| **Versioning enabled, then suspended** | Existing versions **stay** exactly as they are, and are not removed automatically. | New objects **do not get a version ID**. Overwrites replace the current `null` version, but older versions remain. | -| **Versioning enabled, then bucket deleted** | All versions are **deleted together** when the bucket is removed. | N/A | +| Situation | What happens to existing objects | What happens to new objects | +|-------------------------------------------------|--------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------| +| **Versioning never enabled** | Every object uploaded has a single `null` version. | Overwrites permanently replace the previous object, and deletes remove it completely. | +| **Versioning enabled from the start** | Every object uploaded receives a unique version ID. | Each subsequent write creates a new version automatically. | +| **Versioning disabled initially, then enabled** | Objects uploaded before the switch remain as a `null` version and are not versioned. | New objects are versioned, and overwrites create new versions. | +| **Versioning enabled, then suspended** | Existing versions stay exactly as they are, and are not removed automatically. | New objects do not get a version ID . Overwrites replace the current `null` version, but older versions remain. | +| **Versioning enabled, then bucket deleted** | All versions are deleted together when the bucket is removed. | N/A | ## How to enable versioning From 5b712149af7d04a4c52f0f3f6b959cac270ac5d0 Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Wed, 20 May 2026 14:43:59 +0200 Subject: [PATCH 12/20] docs(object-storage): update --- .../object-storage/how-to/use-object-lock.mdx | 183 +++++++++++++++--- pages/object-storage/menu.ts | 4 +- 2 files changed, 158 insertions(+), 29 deletions(-) diff --git a/pages/object-storage/how-to/use-object-lock.mdx b/pages/object-storage/how-to/use-object-lock.mdx index 1f352f5459..ea0001e445 100644 --- a/pages/object-storage/how-to/use-object-lock.mdx +++ b/pages/object-storage/how-to/use-object-lock.mdx @@ -16,7 +16,7 @@ Object lock provides two mechanisms to protect your objects: **retention** and * - **Compliance mode** prevents users, including owners and users with administrative permissions, from deleting or overwriting objects during the specified retention period. The retention mode cannot be modified, and the retention period cannot be shortened. - **Governance mode** prevents users without the necessary permissions from deleting or overwriting objects during the specified retention period. Authorized users can modify the retention settings, and delete the targeted objects. -- **Legal hold** is an independent that provides the same protection as the retention, but has no expiration date. It must be explicitly removed by a user with the appropriate permissions, and is evaluated independently of any retention configuration. +- **Legal hold** is an independent ON/OFF switch that provides the same protection as retention, but has no expiration date. It must be explicitly removed by a user with the appropriate permissions, and is evaluated independently of any retention configuration. Object Lock is supported on `Standard Multi-AZ`, `Standard One Zone`, and `Glacier` [storage classes](/object-storage/concepts/#storage-class). @@ -169,8 +169,7 @@ Legal hold is independent of retention settings and has no expiration date. It m --legal-hold Status=ON ``` - -3. Run the following command to check if legal hold was properly applied: +2. Run the following command to check if the legal hold was properly applied: ```bash aws s3api get-object-legal-hold \ @@ -178,15 +177,6 @@ Legal hold is independent of retention settings and has no expiration date. It m --key my-object ``` -2. To remove the legal hold: - - ```bash - aws s3api put-object-legal-hold \ - --bucket my-locked-bucket \ - --key my-object \ - --legal-hold Status=OFF - ``` - An output similar to the following displays: ```json @@ -197,6 +187,15 @@ Legal hold is independent of retention settings and has no expiration date. It m } ``` +3. To remove the legal hold: + + ```bash + aws s3api put-object-legal-hold \ + --bucket my-locked-bucket \ + --key my-object \ + --legal-hold Status=OFF + ``` + ## Limitations - **Object Lock cannot be disabled** once enabled on a bucket, and versioning cannot be suspended. @@ -208,24 +207,154 @@ Legal hold is independent of retention settings and has no expiration date. It m ### Bucket lock configuration tokens -| Token | Description | Type | Required | -|---|---|---|---| -| `ObjectLockConfiguration` | Root element | — | Yes | -| `ObjectLockEnabled` | Enables Object Lock on the bucket | String: `Enabled` | Yes | -| `Rule` | Default retention rule applied to new objects | ObjectLockRule | No | -| `Mode` | Retention mode | String: `GOVERNANCE` or `COMPLIANCE` | Required if `Rule` is set | -| `Days` | Retention duration in days | Integer | `Days` or `Years`, not both | -| `Years` | Retention duration in years | Integer | `Days` or `Years`, not both | +#### `ObjectLockConfiguration` + +**Description** +: Root element of the lock configuration. + +**Required** +: Yes + +#### `ObjectLockEnabled` + +**Description** +: Enables Object Lock on the bucket. + +**Type** +: String — `Enabled` + +**Required** +: Yes + +#### `Rule` + +**Description** +: Default retention rule applied to every new object placed in the bucket. + +**Required** +: No + +#### `Mode` + +**Description** +: Default retention mode for new objects. + +**Type** +: String — `GOVERNANCE` or `COMPLIANCE` + +**Required** +: Yes, if `Rule` is set + +#### `Days` + +**Description** +: Default retention duration in days. + +**Type** +: Integer + +**Required** +: Use `Days` or `Years`, not both + +#### `Years` + +**Description** +: Default retention duration in years. + +**Type** +: Integer + +**Required** +: Use `Days` or `Years`, not both ### Object retention tokens -| Token | Description | Type | Required | -|---|---|---|---| -| `Mode` | Retention mode for the object | String: `GOVERNANCE` or `COMPLIANCE` | Yes | -| `RetainUntilDate` | Retention expiry date | Timestamp (ISO 8601) | Yes | +#### `Mode` + +**Description** +: Retention mode for the object. + +**Type** +: String — `GOVERNANCE` or `COMPLIANCE` + +**Required** +: Yes + +#### `RetainUntilDate` + +**Description** +: Date on which the object retention expires. + +**Type** +: Timestamp (ISO 8601) + +**Required** +: Yes ### Legal hold tokens -| Token | Description | Type | Required | -|---|---|---|---| -| `Status` | Legal hold state | String: `ON` or `OFF` | Yes | +#### `Status` + +**Description** +: Enables or disables the legal hold on the object. + +**Type** +: String — `ON` or `OFF` + +**Required** +: Yes + +## Examples + +### Regulatory compliance bucket (Compliance mode) + +This example sets up a bucket for strict regulatory retention: all objects are locked in Compliance mode for 7 years and cannot be deleted or overwritten by any user until the period expires. + +```bash +# Enable Object Lock on a new bucket +aws s3api create-bucket \ + --bucket my-compliance-bucket \ + --object-lock-enabled-for-bucket + +# Set a default 7-year Compliance retention on all new objects +aws s3api put-object-lock-configuration \ + --bucket my-compliance-bucket \ + --object-lock-configuration '{ + "ObjectLockEnabled": "Enabled", + "Rule": { + "DefaultRetention": { + "Mode": "COMPLIANCE", + "Years": 7 + } + } + }' +``` + +Objects uploaded to `my-compliance-bucket` are automatically locked in Compliance mode until 7 years after their upload date. No user can shorten the retention period or delete objects before it expires. + +### Flexible protection bucket (Governance mode + legal hold) + +This example sets up a bucket with a default Governance retention of 90 days, then places an additional legal hold on a specific object under active investigation. + +```bash +# Enable Object Lock on an existing bucket +aws s3api put-object-lock-configuration \ + --bucket my-governance-bucket \ + --object-lock-configuration '{ + "ObjectLockEnabled": "Enabled", + "Rule": { + "DefaultRetention": { + "Mode": "GOVERNANCE", + "Days": 90 + } + } + }' + +# Apply a legal hold to a specific object +aws s3api put-object-legal-hold \ + --bucket my-governance-bucket \ + --key audit/report-2026-05.pdf \ + --legal-hold Status=ON +``` + +Objects in `my-governance-bucket` are protected for 90 days under Governance mode. Authorized users can override the retention if needed. The object `audit/report-2026-05.pdf` additionally has a legal hold, which blocks deletion regardless of the retention period and must be explicitly removed. diff --git a/pages/object-storage/menu.ts b/pages/object-storage/menu.ts index 6bcc184264..013c68524e 100644 --- a/pages/object-storage/menu.ts +++ b/pages/object-storage/menu.ts @@ -63,8 +63,8 @@ export const objectStorageMenu = { slug: 'enable-sse-one', }, { - label: 'Enable object lock', - slug: 'object-lock', + label: 'Use object lock', + slug: 'use-object-lock', }, { label: 'Host healthcare data (HDS)', From d2aafdda20e9c036b067bdd83e98ff8e1c0e8314 Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Wed, 20 May 2026 15:43:03 +0200 Subject: [PATCH 13/20] docs(object-storage): update --- pages/object-storage/api-cli/lifecycle-rules-api.mdx | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/pages/object-storage/api-cli/lifecycle-rules-api.mdx b/pages/object-storage/api-cli/lifecycle-rules-api.mdx index c61417f2e7..f997ce0898 100644 --- a/pages/object-storage/api-cli/lifecycle-rules-api.mdx +++ b/pages/object-storage/api-cli/lifecycle-rules-api.mdx @@ -12,9 +12,10 @@ import LifecycleMinimalDurationMessage from '@macros/object-storage/lifecycle-mi You can configure the lifecycle of a group of objects to manage their storage costs effectively. A lifecycle configuration is a set of rules that defines actions applied to a group of objects stored on Object Storage. The Amazon S3 API allows you to automatically manage the lifecycle of your object by setting lifecycle rules. These rules allow you to automatically: - - Delete your objects and their versions by setting expiration durations - Transition objects and their versions to a colder storage class + - Delete your objects and their versions by setting expiration durations - Abort incomplete [multipart uploads](/object-storage/api-cli/multipart-uploads/) + - Expire delete markers without a non-current version automatically. @@ -204,6 +205,14 @@ Lifecycle rules only allow the following transitions: **Parent** : `Rule` +### ExpiredObjectDeleteMarker + +**Description** +: Enables the expiration of delete markers without non-current versions. Expired delete markers are deleted automatically. + +**Parent** +: `Expiration` + ### NoncurrentVersionExpiration **Description** From c774053063da725b1db02b2e3cd01a3cd69ea809 Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Wed, 20 May 2026 17:14:23 +0200 Subject: [PATCH 14/20] docs(object-storage): update --- .../object-storage/how-to/use-object-lock.mdx | 249 +++++++++++------- 1 file changed, 154 insertions(+), 95 deletions(-) diff --git a/pages/object-storage/how-to/use-object-lock.mdx b/pages/object-storage/how-to/use-object-lock.mdx index ea0001e445..29c8cb51c0 100644 --- a/pages/object-storage/how-to/use-object-lock.mdx +++ b/pages/object-storage/how-to/use-object-lock.mdx @@ -10,6 +10,8 @@ import Requirements from '@macros/iam/requirements.mdx' Object lock prevents objects from being deleted or overwritten for a defined period or indefinitely. It uses a **write-once-read-many (WORM)** model, commonly required for regulatory compliance and protection against ransomware or accidental deletion. Object lock can only be used in buckets with versioning enabled. +## Overview + Object lock provides two mechanisms to protect your objects: **retention** and **legal hold**. You can enable either, or both at the same time: - **Retention** allows you to apply a retention period, and a retention mode for your objects, to limit the actions that users can perform on them: @@ -31,29 +33,167 @@ Object Lock is supported on `Standard Multi-AZ`, `Standard One Zone`, and `Glaci ## Enable Object Lock on a bucket -You can enable Object Lock at bucket creation, or on an existing bucket. +You can enable object Lock at bucket creation, or on an existing bucket. ### On a new bucket -Use the `--object-lock-enabled-for-bucket` flag when creating the bucket. Replace `my-locked-bucket` with your bucket name. + + + + To enable object lock during bucket creation, refer to the [dedicated how-to page](/object-storage/how-to/create-a-bucket/). + + + + Run the command below to create a new bucket with object lock enabled. Replace `my-locked-bucket` with your bucket name. + + ```bash + aws s3api create-bucket \ + --bucket my-locked-bucket \ + --object-lock-enabled-for-bucket + ``` + + -```bash -aws s3api create-bucket \ - --bucket my-locked-bucket \ - --object-lock-enabled-for-bucket -``` ### On an existing bucket -Use `put-object-lock-configuration` with `"ObjectLockEnabled": "Enabled"`. Replace `my-locked-bucket` with your bucket name. + + + + 1. Click **Object Storage** in the **Storage** section of the side menu. A list of your buckets displays. + 2. Click the name of the bucket for which you want to enable object lock. + 3. Click the **Bucket settings** tab. + 4. In the **Bucket versioning** section, click **Modify** under **Object lock**. + 5. Type **ENABLE** to confirm your action, then click **Confirm** to proceed. + + + + Run the command below to enable object lock on an existing bucket. Replace `my-locked-bucket` with your bucket name. + + ```bash + aws s3api put-object-lock-configuration \ + --bucket my-locked-bucket \ + --object-lock-configuration '{"ObjectLockEnabled": "Enabled"}' + ``` + + No output is returned on success. + + + +## Apply retention to a specific object + +Object-level retention overrides the bucket default for that specific object. + + + + + 1. Click **Object Storage** in the **Storage** section of the side menu. A list of your buckets displays. + 2. Click the name of the desired bucket. A list of the objects it contains appears. + 3. Click next to the desired object, then click **Versioning**. A side-panel displays, containing the different versions of your object. + 4. Click next to the version ID you want to set up object lock for. A configuration pop-up displays. + 5. Tick ** Enable retention mode, then select one of the following: + - **Governance mode** to protect the selected version from being deleted or overwritten. Its duration can be shortened, and users with the appropriate permissions can bypass it. + - **Compliance mode** to protect the selected version from being deleted or overwritten. Its duration cannot be shortened, and no user (including the Organization owner) can bypass it. + 6. Enter a retain-until date in the `MM/DD/YYYY` format, then click **Save changes**. A confirmation pop-up displays. + 7. Make sure you selected the correct retention mode and retain-until date, then click **Confirm** to proceed. + + + + 1. Run the following command to apply **Compliance** retention to an object. Replace `my-locked-bucket`, `my-object`, and the date with your values. + + ```bash + aws s3api put-object-retention \ + --bucket my-locked-bucket \ + --key my-object \ + --retention '{ + "Mode": "COMPLIANCE", + "RetainUntilDate": "2028-01-01T00:00:00Z" + }' + ``` + + To use **Governance** mode instead, replace `COMPLIANCE` with `GOVERNANCE` and adjust the date. + + No output is returned on success. + + 2. Run the following command to check the configuration was properly applied: + + ```bash + aws s3api get-object-retention \ + --bucket my-locked-bucket \ + --key my-object + ``` + + An output similar to the following displays: + + ```json + { + "Retention": { + "Mode": "COMPLIANCE", + "RetainUntilDate": "2028-01-01T00:00:00Z" + } + } + ``` + + + The `RetainUntilDate` must be an absolute timestamp in ISO 8601 format. + + + + + +## Manage legal hold on an object + +Legal hold is independent of retention settings and has no expiration date. It must be explicitly enabled and removed by a user with the necessary permissions. + + + + 1. Click **Object Storage** in the **Storage** section of the side menu. A list of your buckets displays. + 2. Click the name of the desired bucket. A list of the objects it contains appears. + 3. Click next to the desired object, then click **Versioning**. A side-panel displays, containing the different versions of your object. + 4. Click next to the version ID you want to set up object lock for. A configuration pop-up displays. + 5. Enable **legal hold** to protect this version from being overwritten or deleted, until the hold is explicitly removed by a user with the necessary permissions. + 6. Make sure you selected the correct retention mode and retain-until date, then click **Confirm** to proceed. + + + 1. Run the following command to enable a legal hold on an object. Replace `my-locked-bucket` and `my-object` with the appropriate values. + + ```bash + aws s3api put-object-legal-hold \ + --bucket my-locked-bucket \ + --key my-object \ + --legal-hold Status=ON + ``` + + 2. Run the following command to check if the legal hold was properly applied: + + ```bash + aws s3api get-object-legal-hold \ + --bucket my-locked-bucket \ + --key my-object + ``` + + An output similar to the following displays: + + ```json + { + "LegalHold": { + "Status": "ON" + } + } + ``` + + 3. Run the following command to remove the legal hold: + + ```bash + aws s3api put-object-legal-hold \ + --bucket my-locked-bucket \ + --key my-object \ + --legal-hold Status=OFF + ``` + + -```bash -aws s3api put-object-lock-configuration \ - --bucket my-locked-bucket \ - --object-lock-configuration '{"ObjectLockEnabled": "Enabled"}' -``` -No output is returned on success. This enables Object Lock without setting a default retention policy. To add a default retention policy, see the [next section](#set-a-default-retention-policy-on-a-bucket). ## Set a default retention policy on a bucket @@ -115,87 +255,6 @@ A default retention policy applies automatically to every new object added to th Use either `Days` or `Years`, not both. The retention period starts from each object's creation date. -## Apply retention to a specific object - -Object-level retention overrides the bucket default for that specific object. The `RetainUntilDate` must be an absolute timestamp in ISO 8601 format. - -1. Run the following command to apply **Compliance** retention to an object. Replace `my-locked-bucket`, `my-object`, and the date with your values. - - ```bash - aws s3api put-object-retention \ - --bucket my-locked-bucket \ - --key my-object \ - --retention '{ - "Mode": "COMPLIANCE", - "RetainUntilDate": "2028-01-01T00:00:00Z" - }' - ``` - - To use **Governance** mode instead, replace `COMPLIANCE` with `GOVERNANCE` and adjust the date. - - No output is returned on success. - -2. Run the following command to check the configuration was properly applied: - - ```bash - aws s3api get-object-retention \ - --bucket my-locked-bucket \ - --key my-object - ``` - - An output similar to the following displays: - - ```json - { - "Retention": { - "Mode": "COMPLIANCE", - "RetainUntilDate": "2028-01-01T00:00:00Z" - } - } - ``` - - - -## Manage legal hold on an object - -Legal hold is independent of retention settings and has no expiration date. It must be explicitly enabled and removed by a user with the necessary permissions. - -1. Run the following command to enable a legal hold on an object. Replace `my-locked-bucket` and `my-object` with the appropriate values. - - ```bash - aws s3api put-object-legal-hold \ - --bucket my-locked-bucket \ - --key my-object \ - --legal-hold Status=ON - ``` - -2. Run the following command to check if the legal hold was properly applied: - - ```bash - aws s3api get-object-legal-hold \ - --bucket my-locked-bucket \ - --key my-object - ``` - - An output similar to the following displays: - - ```json - { - "LegalHold": { - "Status": "ON" - } - } - ``` - -3. To remove the legal hold: - - ```bash - aws s3api put-object-legal-hold \ - --bucket my-locked-bucket \ - --key my-object \ - --legal-hold Status=OFF - ``` - ## Limitations - **Object Lock cannot be disabled** once enabled on a bucket, and versioning cannot be suspended. From 07bb68a16ec06c606e9698b6390425120090baa3 Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Wed, 20 May 2026 17:27:57 +0200 Subject: [PATCH 15/20] docs(object-storage): update --- .../object-storage/how-to/use-object-lock.mdx | 177 ++++++++---------- 1 file changed, 75 insertions(+), 102 deletions(-) diff --git a/pages/object-storage/how-to/use-object-lock.mdx b/pages/object-storage/how-to/use-object-lock.mdx index 29c8cb51c0..d05e0434a1 100644 --- a/pages/object-storage/how-to/use-object-lock.mdx +++ b/pages/object-storage/how-to/use-object-lock.mdx @@ -1,29 +1,30 @@ --- -title: How to use Object Lock +title: How to use object lock description: Learn how to protect objects in Scaleway Object Storage using object lock, retention modes, and legal hold. tags: object storage object-storage object-lock compliance governance retention legal-hold worm dates: validation: 2026-05-18 posted: 2021-05-27 --- + import Requirements from '@macros/iam/requirements.mdx' -Object lock prevents objects from being deleted or overwritten for a defined period or indefinitely. It uses a **write-once-read-many (WORM)** model, commonly required for regulatory compliance and protection against ransomware or accidental deletion. Object lock can only be used in buckets with versioning enabled. +object lock prevents objects from being deleted or overwritten for a defined period or indefinitely. It uses a **write-once-read-many (WORM)** model, commonly required for regulatory compliance and protection against ransomware or accidental deletion. object lock can only be used in buckets with versioning enabled [1]. ## Overview -Object lock provides two mechanisms to protect your objects: **retention** and **legal hold**. You can enable either, or both at the same time: +object lock provides two mechanisms to protect your objects: **retention** and **legal hold**. You can enable either, or both, at the same time [1]: -- **Retention** allows you to apply a retention period, and a retention mode for your objects, to limit the actions that users can perform on them: +- **Retention** allows you to apply a retention period and a retention mode to your objects, limiting the actions that users can perform on them: - **Compliance mode** prevents users, including owners and users with administrative permissions, from deleting or overwriting objects during the specified retention period. The retention mode cannot be modified, and the retention period cannot be shortened. - - **Governance mode** prevents users without the necessary permissions from deleting or overwriting objects during the specified retention period. Authorized users can modify the retention settings, and delete the targeted objects. + - **Governance mode** prevents users without the necessary permissions from deleting or overwriting objects during the specified retention period. Authorized users can modify the retention settings and delete the targeted objects. -- **Legal hold** is an independent ON/OFF switch that provides the same protection as retention, but has no expiration date. It must be explicitly removed by a user with the appropriate permissions, and is evaluated independently of any retention configuration. +- **Legal hold** is an independent ON/OFF switch that provides the same protection as retention but has no expiration date. It must be explicitly removed by a user with the appropriate permissions and is evaluated independently of any retention configuration. -Object Lock is supported on `Standard Multi-AZ`, `Standard One Zone`, and `Glacier` [storage classes](/object-storage/concepts/#storage-class). +object lock is supported on `Standard Multi-AZ`, `Standard One Zone`, and `Glacier` [storage classes](/object-storage/concepts/#storage-class). - Once Object Lock is enabled on a bucket, it cannot be disabled and versioning cannot be suspended. + Once object lock is enabled on a bucket, it cannot be disabled and versioning cannot be suspended. @@ -31,19 +32,20 @@ Object Lock is supported on `Standard Multi-AZ`, `Standard One Zone`, and `Glaci - [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization - Installed and configured the [AWS CLI](/object-storage/api-cli/object-storage-aws-cli/) -## Enable Object Lock on a bucket +## Enable object lock on a bucket -You can enable object Lock at bucket creation, or on an existing bucket. +You can enable object lock at bucket creation or on an existing bucket. ### On a new bucket - + - + To enable object lock during bucket creation, refer to the [dedicated how-to page](/object-storage/how-to/create-a-bucket/). + Run the command below to create a new bucket with object lock enabled. Replace `my-locked-bucket` with your bucket name. ```bash @@ -51,23 +53,24 @@ You can enable object Lock at bucket creation, or on an existing bucket. --bucket my-locked-bucket \ --object-lock-enabled-for-bucket ``` + - ### On an existing bucket - + 1. Click **Object Storage** in the **Storage** section of the side menu. A list of your buckets displays. 2. Click the name of the bucket for which you want to enable object lock. 3. Click the **Bucket settings** tab. - 4. In the **Bucket versioning** section, click **Modify** under **Object lock**. + 4. In the **Bucket versioning** section, click **Modify** under **Object lock**. 5. Type **ENABLE** to confirm your action, then click **Confirm** to proceed. + Run the command below to enable object lock on an existing bucket. Replace `my-locked-bucket` with your bucket name. ```bash @@ -76,7 +79,8 @@ You can enable object Lock at bucket creation, or on an existing bucket. --object-lock-configuration '{"ObjectLockEnabled": "Enabled"}' ``` - No output is returned on success. + If the command is successful, no output is returned. + @@ -84,21 +88,22 @@ You can enable object Lock at bucket creation, or on an existing bucket. Object-level retention overrides the bucket default for that specific object. - + - + 1. Click **Object Storage** in the **Storage** section of the side menu. A list of your buckets displays. 2. Click the name of the desired bucket. A list of the objects it contains appears. - 3. Click next to the desired object, then click **Versioning**. A side-panel displays, containing the different versions of your object. + 3. Click next to the desired object, then click **Versioning**. A side panel displays the different versions of your object. 4. Click next to the version ID you want to set up object lock for. A configuration pop-up displays. - 5. Tick ** Enable retention mode, then select one of the following: + 5. Tick **Enable retention mode**, then select one of the following: - **Governance mode** to protect the selected version from being deleted or overwritten. Its duration can be shortened, and users with the appropriate permissions can bypass it. - **Compliance mode** to protect the selected version from being deleted or overwritten. Its duration cannot be shortened, and no user (including the Organization owner) can bypass it. 6. Enter a retain-until date in the `MM/DD/YYYY` format, then click **Save changes**. A confirmation pop-up displays. - 7. Make sure you selected the correct retention mode and retain-until date, then click **Confirm** to proceed. + 7. Verify the correct retention mode and retain-until date are selected, then click **Confirm** to proceed. + 1. Run the following command to apply **Compliance** retention to an object. Replace `my-locked-bucket`, `my-object`, and the date with your values. ```bash @@ -111,11 +116,9 @@ Object-level retention overrides the bucket default for that specific object. }' ``` - To use **Governance** mode instead, replace `COMPLIANCE` with `GOVERNANCE` and adjust the date. + To use **Governance** mode instead, replace `COMPLIANCE` with `GOVERNANCE` and adjust the date. If the command is successful, no output is returned. - No output is returned on success. - - 2. Run the following command to check the configuration was properly applied: + 2. Run the following command to verify the configuration was applied correctly: ```bash aws s3api get-object-retention \ @@ -135,7 +138,7 @@ Object-level retention overrides the bucket default for that specific object. ``` - The `RetainUntilDate` must be an absolute timestamp in ISO 8601 format. + The `RetainUntilDate` must be an absolute timestamp in ISO 8601 format. @@ -145,16 +148,19 @@ Object-level retention overrides the bucket default for that specific object. Legal hold is independent of retention settings and has no expiration date. It must be explicitly enabled and removed by a user with the necessary permissions. - + + 1. Click **Object Storage** in the **Storage** section of the side menu. A list of your buckets displays. 2. Click the name of the desired bucket. A list of the objects it contains appears. - 3. Click next to the desired object, then click **Versioning**. A side-panel displays, containing the different versions of your object. + 3. Click next to the desired object, then click **Versioning**. A side panel displays the different versions of your object. 4. Click next to the version ID you want to set up object lock for. A configuration pop-up displays. - 5. Enable **legal hold** to protect this version from being overwritten or deleted, until the hold is explicitly removed by a user with the necessary permissions. - 6. Make sure you selected the correct retention mode and retain-until date, then click **Confirm** to proceed. + 5. Enable **legal hold** to protect this version from being overwritten or deleted until the hold is explicitly removed by a user with the necessary permissions. + 6. Verify the correct settings are selected, then click **Confirm** to proceed. + + 1. Run the following command to enable a legal hold on an object. Replace `my-locked-bucket` and `my-object` with the appropriate values. ```bash @@ -164,7 +170,7 @@ Legal hold is independent of retention settings and has no expiration date. It m --legal-hold Status=ON ``` - 2. Run the following command to check if the legal hold was properly applied: + 2. Run the following command to verify the legal hold was applied: ```bash aws s3api get-object-legal-hold \ @@ -190,11 +196,10 @@ Legal hold is independent of retention settings and has no expiration date. It m --key my-object \ --legal-hold Status=OFF ``` + - - ## Set a default retention policy on a bucket A default retention policy applies automatically to every new object added to the bucket. @@ -215,7 +220,7 @@ A default retention policy applies automatically to every new object added to th }' ``` - To use **Governance** mode with a duration in years instead, replace the `Rule` block: + To use **Governance** mode with a duration in years, replace the `Rule` block: ```json "Rule": { @@ -228,7 +233,7 @@ A default retention policy applies automatically to every new object added to th No output is returned on success. -2. Run the following command to check the configuration was properly applied: +2. Run the following command to verify the configuration was applied correctly: ```bash aws s3api get-object-lock-configuration \ @@ -255,127 +260,95 @@ A default retention policy applies automatically to every new object added to th Use either `Days` or `Years`, not both. The retention period starts from each object's creation date. -## Limitations - -- **Object Lock cannot be disabled** once enabled on a bucket, and versioning cannot be suspended. -- **Compliance mode is irreversible during the retention period.** No user can delete or overwrite a COMPLIANCE-locked object until the retention period expires. The only exception is deleting your Scaleway account. -- **Locked buckets cannot be deleted** via the Scaleway console. All locks must expire and all legal holds must be removed before a bucket can be deleted. -- **Lifecycle expiration rules do not apply** to objects with an active lock or legal hold. Those objects are skipped by the lifecycle engine and will not be deleted automatically. - ## Technical reference -### Bucket lock configuration tokens +### Object lock configuration tokens #### `ObjectLockConfiguration` -**Description** -: Root element of the lock configuration. +**Description:** Root element of the lock configuration. -**Required** -: Yes +**Required:** Yes #### `ObjectLockEnabled` -**Description** -: Enables Object Lock on the bucket. +**Description:** Enables object lock on the bucket. -**Type** -: String — `Enabled` +**Type:** String — `Enabled` -**Required** -: Yes +**Required:** Yes #### `Rule` -**Description** -: Default retention rule applied to every new object placed in the bucket. +**Description:** Default retention rule applied to every new object placed in the bucket. -**Required** -: No +**Required:** No #### `Mode` -**Description** -: Default retention mode for new objects. +**Description:** Default retention mode for new objects. -**Type** -: String — `GOVERNANCE` or `COMPLIANCE` +**Type:** String — `GOVERNANCE` or `COMPLIANCE` -**Required** -: Yes, if `Rule` is set +**Required:** Yes, if `Rule` is set #### `Days` -**Description** -: Default retention duration in days. +**Description:** Default retention duration in days. -**Type** -: Integer +**Type:** Integer -**Required** -: Use `Days` or `Years`, not both +**Required:** Use `Days` or `Years`, not both #### `Years` -**Description** -: Default retention duration in years. +**Description:** Default retention duration in years. -**Type** -: Integer +**Type:** Integer -**Required** -: Use `Days` or `Years`, not both +**Required:** Use `Days` or `Years`, not both ### Object retention tokens #### `Mode` -**Description** -: Retention mode for the object. +**Description:** Retention mode for the object. -**Type** -: String — `GOVERNANCE` or `COMPLIANCE` +**Type:** String — `GOVERNANCE` or `COMPLIANCE` -**Required** -: Yes +**Required:** Yes #### `RetainUntilDate` -**Description** -: Date on which the object retention expires. +**Description:** Date on which the object retention expires. -**Type** -: Timestamp (ISO 8601) +**Type:** Timestamp (ISO 8601) -**Required** -: Yes +**Required:** Yes ### Legal hold tokens #### `Status` -**Description** -: Enables or disables the legal hold on the object. +**Description:** Enables or disables the legal hold on the object. -**Type** -: String — `ON` or `OFF` +**Type:** String — `ON` or `OFF` -**Required** -: Yes +**Required:** Yes ## Examples -### Regulatory compliance bucket (Compliance mode) +### Regulatory compliance bucket (compliance mode) -This example sets up a bucket for strict regulatory retention: all objects are locked in Compliance mode for 7 years and cannot be deleted or overwritten by any user until the period expires. +This example sets up a bucket for strict regulatory retention: all objects are locked in compliance mode for seven years and cannot be deleted or overwritten by any user until the period expires. ```bash -# Enable Object Lock on a new bucket +# Enable object lock on a new bucket aws s3api create-bucket \ --bucket my-compliance-bucket \ --object-lock-enabled-for-bucket -# Set a default 7-year Compliance retention on all new objects +# Set a default seven-year Compliance retention on all new objects aws s3api put-object-lock-configuration \ --bucket my-compliance-bucket \ --object-lock-configuration '{ @@ -389,14 +362,14 @@ aws s3api put-object-lock-configuration \ }' ``` -Objects uploaded to `my-compliance-bucket` are automatically locked in Compliance mode until 7 years after their upload date. No user can shorten the retention period or delete objects before it expires. +Objects uploaded to `my-compliance-bucket` are automatically locked in compliance mode until seven years after their upload date. No user can shorten the retention period or delete objects before it expires. -### Flexible protection bucket (Governance mode + legal hold) +### Flexible protection bucket (governance mode + legal hold) -This example sets up a bucket with a default Governance retention of 90 days, then places an additional legal hold on a specific object under active investigation. +This example sets up a bucket with a default governance retention of 90 days, then places an additional legal hold on a specific object under active investigation. ```bash -# Enable Object Lock on an existing bucket +# Enable object lock on an existing bucket aws s3api put-object-lock-configuration \ --bucket my-governance-bucket \ --object-lock-configuration '{ @@ -416,4 +389,4 @@ aws s3api put-object-legal-hold \ --legal-hold Status=ON ``` -Objects in `my-governance-bucket` are protected for 90 days under Governance mode. Authorized users can override the retention if needed. The object `audit/report-2026-05.pdf` additionally has a legal hold, which blocks deletion regardless of the retention period and must be explicitly removed. +Objects in `my-governance-bucket` are protected for 90 days under governance mode. Authorized users can override the retention if needed. The object `audit/report-2026-05.pdf` additionally has a legal hold, which blocks deletion regardless of the retention period and must be explicitly removed. From 9c6d7e9a87eb74db4f9b8492883ced9b30761ada Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Wed, 20 May 2026 18:00:08 +0200 Subject: [PATCH 16/20] docs(object-storage): update --- pages/object-storage/how-to/use-object-lock.mdx | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/pages/object-storage/how-to/use-object-lock.mdx b/pages/object-storage/how-to/use-object-lock.mdx index d05e0434a1..3c5fabff47 100644 --- a/pages/object-storage/how-to/use-object-lock.mdx +++ b/pages/object-storage/how-to/use-object-lock.mdx @@ -9,11 +9,11 @@ dates: import Requirements from '@macros/iam/requirements.mdx' -object lock prevents objects from being deleted or overwritten for a defined period or indefinitely. It uses a **write-once-read-many (WORM)** model, commonly required for regulatory compliance and protection against ransomware or accidental deletion. object lock can only be used in buckets with versioning enabled [1]. +Object lock prevents objects from being deleted or overwritten for a defined period or indefinitely. It uses a **write-once-read-many (WORM)** model, commonly required for regulatory compliance and protection against ransomware or accidental deletion. Object lock can only be used in buckets with versioning enabled. ## Overview -object lock provides two mechanisms to protect your objects: **retention** and **legal hold**. You can enable either, or both, at the same time [1]: +Object lock provides two mechanisms to protect your objects: **retention** and **legal hold**. You can enable either, or both, at the same time: - **Retention** allows you to apply a retention period and a retention mode to your objects, limiting the actions that users can perform on them: - **Compliance mode** prevents users, including owners and users with administrative permissions, from deleting or overwriting objects during the specified retention period. The retention mode cannot be modified, and the retention period cannot be shortened. @@ -21,7 +21,7 @@ object lock provides two mechanisms to protect your objects: **retention** and * - **Legal hold** is an independent ON/OFF switch that provides the same protection as retention but has no expiration date. It must be explicitly removed by a user with the appropriate permissions and is evaluated independently of any retention configuration. -object lock is supported on `Standard Multi-AZ`, `Standard One Zone`, and `Glacier` [storage classes](/object-storage/concepts/#storage-class). +Object lock is supported on `Standard Multi-AZ`, `Standard One Zone`, and `Glacier` [storage classes](/object-storage/concepts/#storage-class). Once object lock is enabled on a bucket, it cannot be disabled and versioning cannot be suspended. @@ -204,6 +204,10 @@ Legal hold is independent of retention settings and has no expiration date. It m A default retention policy applies automatically to every new object added to the bucket. + +Currently, you can only set a default retention policy using the AWS CLI, or other Amazon S3-compatible tools. + + 1. Run the following command to set a **Compliance** retention of 365 days. Replace `my-locked-bucket` with your bucket name. ```bash From b98b4ffd291073e1a0bfcca4b8fdf0165a0741ed Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Thu, 21 May 2026 10:15:05 +0200 Subject: [PATCH 17/20] docs(object-storage): update --- pages/object-storage/how-to/use-object-lock.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/object-storage/how-to/use-object-lock.mdx b/pages/object-storage/how-to/use-object-lock.mdx index 3c5fabff47..a8d602cb3f 100644 --- a/pages/object-storage/how-to/use-object-lock.mdx +++ b/pages/object-storage/how-to/use-object-lock.mdx @@ -3,7 +3,7 @@ title: How to use object lock description: Learn how to protect objects in Scaleway Object Storage using object lock, retention modes, and legal hold. tags: object storage object-storage object-lock compliance governance retention legal-hold worm dates: - validation: 2026-05-18 + validation: 2026-05-21 posted: 2021-05-27 --- From a7d70d6bb5dfceddd46d3883617c6c7db372e12c Mon Sep 17 00:00:00 2001 From: SamyOubouaziz Date: Thu, 21 May 2026 12:57:24 +0200 Subject: [PATCH 18/20] Apply suggestions from code review Co-authored-by: vanda-scw Co-authored-by: Firdevs Arslan --- pages/object-storage/api-cli/lifecycle-rules-api.mdx | 2 +- pages/object-storage/api-cli/using-api-call-list.mdx | 4 ++-- pages/object-storage/how-to/create-a-bucket.mdx | 4 ++-- pages/object-storage/how-to/use-bucket-versioning.mdx | 4 ++-- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/pages/object-storage/api-cli/lifecycle-rules-api.mdx b/pages/object-storage/api-cli/lifecycle-rules-api.mdx index f997ce0898..d92de4df96 100644 --- a/pages/object-storage/api-cli/lifecycle-rules-api.mdx +++ b/pages/object-storage/api-cli/lifecycle-rules-api.mdx @@ -15,7 +15,7 @@ The Amazon S3 API allows you to automatically manage the lifecycle of your objec - Transition objects and their versions to a colder storage class - Delete your objects and their versions by setting expiration durations - Abort incomplete [multipart uploads](/object-storage/api-cli/multipart-uploads/) - - Expire delete markers without a non-current version automatically. + - Expire delete markers without a non-current version automatically diff --git a/pages/object-storage/api-cli/using-api-call-list.mdx b/pages/object-storage/api-cli/using-api-call-list.mdx index 57216d85e6..e0a52a8ea7 100644 --- a/pages/object-storage/api-cli/using-api-call-list.mdx +++ b/pages/object-storage/api-cli/using-api-call-list.mdx @@ -76,8 +76,8 @@ In this page we index all available Scaleway Object Storage API requests. | [GetObject](/object-storage/api-cli/object-operations/#getobject) | Retrieves an object | supported | | [GetObjectAcl](/object-storage/api-cli/object-operations/#getobjectacl) | Gets the ACL of an object | supported | | [GetObjectLegalHold](/object-storage/how-to/use-object-lock/#get-object-legal-hold) | Gets an object's current [Legal Hold configuration](/object-storage/how-to/use-object-lock/#how-to-manage-object-legal-hold) | supported | -| [GetObjectLockConfiguration](/object-storage/how-to/use-object-lock/#get-object-lock-configuration) | Gets an [object Lock configuration](/object-storage/how-to/use-object-lock/) for a bucket. The specified rule will be applied by default to every new object placed in the bucket | supported | -| [GetObjectRetention](/object-storage/how-to/use-object-lock/#get-object-retention) | Retrieves an object's [retention settings](/object-storage/how-to/use-object-lock/#how-to-configure-object-retention) | supported | +| [GetObjectLockConfiguration](/object-storage/how-to/use-object-lock/#get-object-lock-configuration) | Gets an object's [Lock configuration](/object-storage/how-to/use-object-lock/) for a bucket. The specified rule will be applied by default to every new object placed in the bucket | supported | +| [GetObjectRetention](/object-storage/how-to/use-object-lock/#get-object-retention) | Retrieves an object's [Retention settings](/object-storage/how-to/use-object-lock/#how-to-configure-object-retention) | supported | | [GetObjectTagging](/object-storage/api-cli/object-operations/#getobjecttagging) | Get the tag(s) of an object | supported | | [HeadObject](/object-storage/api-cli/object-operations/#headobject) | Gets object metadata | supported | | [ListMultipart](/object-storage/api-cli/multipart-uploads/#listing-multipart-uploads) | Lists in-progress multipart uploads | supported | diff --git a/pages/object-storage/how-to/create-a-bucket.mdx b/pages/object-storage/how-to/create-a-bucket.mdx index 0ae67f4d38..37db435487 100644 --- a/pages/object-storage/how-to/create-a-bucket.mdx +++ b/pages/object-storage/how-to/create-a-bucket.mdx @@ -33,6 +33,6 @@ To get started with Object Storage, you must first create a bucket. Objects are - Tick **Enable bucket versioning** to store multiple versions of your objects (this may lead to higher storage costs). - Tick **Enable object lock** to prevent objects from being deleted or overwritten for a defined retention period. Object lock requires versioning to be enabled. 8. Select a use case for your bucket. -9. If applicable, you can tick the **Activate 90-day free trial** to benefit from total 750 GB of free [Standard Multi-AZ and Standard One Zone](/object-storage/faq/#what-are-the-object-storage-classes-offered-by-scaleway) storage for buckets in your Organization, across all regions. Refer to our [dedicated FAQ](/object-storage/faq/#how-can-i-benefit-from-the-object-storage-free-trial) for more information. -10. Optionally, you can use the cost estimator to simulate your Object Storage costs and environmental foorprint. +9. If applicable, you can tick the **Activate 90-day free trial** to benefit from a total of 750 GB of free [Standard Multi-AZ and Standard One Zone](/object-storage/faq/#what-are-the-object-storage-classes-offered-by-scaleway) storage for buckets in your Organization, across all regions. Refer to our [dedicated FAQ](/object-storage/faq/#how-can-i-benefit-from-the-object-storage-free-trial) for more information. +10. Optionally, you can use the cost estimator to simulate your Object Storage costs and environmental footprint. 11. Click **Create bucket** to confirm. You are directed to the **Files** tab of your newly created bucket. \ No newline at end of file diff --git a/pages/object-storage/how-to/use-bucket-versioning.mdx b/pages/object-storage/how-to/use-bucket-versioning.mdx index 6bcd0508b7..e3c9860ab5 100644 --- a/pages/object-storage/how-to/use-bucket-versioning.mdx +++ b/pages/object-storage/how-to/use-bucket-versioning.mdx @@ -39,8 +39,8 @@ Buckets with versioning enabled observe the following behavior: | **Versioning never enabled** | Every object uploaded has a single `null` version. | Overwrites permanently replace the previous object, and deletes remove it completely. | | **Versioning enabled from the start** | Every object uploaded receives a unique version ID. | Each subsequent write creates a new version automatically. | | **Versioning disabled initially, then enabled** | Objects uploaded before the switch remain as a `null` version and are not versioned. | New objects are versioned, and overwrites create new versions. | -| **Versioning enabled, then suspended** | Existing versions stay exactly as they are, and are not removed automatically. | New objects do not get a version ID . Overwrites replace the current `null` version, but older versions remain. | -| **Versioning enabled, then bucket deleted** | All versions are deleted together when the bucket is removed. | N/A | +| **Versioning enabled, then suspended** | Existing versions stay exactly as they are, and are not removed automatically. | New objects do not get a version ID. Overwrites replace the current `null` version, but older versions remain in place. | +| **Versioning enabled, then bucket deleted** | All versions are deleted together when the bucket is removed. | N/A | ## How to enable versioning From 43281868f8e492cf180798533b9da6e52dd09aa4 Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Thu, 21 May 2026 12:59:16 +0200 Subject: [PATCH 19/20] docs(object-storage): update --- pages/object-storage/how-to/create-a-bucket.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/object-storage/how-to/create-a-bucket.mdx b/pages/object-storage/how-to/create-a-bucket.mdx index 37db435487..3d3f33c256 100644 --- a/pages/object-storage/how-to/create-a-bucket.mdx +++ b/pages/object-storage/how-to/create-a-bucket.mdx @@ -33,6 +33,6 @@ To get started with Object Storage, you must first create a bucket. Objects are - Tick **Enable bucket versioning** to store multiple versions of your objects (this may lead to higher storage costs). - Tick **Enable object lock** to prevent objects from being deleted or overwritten for a defined retention period. Object lock requires versioning to be enabled. 8. Select a use case for your bucket. -9. If applicable, you can tick the **Activate 90-day free trial** to benefit from a total of 750 GB of free [Standard Multi-AZ and Standard One Zone](/object-storage/faq/#what-are-the-object-storage-classes-offered-by-scaleway) storage for buckets in your Organization, across all regions. Refer to our [dedicated FAQ](/object-storage/faq/#how-can-i-benefit-from-the-object-storage-free-trial) for more information. +9. If applicable, you can **Activate the 90-day free trial** to benefit from a total of 750 GB of free [Standard Multi-AZ and Standard One Zone](/object-storage/faq/#what-are-the-object-storage-classes-offered-by-scaleway) storage for buckets in your Organization, across all regions. Refer to our [dedicated FAQ](/object-storage/faq/#how-can-i-benefit-from-the-object-storage-free-trial) for more information. 10. Optionally, you can use the cost estimator to simulate your Object Storage costs and environmental footprint. 11. Click **Create bucket** to confirm. You are directed to the **Files** tab of your newly created bucket. \ No newline at end of file From deb5e7e267096c56d260e0952f30212fe4de7548 Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Thu, 21 May 2026 13:01:10 +0200 Subject: [PATCH 20/20] docs(object-storage): update --- pages/object-storage/how-to/use-object-lock.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pages/object-storage/how-to/use-object-lock.mdx b/pages/object-storage/how-to/use-object-lock.mdx index a8d602cb3f..cc7318b377 100644 --- a/pages/object-storage/how-to/use-object-lock.mdx +++ b/pages/object-storage/how-to/use-object-lock.mdx @@ -104,7 +104,7 @@ Object-level retention overrides the bucket default for that specific object. - 1. Run the following command to apply **Compliance** retention to an object. Replace `my-locked-bucket`, `my-object`, and the date with your values. + 1. Run the following command to apply the **compliance mode** to an object. Replace `my-locked-bucket`, `my-object`, and the date with your values. ```bash aws s3api put-object-retention \ @@ -208,7 +208,7 @@ A default retention policy applies automatically to every new object added to th Currently, you can only set a default retention policy using the AWS CLI, or other Amazon S3-compatible tools. -1. Run the following command to set a **Compliance** retention of 365 days. Replace `my-locked-bucket` with your bucket name. +1. Run the following command to set a retention period of 365 days in **compliance mode**. Replace `my-locked-bucket` with your bucket name. ```bash aws s3api put-object-lock-configuration \ @@ -352,7 +352,7 @@ aws s3api create-bucket \ --bucket my-compliance-bucket \ --object-lock-enabled-for-bucket -# Set a default seven-year Compliance retention on all new objects +# Set a default seven-year compliance retention on all new objects aws s3api put-object-lock-configuration \ --bucket my-compliance-bucket \ --object-lock-configuration '{