Amazon S3 Object Lock
Amazon S3 Object Lock is a feature provided by Amazon Web Services in their Simple Storage Service. It’s designed to help you protect your data from being accidentally or intentionally deleted or overwritten. Cloudback supports the S3 Object Lock feature for customer-managed storage and allows you to enable it for your backups.
Key Benefits of Amazon S3 Object Lock Support
Enhanced Data Protection: With Amazon S3 Object Lock, you can implement retention policies to ensure your GitHub repository backups remain untouched during a specified period. This prevents the accidental or malicious deletion of your backups and offers greater peace of mind.
Compliance with Industry Regulations: For organizations that need to comply with industry-specific regulations such as HIPAA, GDPR, or SEC Rule 17a-4, Amazon S3 Object Lock offers a convenient solution to meet data retention requirements.
Get Started with Amazon S3 Object Lock
Create an AWS S3 bucket with Object Lock enabled:
Sign in to the Amazon S3 Console
Enable Object Lock for your bucket: Bucket configuration
Configure your Cloudback storage with Object Lock:
Sign in to your Cloudback account and navigate to the repository card
Open repository settings and click the ‘New Storage’ button to open the Storage Wizard
Select the Amazon S3 Bucket storage provider and fill in Step 5 with HTTP headers
S3 Bucket Configuration in AWS Console
Before you can lock any objects, you have to configure a bucket to use S3 Object Lock. To do this, you specify when you create the bucket that you want to enable Object Lock. After you configure a bucket for Object Lock, you can lock objects in that bucket using retention periods, legal holds, or both. You can find more information in the official documentation.
Storage Configuration in Cloudback Dashboard
Storage wizard
In general, S3 Object Lock parameters are specified using HTTP headers for the PutObject API call. There is an additional step in the Storage Wizard where you can provide additional HTTP headers for backups.
Additional HTTP headers are supported for all S3 compatible storages:
Amazon S3 Bucket: Access Point
Amazon S3 Bucket: Access Key
OpenStack Swift Container: S3 API
Wasabi S3 Bucket: Access Key
[Screenshot: example Storage Wizard]
HTTP headers for S3 Object Lock
The headers are specified in the format key:value, one header per line. For example:
Below is the list of S3 Object Lock related headers:
x-amz-object-lock-mode
Must be COMPLIANCE (case sensitive). If you specify x-amz-object-lock-mode, you must also specify x-amz-object-lock-retain-until-date. s3:PutObjectRetention permission is required to use this header.
x-amz-object-lock-retain-until-date
Format yyyy-MM-ddThh:mm:ssZ. The retain-until-date value must be in the format 2023-04-23T11:28:00Z. Fractional seconds are allowed, but only 3 decimal digits are preserved (milliseconds precision). Other ISO 8601 formats are not allowed. The retain-until-date must be in the future. Dynamic values for retain-until-date can be used.
x-amz-object-lock-legal-hold
Can be ON or OFF (case-sensitive). If legal hold is ON, the object is placed under a legal hold. If legal hold is OFF, no legal hold is placed. Any other value results in a 400 Bad Request (InvalidArgument) error. s3:PutObjectLegalHold permission is required to use this header.
Content-MD5
The required Content-MD5 header is added by Cloudback automatically; there is no need to specify it manually.
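A pre-flight check for a header block before it is pasted into the Storage Wizard, mirroring the rules listed above. This is an added example, not Cloudback's code: the function names and the sample values are assumptions, and it checks only what this page states.

```python
import re
from datetime import datetime, timezone

# Shape the page requires: yyyy-MM-ddThh:mm:ssZ, fractional seconds allowed.
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z")

def parse_headers(block):
    """Parse key:value lines; split on the first colon only (dates contain colons)."""
    headers = {}
    for line in filter(str.strip, block.splitlines()):  # skip blank lines
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            raise ValueError(f"not in key:value form: {line!r}")
        headers[key.strip().lower()] = value.strip()
    return headers

def check_object_lock(block, now=None):
    """Return a list of problems; an empty list means the block passes."""
    now = now or datetime.now(timezone.utc)
    h = parse_headers(block)
    mode = h.get("x-amz-object-lock-mode")
    until = h.get("x-amz-object-lock-retain-until-date")
    hold = h.get("x-amz-object-lock-legal-hold")
    problems = []
    if mode is not None and mode != "COMPLIANCE":
        problems.append("mode must be exactly COMPLIANCE")
    if mode is not None and until is None:
        problems.append("mode requires retain-until-date")
    if hold is not None and hold not in ("ON", "OFF"):
        problems.append("legal-hold must be exactly ON or OFF")
    # A {{ }} template is rendered by Cloudback later, so it is not checked here.
    if until is not None and "{{" not in until:
        try:
            if not DATE_RE.fullmatch(until):
                raise ValueError(until)
            when = datetime.strptime(until[:19], "%Y-%m-%dT%H:%M:%S")
            if when.replace(tzinfo=timezone.utc) <= now:
                problems.append("retain-until-date must be in the future")
        except ValueError:  # wrong shape or an impossible calendar date
            problems.append("retain-until-date must look like 2023-04-23T11:28:00Z")
    return problems

# Constructed sample input, not taken from the page.
SAMPLE = """x-amz-object-lock-mode:COMPLIANCE
x-amz-object-lock-retain-until-date:2999-01-01T00:00:00Z
x-amz-object-lock-legal-hold:ON"""

if __name__ == "__main__":
    print(check_object_lock(SAMPLE) or "header block passes")
```

Pass a fixed `now` to make the future-date check reproducible in tests.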
Dynamic values for headers
Cloudback uses liquid templates to dynamically calculate values. The Scriban template engine is in use. It evaluates expressions inside braces {{ }}. You can see how it works in the examples given below. If you need more scripting options, you can consult the Scriban documentation:
For date functions, visit here
For a list of built-in functions, check this link
General documentation can be found here
Examples of HTTP headers
Retain the object for 1 month from the current date:
Retain the object for 1 year from the current date:
Learn more
External Article: Using S3 Object Lock
External Article: Managing S3 Object Lock