Object Lock: Legal Hold

⚠️ Object Storage is currently in Beta test. For more information see this FAQ: Object Storage » Beta test

To protect your objects from getting deleted by accident, you can use the Object Lock options Legal Hold and Retention. For more information about the differences between both options, see the FAQ entry "What is the difference between versioning and object locking?".

This getting started focuses on legal hold. As mentioned in the list of supported actions, you have to enable object lock during Bucket creation.

The commands depend on the S3-compatible tool you're using. This getting started explains each step with example commands for the MinIO Client and the AWS CLI.

1. Create a new Bucket with object lock enabled

   • MinIO Client

     mc mb <alias_name>/<bucket_name> --with-lock --region fsn1

     
     

   • AWS CLI

     aws s3api create-bucket \
       --bucket <bucket_name> \
       --region fsn1 \
       --object-lock-enabled-for-bucket

     If this command fails, check the content of ~/.aws/config. If it includes the following lines, comment them out with a # symbol and try again:

     #s3 =
     #  addressing_style = virtual

2. Check the object lock status

   • MinIO Client

     mc stat <alias_name>/<bucket_name>

     
     

   • AWS CLI

     aws s3api get-object-lock-configuration --bucket <bucket_name>

3. Activate legal hold

   • MinIO Client

     For all objects within the Bucket:

     mc legalhold set --recursive <alias_name>/<bucket_name>

     For a single object:

     mc legalhold set <alias_name>/<bucket_name>/<object_name>

     
     

   • AWS CLI

     For all objects within the Bucket:

     BUCKET="<bucket_name>"
     for key in $(aws s3api list-objects --bucket "$BUCKET" --query 'Contents[].Key' --output text); do
       aws s3api put-object-legal-hold --legal-hold Status=ON --bucket "$BUCKET" --key "$key"; done

     For a single object:

     aws s3api put-object-legal-hold --bucket <bucket_name> \ 
       --key <object_name> --legal-hold Status=ON

4. Check the legal hold status

   • MinIO Client

     Status of all objects within the Bucket:

     BUCKET="<alias_name>/<bucket_name>"
     for key in $(mc ls "$BUCKET" \
       | awk '{print $NF}'); do mc legalhold info \
       --json "$BUCKET"/"$key"; done

     Status of a single object:

     mc legalhold info --json <alias_name>/<bucket_name>/<object_name>

     
     

   • AWS CLI

     Status of all objects within the Bucket:

     BUCKET="<bucket_name>"
     for key in $(aws s3api list-objects --bucket "$BUCKET" --query 'Contents[].Key' --output text); do
       echo "Object: $key";
       aws s3api get-object-legal-hold --bucket "$BUCKET" --key "$key"; done

     Status of a single object:

     aws s3api get-object-legal-hold --bucket <bucket_name> --key <object_name>

5. Disable legal hold

   • MinIO Client

     For all objects within the Bucket:

     mc legalhold clear --recursive <alias_name>/<bucket_name>

     For a single object:

     mc legalhold clear <alias_name>/<bucket>/<object_name>

     
     

   • AWS CLI

     For all objects within the Bucket:

     BUCKET="<bucket_name>"
     for key in $(aws s3api list-objects --bucket "$BUCKET" --query 'Contents[].Key' --output text); do
       aws s3api put-object-legal-hold --bucket "$BUCKET" --key "$key" --legal-hold Status=OFF; done

     For a single object:

     aws s3api put-object-legal-hold --bucket <bucket_name> \
       --key <object_name> --legal-hold Status=OFF

Your objects should now be save from getting deleted by accident.

Next:

• Object Lock: Retention

• Versioning