Object Lock (WORM Protection)
STACKIT Object Storage supports S3 Object Lock, which provides Write Once Read Many (WORM) protection for your objects. Once Object Lock is active on a bucket, objects stored in that bucket can be protected against deletion or overwriting for a defined retention period.
Object Lock is useful for regulatory compliance, legal holds, and any scenario where data immutability is required.
How Object Lock works
Object Lock operates on three levels:
- Level 1: Project. Enable the Object Lock capability for the project (Compliance Lock). This is the prerequisite for level 2.
- Level 2: Bucket. Enable Object Lock on individual buckets (at creation) and configure a default retention policy. This applies to level 3.
- Level 3: Object. Individual objects are WORM-protected (via the S3 API) with a retention period and/or a legal hold.
Level 1: Project-level Compliance Lock
Before you can use Object Lock on any bucket, you must enable the Compliance Lock on the project level via the STACKIT API. This is the prerequisite for all Object Lock functionality within the project.
- Enabled/disabled via POST/DELETE /v1/project/{projectId}/compliance-lock
- The maximum retention period for projects is 365 days.
- The Compliance Lock can only be disabled if no buckets with Object Lock exist in the project.
- A project with an active Compliance Lock cannot be deleted (HTTP 409). You must deactivate the Compliance Lock first.
For details, see Manage the Compliance Lock.
Level 2: Bucket-level Object Lock
Once the Compliance Lock is active, individual buckets can be created with Object Lock enabled.
- Object Lock can only be enabled at bucket creation time, not afterwards
- Object Lock cannot be disabled once enabled on a bucket
- You can configure a default retention policy for the bucket, which automatically applies to every new object uploaded to that bucket
For details, see Create a Bucket with Object Lock and Configure Default Retention.
Level 3: Object-level Retention
Once a bucket has Object Lock enabled, you can manage retention on individual objects using the standard S3-compatible API:
- Retention: Protect an object for a specific time period
- Legal Hold: Prevent deletion regardless of retention period
For details, see Object-level Retention via S3 API.
Retention modes
Object Lock supports two retention modes. The following table describes how each mode affects the retention period of individual objects:
| Mode | Description | Retention can be shortened? | Retention extendable? | Retention removable? |
|---|---|---|---|---|
| COMPLIANCE | Strictest protection. No one can delete or overwrite the object until the retention period expires. | No | Yes | No |
| GOVERNANCE | Objects are protected, but users with special S3 permissions (s3:BypassGovernanceRetention) can modify or delete them before the retention period expires. | With bypass | Yes | With bypass |
Choose COMPLIANCE mode when you need to meet regulatory requirements that mandate immutable storage. Choose GOVERNANCE mode when you need protection against accidental deletion but want to retain the ability to remove objects in exceptional cases.
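The following added example (not STACKIT's or AWS's own code) encodes the retention-mode rules from the table above and the 365-day limit as a pre-flight check, and builds the parameter dicts that boto3's `put_object_lock_configuration`, `put_object_retention` and `put_object_legal_hold` calls accept. boto3 itself is not imported, so the check runs offline; bucket and key names are placeholders.

```python
from datetime import datetime
from typing import Optional, Tuple

MAX_RETENTION_DAYS = 365  # project-level maximum stated in this document
MODES = ("COMPLIANCE", "GOVERNANCE")


def default_retention_config(mode: str, days: int) -> dict:
    """ObjectLockConfiguration for put_object_lock_configuration (bucket default)."""
    if mode not in MODES:
        raise ValueError(f"unknown retention mode {mode!r}")
    if not 1 <= days <= MAX_RETENTION_DAYS:
        raise ValueError(f"retention must be between 1 and {MAX_RETENTION_DAYS} days")
    return {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": mode, "Days": days}}}


def retention_change_allowed(current: Optional[dict], new_until: Optional[datetime],
                             bypass: bool) -> Tuple[bool, str]:
    """Predict whether a retention change will be accepted.

    current is {"Mode": ..., "RetainUntilDate": datetime} as returned by
    get_object_retention, or None if the object has no retention yet.
    new_until is the requested RetainUntilDate, or None to remove retention.
    bypass mirrors BypassGovernanceRetention (needs s3:BypassGovernanceRetention).
    """
    if current is None:
        return True, "object has no retention yet"
    mode, until = current["Mode"], current["RetainUntilDate"]
    if new_until is not None and new_until > until:
        return True, f"{mode}: extending retention is always allowed"
    # Removing or shortening retention is the only restricted operation.
    action = "remove" if new_until is None else "shorten"
    if mode == "COMPLIANCE":
        return False, f"COMPLIANCE: cannot {action} retention before it expires"
    if bypass:
        return True, f"GOVERNANCE: {action} allowed with bypass"
    return False, f"GOVERNANCE: {action} requires BypassGovernanceRetention"


def put_object_retention_params(bucket: str, key: str, mode: str,
                                until: datetime, bypass: bool = False) -> dict:
    """Keyword arguments for boto3's s3.put_object_retention."""
    if mode not in MODES:
        raise ValueError(f"unknown retention mode {mode!r}")
    return {"Bucket": bucket, "Key": key,
            "Retention": {"Mode": mode, "RetainUntilDate": until},
            "BypassGovernanceRetention": bypass}


def legal_hold_params(bucket: str, key: str, on: bool) -> dict:
    """Keyword arguments for boto3's s3.put_object_legal_hold."""
    return {"Bucket": bucket, "Key": key,
            "LegalHold": {"Status": "ON" if on else "OFF"}}
```

Run `retention_change_allowed` against the result of `get_object_retention` before issuing a change so a refused call (or an unintended GOVERNANCE bypass) shows up in your own logs rather than as an opaque S3 error.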
Constraints and limits
| Parameter | Value |
|---|---|
| Maximum retention period | 365 days |
| Object Lock activation | Only at bucket creation time |
| Object Lock deactivation | Not possible once enabled on a bucket |
| Compliance Lock deactivation | Only if no buckets with Object Lock exist in the project |
| Compliance Lock deletion protection | Project cannot be deleted while Compliance Lock is active |