Overview
COS offers the Object Lock feature to help you lock your objects so that they cannot be overwritten or deleted during the retention period.
The Object Lock feature is currently at the object level, allowing users to set retention periods for individual or multiple objects. Users can also enable the Object Lock configuration for a bucket to apply default object locking to newly uploaded objects.
Note:
Once an object is locked, unlocking or shortening the retention period is not supported; only extending the retention period is allowed.
Note:
With this feature, COS can meet stringent requirements (including SEC Rule 17a-4 (f), FINRA 4511, and CFTC 1.31) on retaining electronic records.
SEC Rule 17a-4 is a regulation issued by the U.S. Securities and Exchange Commission under the U.S. Securities Exchange Act of 1934. The rule outlines requirements for data retention, indexing, and accessibility for companies that deal in the trade or brokering of financial securities such as stocks, bonds, and futures. According to the rule, records of numerous types of transactions must be retained in a form that cannot be rewritten or erased, with immediate access for a period of two years and non-immediate access for at least six years.
Enabling Object Lock for a Bucket
Before locking objects, the bucket must first enable the WORM feature. Note that enabling the Object Lock feature only marks the bucket as "Object Lock enabled" and does not automatically lock all objects within the bucket. After enabling the WORM feature for the bucket, users can choose to lock specific objects or keep them unlocked.
Once the Object Lock configuration for a bucket is enabled, it cannot be disabled. Buckets with Object Lock enabled are subject to the following restrictions:
Enabling version control is not supported. If a bucket has version control enabled, the Object Lock configuration cannot be activated.
Bucket replication is not supported because it requires versioning to be enabled.
Enabling Intelligent Tiering configuration is not supported. If a bucket has Intelligent Tiering enabled, Object Lock configuration cannot be enabled.
Append uploads are not supported.
How to Use
You can enable the Object Lock configuration for a bucket using the API method.
Using the REST API
Setting Retention Period for Objects
Retention Period
After enabling the Object Lock feature for a bucket, users can configure a retention period for objects within the bucket. COS stores a timestamp in the object's metadata to indicate the lock's expiration date (RetainUntilDate). Before the retention period expires:
The object cannot be deleted or modified.
The storage class of an object cannot be changed.
HTTP headers and user metadata (including Content-Type, Content-Encoding, Content-Language, Content-Disposition, Cache-Control, Expires, and x-cos-meta-) cannot be modified.
Users can configure a retention period for a specific object. When uploading an object, the retention period can be set using the x-cos-object-lock-retain-until-date header. After the object is uploaded, the retention period can be configured using the PUT Object Retention API.
Users can also set a default bucket configuration to automatically apply retention periods when objects are uploaded. For more information, see Bucket Default Configuration.
How to Use
You can set the retention period for objects using the API.
Using the REST API
Set retention period for objects during upload
Call the upload interface (PutObject, InitiateMultipartUploads, PostObject) and pass in the object lock-related headers or form fields. For more information, please refer to the following API documentation:
To set a retention period for an object after uploading, please refer to PUT Object Retention.
To view an object's retention period, please refer to GET Object Retention.
Set the default retention period for a bucket
COS supports adding a default object lock retention period for buckets, measured in days. When a user uploads an object without an object lock header, the object will be locked automatically based on the bucket's configured retention period. However, if the user uploads an object with an object lock header, the bucket configuration will be ignored, and the retention period will be set according to the header.
Note:
The default retention period for a bucket can be shortened, extended, or disabled.
Configuring the default retention days for a bucket will only affect subsequently added objects and will not impact the locking status of existing objects.
The following example illustrates the impact of the default bucket configuration on object retention periods.
Object Upload Time | Default Bucket Configuration | Headers during object upload | Object Lock Expiration Time |
2023-01-01T18:30:00Z | 7 days | x-cos-object-lock-retain-until-date: 2023-01-02T18:30:00Z | 2023-01-02T18:30:00Z |
2023-01-01T18:30:00Z | 7 days | x-cos-object-lock-retain-until-date: 2023-01-20T18:30:00Z | 2023-01-20T18:30:00Z |
2023-01-01T18:30:00Z | 7 days | Not carried | 2023-01-08T18:30:00Z |
2023-01-01T18:30:00Z | Not configured | x-cos-object-lock-retain-until-date: 2023-01-02T18:30:00Z | 2023-01-02T18:30:00Z |
2023-01-01T18:30:00Z | Not configured | x-cos-object-lock-retain-until-date: 2023-01-20T18:30:00Z | 2023-01-20T18:30:00Z |
2023-01-01T18:30:00Z | Not configured | Not carried | Not locked |
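Added example (not from the COS documentation or SDK): a Python model of the precedence rules in the table above, used to flag uploads whose header sets a lock shorter than a required minimum, or that end up unlocked. The function names, the required_days policy value and the sample rows are assumptions constructed from the table; no COS API is called.

```python
from datetime import datetime, timedelta, timezone

HEADER = "x-cos-object-lock-retain-until-date"  # header name from this page

def parse_ts(value):
    """Parse the UTC timestamp format used in the table above."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def effective_retain_until(uploaded, default_days, headers):
    """Lock expiration for a new upload, or None when the object is not locked."""
    explicit = {k.lower(): v for k, v in headers.items()}.get(HEADER)
    if explicit is not None:
        return parse_ts(explicit)  # header present: bucket default is ignored
    if default_days is not None:
        return uploaded + timedelta(days=default_days)
    return None

def retention_change_allowed(current, requested):
    """A locked object's date can only move later (equal dates rejected: assumption)."""
    return requested > current

def audit(uploads, required_days):
    """Return (name, reason) for uploads that miss the required minimum retention."""
    findings = []
    for name, uploaded_str, default_days, headers in uploads:
        uploaded = parse_ts(uploaded_str)
        until = effective_retain_until(uploaded, default_days, headers)
        if until is None:
            findings.append((name, "not locked"))
        elif until < uploaded + timedelta(days=required_days):
            findings.append((name, "lock shorter than required"))
    return findings

# Constructed sample: the six rows of the table above (None = "Not configured").
T0 = "2023-01-01T18:30:00Z"
SAMPLE_UPLOADS = [
    ("row1", T0, 7, {HEADER: "2023-01-02T18:30:00Z"}),
    ("row2", T0, 7, {HEADER: "2023-01-20T18:30:00Z"}),
    ("row3", T0, 7, {}),
    ("row4", T0, None, {HEADER: "2023-01-02T18:30:00Z"}),
    ("row5", T0, None, {HEADER: "2023-01-20T18:30:00Z"}),
    ("row6", T0, None, {}),
]

if __name__ == "__main__":
    # required_days=7 is a hypothetical policy minimum, not a COS setting.
    for name, reason in audit(SAMPLE_UPLOADS, required_days=7):
        print(f"{name}: {reason}")
```

Rows 1 and 4 show that an upload header can set a lock shorter than the bucket default, so a bucket default alone does not guarantee a minimum retention period.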
How to Use
You can set the default Object Lock configuration for a bucket using the API.
REST API
You can directly call the following APIs to manage Object Lock:
Description
1. Object Lock is currently available only to customers in the allowlist. To use this feature, contact us.
2. Versioning is not supported for Object Lock-enabled buckets. If versioning is enabled or suspended in a bucket, Object Lock cannot be enabled for it.
3. Cross-bucket replication is not supported for Object Lock-enabled buckets, because a cross-bucket replication rule requires versioning to be enabled on both the source and destination buckets, which is not supported for Object Lock-enabled buckets.
4. INTELLIGENT TIERING is not supported for Object Lock-enabled buckets, and Object Lock cannot be enabled in a bucket that has INTELLIGENT TIERING enabled.
5. The relationship between Object Lock and lifecycle rules: When an object is within its retention period, the transition and deletion actions in the lifecycle configuration are not effective. Once the object exceeds its retention period, the transition and deletion actions in the lifecycle configuration can function normally.
Lifecycle Rule | Object Lock Retention Period | Lifecycle Execution Result |
Transition objects after 20 days | 30-day retention period | On the 20th day after upload, the object does not transition; on the 31st day after upload, the object transitions. |
Delete objects after 20 days | 30-day retention period | On the 20th day after upload, the object is not deleted; on the 31st day after upload, the object is deleted. |
Transition objects after 20 days | 10-day retention period | After 20 days, the object transitions normally. |
Delete objects after 20 days | 10-day retention period | The object is deleted normally 20 days after upload. |
6. If Object Lock is enabled, incomplete multipart uploads are not subject to the Object Lock rule and can be purged from the bucket.
7. The Object Lock feature cannot be disabled once enabled.
8. If Object Lock is enabled, ACLs of the bucket and objects can still be modified.