Immutability: Amazon S3 Object Lock
Amazon S3 Object Lock is a feature provided by Amazon Web Services in their Simple Storage Service. It's designed to help you protect your data from being accidentally or intentionally deleted or overwritten. Cloudback supports the S3 Object Lock feature for and allows you to enable it for your backups.
Enhanced Data Protection: With Amazon S3 Object Lock, you can implement retention policies to ensure your GitHub repository backups remain untouched during a specified period. This prevents the accidental or malicious deletion of your backups and offers greater peace of mind.
Compliance with Industry Regulations: For organizations that need to comply with industry-specific regulations such as HIPAA, GDPR, or SEC Rule 17a-4, Amazon S3 Object Lock offers a convenient solution to meet data retention requirements.
Create an AWS S3 bucket with Object Lock enabled:
Sign in to Amazon S3 Console
Enable Object Lock for your bucket:
Configure your Cloudback storage with Object Lock:
Sign in to your Cloudback account and navigate to the repository card
Open repository settings and click the 'New Storage' button to open the New Storage page
Select the Amazon S3 AccessKey storage provider and fill in Step 4 with HTTP headers
Before you can lock any objects, you have to configure a bucket to use S3 Object Lock. To do this, you specify when you create the bucket that you want to enable Object Lock. After you configure a bucket for Object Lock, you can lock objects in that bucket using retention periods, legal holds, or both. You can find more information in the .
Additional HTTP headers are supported for all S3 compatible storage, such as:
Amazon S3 Bucket: Access Point
Amazon S3 Bucket: Access Key
OpenStack Swift Container: S3 API
Wasabi S3 Bucket: Access Key
The New Storage page with additional HTTP headers looks like this:
The headers are specified in the format key:value, separated by new lines. For example:
Below is the list of S3 Object Lock related headers:
x-amz-object-lock-mode
Must be COMPLIANCE (case-sensitive).
If you specify x-amz-object-lock-mode, you must also specify x-amz-object-lock-retain-until-date.
s3:PutObjectRetention permission is required to use this header.
x-amz-object-lock-retain-until-date
Format yyyy-MM-ddThh:mm:ssZ. The retain-until-date value must be in the format 2023-04-23T11:28:00Z. Fractional seconds are allowed, but only 3 decimal digits are preserved (milliseconds precision). Other ISO 8601 formats are not allowed.
The retain-until-date must be in the future.
x-amz-object-lock-legal-hold
Can be ON or OFF (case-sensitive). If legal hold is ON, the object is placed under a legal hold. If legal hold is OFF, no legal hold is placed. Any other value results in a 400 Bad Request (InvalidArgument) error.
s3:PutObjectLegalHold permission is required to use this header.
The required Content-MD5 header is added by Cloudback automatically; there is no need to specify it manually.
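A pre-flight check for the header rules listed above, as an added example (not Cloudback's code): it parses the key:value block and reports violations of the mode, retain-until-date and legal-hold rules before the headers are saved. The function names are hypothetical, x-amz-object-lock-legal-hold is the standard S3 header name, and values are assumed to be literal rather than template expressions.

```python
import re
from datetime import datetime, timezone

# Header names per the list above; function names are hypothetical (this example's own).
MODE = "x-amz-object-lock-mode"
UNTIL = "x-amz-object-lock-retain-until-date"
HOLD = "x-amz-object-lock-legal-hold"
# yyyy-MM-ddThh:mm:ssZ, optional fractional seconds; no other ISO 8601 form.
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z")
# Constructed sample input, one key:value pair per line.
SAMPLE = ("x-amz-object-lock-mode:COMPLIANCE\n"
          "x-amz-object-lock-retain-until-date:2030-01-01T00:00:00Z\n"
          "x-amz-object-lock-legal-hold:ON")


def parse_headers(text):
    """Parse key:value lines, splitting on the first colon (dates contain colons)."""
    headers = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            raise ValueError(f"not in key:value format: {line!r}")
        headers[key.strip().lower()] = value.strip()
    return headers


def check_object_lock(headers, now=None):
    """Return a list of rule violations; empty means the headers pass."""
    now = now or datetime.now(timezone.utc)
    problems = []
    mode, until, hold = headers.get(MODE), headers.get(UNTIL), headers.get(HOLD)
    if mode is not None and mode != "COMPLIANCE":
        problems.append(f"{MODE} must be COMPLIANCE (case-sensitive)")
    if mode is not None and until is None:
        problems.append(f"{MODE} requires {UNTIL}")
    if until is not None:
        try:  # seconds precision is enough for the future check
            parsed = datetime.strptime(until[:19], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            parsed = None
        if parsed is None or not DATE_RE.fullmatch(until):
            problems.append(f"{UNTIL} must look like 2023-04-23T11:28:00Z")
        elif parsed.replace(tzinfo=timezone.utc) <= now:
            problems.append(f"{UNTIL} must be in the future")
    if hold is not None and hold not in ("ON", "OFF"):
        problems.append(f"{HOLD} must be ON or OFF (case-sensitive)")
    return problems
```

Pass a fixed `now` to `check_object_lock` to make the future-date check reproducible in tests.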
In general, S3 Object Lock parameters are specified using HTTP headers for the API call. There is an additional step in the New Storage page where you can provide additional HTTP headers for backups.
can be used.
Cloudback uses liquid templates to dynamically calculate values. The Scriban template engine is in use. It evaluates expressions inside braces {{ }}. You can see how it works in the examples given below. If you need more scripting options, you can consult the Scriban documentation:
For date functions, visit
For a list of built-in functions, check
General documentation can be found