Immutability: Amazon S3 Object Lock

Protect GitHub backups from deletion with Amazon S3 Object Lock, ensuring compliance with data retention regulations and enhancing security.

Amazon S3 Object Lock is a feature provided by Amazon Web Services in their Simple Storage Service. It's designed to help you protect your data from being accidentally or intentionally deleted or overwritten. Cloudback supports S3 Object Lock feature for customer-managed storages and allows you to enable it for your backups.

Key Benefits of Amazon S3 Object Lock Support

Enhanced Data Protection: With Amazon S3 Object Lock, you can implement retention policies to ensure your GitHub repository backups remain untouched during a specified period. This prevents the accidental or malicious deletion of your backups and offers greater peace of mind.
Compliance with Industry Regulations: For organizations that need to comply with industry-specific regulations such as HIPAA, GDPR, or SEC Rule 17a-4, Amazon S3 Object Lock offers a convenient solution to meet data retention requirements.

Get Started with Amazon S3 Object Lock

Create a AWS S3 bucket with Object Lock enabled:
1. Sign in to Amazon S3 Console
2. Enable Object Lock for your bucket: Bucket configuration
Configure your Cloudback's storage with Object Lock:
1. Sign in to your Cloudback account and navigate to the repository details page
2. Open repository settings and click the 'New Storage' button to open the New Storage page
3. Select Amazon S3 AccessKey storage provider and fill in Step 4 with HTTP headers

S3 Bucket Configuration in AWS Console

Before you can lock any objects, you have to configure a bucket to use S3 Object Lock. To do this, you specify when you create the bucket that you want to enable Object Lock. After you configure a bucket for Object Lock, you can lock objects in that bucket using retention periods, legal holds, or both. You can find more information in the official documentation.

Storage Configuration in Cloudback Dashboard

New Storage page

In general, S3 object Lock parameters are specified using HTTP headers for the PutObject API call. There is an additional step in the New Storage page where you can provide additional HTTP headers for backups.

Additional HTTP headers are supported for all S3 compatible storage, such as:

Amazon S3 Bucket: Access Point
Amazon S3 Bucket: Access Key
OpenStack Swift Container: S3 API
Wasabi S3 Bucket: Access Key

The New Storage page with additional HTTP headers looks like this:

HTTP headers for S3 Object Lock

The headers are specified in the format key:value divided by a new line. For example:

x-amz-object-lock-mode: COMPLIANCE
x-amz-object-lock-retain-until-date: 2025-01-01T00:00:00Z

Below is the list of S3 Object Lock related headers:

x-amz-object-lock-mode

Must be COMPLIANCE (case-sensitive).
If you specify x-amz-object-lock-mode, you must also specify x-amz-object-lock-retain-until-date.
s3:PutObjectRetention permission is required to use this header.

x-amz-object-lock-retain-until-date

Format yyyy-MM-ddThh:mm:ssZ. The retain-until-date value must be in the format 2023-04-23T11:28:00Z. Fractional seconds are allowed, but only 3 decimal digits are preserved (milliseconds precision). Other ISO 8601 formats are not allowed.
The retain-until-date must be in the future.
Dynamic values for retain-until-date can be used.

x-amz-object-lock-legal-hold

Can be ON or OFF (case-sensitive). If legal hold is ON, the object is placed under a legal hold. If legal hold is OFF, no legal hold is placed. Any other value results in a 400 Bad Request (InvalidArgument) error.
s3:PutObjectLegalHold permission is required to use this header.

Content-MD5

The required Content-MD5 header is added by Cloudback automatically, no need to specify it manually.

Dynamic values for headers

Cloudback uses liquid templates to dynamically calculate values. The scriban template engine is in use. It evaluates expressions inside braces {{ }}. You can see how it works in the examples given below. If you need more scripting options, you can consult the scriban documentation:

For date functions, visit here
For a list of built-in functions, check this link
General documentation can be found here

Examples of HTTP headers

Retain the object for 1 month from the current date:

x-amz-object-lock-mode:COMPLIANCE
x-amz-object-lock-retain-until-date:{{ date.now | date.add_months 1 }}

Retain the object for 1 year from the current date:

x-amz-object-lock-mode:COMPLIANCE
x-amz-object-lock-retain-until-date:{{ date.now | date.add_years 1 }}

Learn more

Customer Managed Storages
External Article: Using S3 Object Lock
External Article: Managing S3 Object Lock

PreviousAccess Review: Vanta Integration NextEncryption: Password-Protected Archives

Last updated 1 month ago

Was this helpful?

hashtagKey Benefits of Amazon S3 Object Lock Support

hashtagGet Started with Amazon S3 Object Lock

hashtagS3 Bucket Configuration in AWS Console

hashtagStorage Configuration in Cloudback Dashboard

hashtagNew Storage page

hashtagHTTP headers for S3 Object Lock

hashtagx-amz-object-lock-mode

hashtagx-amz-object-lock-retain-until-date

hashtagx-amz-object-lock-legal-hold

hashtagContent-MD5

hashtagDynamic values for headers

hashtagExamples of HTTP headers

hashtagRetain the object for 1 month from the current date:

hashtagRetain the object for 1 year from the current date:

hashtagLearn more