Hedvig Object Lock Support

Hedvig supports the S3 Object Lock feature of AWS S3. The Object Lock feature protects objects from being overwritten or deleted for a specified period − or indefinitely.

This feature can be used to store objects in WORM (write once read many) mode or to prevent object deletion to meet certain requirements, as well as to provide protection against ransomware.

Object Lock is an object-level configuration with two configuration types: Retention and Legal Hold. With Retention, you must specify two parameters: RententionPeriod and RetentionMode. Legal Hold is a flag that you can switch ON or OFF for an object.


  • RetentionMode has two possible values: GOVERNANCE and COMPLIANCE. In GOVERNANCE mode, you cannot delete or overwrite an object or modify the object lock configuration within a specified amount of time, unless you have s3:BypassGovernanceRetention permission. In COMPLIANCE mode, no one can delete/overwrite or change the lock setting for the object, including the owner. And when an object is locked in COMPLIANCE mode, retention can only be extended, not shortened.

  • RetentionPeriod specifies the length of time for which the retention lock setting will protect this object from being deleted or overwritten. It is specified in setting the lock with the RetainUntilDate parameter, which is a timestamp stored with the retention mode as part of the metadata for a particular object.

Object retention lock settings can be set individually for each object when the object is created (normal object upload, copy object, or create multipart upload).

Legal Hold is another way to protect an object. It is also per object level, and there are two possible values: ON or OFF. When the Legal Hold status is set to be ON for an object, even if the object does not have Retention type lock settings, or the setting simply expired, it will keep protecting the object from overwriting and deletion. There is no expiration time to specify with Legal Hold status; it will remain effective forever until someone sets it to OFF status. Users with s3:PutObjectLegalHold permission can modify legal hold status of an object.

These two configurations do not conflict with each other. You can put both configurations on a single object, and if any of them becomes ineffective, but the other is still in effect, the latter will keep protecting the object.

Bucket level Object Lock Configuration

To avoid having to specify lock settings on an object one-by-one, you can set a bucket-level lock configuration to automatically apply a specified locking rule to all objects uploaded into the bucket onward.

This setting is only for specifying the Retention-type lock feature, where a RetentionMode can be chosen, and RetainUntilDate is specified through setting how many Days or Years from the object creation time.

Only the bucket owner and users with s3:GetBucketObjectLockConfiguration permission can set or modify a bucket's Object Lock Configuration.

JSON structure

{ "ObjectLockEnabled": "Enabled", "Rule": { "DefaultRetention": { "Mode": "GOVERNANCE"|"COMPLIANCE", "Days": integer, "Years": integer } }



Hedvig S3 differs from AWS S3 in Object Lock Bucket Configuration in this way: With AWS S3, before you can apply a lock to any object, you must enable the feature at the time of a new bucket creation, and it will automatically become a Versioning-enabled bucket.

With Hedvig S3, there is no such restriction, and you can set the Lock Configuration anytime on any bucket, whether it is newly created or existing, or whether it is Unversioned or Versioning Enabled or Versioning Suspended. You do not need a bucket lock configuration to start applying lock settings on an individual object.