Dell ECS Object Lock protects object versions from accidental or malicious deletion such as a ransomware attack. It provides this protection by allowing object versions to enter a write-once, read-many (WORM) state where access is restricted based on attributes set on the object version.
There are two lock types for Object Lock:
- Retention period—Specifies a fixed period of time during which an object version remains locked. During this period, your object version is WORM-protected and cannot be overwritten or deleted.
- Legal hold—Provides the same protection as a retention period but has no expiration date. Instead, a legal hold remains in place until you explicitly remove it. Legal holds are independent from retention periods.
The retention period has two modes:
- Governance mode—Users cannot overwrite or delete an object version or alter its lock settings unless they have special permissions. With governance mode, you protect objects from being deleted by most users, but you can still grant some users permission to alter the retention settings or delete the object if necessary. You can also use governance mode to test retention-period settings before creating a compliance-mode retention period.
- Compliance mode—A protected object version cannot be overwritten or deleted by any user, including the root user in your account. When an object is locked in compliance mode, its retention mode cannot be changed, and its retention period cannot be shortened. Compliance mode helps ensure that an object version cannot be overwritten or deleted during the retention period.
Object Lock requires the use of versioned buckets. Enabling Object Lock on a bucket automatically enables versioning. Once Object Lock is enabled, it is not possible to disable it or suspend versioning for the bucket. Object locks apply to individual object versions only; different versions of a single object can have different retention modes and periods.
- Be careful when using compliance mode retention because it cannot be decreased or removed.
- Keep in mind that only locked object versions are protected from deletion; it is still possible to delete the objects.
Note:
- Compliance mode is stricter than governance mode; locks cannot be removed, decreased, or downgraded to governance mode.
- Governance mode is less strict; locks can be removed, bypassed, or elevated to compliance mode.
- In ECS 3.8.0.1, Object Lock and ADO can be enabled together in a namespace for new buckets. However, there is a risk of losing locked versions during a TSO. Consult Dell Support before enabling them together.
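The lock rules described above, written as a small Python decision model. This is an added example, not Dell ECS code or its API. The class and function names are hypothetical, and the model assumes, following the page's wording, that any change to an active governance lock needs the special permission.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class VersionLock:                       # hypothetical model of one object version's lock state
    mode: Optional[str] = None           # "GOVERNANCE", "COMPLIANCE" or None
    retain_until: Optional[datetime] = None
    legal_hold: bool = False

def retention_active(lock, now):
    return lock.mode is not None and lock.retain_until is not None and now < lock.retain_until

def can_delete_version(lock, now, bypass_governance=False):
    """May this object version be deleted or overwritten at time `now`?"""
    if lock.legal_hold:                  # independent of retention, never expires
        return False
    if not retention_active(lock, now):  # unlocked, or retention period has ended
        return True
    if lock.mode == "COMPLIANCE":        # no user can bypass, including root
        return False
    return bypass_governance             # governance: only with the special permission

def can_change_retention(lock, now, new_mode, new_until, bypass_governance=False):
    """May retention be replaced by (new_mode, new_until)? new_mode=None removes it."""
    if not retention_active(lock, now):
        return True
    if lock.mode == "COMPLIANCE":        # same mode only, and never shorter
        return (new_mode == "COMPLIANCE" and new_until is not None
                and new_until >= lock.retain_until)
    # Assumption: any change to an active governance lock (remove, shorten,
    # elevate to compliance) needs the special permission.
    return bypass_governance

if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed sample values
    until = now + timedelta(days=30)
    cases = {
        "governance, ordinary user": (VersionLock("GOVERNANCE", until), False),
        "governance, bypass permission": (VersionLock("GOVERNANCE", until), True),
        "compliance, bypass permission": (VersionLock("COMPLIANCE", until), True),
        "legal hold only, bypass permission": (VersionLock(legal_hold=True), True),
    }
    for name, (lock, bypass) in cases.items():
        print(f"{name}: delete allowed = {can_delete_version(lock, now, bypass)}")
```

The model covers individual object versions only, since the locks on this page apply per version.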