Object Lock

Overview
Difficulty
Intermediate
Duration
4h 13m
Students
41
Ratings
5/5
Description

This section of the AWS Certified Solutions Architect - Professional learning path introduces you to the core storage concepts and services relevant to the SAP-C02 exam. We start with an introduction to AWS storage services, look at the options available, and learn how to select and apply AWS storage services to meet specific requirements.


Learning Objectives

  • Obtain an in-depth understanding of Amazon S3 - Simple Storage Service
  • Learn how to improve your security posture in S3
  • Get both a theoretical and practical understanding of EFS
  • Learn how to create an EFS file system, manage EFS security, and import data in EFS
  • Learn about EC2 storage and Elastic Block Store
  • Learn about the different performance factors associated with AWS storage services
Transcript

Hello and welcome to this lecture looking at the Object Lock property, which is considered an ‘advanced’ property of an S3 bucket.

This feature is often used to meet a level of compliance known as WORM, meaning Write Once Read Many. It offers a level of protection for the objects in your bucket and prevents them from being deleted, either for a set period of time that is defined by you or, alternatively, until the end of time! The ability to add retention periods using Object Lock helps S3 comply with regulations such as those of FINRA, the Financial Industry Regulatory Authority.

Setting Object Lock on a bucket can only be achieved at the time the bucket is created. If you attempted to enable it on an existing bucket by clicking on the Object Lock tile in the bucket properties, you would receive an error.

To enable and configure Object Lock during bucket creation, you first need to ensure that Versioning is enabled. Without versioning enabled first, it is NOT possible to enable Object Lock, which is found under the ‘Advanced’ setting of Step 2, ‘Configure Options’, when creating your bucket.

Once you have created your bucket with Object Lock enabled, it is permanently enabled and cannot be disabled.

Although your bucket is now configured for ‘Object Lock’, any object you place into it at this stage is NOT automatically protected. To ensure objects are protected, you need to enable some default options on the bucket first.

When you select the Object Lock tile, which will now say ‘Permanently enabled’, you will be presented with two retention modes. The settings selected here define the default retention of an object when it is added to the bucket, and therefore apply the protection that Object Lock provides.

These retention modes are Governance Mode and Compliance Mode.

Enabling Governance Mode prevents your users from deleting or overwriting any of the versions of your objects in the bucket throughout the duration set by the retention period. However, a user with very specific permissions, including s3:BypassGovernanceMode, s3:GetObjectLockConfiguration and s3:GetObjectRetention, will still be able to delete an object version within the retention period or change any retention settings set on the bucket.

When setting Governance Mode you will be asked to add a retention period in days, which defines how long the object is protected by Object Lock from being deleted. When an object is added to the bucket, a timestamp reflecting the retention period is added to its metadata. When the retention period is over, the object can be deleted again.

Compliance Mode. The key difference between Compliance Mode and Governance Mode is that NO user can override the retention period or delete an object, and that includes your AWS root account, which has the highest privileges. Essentially, any object added to a bucket configured for Compliance Mode will remain for the duration of the retention period.

Again, much like with Governance Mode, you will be asked to enter a retention period as a number of days.

You can also set Object Lock on a per-object basis if you don’t want to set a default retention mode of Governance or Compliance. To do so, select the Object Lock option in the object’s own properties. When doing so, you will see the following screen.

Again, you can set either the Governance or Compliance retention mode for that specific object. The ‘Retain until date’ shows that this object is already bound by a retention mode with a retention period, and as a result it shows the date until which this object is protected. When this date has passed, the object is no longer protected and can be deleted.

The legal hold element only appears for object versions, not at the bucket level. It acts much like a retention period and prevents the object from being deleted; however, legal holds do not have an expiration date. Therefore, the object remains protected until a user with the s3:PutObjectLegalHold permission disables the legal hold on the object. A legal hold can also be placed on an object that is already protected by a retention period. When the retention period expires, the object is still protected by the legal hold, regardless of the fact that the retention period has expired.
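The following is an added example, not code from the course, that models the delete-protection rules the lecture describes for the two retention modes and for legal holds, and builds the boto3 request that sets a bucket's default retention. It runs entirely offline; the response shapes parsed by lock_state_from_responses are those returned by boto3's get_object_retention and get_object_legal_hold, and the IAM action S3 actually checks for a governance bypass is s3:BypassGovernanceRetention (the lecture's s3:BypassGovernanceMode refers to this), sent together with the x-amz-bypass-governance-retention request header. The scenario in example_results, the caller's permission set and the dates are constructed for the example.

```python
"""Added example (not part of the course): an offline model of the S3 Object Lock
rules the lecture describes, plus a builder for the boto3 request that sets a
bucket's default retention. Nothing here calls AWS."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

GOVERNANCE = "GOVERNANCE"
COMPLIANCE = "COMPLIANCE"
# IAM action S3 checks when a caller asks to bypass governance-mode retention.
BYPASS_ACTION = "s3:BypassGovernanceRetention"
LEGAL_HOLD_ACTION = "s3:PutObjectLegalHold"


def default_retention_config(mode: str, days: int) -> dict:
    """Keyword arguments for boto3 s3.put_object_lock_configuration(Bucket=..., **cfg).
    This is the 'default retention' the console sets from the Object Lock tile."""
    if mode not in (GOVERNANCE, COMPLIANCE):
        raise ValueError(f"unknown retention mode {mode!r}")
    if days < 1:
        raise ValueError("retention period must be at least 1 day")
    return {
        "ObjectLockConfiguration": {
            "ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": mode, "Days": days}},
        }
    }


def retain_until(put_time: datetime, days: int) -> datetime:
    """Timestamp S3 records on the object version when default retention applies."""
    return put_time + timedelta(days=days)


@dataclass
class LockState:
    """Protection state of one object version."""
    mode: Optional[str] = None            # GOVERNANCE, COMPLIANCE or None
    retain_until: Optional[datetime] = None
    legal_hold: bool = False


def lock_state_from_responses(retention_resp: dict, legal_hold_resp: dict) -> LockState:
    """Parse the response shapes of s3.get_object_retention / s3.get_object_legal_hold."""
    retention = retention_resp.get("Retention", {})
    hold = legal_hold_resp.get("LegalHold", {})
    return LockState(
        mode=retention.get("Mode"),
        retain_until=retention.get("RetainUntilDate"),
        legal_hold=hold.get("Status") == "ON",
    )


def delete_blocked_reason(state: LockState, now: datetime,
                          caller_actions: frozenset = frozenset(),
                          bypass_requested: bool = False) -> Optional[str]:
    """Return None if the version may be deleted now, else the reason it is blocked.

    caller_actions: IAM actions the caller is allowed (constructed for the example).
    bypass_requested: whether the request carried x-amz-bypass-governance-retention.
    """
    # A legal hold never expires and applies even after the retention period has passed.
    if state.legal_hold:
        return f"legal hold is ON; a principal with {LEGAL_HOLD_ACTION} must lift it first"
    # No retention set, or the retention period has passed: a plain delete is allowed.
    if state.mode is None or state.retain_until is None or now >= state.retain_until:
        return None
    until = state.retain_until.isoformat()
    if state.mode == COMPLIANCE:
        return f"COMPLIANCE retention until {until}; no principal, root included, can override"
    # GOVERNANCE: deletable only with the bypass permission AND an explicit bypass request.
    if BYPASS_ACTION in caller_actions and bypass_requested:
        return None
    return f"GOVERNANCE retention until {until}; needs {BYPASS_ACTION} and an explicit bypass"


def example_results() -> dict:
    """Constructed scenario: an object stored under a 30-day governance default."""
    put = datetime(2024, 1, 1, tzinfo=timezone.utc)
    state = LockState(mode=GOVERNANCE, retain_until=retain_until(put, 30))
    day10, day60 = put + timedelta(days=10), put + timedelta(days=60)
    results = {
        "governance_no_bypass": delete_blocked_reason(state, day10),
        "governance_bypass": delete_blocked_reason(state, day10, frozenset({BYPASS_ACTION}), True),
        "governance_expired": delete_blocked_reason(state, day60),
    }
    state.mode = COMPLIANCE
    results["compliance_bypass"] = delete_blocked_reason(state, day10, frozenset({BYPASS_ACTION}), True)
    state.legal_hold = True
    results["legal_hold_after_expiry"] = delete_blocked_reason(state, day60)
    return results


if __name__ == "__main__":
    print(default_retention_config(GOVERNANCE, 30))
    for name, outcome in example_results().items():
        print(f"{name}: {'delete allowed' if outcome is None else outcome}")
```

The decision order matters: a legal hold is checked before the retention clock, which is why the last scenario stays blocked even though its retention period expired thirty days earlier, and a Compliance Mode object stays blocked even for a caller holding the bypass permission.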


About the Author

Danny has over 20 years of IT experience as a software developer, cloud engineer, and technical trainer. After attending a conference on cloud computing in 2009, he knew he wanted to build his career around what was still a very new, emerging technology at the time — and share this transformational knowledge with others. He has spoken to IT professional audiences at local, regional, and national user groups and conferences. He has delivered in-person classroom and virtual training, interactive webinars, and authored video training courses covering many different technologies, including Amazon Web Services. He currently has six active AWS certifications, including certifications at the Professional and Specialty level.