Help Center/ Object Storage Service/ User Guide/ Data Security/ Configuring WORM to Protect Objects from Being Overwritten or Deleted
Updated on 2024-11-05 GMT+08:00
View PDF
Share

Configuring WORM to Protect Objects from Being Overwritten or Deleted

You can determine whether to enable WORM when creating a bucket. For details, see Creating a Bucket. When creating a bucket, if you enable WORM, you can continue to configure WORM after the bucket is created; if you do not enable it, you are not allowed to enable or configure it for that bucket later.

The following describes how to configure WORM retention after you create a bucket with WORM enabled.

OBS provides write-once-read-many (WORM) to protect objects from being deleted or tampered with within a specified period. WORM works at both the bucket and object levels in compliance mode.

Scenarios

In compliance mode, a WORM-protected object version cannot be overwritten or deleted by anyone, including the root user in your account.

When WORM is configured for a bucket, the protection applies to all objects in the bucket. When WORM is configured for an object version, the protection applies to the current object version only. No matter which type of WORM protection you want to use, you must enable WORM for the bucket first. A bucket-level WORM retention policy takes effect only for objects uploaded after the policy was configured. If an object is protected by a bucket-level WORM policy and an object-level WORM policy at the same time, the object-level WORM policy takes precedence.

Precautions

  • When you enable WORM for a bucket, OBS automatically enables versioning and versioning cannot be suspended later for that bucket. WORM protects objects based on the object version IDs. Only object versions with any WORM retention policy configured can be protected. Assume that object test.txt 001 is protected by WORM. If another file with the same name is uploaded, a new object version test.txt 002 with no WORM policy configured will be generated. In such case, test.txt 002 is not protected and can be deleted. When you download an object without specifying a version ID, the current object version (test.txt 002) will be downloaded.
  • A lifecycle rule cannot delete WORM-protected objects, but can transition their storage class. After an object is no longer protected, it will be deleted when meeting the expiration rule in a lifecycle configuration.
  • If you do not enable WORM when creating a bucket, you cannot enable or configure it for that bucket later. If you cannot configure WORM for a bucket, it may be because you did not enable WORM when you created the bucket or your bucket was created before this feature was released. In such case, to use WORM, you need to create a new bucket and enable WORM for it.
  • Once you enable WORM for a bucket, you cannot disable it or suspend versioning for the bucket, but you can disable the default WORM policy for the bucket.
  • Buckets with WORM enabled do not support cross-region replication.
  • If you have deregistered your account or your account has been frozen, the WORM-protected objects will be permanently deleted.
  • WORM-based protection is not available for migration.
  • The metadata of a WORM-protected object can still be modified.

Prerequisites

You have enabled WORM for the bucket when you create it.

Configuring WORM for a Bucket

You can use OBS Console or APIs to configure WORM for a bucket.

Using OBS Console

  1. In the navigation pane of OBS Console, choose Object Storage.
  2. In the bucket list, click the bucket you want to operate. The Objects page is displayed.
  3. In the navigation pane, choose Overview.
  4. In the Basic Configurations area, click WORM Retention. The Configure WORM Retention dialog box is displayed.
  5. Choose Configure and specify a default retention period. The default retention mode is Compliance.

    • Only the compliance retention mode is currently supported. In this mode, no users can delete protected object versions or change their retention mode during the specified retention period.
    • During the specified default retention period, OBS prevents WORM-protected object versions from being deleted. You can configure a retention period in either days (from 1 to 36500) or years (from 1 to 100). The upper limit is 100 years.
    • When you upload an object to a WORM-protected bucket, the object inherits the WORM retention from the bucket by default. You can also configure a different WORM retention for the object under advanced settings. If both a bucket-level and object-level WORM retention policy are applied to an object, the object-level retention policy will be used.
    Figure 1 Configuring a WORM retention policy

  6. Click OK.

Using the API

Creating a Bucket

Configuring a Default WORM Policy for a Bucket

Obtaining the Default WORM Policy of a Bucket

Configuring WORM Retention for an Object

Querying Object Metadata that helps obtain the object-level WORM retention configuration

Skipping the WORM Retention Configuration

  1. In the navigation pane of OBS Console, choose Object Storage.
  2. In the bucket list, click the bucket you want to operate. The Objects page is displayed.
  3. In the navigation pane, choose Overview.
  4. In the Basic Configurations area, click WORM Retention. The Configure WORM Retention dialog box is displayed.
  5. Select Skip and click OK.

    Figure 2 Skipping the WORM retention configuration

Extending the Retention Period

After WORM is configured for an object, you can go to the object details page and extend the retention period of an object version on the Versions page. Before the specified date, OBS prevents protected object versions from being deleted.

  1. In the navigation pane of OBS Console, choose Object Storage.
  2. In the bucket list, click the bucket you want to operate. The Objects page is displayed.
  3. In the object list, click the object you want to go to the object details page.
  4. On the Versions tab page, view all versions of the object.
  5. Locate the object version for which you want to extend the retention period, choose More > Extend Retention Period, and select a date.

    Figure 3 Extending the retention period

    A retention period can only be extended, but not shortened.

    Assume that an object version was configured to be protected until March 30, 2023. If you want to extend the retention period on March 1, 2023, you can extend it to March 31, 2023 or a later date. If you extend the retention period on April 1, 2023, you can extend it to the current day (April 1, 2023) or a later date. If the current day is used, the object version will no longer be protected by WORM after 24:00 on that day.

Manually and Permanently Deleting Objects from a WORM-Enabled Bucket

In a WORM-enabled bucket, if an object has no retention policy configured or its retention policy has expired, you can delete a desired version of the object. If an object version is within the retention period, it cannot be deleted.

  1. In the navigation pane of OBS Console, choose Object Storage.
  2. In the bucket list, click the bucket you want to operate. The Objects page is displayed.
  3. Enable Historical Versions.
  4. Select the object version to be permanently deleted and click Permanently Delete above the search bar.

    Figure 4 Permanently deleting an object version

  5. Click OK.

Using a Lifecycle Rule to Delete Objects from a WORM-Enabled Bucket

You can configure a lifecycle rule to let OBS automatically expire and delete objects in a WORM enabled bucket. To realize this, the objects must have no retention policies configured or their retention policies have expired. If the objects are within their retention period, they cannot be deleted.

In a WORM-enabled bucket, folders cannot be permanently deleted from the Deleted Objects list. To permanently delete a folder, you can only configure a lifecycle rule.

  1. In the navigation pane of OBS Console, choose Object Storage.
  2. In the bucket list, click the bucket you want to operate. The Objects page is displayed.
  3. In the navigation pane, choose Basic Configurations > Lifecycle Rules.
  4. Click Create.

    Figure 5 Creating a lifecycle rule

  5. Configure a lifecycle rule.

    Configure parameters under Basic Information:
    • Status: Select Enable to enable this lifecycle rule after the configuration.
    • Rule Name: It identifies a lifecycle rule. The rule name must be no longer than 255 characters.
    • Prefix: It is optional.
      • If this field is configured, objects with the specified prefix will be managed by the lifecycle rule. The prefix cannot start with a slash (/) or contain two consecutive slashes (//), and cannot contain the following special characters: \:*?"<>|
      • If this field is not configured, all objects in the bucket will be managed by the lifecycle rule.

    Configure parameters under Current Version or Historical Version:

    Delete Objects After (Days): After this number of days since the last update, OBS will expire and then delete the objects meeting the specified conditions. The days set here must be larger than any of the days configured for the transition actions.

    Suppose that you last updated the following files in OBS on November 7, 2023:
    • log/notConfigured-1.log (This file has no WORM retention policy configured.)
    • log/expired-1.log (The WORM retention policy configured for this file has expired.)
    • doc/withinRetention-1.doc (The WORM retention policy configured for this file expires on November 30, 2023.)
    Then on November 10, 2023, you last updated the following files:
    • log/notConfigured-2.log (This file has no WORM retention policy configured.)
    • log/expired-2.log (The WORM retention policy configured for this file has expired.)
    • doc/withinRetention-2.doc (The WORM retention policy configured for this file expires on November 30, 2023.)

    On November 10, 2023, you set the objects prefixed with log to expire one day later. You might encounter the following situations:

    • Objects log/notConfigured-1.log and log/expired-1.log last updated on November 7, 2023 might be deleted after the last system scan. The deletion could happen on November 10, 2023 or November 11, 2023, depending on the time of the last system scan. doc/withinRetention-1.doc will not be deleted.
    • Objects log/notConfigured-2.log and log/expired-2.log last uploaded on November 10, 2023 might be deleted on November 11, 2023 or November 12, 2023, depending on whether they have been stored for over one day (since their last update) when the system scan happened. doc/withinRetention-2.doc will not be deleted.

    For more information, see Creating a Lifecycle Rule.

  6. Click OK.

Related Operations

When uploading an object, configure a retention policy for the object. For details, see Streaming Upload (PUT).

To normally delete objects from a WORM-enabled bucket, see Deleting an Object.

Parent Topic: Data Security