S3 Object Lock is an AWS S3 API feature that allows you to store objects using a write once, read many (WORM) model. You can use WORM protection for scenarios where it is imperative that data is not changed or deleted for a predetermined duration after it has been written. Whether your business has a requirement to satisfy compliance regulations in the financial or healthcare sector, or you simply want to capture a golden copy of business records for later auditing and reconciliation, S3 Object Lock is the right tool for you.
StorageGRID supports S3 Object Lock. I’m happy to share that we recently completed a successful audit of StorageGRID 11.6 with KPMG, confirming compliance with the following regulations in Germany and Switzerland:
the legal requirements of commercial and tax law (Sections 238 et seqq. of the German Commercial Code [HGB] and Sections 140 through 148 of the German Fiscal Code [AO]) and the German principles of proper accounting and the related requirements in terms of the appropriateness and security of accounting-related program functions, in particular
the circular issued by the German Federal Minister of Finance (BMF) on November 14, 2014, entitled “Principles of proper maintenance and preservation of ledgers, records and documents in electronic form and of data access” (GoBD)
the opinion on accounting by the Technical Committee on Information Technology (FAIT) of the Institute of Public Auditors in Germany (IDW), “Principles of proper accounting, use of information technology” (IDW RS FAIT 1),
the opinion on accounting by FAIT relative to the IDW “Principles of proper accounting, usage of electronic archiving procedures” (IDW RS FAIT 3)
the statutory provisions of the Code of Obligations (OR Sections 957 et seqq.) and
the Accounting Ordinance [GeBüV]
This feature is available with the standard StorageGRID license. You can download the certificate from KPMG here.
S3 Object Lock on StorageGRID has also been assessed by Cohasset Associates against SEC Rule 17a-4(f), FINRA Rule 4511(c) (which defers to the format and media requirements of SEC Rule 17a-4(f)), and CFTC Regulation 1.31(c)-(d). You can view the report here.
How it works
S3 Object Lock is based on versioned buckets. The lock is applied to an individual object version; enabling WORM retention on an object means applying it to the current version of that object.
Please note that, as specified by the AWS S3 API, object version metadata can still be modified even when the object version is WORM protected. If you need to protect the metadata in addition to the object data, consider storing it in a separate object.
How to enable
The S3 Object Lock capability must be enabled once for the grid, either in the Grid Management Interface (GMI) or via the Grid Management REST API.
S3 Object Lock can only be activated on a bucket at bucket creation time.
You can then use the web UI or the Tenant Management REST API to create buckets with S3 Object Lock enabled.
WORM Functionality supported with StorageGRID
StorageGRID supports S3 Object Lock compliance mode. Minimum and maximum retention settings can be configured at the bucket level.
You can either lock individual object versions with an explicit retention applying a ‘Retain Until Date’ or set a default retention using bucket-lock configuration.
A default retention period is described not as a timestamp, but as a period either in days or in years. When you place an object version in a bucket with a default retention period, Object Lock calculates a 'Retain Until Date'. It does this by adding the default retention period to the creation timestamp for the object version. StorageGRID stores the resulting timestamp as the object version's Retain Until Date, as if you had calculated the timestamp manually and placed it on the object version yourself.
Legal Holds are used when you don’t know for how long you want your objects to stay immutable. This may be because of active litigation, an upcoming external audit of your data, or any other reason for keeping objects in a WORM state until the matter is closed. You may also have an ongoing project using a dataset that you want to keep in a WORM state until the project is complete.
Legal Hold works as an infinite retention period. Once applied it is not possible to delete any object until the hold is released manually. The hold can only be removed by users with special permissions.
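The rules described above (Retain Until Date derived from a bucket default, compliance-mode retention that can only be extended, and a legal hold that blocks deletion regardless of retention) can be modelled in a few lines. The following is an added example written for this post, not StorageGRID or AWS code; the names `LockState`, `default_retain_until`, `apply_retention` and `can_delete_version` are my own, and treating a retention year as 365 days is a constructed assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


def ts(iso: str) -> datetime:
    """Parse an ISO 8601 timestamp such as S3 reports for RetainUntilDate."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


@dataclass
class LockState:
    """Lock metadata of one object version (compliance mode only, as on StorageGRID)."""
    retain_until: Optional[datetime] = None  # Retain Until Date, None if no retention
    legal_hold: bool = False                 # legal hold ON/OFF


def default_retain_until(created: datetime, days: int = 0, years: int = 0) -> datetime:
    """Retain Until Date derived from a bucket default: creation time + Days or Years.

    Exactly one of days/years is given, as in a bucket default retention rule.
    A year is taken as 365 days here; that is a constructed assumption."""
    if (days > 0) == (years > 0):
        raise ValueError("default retention must be either Days or Years")
    return created + timedelta(days=days if days else 365 * years)


def apply_retention(state: LockState, new_until: datetime) -> LockState:
    """Set or extend a compliance-mode retention; shortening is refused."""
    if state.retain_until is not None and new_until < state.retain_until:
        raise PermissionError("compliance mode: Retain Until Date cannot be shortened")
    return LockState(retain_until=new_until, legal_hold=state.legal_hold)


def can_delete_version(state: LockState, now: datetime) -> bool:
    """A version may be deleted only once retention has expired and no legal hold is on."""
    if state.legal_hold:
        return False  # legal hold acts as an open-ended retention period
    return state.retain_until is None or now >= state.retain_until


if __name__ == "__main__":
    created = ts("2024-01-01T00:00:00Z")
    state = LockState(retain_until=default_retain_until(created, years=1))
    print("deletable in 2024-06?", can_delete_version(state, ts("2024-06-01T00:00:00Z")))
    print("deletable on expiry?", can_delete_version(state, ts("2024-12-31T00:00:00Z")))
```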
StorageGRID supports the AWS standard for object-level WORM protection, S3 Object Lock. Combined with its powerful ILM policy engine, StorageGRID provides the highest durability and availability for your data. The KPMG certificate enables you to use StorageGRID in environments requiring strict compliance (using WORM media) with country regulations, specifically tax and trade laws in Germany and/or Switzerland. As no additional hardware, software or license is required, you can start using StorageGRID object storage at any time to retain regulated content.