Skip to content
More support Sign in
Contact us
  • There are no suggestions because the search field is empty.

How to delete objects or buckets protected by Object Lock

Removing Object Lock-protected data in Governance and Compliance retention modes

Overview

Object Lock prevents objects from being deleted or overwritten during a retention period. The way you remove locked objects depends on the retention mode applied to them: Governance or Compliance.

This article covers how to handle deletion in each mode and what to do when the retention period has not expired yet.

For general bucket emptying and deletion steps (unlocked objects), see How to Fix "Cannot remove bucket - not empty".

Governance mode

In Governance mode, protected objects cannot be deleted or overwritten by default. However, the root user of the storage account can override Governance retention. IAM users can also override it if they have the s3:BypassGovernanceRetention permission.

To delete a Governance-locked object before its retention period expires:

  1. Sign in as the root user or an IAM user with the s3:BypassGovernanceRetention permission.
  2. Delete the object versions using the AWS CLI or the Storage Console, the same way you would delete any other object.
  3. Once all objects are removed, delete the bucket.

If you do not have the required permission and cannot obtain it, wait for the retention period to expire, then delete the objects normally.

You can also use the 'Empty bucket' feature to completely clean up a bucket. This will override the Governance retention as well.

Compliance mode

In Compliance mode, no user (including the root user) can delete or overwrite a protected object version before the retention period expires. The retention period cannot be shortened, and the mode cannot be changed.

If the retention period has expired: delete the objects and the bucket normally. Use the "Empty Bucket" feature in the Storage Console as described in How to Fix "Cannot remove bucket - not empty".

If the retention period has not expired: the only way to remove the data is to delete the entire storage account. This removes all buckets, objects, and configurations within that account, regardless of Object Lock status.

There are two paths depending on your role:

Partners (channel partners using ICMC)

A partner can delete a storage account directly from the Impossible Cloud Management Console (ICMC):

  1. Sign in to the ICMC.
  2. Navigate to the Storage accounts tab.
  3. Click on the storage account you want to delete.
  4. Click the three-dot menu in the bottom right and select Delete Storage Account.
  5. The deletion enters a 30-day cooldown period. During this period, you can cancel the deletion.

For detailed ICMC instructions, see Managing a Storage Account.

End users (storage account owners)

An end user (root user of the storage account) cannot delete the storage account directly. To request deletion:

  1. Submit a support request through the Impossible Cloud support portal.
  2. Include the storage account name and confirm that you want to delete the entire account.
  3. The deletion enters a 30-day cooldown period. During this period, you can cancel the deletion by contacting support.

Summary

Retention mode Can you delete before expiry? How
Governance Yes (with permission) Root user or IAM user with s3:BypassGovernanceRetention deletes objects directly
Compliance No (at object level) Delete the entire storage account (partner via ICMC, end user via support request)
Any mode (expired) Yes Delete objects normally, then delete the bucket

Related resources