How to manage object immutability with Object Lock (WORM)

Hello everyone,

I use Object Storage (Standard - S3):

I would like to set up object immutability with Object Lock (WORM: Write Once, Read Many).
It is for backups from our production servers, to protect them from accidental deletion or attack.

I follow this article: https://help.ovhcloud.com/csm/en-gb-public-cloud-storage-s3-managing-object-lock?id=kb_article_view&sysparm_article=KB0047401

I also configured the user with "Import S3 Policy (JSON)".

After all of this, I can still delete objects from S3. Am I missing something?

And is anyone successfully using Object Lock on OVH?


Used "Import S3 Policy (JSON)":
{
  "Statement": [
    {
      "Sid": "RWContainerLock",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:ListBucket",
        "s3:ListMultipartUploadParts",
        "s3:ListBucketMultipartUploads",
        "s3:AbortMultipartUpload",
        "s3:GetBucketLocation",
        "s3:PutBucketObjectLockConfiguration",
        "s3:GetBucketObjectLockConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::",
        "arn:aws:s3:::/"
      ]
    }
  ]
}


This is the script I use for test:
#!/bin/bash -eu
err_report() {
  echo >&2 "
** $0 ABORTED Linea $1 ***"
  echo >&2 ">> " $(sed "$1!d" $0)
  exit 1
}
trap 'err_report $LINENO' ERR

export AWS_PAGER=""


export AWS_ENDPOINT=https://s3.waw.io.cloud.ovh.net

date >> example_file.log

BUCKET_PREFIX=example-bucket-worm-
BUCKET_NAME=$BUCKET_PREFIX$(openssl rand -hex 5 )

echo "BUCKET_NAME: $BUCKET_NAME"

aws --endpoint-url "$AWS_ENDPOINT" \
  s3api create-bucket \
  --bucket "$BUCKET_NAME" \
  --object-lock-enabled-for-bucket | cat

aws --endpoint-url "$AWS_ENDPOINT" s3api put-object-lock-configuration \
  --bucket "$BUCKET_NAME" \
  --object-lock-configuration '{ "ObjectLockEnabled": "Enabled", "Rule": { "DefaultRetention": { "Mode": "COMPLIANCE", "Days": 2 }}} '

echo "Bucket lock configuration:"
aws --endpoint-url "$AWS_ENDPOINT" s3api get-object-lock-configuration --bucket "$BUCKET_NAME"

echo "Upload file"
aws --endpoint-url "$AWS_ENDPOINT" s3 cp example_file.log s3://"$BUCKET_NAME"

echo "View files"

echo "Files lock configuration:"
aws --endpoint-url "$AWS_ENDPOINT" s3api get-object-retention \
  --bucket "$BUCKET_NAME" \
  --key example_file.log

echo "Delete file:"
aws --endpoint-url "$AWS_ENDPOINT" s3 rm "s3://$BUCKET_NAME/example_file.log"

echo "List files:"
aws --endpoint-url "$AWS_ENDPOINT" s3 ls "$BUCKET_NAME"
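
A check that goes one step past the test script above, as an added example that is not part of the original post: in standard S3 semantics Object Lock relies on versioning, so a delete without a version ID only adds a delete marker, and retention is what blocks deleting a specific version. The function names `data_versions` and `worm_check` are hypothetical, and the sketch assumes the OVH endpoint follows those S3 semantics and that the credentials may list and delete object versions (`s3:ListBucketVersions`, `s3:DeleteObjectVersion`), which the posted policy does not grant.

```bash
#!/bin/bash
# Added example: run only against a throwaway test bucket, because it really
# attempts to delete every stored version of KEY.
# Needs AWS_ENDPOINT set as in the test script. Usage: script BUCKET KEY

# Print the version IDs of the data versions (not delete markers) of KEY.
data_versions() {
  aws --endpoint-url "$AWS_ENDPOINT" s3api list-object-versions \
    --bucket "$1" --prefix "$2" \
    --query "Versions[?Key=='$2'].VersionId" --output text
}

# Exit status: 0 = every version refused deletion,
#              1 = at least one version was deleted (retention not enforced),
#              2 = no data version exists any more.
worm_check() {
  local bucket="$1" key="$2" versions vid err rc=0
  versions=$(data_versions "$bucket" "$key")
  if [ -z "$versions" ] || [ "$versions" = "None" ]; then
    echo "no data version left for $key: the object is really gone" >&2
    return 2
  fi
  for vid in $versions; do
    # Capture stderr so the refusal reason (retention vs. missing
    # permission) is visible to whoever runs the check.
    if err=$(aws --endpoint-url "$AWS_ENDPOINT" s3api delete-object \
               --bucket "$bucket" --key "$key" --version-id "$vid" \
               2>&1 >/dev/null); then
      echo "version $vid was deleted: retention NOT enforced" >&2
      rc=1
    else
      echo "version $vid: delete refused: $err"
    fi
  done
  return "$rc"
}

# Run the check only when called with BUCKET and KEY.
if [ "$#" -eq 2 ]; then
  worm_check "$@"
fi
```

Run it after the `s3 rm` step of the test script; a version that still refuses deletion while `s3 ls` shows nothing means only a delete marker was added.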