Per-bucket Legal Hold
Freeze an entire bucket reversibly from the console to meet legal requirements, audits, and litigation.
OtterStorage's Legal Hold (or Litigation Hold) freezes an entire bucket: while it's active, no one can delete, overwrite, or reconfigure the bucket—not even the account administrator. It's a switch you turn on and off from the web console, designed for compliance, audits, and the preservation of evidence in legal proceedings.
What it is
A Legal Hold is a bucket-level legal retention. When you enable it, OtterStorage applies a lock that affects all access keys for that bucket. The goal is to ensure that the bucket's content and configuration remain intact for as long as a legal requirement or investigation lasts.
Unlike other mechanisms, it doesn't act object by object: it freezes the entire bucket with a single action and is fully reversible. The account administrator governs it from the console, with no need to touch each object or write policies by hand.
What it blocks while active
With Legal Hold ACTIVE, OtterStorage denies the following operations on the bucket and its content:
- Deleting objects and versions: DeleteObject and DeleteObjectVersion.
- Overwriting existing objects: PutObject.
- Changing or removing the bucket policy: PutBucketPolicy and DeleteBucketPolicy.
- Modifying the lifecycle: PutLifecycleConfiguration.
- Deleting the bucket: DeleteBucket.
- Creating new access keys for the bucket.
The lock applies equally to all of the client's keys on that bucket: there is no way to bypass it using another credential while the retention remains active. Read operations (for example, downloading or listing objects) keep working normally. With OtterStorage we don't charge for requests or deletions, so Legal Hold never adds cost for blocking or denying an operation.
How it's applied internally
The Legal Hold is implemented as a managed bucket policy: a Deny statement that OtterStorage adds and removes automatically when you turn the switch on or off. Do not edit this policy by hand; OtterStorage manages it for you. The following JSON is only illustrative of its shape:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OtterLegalHold",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:PutObject",
        "s3:PutBucketPolicy",
        "s3:DeleteBucketPolicy",
        "s3:PutLifecycleConfiguration",
        "s3:DeleteBucket"
      ],
      "Resource": [
        "arn:aws:s3:::mi-bucket",
        "arn:aws:s3:::mi-bucket/*"
      ]
    }
  ]
}
The OtterLegalHold statement targets both the bucket (arn:aws:s3:::mi-bucket) and its content (arn:aws:s3:::mi-bucket/*). While it exists, any attempt to perform one of those actions will receive an access-denied error. When you disable the Legal Hold, OtterStorage removes the statement and the bucket returns to its usual behavior.
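An added example, not OtterStorage's own code: a Python check that a bucket policy document still carries the OtterLegalHold Deny statement in the shape shown above, useful as audit evidence that the hold is in place. The names check_legal_hold and WEAKENED are hypothetical, and the check assumes the live managed policy matches the illustrative JSON, which the page does not guarantee.

```python
import json
from fnmatch import fnmatchcase

# Sid and actions are copied from the illustrative policy on this page.
HOLD_SID = "OtterLegalHold"
HOLD_ACTIONS = [
    "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:PutObject",
    "s3:PutBucketPolicy", "s3:DeleteBucketPolicy",
    "s3:PutLifecycleConfiguration", "s3:DeleteBucket",
]

def _as_list(value):
    """Policy fields may hold one string or a list of strings."""
    return [value] if isinstance(value, str) else list(value or [])

def check_legal_hold(policy_json, bucket):
    """Return a list of problems; an empty list means the hold statement is intact."""
    try:
        policy = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        return [f"policy is not valid JSON: {exc.msg}"]
    if not isinstance(policy, dict):
        return ["policy is not a JSON object"]
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may appear unwrapped
        statements = [statements]
    hold = [s for s in statements if s.get("Sid") == HOLD_SID]
    if not hold:
        return [f"no {HOLD_SID} statement: hold not active"]
    stmt, problems = hold[0], []
    if stmt.get("Effect") != "Deny":
        problems.append("Effect is not Deny")
    if stmt.get("Principal") != "*":
        problems.append("Principal is not *")
    patterns = _as_list(stmt.get("Action"))
    for action in HOLD_ACTIONS:  # wildcards such as s3:Delete* count as coverage
        if not any(fnmatchcase(action, p) for p in patterns):
            problems.append(f"Action not denied: {action}")
    resources = _as_list(stmt.get("Resource"))
    for arn in (f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"):
        if arn not in resources:
            problems.append(f"Resource not covered: {arn}")
    return problems

# Constructed sample: the hold statement with PutObject and the object ARN missing.
WEAKENED = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": HOLD_SID, "Effect": "Deny", "Principal": "*",
    "Action": ["s3:Delete*", "s3:PutBucketPolicy", "s3:PutLifecycleConfiguration"],
    "Resource": "arn:aws:s3:::mi-bucket"}]})
```

The check covers only the actions in the policy statement; the block on creating new access keys is not expressed there and has to be confirmed in the console.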
Difference from Object Lock
It's important not to confuse Legal Hold with Object Lock:
- Object Lock sets immutability per object with a WORM model (Write Once, Read Many): you define retention per object or version, and each object stays immutable for its period.
- Legal Hold freezes the entire bucket at once, reversibly, and is governed from the console without touching each object. It's geared toward compliance and litigation, where you need to preserve the complete set for as long as the requirement lasts.
In short: Object Lock is granular, durable per-object immutability; Legal Hold is a total, reversible freeze of the bucket controlled with a switch.
Use cases
- Legal requirements: a court order requires data to be kept without alteration.
- Audits: you freeze the bucket's state while an auditor reviews its content.
- Compliance: regulations that require temporary preservation of information.
- Evidence preservation: you ensure the integrity of evidence during litigation.
How to enable it
The account administrator manages the Legal Hold from the web console:
- Sign in to the console and open the bucket you want to protect.
- Open the "Legal Hold" side panel.
- Flip the switch to enable it. You'll be asked for a confirmation before it's applied.
From that point on, the bucket is frozen for all of its keys. To disable it, return to the same panel and use the switch in the opposite direction.
Recommendations
- Combine it with versioning: with versioning enabled you keep each object's history, which strengthens evidence preservation and compliance.
- Plan your access keys: while the Legal Hold is active you won't be able to create new keys for the bucket. Create the ones you'll need before enabling it.
- Enable the hold ahead of time: do it before starting the audit or legal process to avoid last-minute changes.
- Document the period: record when you enable and disable the retention for your internal traceability.
For more details on buckets, access keys, and policies, see the documentation.