A storage-level rule that prevents objects from being altered or deleted for a set period.
Object Lock is a write-once-read-many rule defined by the AWS S3 Object Lock specification, enforced by the storage provider, that prevents objects from being modified or deleted until a retention date expires.
The S3 Object Lock specification defines two modes. Compliance mode is the strict one: once an object is written with a retention date, nothing can shorten or lift that lock until the date passes — not an account admin, not the root user of the account, not support tickets, not leaked credentials. Governance mode is softer: privileged users with a specific permission can remove the lock early. For ransomware resistance, compliance mode is the one that counts, because the whole point is that an attacker who compromises your credentials cannot instruct the storage layer to delete your backups.
This matters because ransomware attackers now specifically target backups. If they can reach your repository and issue deletes, encrypting your Mac becomes leverage; if they cannot, it becomes an inconvenience. Object Lock makes the delete impossible at the storage layer, not just discouraged at the application layer.
In macup, every macup Cloud bucket is provisioned with the S3 Object Lock specification in compliance mode — no toggle, no opt-out. Every snapshot is written with a retention date aligned to your retention policy, so even if someone walks off with your Mac and your password, they cannot quietly erase your history from the cloud.