Soft Delete


This page describes the soft delete feature, which provides default bucket-level protection for your data from accidental or malicious deletion by preserving all recently deleted or overwritten objects for a specified period of time.

The objects stored in Cloud Storage buckets are immutable. If you overwrite or change the data of an object, Cloud Storage deletes its earlier version and replaces it with a new one. Soft delete retains all these deleted objects, whether from a delete command or because of an overwrite, essentially capturing all changes made to bucket data for the configured retention duration.

When you delete an object from your bucket with soft delete enabled, Cloud Storage performs the following actions:

  • Moves the deleted object to a soft-deleted state. In this state, the object is invisible to the bucket except when you explicitly list or restore soft-deleted objects.
  • Retains this soft-deleted object for the configured retention duration. During this period, you cannot modify this object in any way, including by features like Object Lifecycle rules or Autoclass.
  • Protects the metadata of the most recent version (generation number) of the object. This metadata can either be the metadata for the most recently deleted version of an object or the live object, if one exists.
  • Deletes the object permanently from the bucket after the soft delete retention duration is over.

Soft delete policy

You can add a soft delete policy to a new or existing bucket. Adding the soft delete policy enables a default retention duration of seven days.

  • After you add a soft delete policy to a bucket, Cloud Storage retains any objects that you delete from the bucket for the specified soft delete retention duration.

You can update a bucket's existing soft delete policy by changing its retention duration.

  • The new soft delete retention duration only applies to objects that are deleted after the change is effective.
  • The updated retention duration does not apply to existing soft-deleted objects. The existing soft-deleted objects are retained for the duration that was in effect when they were deleted.

    For example, you have two objects in your bucket: Object A and Object B. You enable a soft delete policy in your bucket with a default retention duration of seven days. You delete Object A. After a couple of days, you change the soft delete retention duration to ten days, and you delete Object B. Cloud Storage continues to retain Object A until it has been protected for seven days, while Object B is retained for ten days.

You can remove the soft delete policy from your bucket.

  • Cloud Storage retains any soft-deleted objects in the bucket for the duration specified in the soft delete policy before it was removed.
  • Cloud Storage permanently removes any objects that you delete after the soft delete policy is disabled.
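The policy rules in this section, worked through as an added example (not Google's code): each object keeps the retention duration that was in effect when it was deleted, so later changes or removal of the policy never shorten or extend its restore window. The timeline, object names and function names are constructed for illustration.

```python
from bisect import bisect_right
from datetime import datetime, timedelta, timezone

DAY = 86_400  # seconds in a day


def hard_delete_time(policy_changes, deleted_at):
    """Return when an object deleted at `deleted_at` is permanently removed.

    policy_changes: (effective_time, retention_seconds) tuples sorted by
    time; a retention of 0 means the soft delete policy was removed.
    Only the entry in effect at deletion time matters.
    """
    times = [t for t, _ in policy_changes]
    idx = bisect_right(times, deleted_at) - 1
    retention = policy_changes[idx][1] if idx >= 0 else 0
    # With no policy in effect, deletion is permanent immediately.
    return deleted_at + timedelta(seconds=retention)


def restorable(policy_changes, deleted_at, now):
    """True while the soft-deleted object can still be restored."""
    return now < hard_delete_time(policy_changes, deleted_at)


# Constructed timeline mirroring the Object A / Object B scenario.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
POLICY = [
    (T0, 7 * DAY),                        # policy added, seven days
    (T0 + timedelta(days=3), 10 * DAY),   # duration raised to ten days
    (T0 + timedelta(days=20), 0),         # policy removed
]
DELETED = {
    "object-a": T0 + timedelta(days=1),   # deleted before the change
    "object-b": T0 + timedelta(days=4),   # deleted after the change
    "object-c": T0 + timedelta(days=21),  # deleted after policy removal
}

if __name__ == "__main__":
    for name, when in DELETED.items():
        print(name, "permanently deleted at", hard_delete_time(POLICY, when))
```
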

Soft delete retention duration

When you create a Cloud Storage bucket, the soft delete feature is enabled by default with a retention duration of seven days. During the retention duration, you can restore deleted objects, but after the duration ends, Cloud Storage permanently deletes the objects. By updating the bucket's configuration, you can increase the retention duration to 90 days or disable it by setting the retention duration to 0. When soft delete is enabled, the minimum retention duration is seven days.

The soft delete retention duration is measured in seconds; however, some tools, like the Google Cloud console and the Google Cloud CLI, allow you to set and view retention duration with other units of time for convenience. The following conversions apply in such cases:

  • A day is considered to be 86,400 seconds.
  • A month is considered to be 31 days, which is 2,678,400 seconds.

For the gcloud CLI, when specifying a retention period, you specify an integer and a unit, where the unit can be s, d, or m to signify seconds, days, or months, respectively. For example, 7d43200s sets a retention period of 7 days and 43,200 seconds (seven and a half days).

The maximum retention duration you can set is 7,776,000 seconds (90 days), and the minimum is 604,800 seconds (7 days). When using REST APIs, you can also set the retention duration to a value of 0, which disables the soft delete policy.
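The unit conversions and limits above, as an added example (not the gcloud CLI's own parser): it converts integer-and-unit strings to seconds and flags proposed settings that disable soft delete, fall outside the allowed range, or sit below a review baseline. The bucket names, the 14-day baseline and the function names are assumptions made for illustration.

```python
import re

# Conversions and limits as stated on this page.
UNIT_SECONDS = {"s": 1, "d": 86_400, "m": 2_678_400}  # "m" is a 31-day month
MIN_SECONDS = 604_800      # 7 days
MAX_SECONDS = 7_776_000    # 90 days


def parse_retention(text):
    """Convert an integer+unit string such as '7d43200s' to seconds."""
    if not re.fullmatch(r"(\d+[sdm])+", text):
        raise ValueError(f"expected integer+unit pairs, got {text!r}")
    pairs = re.findall(r"(\d+)([sdm])", text)
    return sum(int(number) * UNIT_SECONDS[unit] for number, unit in pairs)


def classify(seconds):
    """Return 'disabled', 'valid', or 'out-of-range' for a retention value."""
    if seconds == 0:
        return "disabled"
    return "valid" if MIN_SECONDS <= seconds <= MAX_SECONDS else "out-of-range"


def audit(buckets, baseline="14d"):
    """List (bucket, reason) for settings weaker than a hypothetical baseline."""
    floor = parse_retention(baseline)
    findings = []
    for name, setting in sorted(buckets.items()):
        seconds = parse_retention(setting)
        state = classify(seconds)
        if state == "disabled":
            findings.append((name, "soft delete disabled"))
        elif state == "out-of-range":
            findings.append((name, "outside the 7 to 90 day range"))
        elif seconds < floor:
            findings.append((name, f"{seconds}s is below baseline {floor}s"))
    return findings


# Constructed inventory: bucket name -> proposed retention string.
SAMPLE = {"logs-archive": "1m", "scratch": "0s", "backups": "7d43200s", "media": "3m"}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=": ")
```
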

Restore objects and buckets

When you restore a soft-deleted object, Cloud Storage creates a copy of the soft-deleted object in the same bucket the object was deleted from. The restored object's metadata is the same as the metadata of the deleted object at the time of deletion. At the end of the soft delete retention duration, Cloud Storage permanently deletes the soft-deleted object.

You can restore the soft-deleted objects before the soft delete retention duration ends.

  • For the restore to be successful, you must start the restore early enough to be able to complete it within the soft delete retention duration, as objects are permanently deleted after that duration ends.
  • You can restore the soft-deleted objects synchronously by specifying a list of objects, or you can create a long-running operation to bulk restore objects deleted between two timestamps.
  • Cloud Storage always restores objects to the same bucket from where they were originally deleted.

When soft delete is enabled on your bucket, you cannot permanently delete a live or a soft-deleted object. When you delete a live object, it becomes soft-deleted. A soft-deleted object is permanently deleted after the soft delete retention duration ends.

If you delete your project, Cloud Storage permanently deletes all the buckets and objects within that project. In such a scenario, you cannot restore objects and buckets using the soft delete feature. Therefore, it is important to take steps to limit access to project-level deletions, such as placing a lien on projects or backing up business-critical data to buckets in a different project.

When you restore a soft-deleted object version, Cloud Storage restores the copy of the soft-deleted object to a live version. If a live version already exists, the copy of the soft-deleted version replaces the live version, and the pre-existing live version becomes soft-deleted. In such a scenario, your bucket contains the following objects:

  • The replaced live object that is in the soft-deleted state
  • Two copies of the previously soft-deleted object – one live copy and one still-soft-deleted copy

All these object copies incur storage charges until the soft-deleted objects are permanently deleted after the retention duration is over.

Cloud Storage also copies the metadata of restored soft-deleted objects when replacing the live object. This means that object-level security metadata and settings like storage class are set to the last state of that specific object version upon restore.

Soft-deleted objects are not permanently deleted upon bucket deletion. However, the correct bucket version must be restored before it is possible to restore the soft-deleted objects inside it. To restore a soft-deleted bucket, contact Google Cloud Support.

Considerations with other features

Soft delete is compatible with all Cloud Storage features. When this feature is enabled, it has the following interactions with other Cloud Storage features:

  • Object Lifecycle Management

    Object Lifecycle Management rules only act on live and noncurrent objects and cannot affect soft-deleted objects. Any objects that object lifecycle management deletes are soft deleted instead of permanently deleted.

  • Object Versioning

    Soft delete provides an additional layer of protection on top of Object Versioning with the deletion of noncurrent objects being soft deleted instead of permanently deleted.

  • Multipart uploads

    Multipart uploads are protected by soft delete once the objects are finalized. Soft delete does not protect multipart upload fragments that are deleted before the objects are finalized.

  • Autoclass

    Autoclass does not have access to soft-deleted objects, so its management fees are not assessed for soft-deleted objects. After an object becomes soft deleted in an Autoclass-enabled bucket, that object's storage class is frozen until the soft delete retention duration ends. A restore of a soft-deleted object restores it back to the Standard storage class in the same way that reading a cold object in an Autoclass bucket also resets the storage class back to Standard storage.

  • Bucket Lock and Object Retention Lock features

    When soft delete is enabled while using either, or both, of these features, you cannot delete live objects for the duration specified in the Bucket Lock and Object Lock retention policy. After any of these retention policies expire on the live objects, you can delete them. The object then moves to the soft-deleted state and is retained for the soft delete retention duration.

  • Organization policies

    You can set policy constraints on soft delete in your organization policies. Doing so forces you to set a specific soft delete retention duration when creating new buckets or updating existing buckets.

  • When you restore a soft-deleted version of an object, Pub/Sub triggers an OBJECT_FINALIZE event on every successful object restoration.

  • Soft delete cannot restore the IAM policies on managed folders. If you soft delete an object and delete a managed folder that grants IAM policies for the object, you might have to recreate those IAM policies before you have the necessary permissions to restore the soft-deleted object.
