Accidental deletions and overwrites can disrupt business operations — and recovery depends on having protection in place before the incident occurs. OSS provides four mechanisms to protect your data from accidental operations: versioning, retention policies, cross-region replication (CRR), and scheduled backups. Each addresses a different threat profile and recovery scenario.
The following guidance reflects general best practices and is not a comprehensive security solution. Evaluate each option against your specific business and compliance requirements.
Choose a protection strategy
Use the table below to match your scenario to the right protection option.
| Scenario | Option | What it protects against |
|---|---|---|
| Objects are accidentally overwritten or deleted | Versioning | Overwrites and deletions of individual objects |
| You need to prevent anyone — including bucket owners — from modifying or deleting objects during a fixed period | Retention policy (WORM) | All modifications and deletions during the retention period |
| Data deleted in one region needs to be recoverable from another region | CRR with Add/Change policy | Data loss in the source bucket |
| You need point-in-time object recovery independent of OSS versioning | Scheduled backup (Cloud Backup) | Accidental deletion, even if versioning is not enabled |
Basic protection recommendations
If you're not sure where to start, enable these two options first:
Enable versioning on production buckets. This provides immediate protection against overwrites and deletions with no additional configuration overhead.
Configure scheduled backup for critical data that requires point-in-time recovery independent of versioning.
For stricter compliance requirements, add a retention policy. For multi-region resilience, configure CRR.
Enable versioning
When versioning is enabled, OSS preserves every version of an object rather than overwriting it. Each version gets a unique ID. Deleting an object inserts a delete marker rather than removing the data permanently, and overwriting an object saves the previous content as a prior version.
To recover a previous version, retrieve it using its version ID.
For setup instructions, see Overview.
Configure a retention policy
A retention policy applies Write Once Read Many (WORM) semantics to a bucket: no user — including the bucket owner — can modify or delete objects during the retention period. Only uploads and reads are permitted until the period expires.
For setup instructions, see Retention policies.
Enable CRR
Cross-region replication (CRR) automatically copies objects from a source bucket to a destination bucket in a different OSS region. Replication is asynchronous and near real-time.
CRR addresses two distinct needs:
Disaster recovery: If data is lost in the source region, retrieve it from the destination bucket.
Compliance: Some regulations require data to be stored at geographically separate locations.
To protect against accidental deletions specifically, set the replication policy to Add/Change. This policy syncs object creations and overwrites but does not propagate deletions to the destination bucket. If an object is accidentally deleted from the source bucket, its copy remains in the destination bucket.
For more information, see CRR overview.
Configure scheduled backup
OSS integrates with Cloud Backup to run scheduled backups of bucket contents. Cloud Backup stores backups in a vault with a configurable retention period.
After Cloud Backup completes a full backup, create an OSS restore job in the Cloud Backup console to recover objects to their state before deletion. This approach works independently of OSS versioning and is useful when you need point-in-time recovery guarantees managed outside of OSS.
For setup instructions:
Scheduled backup — configure a backup plan for a bucket
Restore OSS objects — create an OSS restore job to recover deleted objects