S3 Object Lock enforces a Write-Once-Read-Many (WORM) model: it prevents object versions from being deleted or overwritten for a fixed period or indefinitely. Its 'security guards' are the two retention modes (Governance and Compliance) and Legal Hold, each enforcing a different level of protection.
Amazon S3 Object Lock is a feature designed to store objects using a Write-Once-Read-Many (WORM) model [citation:2][citation:3]. This means that once an object is written to an S3 bucket with Object Lock enabled, it becomes immutable, preventing it from being deleted or modified for a specified duration or until a legal hold is removed [citation:9][citation:10]. It is a crucial tool for meeting regulatory compliance requirements and protecting data from threats like ransomware [citation:3][citation:10].
The foundation of S3 Object Lock is its integration with bucket versioning. Enabling Object Lock when a bucket is created turns versioning on automatically [citation:2][citation:3][citation:9]; AWS now also allows enabling Object Lock on an existing bucket, provided versioning is already on. The lock is applied to specific object versions, so each iteration is protected individually; a plain delete request without a version ID only adds a delete marker and leaves the locked version in place [citation:2][citation:8][citation:10].
The 'security guards' of S3 Object Lock are its two retention modes, which control the rigidity of the immutability, and Legal Hold, which provides indefinite protection.
Governance mode acts as the flexible guard. It protects object versions from being deleted or overwritten by most users for a pre-defined retention period [citation:2][citation:3][citation:5].
However, a user who holds the s3:BypassGovernanceRetention permission can delete the version, shorten the period, or change the retention settings, but only if the request also asserts the bypass explicitly (the x-amz-bypass-governance-retention: true header, or --bypass-governance-retention in the AWS CLI); the permission alone does not lift the lock [citation:2][citation:3][citation:5].
Use Case: Ideal for scenarios where you need to protect data from accidental deletion but still allow for administrative flexibility, such as temporary project files or internal backups [citation:10].
Compliance mode is the most stringent guard. When it is set on an object version, that version cannot be overwritten or deleted by any user, the account root user included, until the retention period ends [citation:2][citation:3][citation:5].
The retention mode cannot be changed, and the retention period can only be extended, never shortened [citation:2][citation:5][citation:10]. The only way to remove such a version before its retention date is to close the AWS account that owns it.
Use Case: Essential for meeting strict regulatory and compliance mandates, such as those in financial services, healthcare, or government, where records must be kept in an unalterable state for a fixed number of years [citation:3][citation:4][citation:9].
Legal Hold is another protective mechanism, functioning independently of retention periods. It acts like an ON/OFF switch that you can apply to an object to protect it indefinitely [citation:2][citation:3][citation:9].
It provides the same protections as a retention period (blocks deletion or overwrite) but has no expiration date [citation:2][citation:7][citation:8].
The hold remains in effect until a user with the s3:PutObjectLegalHold permission explicitly removes it [citation:2][citation:3].
It can be applied to objects with or without an existing retention period. If both apply, the version stays protected until the retention period has expired and the hold has been removed [citation:9][citation:10].
Use Case: Perfect for situations where the preservation timeline is unknown, such as during an ongoing investigation, litigation, or audit [citation:2][citation:3][citation:9].
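To make the three guards concrete, here is an added example (not AWS code) that models the decision S3 makes when a caller tries to delete a locked object version or move its retention date. It covers the cases the text describes: legal hold blocking regardless of retention, Compliance mode refusing everyone including root, Governance mode requiring both the s3:BypassGovernanceRetention permission and the explicit bypass header, and extend-only changes under Compliance. Class and function names, and the fixed reference time NOW, are illustrative assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Added example, not AWS's own code: a model of the rules S3 Object Lock applies
# when a caller tries to delete a locked object *version* or move its retention
# date. Class and function names are illustrative; NOW is a fixed reference time.

GOVERNANCE = "GOVERNANCE"
COMPLIANCE = "COMPLIANCE"
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def days(n: int) -> datetime:
    """Helper: NOW plus n days, used to build retain-until dates."""
    return NOW + timedelta(days=n)


@dataclass
class LockState:
    mode: Optional[str] = None               # None, GOVERNANCE or COMPLIANCE
    retain_until: Optional[datetime] = None  # end of the retention period
    legal_hold: bool = False                 # independent ON/OFF switch, no expiry


@dataclass
class Caller:
    has_bypass_permission: bool = False  # IAM grants s3:BypassGovernanceRetention
    asserted_bypass: bool = False        # request sent x-amz-bypass-governance-retention: true
    is_root: bool = False                # account root; makes no difference under COMPLIANCE


def retention_active(lock: LockState, now: datetime) -> bool:
    """A retention period only protects the version until retain_until has passed."""
    return lock.mode is not None and lock.retain_until is not None and now < lock.retain_until


def can_delete_version(lock: LockState, caller: Caller, now: datetime) -> Tuple[bool, str]:
    """Would a DeleteObject that names this VersionId succeed?"""
    # Legal hold is evaluated regardless of retention and never expires on its own.
    if lock.legal_hold:
        return False, "legal hold is ON; it must be removed first (s3:PutObjectLegalHold)"
    if not retention_active(lock, now):
        return True, "no active retention period"
    if lock.mode == COMPLIANCE:
        return False, "COMPLIANCE retention active; no principal, root included, can delete early"
    # GOVERNANCE: the permission alone is not enough, the request must assert the bypass.
    if caller.has_bypass_permission and caller.asserted_bypass:
        return True, "GOVERNANCE retention bypassed"
    if caller.has_bypass_permission:
        return False, "GOVERNANCE retention active; bypass permitted but not asserted on the request"
    return False, "GOVERNANCE retention active; caller lacks s3:BypassGovernanceRetention"


def can_set_retain_until(lock: LockState, caller: Caller, now: datetime,
                         new_retain_until: datetime) -> Tuple[bool, str]:
    """Would a PutObjectRetention that keeps the mode but moves retain_until succeed?"""
    if not retention_active(lock, now):
        return True, "no active retention; new period applied"
    if new_retain_until >= lock.retain_until:
        return True, "retention extended"  # extending is allowed in both modes
    if lock.mode == COMPLIANCE:
        return False, "COMPLIANCE retention can be extended but never shortened"
    if caller.has_bypass_permission and caller.asserted_bypass:
        return True, "GOVERNANCE retention shortened via bypass"
    return False, "shortening GOVERNANCE retention needs s3:BypassGovernanceRetention plus the bypass header"


if __name__ == "__main__":
    locked = LockState(mode=COMPLIANCE, retain_until=days(365 * 7))
    root = Caller(has_bypass_permission=True, asserted_bypass=True, is_root=True)
    print(can_delete_version(locked, root, NOW))              # (False, 'COMPLIANCE retention active; ...')
    print(can_set_retain_until(locked, root, NOW, days(30)))  # (False, 'COMPLIANCE retention can be extended but never shortened')
    held = LockState(mode=GOVERNANCE, retain_until=days(30), legal_hold=True)
    print(can_delete_version(held, root, days(60)))           # (False, 'legal hold is ON; ...')
```

The real calls these decisions model are boto3's delete_object(..., VersionId=..., BypassGovernanceRetention=True), put_object_retention(..., Retention={'Mode': ..., 'RetainUntilDate': ...}) and put_object_legal_hold(..., LegalHold={'Status': 'ON'|'OFF'}); the model deliberately leaves out mode changes under Governance, which follow the same bypass rule as shortening.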
While S3 Object Lock is a powerful security tool, particularly in Compliance mode, it presents a significant operational risk if misused. If an attacker or a misconfigured application sets Compliance mode for a long period on a massive amount of data, that data cannot be deleted prematurely by anyone, short of closing the AWS account. This can result in significant and unavoidable storage costs [citation:5]. Because of this risk, security best practices sometimes recommend blocking the use of Compliance mode unless absolutely necessary, to reduce potential financial damage from compromised accounts [citation:5]. Such a block can be enforced preventively with an IAM policy, bucket policy or SCP that denies s3:PutObject and s3:PutObjectRetention when the s3:object-lock-mode condition key equals COMPLIANCE, and the s3:object-lock-remaining-retention-days key can cap how long any retention may run.
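The guardrail described above, as an added example that is not from AWS documentation: a deny policy that blocks Compliance mode and caps retention length using the s3:object-lock-mode and s3:object-lock-remaining-retention-days condition keys, together with a minimal offline evaluator so the effect on sample requests can be checked without an AWS account. The bucket ARN, the 90-day cap and the function names are illustrative assumptions; the evaluator models only the two operators the policy uses.

```python
import json
from fnmatch import fnmatchcase

# Added example, not from AWS documentation: an SCP/IAM deny policy that blocks
# COMPLIANCE-mode retention and caps how long any retention may run, using the
# condition keys s3:object-lock-mode and s3:object-lock-remaining-retention-days,
# plus a minimal offline evaluator for those two operators. The bucket ARN and
# the 90-day cap are illustrative assumptions.

BUCKET_ARN = "arn:aws:s3:::example-locked-bucket"  # hypothetical bucket
MAX_RETENTION_DAYS = 90                             # assumed policy limit


def build_lock_guardrail_policy(bucket_arn: str = BUCKET_ARN,
                                max_days: int = MAX_RETENTION_DAYS) -> dict:
    """Deny statements that make COMPLIANCE mode and over-long retention unsettable."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyComplianceMode",
                "Effect": "Deny",
                "Action": ["s3:PutObject", "s3:PutObjectRetention"],
                "Resource": f"{bucket_arn}/*",
                "Condition": {"StringEquals": {"s3:object-lock-mode": "COMPLIANCE"}},
            },
            {
                "Sid": "CapRetentionLength",
                "Effect": "Deny",
                "Action": ["s3:PutObject", "s3:PutObjectRetention"],
                "Resource": f"{bucket_arn}/*",
                "Condition": {
                    "NumericGreaterThan": {"s3:object-lock-remaining-retention-days": str(max_days)}
                },
            },
        ],
    }


def _condition_matches(condition: dict, ctx: dict) -> bool:
    """Evaluate StringEquals / NumericGreaterThan; a missing key makes the condition false."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            if key not in ctx:
                return False
            have = ctx[key]
            if operator == "StringEquals":
                if str(have) != str(wanted):
                    return False
            elif operator == "NumericGreaterThan":
                if not float(have) > float(wanted):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled here")
    return True


def is_denied(policy: dict, action: str, resource: str, ctx: dict) -> bool:
    """True if any Deny statement in the policy applies to this request."""
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny":
            continue
        actions = statement["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if action not in actions:
            continue
        if not fnmatchcase(resource, statement["Resource"]):
            continue
        if _condition_matches(statement.get("Condition", {}), ctx):
            return True
    return False


def policy_json(policy: dict) -> str:
    """Serialise the policy as it would be pasted into an SCP or IAM policy document."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = build_lock_guardrail_policy()
    print(policy_json(policy))
    key = f"{BUCKET_ARN}/backups/db.dump"
    # An attacker with write access tries to lock a backup in COMPLIANCE mode for ten years.
    print(is_denied(policy, "s3:PutObjectRetention", key,
                    {"s3:object-lock-mode": "COMPLIANCE",
                     "s3:object-lock-remaining-retention-days": "3650"}))  # True
    # A routine 30-day GOVERNANCE lock is still allowed.
    print(is_denied(policy, "s3:PutObjectRetention", key,
                    {"s3:object-lock-mode": "GOVERNANCE",
                     "s3:object-lock-remaining-retention-days": "30"}))  # False
```

Attached as an SCP, the deny binds every principal in the member account, the root user included, which is what makes it useful against compromised credentials. Two things it does not cover: a bucket-level default retention set through s3:PutBucketObjectLockConfiguration, which should be restricted to a break-glass role separately, and any Compliance-mode locks that already exist, which no policy can undo.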