Ensure Data Compliance & Security with S3 Object Lock
Amazon S3 Object Lock lets you prevent objects in an S3 bucket from being deleted or overwritten for a set period. Organizations use this to meet regulations like SEC Rule 17a-4(f) and GDPR that require data retention and immutability.
Write Once Read Many (WORM)
WORM is a storage concept where you write data once, then lock it so nobody can modify or delete it. The data stays readable but protected. This matters for industries with strict record-keeping requirements, like finance and healthcare.
AWS implements WORM through S3 Object Lock. You can set retention periods and legal holds on objects to keep them immutable.
Object Lock Has Two Modes
Governance Mode: Most users cannot delete or alter objects under governance mode. However, if you have the s3:BypassGovernanceRetention permission, you can override this. This mode is useful when you want protection but also need some flexibility for testing or administrative tasks.
Compliance Mode: This is stricter. Even the root AWS account cannot delete, shorten, or modify the retention period on any object. The only way to remove a protected object early is to delete the entire AWS account. Compliance mode exists for situations where regulations demand absolute immutability.
Can I Delete Objects in Compliance Mode?
No. Once an object is under Compliance mode retention, it stays locked until the retention period expires, no matter what permissions you have. This is intentional—it exists precisely because some regulations require this level of protection.
In Governance mode, you have more options. Authorized users can delete or modify objects before retention expires if they have the right permissions.
Legal Hold vs. Retention Period
These serve different purposes.
A legal hold prevents deletion or modification indefinitely, until someone explicitly removes it. Use this when you’re involved in litigation or an audit and need to preserve evidence. The hold stays in place regardless of any retention period.
A retention period locks an object for a specific duration, like 1 year or 7 years. After that period ends, the object becomes deletable again.
You can actually use both at the same time. For example, you might set a 7-year retention period AND apply a legal hold—the object stays protected by both rules until you remove the hold, and even then the retention period must expire first.
Delete Markers
When you delete an object in a versioned S3 bucket, AWS doesn’t actually remove it. Instead, it creates a delete marker—a placeholder that becomes the current version. The original object version remains intact and protected by any retention settings.
Delete markers are essentially zero-byte objects with their own version IDs. You can see them when listing object versions. Only a request that names a specific version ID permanently removes that version, and that is the request Object Lock blocks.
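The rules from the two-modes, legal hold vs. retention, and delete-marker sections above, encoded as an added Python example for this article (illustrative code, not AWS's implementation; `LockState`, `can_delete` and `can_set_retain_until` are names chosen here, and the dates and version IDs are constructed):

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

# Constructed model of the Object Lock rules the article describes. Illustrative
# code written for this page, not AWS's implementation; it never calls S3.

@dataclass
class LockState:
    mode: Optional[str] = None              # "GOVERNANCE", "COMPLIANCE" or None
    retain_until: Optional[datetime] = None
    legal_hold: bool = False

def can_delete(lock: LockState, now: datetime, version_id: Optional[str] = None,
               bypass: bool = False) -> Tuple[bool, str]:
    """Would a DELETE succeed? `bypass` = caller holds s3:BypassGovernanceRetention."""
    if version_id is None:                  # versioned bucket: no version ID given
        return True, "delete marker created; the locked version is untouched"
    if lock.legal_hold:                     # a hold wins over mode, dates and IAM
        return False, "legal hold in place; remove it first"
    if lock.mode is None or lock.retain_until is None or now >= lock.retain_until:
        return True, "no active retention period"
    if lock.mode == "COMPLIANCE":           # nobody, root included, can override
        return False, "COMPLIANCE retention active until " + lock.retain_until.isoformat()
    if lock.mode == "GOVERNANCE":
        return (True, "GOVERNANCE retention bypassed") if bypass else \
               (False, "GOVERNANCE retention active; bypass permission required")
    raise ValueError(f"unknown Object Lock mode {lock.mode!r}")

def can_set_retain_until(lock: LockState, new_until: datetime, bypass: bool = False) -> bool:
    """Extending retention is always allowed; shortening follows the delete rules."""
    if lock.retain_until is None or new_until >= lock.retain_until:
        return True
    return lock.mode != "COMPLIANCE" and bypass

def demo() -> dict:
    utc = lambda y: datetime(y, 1, 1, tzinfo=timezone.utc)   # constructed dates
    gov, comp = LockState("GOVERNANCE", utc(2032)), LockState("COMPLIANCE", utc(2032))
    held = LockState("COMPLIANCE", utc(2032), legal_hold=True)
    return {
        "marker": can_delete(comp, utc(2025))[0],                         # True
        "gov_no_bypass": can_delete(gov, utc(2025), "v1")[0],             # False
        "gov_bypass": can_delete(gov, utc(2025), "v1", bypass=True)[0],   # True
        "comp_bypass": can_delete(comp, utc(2025), "v1", bypass=True)[0], # False
        "comp_expired": can_delete(comp, utc(2033), "v1")[0],             # True
        "held_expired": can_delete(held, utc(2033), "v1")[0],             # False
        "comp_shorten": can_set_retain_until(comp, utc(2030)),            # False
        "comp_extend": can_set_retain_until(comp, utc(2040)),             # True
    }
```

The `held_expired` case shows why the article separates the two controls: the retention period has run out, yet the legal hold still blocks the delete until someone removes it.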
Removing a Hold
Through the AWS Console:
- Open the S3 console and select your bucket
- Find the object and click on its name
- Go to the “Object Lock” tab
- Choose “Legal Hold” or “Retention” depending on what’s applied
- Click “Remove”
Through AWS CLI:
# Remove a legal hold (legal holds are separate from retention periods):
aws s3api put-object-legal-hold --bucket my-bucket --key my-object \
  --legal-hold Status=OFF
# Clear a Governance mode retention period (needs s3:BypassGovernanceRetention):
aws s3api put-object-retention --bucket my-bucket --key my-object \
  --retention '{}' --bypass-governance-retention
The --bypass-governance-retention flag lets you skip Governance mode protections when they're enabled; it only works for callers who hold the s3:BypassGovernanceRetention permission, and it has no effect on Compliance mode.
Granting Permission to Remove Holds
To let a user remove a hold, create an IAM policy that grants the necessary permissions. Removing a legal hold uses the legal hold actions, and clearing a Governance mode retention period additionally needs s3:BypassGovernanceRetention:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObjectRetention",
        "s3:PutObjectRetention",
        "s3:GetObjectLegalHold",
        "s3:PutObjectLegalHold",
        "s3:BypassGovernanceRetention"
      ],
      "Resource": "arn:aws:s3:::my-bucket/my-object"
    }
  ]
}
This gives the user permission to read and modify the retention and legal hold settings on that specific object, and to bypass Governance mode retention on it. No permission bypasses Compliance mode retention.
Requirements for Using S3 Object Lock
- S3 Bucket: You need a bucket to host the locked objects
- Versioning Enabled: Object Lock only works with versioning turned on—each version can have its own retention settings
- IAM Permissions: You need permissions like s3:GetBucketObjectLockConfiguration, s3:PutBucketObjectLockConfiguration, and s3:GetObjectRetention
- Object Lock Enabled: You can enable this when creating a new bucket or on an existing empty bucket
- Choose a Mode: Pick Compliance or Governance based on your protection needs
Object Lock doesn’t work in every region, and some storage classes don’t support it. Check AWS documentation for your specific region and use case.
Supported Storage Classes
S3 Object Lock works with most storage classes, but not all modes are available everywhere:
- S3 Standard: Supports both Compliance and Governance modes
- S3 Intelligent-Tiering: Supports both modes
- S3 Glacier: Supports Compliance mode only
- S3 Glacier Deep Archive: Supports Compliance mode only
- S3 One Zone-Infrequent Access: Supports both modes
S3 Glacier and S3 Glacier Deep Archive only work with Compliance mode because these archival storage classes are typically used for long-term retention where Governance mode flexibility isn’t needed.
S3 Object Lock with S3 Inventory
S3 Inventory can generate reports showing the retention and legal hold status of all your objects. This helps in a few ways:
- Compliance reporting: See which objects are under retention and whether their status is current
- Policy verification: Check if objects follow your retention policies
- Change monitoring: Track when retention settings are modified
- Audit automation: Combine with Lambda and SNS to alert on compliance issues
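An added example of the policy-verification use above (written for this article, not AWS code): it reads an S3 Inventory CSV report and reports every current object version that lacks the required mode or whose retention ends too early. The report rows, bucket and key names, and the policy date are constructed; the `FIELDS` list assumes an inventory configured with the Object Lock optional fields in that order.

```python
import csv
from datetime import datetime, timezone
from typing import Dict, List

# Added example for this article: audit an S3 Inventory CSV report against a
# retention policy. The report rows below are constructed; this is not AWS code.

# Inventory CSVs have no header row; column order comes from the manifest's fileSchema.
FIELDS = ["Bucket", "Key", "VersionId", "IsLatest",
          "ObjectLockRetainUntilDate", "ObjectLockMode", "ObjectLockLegalHoldStatus"]

SAMPLE_INVENTORY = """\
records-bucket,ledger/2024-q1.csv,v1,true,2031-04-01T00:00:00.000Z,COMPLIANCE,OFF
records-bucket,ledger/2024-q2.csv,v7,true,2031-07-01T00:00:00.000Z,GOVERNANCE,OFF
records-bucket,ledger/2024-q3.csv,v2,true,,,OFF
records-bucket,ledger/2024-q4.csv,v3,true,2026-01-01T00:00:00.000Z,COMPLIANCE,ON
records-bucket,ledger/2024-q1.csv,v0,false,2031-04-01T00:00:00.000Z,COMPLIANCE,OFF
"""

POLICY_MIN_RETAIN = datetime(2031, 1, 1, tzinfo=timezone.utc)   # constructed policy date

def parse_iso(value: str):
    """Inventory timestamps look like 2031-04-01T00:00:00.000Z; empty means no lock."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def audit_inventory(csv_text: str, required_mode: str, min_retain_until: datetime,
                    fields: List[str] = FIELDS) -> List[Dict[str, str]]:
    """One finding per current version that misses the policy; holds are reported as info."""
    findings = []
    for row in csv.DictReader(csv_text.splitlines(), fieldnames=fields):
        if row["IsLatest"] != "true":            # non-current versions keep their own lock
            continue
        obj = f'{row["Bucket"]}/{row["Key"]}@{row["VersionId"]}'
        mode, until = row["ObjectLockMode"], parse_iso(row["ObjectLockRetainUntilDate"])
        if not mode:
            findings.append({"object": obj, "issue": "no Object Lock retention"})
        elif mode != required_mode:
            findings.append({"object": obj, "issue": f"mode {mode}, policy requires {required_mode}"})
        elif until is None or until < min_retain_until:
            findings.append({"object": obj, "issue": f"retention ends {until}, before {min_retain_until.date()}"})
        if row["ObjectLockLegalHoldStatus"] == "ON":
            findings.append({"object": obj, "issue": "legal hold ON (informational)"})
    return findings

if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY, "COMPLIANCE", POLICY_MIN_RETAIN):
        print(f"{f['object']}: {f['issue']}")
```

On the constructed report this flags the Governance-mode object, the unlocked object, and the object whose retention ends in 2026, and notes the one under legal hold; a scheduled run of the same check is the piece you would wire to Lambda and SNS for the alerting the list mentions.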
Costs
Using S3 Object Lock adds a few cost considerations:
Direct costs:
- Standard S3 storage fees for the locked objects
- Per-object charges that vary by retention mode—Compliance mode charges per object per month, while Governance mode bills based on how many objects have retention periods
Indirect costs:
- Additional API requests for managing retention settings
- Data transfer costs if you’re moving locked data around
- Operational overhead for monitoring and managing retention policies
The AWS Pricing Calculator helps estimate costs based on your specific setup.
Can You Use Object Lock with Replication?
Yes. When you enable replication, locked objects in one bucket can be copied to another bucket in the same or a different region. Keep these points in mind:
- Replication rules must match: Configure rules so they preserve both the objects and their retention settings
- Retention timing: Account for replication lag—make sure your retention period is long enough that objects are still protected when they arrive at the destination
- Cross-region support: Confirm the destination region supports the same retention settings
- Compliance overlap: If you’re under regulatory requirements, verify that replication still meets your compliance obligations
FAQ
What’s the difference between Governance and Compliance modes?
Governance mode lets authorized users delete objects before the retention period ends. Compliance mode doesn’t allow this for anyone, not even the root account.
Can I apply Object Lock to an existing bucket?
Yes, but the bucket must have Object Lock enabled first. If the bucket already has objects, they won’t automatically get protected—you’d need to re-upload them or create new versions.
What happens when transitioning from Governance to Compliance mode?
Existing object retention periods don’t reset. However, once in Compliance mode, you cannot shorten any retention period.
What’s the maximum retention period?
There’s no maximum—you can set retention for any duration that meets your needs.
How is Object Lock different from Lifecycle policies?
Lifecycle policies automate object transitions or deletions. Object Lock prevents deletions and modifications regardless of Lifecycle rules.
Does Object Lock work with server-side encryption?
Yes, you can use both together. They’re independent features.
S3 Object Lock gives you a practical way to meet data retention requirements. The choice between Compliance and Governance mode comes down to whether you need absolute immutability (Compliance) or some operational flexibility (Governance). Legal holds add another layer of protection when you don’t know how long preservation is needed.
The main costs to factor in are storage fees, per-object charges, and API usage. Most teams find the compliance benefits justify the costs, especially in regulated industries.