Posted On: Nov 27, 2018

Amazon S3 Object Lock is a new S3 feature that blocks object version deletion during a customer-defined retention period so that you can enforce retention policies as an added layer of data protection or for regulatory compliance. You can migrate workloads from existing write-once-read-many (WORM) systems into Amazon S3, and configure S3 Object Lock at the object- and bucket-levels to prevent object version deletions prior to pre-defined Retain Until Dates or Legal Hold Dates. S3 Object Lock protection is maintained regardless of which storage class the object resides in and throughout S3 Lifecycle transitions between storage classes.

Used with S3 Versioning, which protects objects from being overwritten, you’re able to ensure that objects remain immutable for as long as S3 Object Lock protection is applied. You can apply S3 Object Lock protection by either assigning a Retain Until Date or a Legal Hold to an object using the Amazon SDK, Amazon CLI, REST API, or the S3 Management Console. You can apply retention settings within a PUT request, or apply them to an existing object after it has been created. To track what objects have S3 Object Lock, you can refer to an S3 Inventory report that includes the WORM status of objects.

S3 Object Lock can be configured in one of two modes. When deployed in Governance mode, Amazon Web Services accounts with specific IAM permissions are able to remove object locks from objects. If you require stronger immutability to comply with regulations, you can use Compliance Mode. In Compliance Mode, the protection cannot be removed by any user, including the root account.

You can use Amazon S3 Object Lock in Amazon Web Services China (Beijing) region, operated by Sinnet, and in Amazon Web Services China (Ningxia) region, operated by NWCD. To learn more about S3 Object Lock, please visit the Amazon S3 Developer Guide.