S3 Object Lock allows you to protect an S3 object from being modified for a period of time. It’s very useful if you need to comply with regulations or simply want to add another layer of protection.
Retention modes for Object Locks
There are 2 retention modes for Object Locks:
|Mode|Description|
|---|---|
|Governance|This is a lenient mode where most users are prevented from deleting or overwriting the object. It’s possible to grant users permissions to override this type of object lock. This mode can also be useful for testing settings before switching to compliance mode.|
|Compliance|This is a strict mode where all users are prevented from deleting or overwriting the object. Retention modes and periods also cannot be changed during the retention period.|
Setting up S3 Object Lock
Object Lock can only be enabled by users on new buckets; however, it’s possible to enable it on existing buckets by contacting AWS support. When creating a bucket, the setting is located under “Advanced Settings”, but it can only be enabled after versioning has been turned on.
After creating your bucket, you need to enable an object lock on the individual objects in your bucket. For this example I’ve uploaded an image to the S3 bucket I just created. Click on the object, go to the properties tab, and click on the “Object Lock” box to open the Object Lock settings screen.
We looked at retention modes earlier; the only new thing on this screen is “Legal Hold”.
A legal hold is an additional layer of protection that prevents an object from being overwritten or deleted. Unlike the retention mode, there is no expiry date for a legal hold. If a legal hold is enabled for an object as well as a retention mode, when the retention mode expires the legal hold will continue to protect the object in S3.
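The rules from the retention-mode table and the legal-hold paragraph, written out as a small decision function. This is an added example, not AWS code or code from the original post; `LockState` and `can_delete_version` are hypothetical names, the dates are constructed, and it models only the permanent deletion of a locked object version.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple


@dataclass
class LockState:
    """Lock settings on one object version (constructed model, not an AWS type)."""
    mode: Optional[str] = None               # "GOVERNANCE", "COMPLIANCE" or None
    retain_until: Optional[datetime] = None  # end of the retention period
    legal_hold: bool = False                 # no expiry; stays until switched off


def can_delete_version(lock: LockState, now: datetime,
                       has_bypass_permission: bool = False,
                       sends_bypass_header: bool = False) -> Tuple[bool, str]:
    """Decide whether a permanent delete of this object version would be allowed.

    has_bypass_permission models s3:BypassGovernanceRetention; sends_bypass_header
    models the x-amz-bypass-governance-retention request header. Both are needed.
    """
    if lock.legal_hold:
        return False, "legal hold is on (independent of any retention period)"
    active = lock.mode is not None and lock.retain_until is not None \
        and now < lock.retain_until
    if not active:
        return True, "no active retention period"
    if lock.mode == "COMPLIANCE":
        return False, "compliance mode: blocked for all users until expiry"
    if has_bypass_permission and sends_bypass_header:
        return True, "governance mode: overridden by a permitted user"
    return False, "governance mode: caller has no override"


if __name__ == "__main__":
    utc = timezone.utc
    during, until, after = (datetime(2024, 6, 1, tzinfo=utc),
                            datetime(2025, 1, 1, tzinfo=utc),
                            datetime(2025, 2, 1, tzinfo=utc))
    cases = [  # constructed scenarios: (label, lock, time, permission, header)
        ("compliance, admin with bypass", LockState("COMPLIANCE", until), during, True, True),
        ("governance, ordinary user", LockState("GOVERNANCE", until), during, False, False),
        ("governance, permitted user", LockState("GOVERNANCE", until), during, True, True),
        ("retention expired", LockState("COMPLIANCE", until), after, False, False),
        ("expired but legal hold on", LockState("COMPLIANCE", until, True), after, False, False),
    ]
    for label, lock, now, perm, header in cases:
        allowed, reason = can_delete_version(lock, now, perm, header)
        print(f"{label:32} -> {'ALLOW' if allowed else 'DENY'}: {reason}")
```

The last scenario is the one to check in a retention review: an expired retention period does not make an object deletable while its legal hold is still on.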
S3 Object Lock is compliant with all of the below regulations:
- SEC 17a-4
S3 Object Lock is fantastic for protecting your objects for regulatory/legal reasons.
Know of any other usages for Object Lock I’ve missed? Leave a comment below!