Understanding Object Lock for Amazon S3
What You Need to Know About Object Lock in Amazon S3
Table of contents
Introduction
S3 Object Lock can help prevent Amazon S3 objects from being deleted or overwritten for a fixed amount of time or indefinitely. Object Lock uses a write-once-read-many (WORM) model to store objects. You can use Object Lock to help meet regulatory requirements that require WORM storage, or to add another layer of protection against object changes or deletion.
Object Lock provides two ways to manage object retention: retention periods and legal holds. An object version can have a retention period, a legal hold, or both.
Retention period – A retention period specifies a fixed period of time during which an object remains locked. You can set a unique retention period for individual objects.
Legal hold – A legal hold provides the same protection as a retention period, but it has no expiration date. Instead, a legal hold remains in place until you explicitly remove it. Legal holds are independent from retention periods and are placed on individual object versions.
Object Lock works only in buckets that have S3 Versioning enabled. When you lock an object version, Amazon S3 stores the lock information in the metadata for that object version. Placing a retention period or a legal hold on an object protects only the version that's specified in the request. Retention periods and legal holds don't prevent new versions of the object from being created, or delete markers to be added on top of the object. For information about S3 Versioning, see Using versioning in S3 buckets.
If you put an object into a bucket that already contains an existing protected object with the same object key name, Amazon S3 creates a new version of that object. The existing protected version of the object remains locked according to its retention configuration.
Steps for Object Lock in Amazon S3
Open the AWS Management Console and navigate to the S3 dashboard.
Click Create bucket.
Select General purpose bucket type.
Write a bucket name, this name must be globally unique.
Select ACLs enabledObject Ownership.
Uncheck Block all public access -> Check the Acknowledgement.
Enable Bucket Versioning.
Under Additional setting, enable Object Lock.
Click Create bucket.
Open the newly created bucket by clicking on its name.
Click Properties.
Scroll and click Edit on Object Lock.
Enable Default retention, set Default retention mode to Governance, and set Default retention period to 1 Days.
Governance: Users with specific IAM permissions can overwrite or delete protected object versions during the retention period.
Compliance: No users can overwrite or delete protected object versions during the retention period.
Click Save changes.
Now Click on Objects.
Click Upload.
Now click on Add files.
Select any file you want to upload.
Scroll and click Upload.
Select the file and permanently delete the file. You'll see the file is permanently deleted. The reason for this is that the file is in Governance lock.
Note: Make sure Show Versions is enabled while you delete the file. If it is not, while will not be permanently deleted.
Now upload the file again.
Open the file by clicking on its name.
Under Properties, Edit Object Lock retention.
Set Retention mode to Compliance mode.
Note: You'll not be able to delete the file before the retention period.
Click Save Changes.
Now select the object and try to permanently delete the file. You'll get an error when you try. Wait until the retention period is over, then you will be able to delete it.