What Is S3 Object Lock?
Amazon S3 Object Lock is a feature that prevents objects from being deleted or overwritten for a fixed or indefinite amount of time. It's designed to help you meet regulatory requirements (like WORM: Write Once, Read Many) and protect critical data.
Object Lock Modes
There are two protection modes:

| Mode | Description |
|---|---|
| Governance Mode | Protects objects from most users, but the AWS account root user or users granted the s3:BypassGovernanceRetention permission can remove or shorten the retention |
| Compliance Mode | No one, not even the root user, can delete or overwrite the object version during the retention period, and the period cannot be shortened |
Retention Methods

| Type | Description |
|---|---|
| Retention Period | Specifies the number of days or a date until which the object version cannot be deleted |
| Legal Hold | Similar to Compliance Mode but more flexible: holds the object indefinitely, independent of any retention period, until the hold is explicitly removed |
How to Enable Object Lock
- When creating a bucket, enable "Object Lock" (must be done at bucket creation; it cannot be enabled later)
- Upload objects with lock configuration

AWS CLI Example:

```bash
aws s3api put-object-retention --bucket my-bucket --key myfile.txt --retention '{"Mode": "GOVERNANCE", "RetainUntilDate": "2025-12-31T00:00:00"}'
```
What Is S3 Versioning?
Amazon S3 Versioning enables you to keep multiple variants of an object in the same bucket.
Whenever you upload an object with the same key name:
- A new version is created.
- Previous versions are preserved.
- You can retrieve, restore, or permanently delete specific versions.
How Versioning Works

| Action | Result |
|---|---|
| Upload new object (same key) | New version created, old version retained |
| Delete an object | A delete marker is added, older versions remain available |
| Restore a version | Specify the version ID to retrieve an older version |

AWS CLI Example:

```bash
aws s3api put-bucket-versioning --bucket my-bucket --versioning-configuration Status=Enabled
```
How Versioning & Object Lock Work Together
When both Versioning and Object Lock are enabled:
- Each version of an object can have its own Object Lock configuration
- Prevents accidental or malicious deletions of specific versions
- Ensures regulatory compliance with WORM storage rules
Key Exam Scenarios (SOA-C02)
Scenario 1:
A company needs to prevent accidental deletion of S3 objects and maintain previous versions.
Answer: Use S3 Versioning
Scenario 2:
A company must store audit records in a WORM-compliant way for 7 years.
Answer: Use S3 Object Lock in Compliance Mode with a 7-year retention
Scenario 3:
An organization wants to prevent users from deleting critical data, but allow certain admins to override this protection when necessary.
Answer: Use S3 Object Lock in Governance Mode
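To make the mode and retention rules above concrete, here is an added example (my own code, not from these notes or from AWS) that models how S3 decides a DELETE against a locked version under each mode, legal hold and the governance bypass, and builds the `--retention` JSON for Scenario 2's 7-year Compliance lock. `LockedVersion`, `retention_json` and `delete_allowed` are hypothetical names; the sample dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple
import json


@dataclass
class LockedVersion:
    """Lock state of one object version (constructed sample data, not read from S3)."""
    mode: Optional[str] = None           # "GOVERNANCE", "COMPLIANCE" or None (no retention)
    retain_until: Optional[datetime] = None
    legal_hold: bool = False


def retention_json(mode: str, years: int, now: datetime) -> str:
    """Build the --retention argument for `aws s3api put-object-retention`."""
    try:
        until = now.replace(year=now.year + years)
    except ValueError:  # Feb 29 in a non-leap target year
        until = now.replace(year=now.year + years, day=28)
    return json.dumps({"Mode": mode, "RetainUntilDate": until.strftime("%Y-%m-%dT%H:%M:%SZ")})


def delete_allowed(v: LockedVersion, now: datetime, version_id: Optional[str],
                   bypass_governance: bool = False) -> Tuple[bool, str]:
    """Decide whether a DELETE succeeds, following the rules in the tables above."""
    if version_id is None:
        # In a versioned bucket a plain DELETE only adds a delete marker; the locked
        # version itself is untouched, so Object Lock does not block this request.
        return True, "delete marker added; locked versions remain"
    if v.legal_hold:
        return False, "legal hold is ON; it must be removed first (any mode)"
    if v.mode is None or v.retain_until is None or now >= v.retain_until:
        return True, "no active retention"
    if v.mode == "COMPLIANCE":
        return False, "COMPLIANCE retention active; nobody, not even root, can shorten it"
    if v.mode == "GOVERNANCE":
        if bypass_governance:  # needs s3:BypassGovernanceRetention plus the bypass flag on the request
            return True, "GOVERNANCE retention bypassed"
        return False, "GOVERNANCE retention active; caller lacks bypass permission"
    raise ValueError(f"unknown Object Lock mode: {v.mode!r}")


if __name__ == "__main__":
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    audit = LockedVersion("COMPLIANCE", datetime(2032, 6, 1, tzinfo=timezone.utc))
    print(retention_json("COMPLIANCE", 7, now))
    print(delete_allowed(audit, now, "v1"))
    print(delete_allowed(audit, now, "v1", bypass_governance=True))  # bypass is ignored
    print(delete_allowed(audit, now, None))                           # delete marker only
```

The last case is the caveat to remember when monitoring: a locked bucket can still receive delete markers, so alert on version-specific deletes and on bypass-governance requests rather than on delete calls alone.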
Object Lock vs. Versioning Comparison

| Feature | Object Lock | Versioning |
|---|---|---|
| Purpose | Prevents object deletion/overwrite | Keeps multiple versions of objects |
| Protection Levels | Governance / Compliance | N/A |
| Can Be Enabled After Bucket Creation? | No (must be at bucket creation) | Yes |
| Default Retention | Optional Retention / Legal Hold | Retains all versions |
| Use Case | Regulatory WORM data protection | Data recovery, rollback, auditing |
Summary
- S3 Versioning is for tracking and restoring object versions
- S3 Object Lock is for protecting objects from deletion/overwrite
- Use both together for secure, auditable, WORM-compliant storage
- Remember Object Lock must be enabled when the bucket is created