Amazon S3 Object Lock Overview
Amazon S3 Object Lock is a feature for securing data in Amazon S3. It helps you enforce a Write Once, Read Many (WORM) model to prevent accidental or malicious deletion or modification of objects in S3.
This is particularly useful for industries with strict data retention requirements, such as financial services, healthcare, and compliance-focused organizations.
Here are some key points about Amazon S3 Object Lock:
- WORM Model: once an object is written to S3 and locked, it cannot be deleted or modified for a specified retention period.
- Retention Period: You can set a retention period at the object level, which specifies how long the object should be locked. There are two modes for retention periods: Governance mode and Compliance mode.
- Governance Mode: In governance mode, users with the necessary permissions can apply a retention period to an object, and they can also remove the retention or extend it if required. It provides some flexibility for authorized users to manage retention policies.
- Compliance Mode: In compliance mode, the retention period is strictly enforced, and it cannot be shortened or removed by any user, including the root AWS account. This mode ensures that data remains immutable for the entire retention period.
- Legal Hold: Object Lock also supports legal holds, which allow you to place a legal hold on objects, preventing them from being deleted or modified until the hold is removed.
Object Lock is commonly used for scenarios where data integrity and retention are critical, such as maintaining financial records, preserving medical records, or adhering to regulatory requirements.
How to enable Object Lock for a Bucket
Before you can lock any objects, you need to configure a bucket to use S3 Object Lock. This can only be done when you create a new bucket. Once you've created a bucket with Object Lock enabled, you can then lock objects in that bucket using retention periods, legal holds, or both.
Please note:
- Object Lock can only be enabled for new buckets. If you wish to activate Object Lock for an existing bucket, please contact AWS Support.
- When you create a bucket with Object Lock enabled, Amazon S3 automatically enables versioning for the bucket.
- If you create a bucket with Object Lock enabled, you will not be able to disable Object Lock or suspend versioning for that bucket.
To create a bucket with Object Lock enabled:
1. Start S3 Browser and click Buckets, Create new bucket..
You may also use the Ctrl+N keyboard shortcut to create a new Amazon S3 bucket. The Create New Bucket dialog will open:
(Screenshot: the Create New Bucket dialog allows you to enter the new bucket name and specify the bucket location.)
2. Click show more settings, and the additional settings will open:
(Screenshot: Create New Bucket dialog - Additional Settings.)
3. Check the Enable S3 Object Lock checkbox and click Create new bucket.
If you wish to configure default retention settings for the bucket, you can also click on the configure default retention settings link. Please refer to the retention settings description below for more details.
How to configure default retention settings
When you enable Object Lock for a bucket, it allows the bucket to store protected objects. However, this setting does not automatically protect objects that you add to the bucket.
If you wish to automatically protect new versions of objects added to the bucket, you can set up a default retention period.
These default settings will apply to all new objects added to the bucket, unless you explicitly specify a different retention mode and period for an object at the time of its creation.
To configure default retention settings:
1. Select the bucket you wish to configure default retention settings for and click:
Buckets, Object Lock, Default retention settings..
(Screenshot: click Buckets, Object Lock, Default retention settings.) The Object Lock Configuration dialog will open:
(Screenshot: the Object Lock Configuration dialog.)
2. Configure Retention mode and Retention period and click OK.
- Governance mode: Users can't overwrite or delete an object version or alter its lock settings unless they have special permissions. Objects are protected against being deleted by most users, but you can still grant some users permission to alter the retention settings or delete the object if necessary.
- Compliance mode: A protected object version can't be overwritten or deleted by any user, including the root user in your AWS account. When an object is locked in compliance mode, its retention mode can't be changed, and its retention period can't be shortened.
- Retention period: A retention period protects an object version for a fixed amount of time. When you place a retention period on an object version, Amazon S3 stores a timestamp in the object version's metadata to indicate when the retention period expires. After the retention period expires, the object version can be overwritten or deleted unless you also placed a legal hold on the object version.
An alternative method to automatically apply retention settings is by configuring Object Lock Retention Rules.
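As an added example (not S3 Browser's code), the following Python builds the bucket-level configuration that the Default retention settings dialog writes and audits one read back from a bucket; the XML shape is that of the S3 PutObjectLockConfiguration and GetObjectLockConfiguration API, and no network calls are made, so it runs on a captured response.

```python
import xml.etree.ElementTree as ET

MODES = ("GOVERNANCE", "COMPLIANCE")
S3_NS = "http://s3.amazonaws.com/doc/2006-03-01/"


def build_object_lock_configuration(mode, days=None, years=None):
    """Request body for PutObjectLockConfiguration (the Default retention settings dialog).

    Exactly one of days/years is accepted, as in the S3 API; the mode is the
    retention mode the dialog offers (Governance or Compliance).
    """
    if mode not in MODES:
        raise ValueError(f"unknown retention mode: {mode}")
    if (days is None) == (years is None):
        raise ValueError("specify exactly one of days or years")
    unit, value = ("Days", days) if days is not None else ("Years", years)
    if value <= 0:
        raise ValueError("retention period must be positive")
    root = ET.Element("ObjectLockConfiguration", xmlns=S3_NS)
    ET.SubElement(root, "ObjectLockEnabled").text = "Enabled"
    default = ET.SubElement(ET.SubElement(root, "Rule"), "DefaultRetention")
    ET.SubElement(default, "Mode").text = mode
    ET.SubElement(default, unit).text = str(value)
    return ET.tostring(root, encoding="unicode")


def audit_object_lock_configuration(body):
    """Summarise a GetObjectLockConfiguration response.

    Object Lock being enabled does not by itself protect new objects: only a
    Rule with a DefaultRetention does, so a bucket with enabled=True and
    default_retention=None relies entirely on per-object retention settings.
    """
    root = ET.fromstring(body)
    for el in root.iter():            # drop the namespace so tags compare plainly
        el.tag = el.tag.rsplit("}", 1)[-1]
    enabled = root.findtext("ObjectLockEnabled") == "Enabled"
    rule = root.find("Rule/DefaultRetention")
    if rule is None:
        return {"enabled": enabled, "default_retention": None}
    days, years = rule.findtext("Days"), rule.findtext("Years")
    return {"enabled": enabled, "default_retention": {
        "mode": rule.findtext("Mode"),
        "days": int(days) if days else None,
        "years": int(years) if years else None}}
```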
Viewing the lock information for an object
You can check the object lock status for individual files by following the instructions provided below. The Properties tab displays the retention mode, 'Retain Until Date', and the legal-hold status for the specified object version.
1. Select the file for which you would like to check the object lock status and click:
Files, Properties:
(Screenshot: select the file and click Files, Properties.) The Properties tab will open:
(Screenshot: the Properties tab shows retention information.)
The Retention row displays the Object Lock status (Active or Expired), the retention mode, and the 'Retain Until Date' information.
Another way to check the object lock status is to select the file and then click:
Files, Object Lock, Retention:
(Screenshot: select the file and click Files, Object Lock, Retention.) The Object Lock Retention dialog will open:
(Screenshot: the Object Lock Retention dialog.)
The dialog displays retention information and lets you update retention settings.
How to apply retention settings for one or multiple files
With S3 Browser you can conveniently update the retention settings for one or multiple files.
Retention can be disabled for files protected by the Governance mode (S3 Browser includes the x-amz-bypass-governance-retention:true header).
For files protected by the Compliance mode, the retention period can only be extended.
To apply or update retention settings for one or multiple files:
1. Select one or more files and/or folders and click:
Files, Object Lock, Retention:
(Screenshot: select the file and click Files, Object Lock, Retention.) The Object Lock Retention dialog will open:
(Screenshot: the Object Lock Retention dialog.)
2. Adjust the retention settings as needed, then click OK.
How to apply retention settings for all files in a bucket
With S3 Browser, you can also update the retention settings for all files in a bucket.
This can be particularly useful if you need to change the retention mode or update the retention period for every file in a bucket. S3 Browser provides a convenient and efficient way to do this due to its support for multi-threading, allowing you to process multiple files in parallel. This can greatly speed up the process, especially for large buckets.
To adjust the retention settings for all files in a bucket:
1. Select the bucket you want to work with and click:
Buckets, Object Lock, Update retention for all objects..:
(Screenshot: click Buckets, Object Lock, Update retention for all objects.) The Object Lock Retention dialog will open:
(Screenshot: the Object Lock Retention dialog.)
2. Adjust the retention settings as needed, then click OK.
S3 Browser will enumerate all files in the bucket and create a PutObjectRetention task for each file. You can monitor the progress on the Tasks tab.
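As an added example (not S3 Browser's code), this Python models the acceptance rules described above for a single PutObjectRetention change, including when the x-amz-bypass-governance-retention header is needed; the header is only honoured for principals holding the s3:BypassGovernanceRetention permission, and a mode change on a governance lock is treated here as needing the bypass, which is an assumption of this example rather than something the page states.

```python
from datetime import datetime, timezone

BYPASS_HEADER = "x-amz-bypass-governance-retention"


def plan_retention_update(current, new, now, allow_bypass=False):
    """Decide whether a retention change is accepted before calling PutObjectRetention.

    current / new: ("GOVERNANCE" | "COMPLIANCE", retain_until) or None (no retention).
    now: current time, used to tell an Active lock from an Expired one.
    Returns (accepted, extra_headers, reason).
    """
    headers = {}
    if current is None or current[1] <= now:
        # No retention, or an Expired one: any new setting may be applied.
        return True, headers, "no active retention"
    cur_mode, cur_until = current
    if cur_mode == "COMPLIANCE":
        # Compliance: nobody (root included) may shorten, remove or change mode.
        if new is None or new[0] != "COMPLIANCE" or new[1] < cur_until:
            return False, headers, "compliance retention can only be extended"
        return True, headers, "compliance retention extended"
    # Governance: extending in the same mode needs only s3:PutObjectRetention.
    if new is not None and new[0] == "GOVERNANCE" and new[1] >= cur_until:
        return True, headers, "governance retention extended"
    # Shortening, removing, or (assumed here) changing mode needs the bypass.
    if not allow_bypass:
        return False, headers, "change requires s3:BypassGovernanceRetention"
    headers[BYPASS_HEADER] = "true"   # what S3 Browser adds when disabling retention
    return True, headers, "governance retention overridden with bypass"


def demo():
    """Constructed sample: a governance lock that the operator wants to remove."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    lock = ("GOVERNANCE", datetime(2024, 12, 31, tzinfo=timezone.utc))
    return plan_retention_update(lock, None, now, allow_bypass=True)
```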