Amazon S3 Object Lock - prevent accidental or malicious deletion or modification of objects in S3
S3 Browser
Free Windows Client for Amazon S3 and Amazon CloudFront

Amazon S3 Object Lock

Amazon S3 Object Lock Overview

Amazon S3 Object Lock is a feature for securing data in Amazon S3. It helps you enforce a Write Once, Read Many (WORM) model to prevent accidental or malicious deletion or modification of objects in S3.

This is particularly useful for industries with strict data retention requirements, such as financial services, healthcare, and compliance-focused organizations.

Here are some key points about Amazon S3 Object Lock:

  • WORM Model: Once an object version is written to S3 and locked, it cannot be deleted or modified for the specified retention period.
  • Retention Period: You can set a retention period at the object level, which specifies how long the object should be locked. There are two modes for retention periods: Governance mode and Compliance mode.
  • Governance Mode: In governance mode, users with the necessary permissions can apply a retention period to an object, and they can also remove the retention or extend it if required. It provides some flexibility for authorized users to manage retention policies.
  • Compliance Mode: In compliance mode, the retention period is strictly enforced, and it cannot be shortened or removed by any user, including the root AWS account. This mode ensures that data remains immutable for the entire retention period.
  • Legal Hold: Object Lock also supports legal holds, which allow you to place a legal hold on objects, preventing them from being deleted or modified until the hold is removed.

Object Lock is commonly used for scenarios where data integrity and retention are critical, such as maintaining financial records, preserving medical records, or adhering to regulatory requirements.


How to enable Object Lock for a Bucket

Before you can lock any objects, you need to configure the bucket to use S3 Object Lock. In S3 Browser this is done when you create a new bucket. Once you have created a bucket with Object Lock enabled, you can lock objects in that bucket using retention periods, legal holds, or both.

Please note:

  • In S3 Browser, Object Lock is enabled while creating a bucket. AWS itself now allows Object Lock to be turned on for an existing bucket that already has versioning enabled (through the AWS console or the PutObjectLockConfiguration API); the older advice was to contact AWS Support.
  • When you create a bucket with Object Lock enabled, Amazon S3 automatically enables versioning for the bucket.
  • Once a bucket has been created with Object Lock enabled, you cannot disable Object Lock or suspend versioning for that bucket.

To create a bucket with Object Lock enabled:

1. Start S3 Browser and click Buckets, Create new bucket..:


You may also use the Ctrl+N keyboard shortcut to create a new Amazon S3 bucket.

The Create New Bucket dialog will open:


The Create New Bucket dialog lets you enter the new bucket name and specify the bucket location.

2. Click show more settings; the additional settings will open:

Create New Bucket dialog - Additional Settings

3. Check the Enable S3 Object Lock checkbox and click Create new bucket.

If you wish to configure default retention settings for the bucket, you can also click on the configure default retention settings link. Please refer to the retention settings description below for more details.


How to configure default retention settings

When you enable Object Lock for a bucket, it allows the bucket to store protected objects. However, this setting does not automatically protect objects that you add to the bucket.

If you wish to automatically protect new versions of objects added to the bucket, you can set up a default retention period.

These default settings will apply to all new objects added to the bucket, unless you explicitly specify a different retention mode and period for an object at the time of its creation.

To configure default retention settings:

1. Select the bucket you wish to configure default retention settings for and click:

Buckets, Object Lock, Default retention settings..

The Object Lock Configuration dialog will open:

The Object Lock Configuration dialog

2. Configure Retention mode and Retention period and click OK.

Governance mode: Users cannot overwrite or delete a protected object version or alter its lock settings unless they have special permissions. Objects are protected against deletion by most users, but you can still grant selected users the s3:BypassGovernanceRetention permission so that they can alter the retention settings or delete the object if necessary (the request must also carry the x-amz-bypass-governance-retention header).

Compliance mode: A protected object version cannot be overwritten or deleted by any user, including the root user of your AWS account. When an object is locked in compliance mode, its retention mode cannot be changed, and its retention period cannot be shortened.

Retention period: A retention period protects an object version for a fixed amount of time. When you place a retention period on an object version, Amazon S3 stores a timestamp in the object version's metadata to indicate when the retention period expires. After the retention period expires, the object version can be overwritten or deleted unless you also placed a legal hold on it.
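The rules just described (and the Governance mode, Compliance mode and Legal Hold bullets in the overview) as a runnable decision model, added here as an example; it is not S3 Browser or AWS code. The class and function names (LockState, Caller, lock_new_version, can_delete_version, can_update_retention) are ours. It assumes a bucket default given in days only, and treats raising a governance lock to compliance as tightening, which needs no bypass.

```python
"""Decision model for the S3 Object Lock rules described above: Governance
mode, Compliance mode, legal holds, expiry and bucket default retention.
Added example, not S3 Browser or AWS code: the names are ours, the rules are S3's."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

GOVERNANCE = "GOVERNANCE"
COMPLIANCE = "COMPLIANCE"
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed "current time"


def days(n: int) -> datetime:
    return NOW + timedelta(days=n)


@dataclass
class LockState:
    """What S3 stores for one object VERSION (a lock is per version, not per key)."""
    mode: Optional[str] = None              # GOVERNANCE, COMPLIANCE or None
    retain_until: Optional[datetime] = None
    legal_hold: bool = False                # independent of the retention period


@dataclass
class Caller:
    """Bypassing a Governance lock needs BOTH the x-amz-bypass-governance-retention:
    true header on the request AND the s3:BypassGovernanceRetention IAM permission."""
    bypass_header: bool = False
    has_bypass_permission: bool = False

    def may_bypass_governance(self) -> bool:
        return self.bypass_header and self.has_bypass_permission


def retention_active(state: LockState, now: datetime) -> bool:
    return state.retain_until is not None and now < state.retain_until


def lock_status(state: LockState, now: datetime) -> str:
    """The Active / Expired wording of the Properties tab; 'None' if never locked."""
    if state.retain_until is None:
        return "None"
    return "Active" if retention_active(state, now) else "Expired"


def lock_new_version(now: datetime, bucket_default: Optional[Tuple[str, int]] = None,
                     explicit: Optional[LockState] = None) -> LockState:
    """Bucket default retention (mode, days) applies only to NEW versions and only
    when the PUT carried no retention of its own. (S3 also accepts a default in
    years; this model handles days only.)"""
    if explicit is not None:
        return explicit
    if bucket_default is None:
        return LockState()                  # Object Lock on, version still unprotected
    mode, ndays = bucket_default
    return LockState(mode=mode, retain_until=now + timedelta(days=ndays))


def can_delete_version(state: LockState, now: datetime, caller: Caller) -> Tuple[bool, str]:
    """DeleteObject with a VersionId. (A delete without a version id only adds a
    delete marker and is never blocked by Object Lock.)"""
    if state.legal_hold:
        return False, "legal hold is ON: remove the hold first"
    if not retention_active(state, now):
        return True, "no active retention period"
    if state.mode == COMPLIANCE:
        return False, "compliance mode: nobody, including root, can delete before retain_until"
    if caller.may_bypass_governance():
        return True, "governance lock bypassed (header + s3:BypassGovernanceRetention)"
    return False, "governance mode: bypass header or permission missing"


def can_update_retention(state: LockState, now: datetime, new_mode: Optional[str],
                         new_until: Optional[datetime], caller: Caller) -> Tuple[bool, str]:
    """PutObjectRetention on a version; new_mode=None means 'remove retention'."""
    if not retention_active(state, now):
        return True, "no active retention: any retention may be applied"
    if state.mode == COMPLIANCE:
        if new_mode != COMPLIANCE:
            return False, "compliance mode cannot be removed or changed to governance"
        if new_until is None or new_until <= state.retain_until:
            return False, "compliance retention can only be extended, never shortened"
        return True, "compliance retention extended"
    # GOVERNANCE: tightening never needs the bypass, loosening always does.
    loosening = new_mode is None or new_until is None or new_until < state.retain_until
    if not loosening:
        return True, "governance lock tightened (extended or raised to compliance)"
    if caller.may_bypass_governance():
        return True, "governance lock loosened with bypass"
    return False, "governance mode: shortening or removing needs the bypass header and permission"


if __name__ == "__main__":
    admin = Caller(bypass_header=True, has_bypass_permission=True)
    v = lock_new_version(NOW, bucket_default=(COMPLIANCE, 365))
    print(lock_status(v, NOW), can_delete_version(v, NOW, admin))
```

The point worth keeping from the model: a legal hold is checked before anything else, an expired retention period protects nothing, and for Governance mode the header alone is never enough, the IAM permission has to be there too.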

An alternative method to automatically apply retention settings is by configuring Object Lock Retention Rules.


Viewing the lock information for an object

You can check the object lock status for individual files by following the instructions provided below. The Properties tab displays the retention mode, 'Retain Until Date', and the legal-hold status for the specified object version.

1. Select the file for which you would like to check the object lock status and click:

Files, Properties:


The Properties tab will open:

The Properties tab, with the Retention row highlighted

The Retention row displays the Object Lock status (Active or Expired), the retention mode, and the 'Retain Until Date' information.

Another way to check the object lock status is to select the file and then click:

Files, Object Lock, Retention:


The Object Lock Retention dialog will open:

The Object Lock Retention dialog

The dialog displays retention information and lets you update retention settings.


How to apply retention settings for one or multiple files

With S3 Browser you can conveniently update the retention settings for one or multiple files.

Retention can be removed from files protected by Governance mode: S3 Browser sends the x-amz-bypass-governance-retention: true header with the request, but S3 honours it only if your IAM identity also has the s3:BypassGovernanceRetention permission.

For files protected by Compliance mode, the retention period can only be extended; the mode cannot be changed and the period cannot be shortened.

To apply or update retention settings for one or multiple files:

1. Select one or more files and/or folders and click:

Files, Object Lock, Retention:


The Object Lock Retention dialog will open:

The Object Lock Retention dialog

2. Adjust the retention settings as needed, then click OK.


How to apply retention settings for all files in a bucket

With S3 Browser, you can also update the retention settings for all files in a bucket.

This can be particularly useful if you need to change the retention mode or update the retention period for every file in a bucket. S3 Browser provides a convenient and efficient way to do this due to its support for multi-threading, allowing you to process multiple files in parallel. This can greatly speed up the process, especially for large buckets.

To adjust the retention settings for all files in a bucket:

1. Select the bucket you want to work with and click:

Buckets, Object Lock, Update retention for all objects..:


The Object Lock Retention dialog will open:

The Object Lock Retention dialog

2. Adjust the retention settings as needed, then click OK.

S3 Browser enumerates all files in the bucket and creates a PutObjectRetention task for each of them. You can monitor the progress on the Tasks tab.


Bypass governance retention for file deletion

To delete object versions protected by Governance mode, you must either remove the retention from the file or include the x-amz-bypass-governance-retention header with your delete request. In both cases S3 only honours the bypass if your IAM identity has the s3:BypassGovernanceRetention permission.

S3 Browser automatically includes the x-amz-bypass-governance-retention header when you edit retention settings for file(s).

However, to delete file versions without disabling retention for the file, you need to include the x-amz-bypass-governance-retention header with your delete request.

Below are the steps required to configure S3 Browser to include the x-amz-bypass-governance-retention header with delete requests.

1. Click Tools, Default HTTP Headers


The Default HTTP Headers dialog will open:

The Default HTTP Headers dialog

2. Click Add, the Add New Default HTTP Header dialog will open:


3. Add the following header:

  • Bucket name or mask: enter your bucket name here
  • File name: *
  • Header name: x-amz-bypass-governance-retention
  • Header value: true

4. Click Add, then Save changes.

Keep the bucket name or mask as narrow as the job requires and remove the header again when the clean-up is finished: while it is configured, every delete of a protected version that S3 Browser issues for matching files bypasses governance retention, which defeats the protection you set up for everyday use.
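The two procedures above, updating retention for every object in a bucket and deleting a governance-locked version with the bypass header, written against a boto3-style S3 client. This is an added example, not S3 Browser code. FakeS3 is a constructed in-memory stand-in that mimics only the boto3 calls used here (get_paginator('list_object_versions'), get_object_retention, get_object_legal_hold, put_object_retention, delete_object) and refuses what S3 refuses, so the block runs offline; apply_retention_to_all, delete_locked_version and the sample data are ours, and the example assumes every version already carries a retention setting, as it does in a bucket with default retention.

```python
"""Bulk retention update and bypass-governance delete through a boto3-shaped S3
client. Added example, not S3 Browser code. FakeS3 is a constructed stand-in for
the boto3 calls used below and refuses what S3 refuses; pass boto3.client("s3")
instead to run against a real bucket (every version is assumed to have retention)."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed "current time"


def days(n: int) -> datetime:
    return NOW + timedelta(days=n)


class FakeS3:
    """versions: {(key, version_id): {"mode", "until", "hold"}} (constructed data)."""

    def __init__(self, now, versions):
        self.now, self.versions, self.calls = now, versions, []

    def get_paginator(self, name):
        client = self

        class Paginator:                    # real S3 pages 1000 versions at a time
            def paginate(self, Bucket, Prefix=""):
                yield {"Versions": [{"Key": k, "VersionId": v}
                                    for (k, v) in list(client.versions) if k.startswith(Prefix)]}
        return Paginator()

    def get_object_retention(self, Bucket, Key, VersionId):
        v = self.versions[(Key, VersionId)]
        return {"Retention": {"Mode": v["mode"], "RetainUntilDate": v["until"]}}

    def get_object_legal_hold(self, Bucket, Key, VersionId):
        on = self.versions[(Key, VersionId)].get("hold")
        return {"LegalHold": {"Status": "ON" if on else "OFF"}}

    def put_object_retention(self, Bucket, Key, VersionId, Retention,
                             BypassGovernanceRetention=False):
        v = self.versions[(Key, VersionId)]
        active, new_until = v["until"] > self.now, Retention["RetainUntilDate"]
        if active and v["mode"] == "COMPLIANCE" and not (
                Retention["Mode"] == "COMPLIANCE" and new_until > v["until"]):
            raise PermissionError("AccessDenied")   # compliance: extend only
        if active and v["mode"] == "GOVERNANCE" and new_until < v["until"] \
                and not BypassGovernanceRetention:
            raise PermissionError("AccessDenied")   # governance: shortening needs bypass
        v["mode"], v["until"] = Retention["Mode"], new_until
        self.calls.append(("put", Key, VersionId, BypassGovernanceRetention))

    def delete_object(self, Bucket, Key, VersionId, BypassGovernanceRetention=False):
        v = self.versions[(Key, VersionId)]
        active = v["until"] > self.now
        if v.get("hold") or (active and (v["mode"] == "COMPLIANCE"
                                         or not BypassGovernanceRetention)):
            raise PermissionError("AccessDenied")
        self.calls.append(("delete", Key, VersionId, BypassGovernanceRetention))
        del self.versions[(Key, VersionId)]


def apply_retention_to_all(s3, bucket, mode, retain_until, prefix=""):
    """What 'Update retention for all objects' does: one PutObjectRetention per
    version. The bypass flag is sent so governance locks can also be shortened;
    compliance locks reject anything but an extension, so failures are collected
    per version instead of aborting the run (boto3 raises ClientError there)."""
    ok, failed = [], []
    pages = s3.get_paginator("list_object_versions").paginate(Bucket=bucket, Prefix=prefix)
    for page in pages:
        for v in page.get("Versions", []):
            target = (v["Key"], v["VersionId"])
            try:
                s3.put_object_retention(Bucket=bucket, Key=v["Key"], VersionId=v["VersionId"],
                                        Retention={"Mode": mode, "RetainUntilDate": retain_until},
                                        BypassGovernanceRetention=True)
                ok.append(target)
            except PermissionError as e:
                failed.append((target, str(e)))
    return ok, failed


def delete_locked_version(s3, bucket, key, version_id, now):
    """Delete one version, sending x-amz-bypass-governance-retention only while a
    governance lock is active, and refusing up front what S3 would refuse anyway."""
    hold = s3.get_object_legal_hold(Bucket=bucket, Key=key, VersionId=version_id)
    if hold["LegalHold"]["Status"] == "ON":
        return "refused: legal hold is ON"
    r = s3.get_object_retention(Bucket=bucket, Key=key, VersionId=version_id)["Retention"]
    active = r["RetainUntilDate"] > now
    if active and r["Mode"] == "COMPLIANCE":
        return "refused: compliance lock active until " + r["RetainUntilDate"].isoformat()
    s3.delete_object(Bucket=bucket, Key=key, VersionId=version_id,
                     BypassGovernanceRetention=active)
    return "deleted with bypass" if active else "deleted"


def build_sample():
    """Constructed fixture: four versions in different lock states."""
    return FakeS3(NOW, {
        ("a.txt", "v1"): {"mode": "GOVERNANCE", "until": days(10)},
        ("b.txt", "v1"): {"mode": "COMPLIANCE", "until": days(400)},
        ("c.txt", "v1"): {"mode": "GOVERNANCE", "until": days(-5)},             # expired
        ("d.txt", "v1"): {"mode": "GOVERNANCE", "until": days(10), "hold": True},
    })
```

Run it with `s3 = build_sample()` and then `apply_retention_to_all(s3, "bkt", "GOVERNANCE", days(30))` or `delete_locked_version(s3, "bkt", "a.txt", "v1", NOW)`. With a real client, pass boto3.client("s3") in place of build_sample() and catch botocore.exceptions.ClientError where the fake raises PermissionError. Sending the bypass flag only when a governance lock is actually active is the opposite of the global Default HTTP Headers rule: it limits the bypass to the one request that needs it.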


S3 Browser 11.7.5 Freeware
Copyright © 2008-2024 Netsdk Software FZE. All rights reserved.