Posted On: Nov 26, 2018

Amazon S3 Object Lock is a new S3 feature that blocks object version deletion during a customer-defined retention period so that you can enforce retention policies as an added layer of data protection or for regulatory compliance. You can migrate workloads from existing write-once-read-many (WORM) systems into Amazon S3, and configure S3 Object Lock at the object- and bucket-levels to prevent object version deletions prior to pre-defined Retain Until Dates or Legal Hold Dates. S3 Object Lock protection is maintained regardless of which storage class the object resides in and throughout S3 Lifecycle transitions between storage classes.

Used with S3 Versioning, which protects objects from being overwritten, you’re able to ensure that objects remain immutable for as long as S3 Object Lock protection is applied. You can apply S3 Object Lock protection by either assigning a Retain Until Date or a Legal Hold to an object using the AWS SDK, AWS CLI, REST API, or the S3 Management Console. You can apply retention settings within a PUT request, or apply them to an existing object after it has been created. To track what objects have S3 Object Lock, you can refer to an S3 Inventory report that includes the WORM status of objects.

S3 Object Lock can be configured in one of two modes. When deployed in Governance mode, AWS accounts with specific IAM permissions are able to remove object locks from objects. If you require stronger immutability to comply with regulations, you can use Compliance Mode. In Compliance Mode, the protection cannot be removed by any user, including the root account.

S3 Object Lock has been assessed for SEC Rule 17a-4(f), FINRA Rule 4511, and CFTC Regulation 1.31 by Cohasset Associates. Cohasset Associates is a management consulting firm specializing in records management and information governance. A copy of the Cohasset Associates Assessment report can be downloaded from the S3 Object Lock technical documentation. You can then provide the assessment report to your regulator when you notify them of your decision to use Amazon S3 for your regulated data.

Amazon S3 Object Lock is now generally available in all AWS Regions and AWS GovCloud (US) Regions. To learn more about S3 Object Lock, please visit the Amazon S3 Developer Guide.