Overview
Amazon S3 is the trusted primary storage for millions of customers from all around the world. With 99.999999999% (11 9s) of data durability, customers can store and protect business-critical data for virtually any use case, including cloud-native applications, data lake analytics output, and media files. As with any data, it is best practice to have a backup and to put safeguards in place against malicious or accidental deletion.
S3 Object Lock blocks permanent object deletion during a customer-defined retention period so that you can enforce retention policies as an added layer of data protection or for regulatory compliance. With S3 Object Lock, S3 Versioning is automatically enabled, and these features work together to prevent locked object versions from being permanently deleted (accidental or intentional) or overwritten using a write-once-read-many (WORM) model. S3 Object Lock is the industry standard for object storage immutability for ransomware protection and is used in cloud storage, backup and data protection solutions by AWS Storage partners such as Cohesity, Commvault, Rubrik, Veeam, and Veritas.
How does S3 Object Lock work?
You can use S3 Object Lock at the bucket or object level, and you can enable it when creating a new bucket or on an existing bucket. To use S3 Object Lock with a bucket (or the objects within it), you must first enable versioning for the bucket, because you won’t be able to turn versioning on later. Retention periods and legal holds apply to individual object versions. When you lock an object version, Amazon S3 stores the lock information in the metadata for that object version. Placing a retention period or legal hold on an object protects only the version specified in the request; it doesn't prevent new versions of the object from being created.
S3 Object Lock protection is maintained regardless of which storage class the object resides in and throughout S3 Lifecycle transitions between storage classes. Combined with S3 Versioning, which protects objects from being overwritten, it ensures that objects remain immutable for as long as S3 Object Lock protection is applied. You can migrate workloads from existing WORM storage systems into Amazon S3 and configure S3 Object Lock at the object and bucket levels to prevent object version deletions before predefined retention dates or legal hold dates.
You can also enable S3 Replication on a bucket that has S3 Object Lock enabled to replicate objects along with their retention settings. While replicating objects, if the source bucket has S3 Object Lock enabled, the destination bucket must also have S3 Object Lock enabled.
Managing object retention with S3 Object Lock
S3 Object Lock provides two ways to manage object retention: retention periods and legal holds. With S3 Object Lock enabled on a bucket, an object version can have both a retention period and a legal hold, one but not the other, or neither.
- Retention period — Specifies a fixed period of time during which an object remains locked. During this period, your object is WORM-protected and can't be overwritten or deleted. When you place a retention period on an object version, Amazon S3 stores a timestamp in the object version's metadata to show when the retention period expires. After the retention period expires, the object version can be overwritten or deleted unless you also placed a legal hold on the object version. Using a bucket policy, you can set minimum and maximum allowable retention periods for a bucket. For more information, see retention periods.
- Legal hold — Provides the same protection as a retention period, but it has no expiration date. Instead, a legal hold remains in place until you explicitly remove it. Legal holds are independent from retention periods. For more information, see legal holds.
Retention periods and retention modes are always configured in tandem, unlike legal holds, which are configured independently. S3 Object Lock provides two retention modes that apply different levels of protection to your objects. You can apply either retention mode to any object version that is protected by Object Lock.
- Governance mode — In governance mode, users can't overwrite or delete an object version or alter its lock settings unless they have special permissions. With governance mode, you protect objects against being deleted by most users, but you can still grant some users permission to alter the retention settings or delete the object if necessary. You can also use governance mode to test retention-period settings before creating a compliance-mode retention period.
- Compliance mode — In compliance mode, a protected object version can't be overwritten or deleted by any user, including the root user in your AWS account. When an object is locked in compliance mode, you cannot change the retention mode, and you cannot shorten the retention period. Compliance mode helps ensure that an object version can't be overwritten or deleted for the duration of the retention period. S3 Object Lock has been assessed for SEC Rule 17a-4(f), FINRA Rule 4511, and CFTC Regulation 1.31 by Cohasset Associates.
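To make the settings above concrete, here is an added example (not AWS's own code) that builds the requests a practitioner would send for the bucket default lock, a per-version retention period, a legal hold, and a bucket policy that enforces the minimum/maximum retention range mentioned above. The bucket name is a constructed placeholder; `apply()` is the only function that touches a real boto3 S3 client and is not run here.

```python
"""Build S3 Object Lock requests and a retention guard-rail bucket policy.

Added example, not AWS's own code. EXAMPLE_BUCKET is a constructed placeholder.
Each builder returns a plain dict shaped for the boto3 S3 client method named
in its docstring; only apply() needs a live client (network, not run here).
"""
import json
from datetime import datetime, timedelta, timezone

EXAMPLE_BUCKET = "example-worm-bucket"  # constructed placeholder

GOVERNANCE = "GOVERNANCE"
COMPLIANCE = "COMPLIANCE"


def _check_mode(mode):
    if mode not in (GOVERNANCE, COMPLIANCE):
        raise ValueError("mode must be GOVERNANCE or COMPLIANCE")


def _utc(now_iso=None):
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' timestamp, or use the current UTC time."""
    if now_iso is None:
        return datetime.now(timezone.utc)
    return datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def create_bucket_request(bucket):
    """kwargs for s3.create_bucket; S3 enables versioning automatically."""
    return {"Bucket": bucket, "ObjectLockEnabledForBucket": True}


def default_retention_request(bucket, mode, days):
    """kwargs for s3.put_object_lock_configuration: the bucket default that
    every NEW object version inherits unless the upload sets its own."""
    _check_mode(mode)
    return {
        "Bucket": bucket,
        "ObjectLockConfiguration": {
            "ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": mode, "Days": days}},
        },
    }


def retention_request(bucket, key, version_id, mode, days, now_iso=None, bypass_governance=False):
    """kwargs for s3.put_object_retention on ONE object version.

    RetainUntilDate is the timestamp S3 stores in that version's metadata.
    BypassGovernanceRetention is only honoured for GOVERNANCE locks and needs
    the s3:BypassGovernanceRetention permission; it never affects COMPLIANCE."""
    _check_mode(mode)
    req = {
        "Bucket": bucket,
        "Key": key,
        "VersionId": version_id,
        "Retention": {"Mode": mode, "RetainUntilDate": _utc(now_iso) + timedelta(days=days)},
    }
    if bypass_governance:
        req["BypassGovernanceRetention"] = True
    return req


def legal_hold_request(bucket, key, version_id, on):
    """kwargs for s3.put_object_legal_hold; independent of any retention period."""
    return {"Bucket": bucket, "Key": key, "VersionId": version_id,
            "LegalHold": {"Status": "ON" if on else "OFF"}}


def retention_guardrail_policy(bucket, min_days, max_days):
    """Bucket policy bounding the retention a caller may set, using the
    s3:object-lock-remaining-retention-days condition key. It covers both
    PutObject (retention headers on upload) and PutObjectRetention."""
    actions = ["s3:PutObject", "s3:PutObjectRetention"]
    resource = "arn:aws:s3:::%s/*" % bucket
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyRetentionBelowMinimum", "Effect": "Deny", "Principal": "*",
             "Action": actions, "Resource": resource,
             "Condition": {"NumericLessThan": {"s3:object-lock-remaining-retention-days": str(min_days)}}},
            {"Sid": "DenyRetentionAboveMaximum", "Effect": "Deny", "Principal": "*",
             "Action": actions, "Resource": resource,
             "Condition": {"NumericGreaterThan": {"s3:object-lock-remaining-retention-days": str(max_days)}}},
        ],
    }


def apply(client, bucket, key, version_id):
    """Send the requests through a real boto3 S3 client (not executed here)."""
    client.put_object_lock_configuration(**default_retention_request(bucket, COMPLIANCE, 30))
    client.put_bucket_policy(Bucket=bucket, Policy=json.dumps(retention_guardrail_policy(bucket, 30, 365)))
    client.put_object_retention(**retention_request(bucket, key, version_id, COMPLIANCE, 90))
    client.put_object_legal_hold(**legal_hold_request(bucket, key, version_id, True))


if __name__ == "__main__":
    print(json.dumps(retention_guardrail_policy(EXAMPLE_BUCKET, 30, 365), indent=2))
```

Pick `COMPLIANCE` for the default only after rehearsing with `GOVERNANCE`, as the text recommends: once a version is locked in compliance mode, nothing in this module (or any principal, root included) can shorten or remove that lock before `RetainUntilDate`.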
Using S3 Object Lock at scale with S3 Batch Operations
You can enable S3 Object Lock on a bucket with a default retention setting that locks all new objects. For existing objects, use S3 Batch Operations with S3 Object Lock to place a lock or extend an existing retention period, or to enable or remove a legal hold, on up to billions of objects at once. You specify the target objects in a manifest and submit it to Batch Operations for completion.
Like all other S3 Object Lock settings, retention periods apply to individual object versions. Different versions of a single object can have different retention modes and periods.
For example, suppose that you have an object that is 15 days into a 30-day retention period, and you upload a new object into Amazon S3 with the same name and a 60-day retention period. In this case, your upload succeeds, and Amazon S3 creates a new version of the object with a 60-day retention period. The older version maintains its original retention period and becomes deletable in 15 days.
You can extend a retention period after you've applied a retention setting to an object version. To do this, submit a new lock request using S3 Batch Operations for the object version with a Retain Until Date that is later than the one currently configured for the object version. Amazon S3 replaces the existing retention period with the new, longer period.
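The per-version rules in the three paragraphs above (each version carries its own lock, expired periods make only that version deletable, legal holds are independent, and retention can only be lengthened) are easy to misread, so here is an added in-memory model (not AWS code) that traces the 30-day / 60-day scenario and the governance-versus-compliance difference offline. Days are plain integers instead of timestamps; the delete checks mirror the behaviour the text describes rather than any AWS internals.

```python
"""In-memory model of the per-version S3 Object Lock rules described above.

Added example, not AWS code: it simulates retention periods, legal holds and
the two retention modes on individual object versions so the page's
15-day / 30-day / 60-day scenario can be traced offline. Times are plain day
numbers rather than timestamps to keep the arithmetic readable.
"""
from dataclasses import dataclass, field
from typing import List, Optional

GOVERNANCE = "GOVERNANCE"
COMPLIANCE = "COMPLIANCE"


@dataclass
class Version:
    version_id: int
    mode: Optional[str] = None          # None = no retention period on this version
    retain_until: Optional[int] = None  # day number at which the period expires
    legal_hold: bool = False
    deleted: bool = False


@dataclass
class LockedObject:
    """One key in a versioned, Object-Lock-enabled bucket."""
    versions: List[Version] = field(default_factory=list)
    next_id: int = 1

    def put(self, today, mode=None, days=None):
        """An upload to the same key never overwrites: it appends a new version
        carrying its own lock, and every earlier version keeps its own."""
        v = Version(self.next_id)
        self.next_id += 1
        if days is not None:
            v.mode, v.retain_until = mode, today + days
        self.versions.append(v)
        return v

    def set_retention(self, v, mode, retain_until, bypass_governance=False):
        """Lengthening is always allowed. COMPLIANCE can never be shortened or
        switched to GOVERNANCE; GOVERNANCE can be loosened only with the bypass
        permission."""
        if v.mode == COMPLIANCE:
            if mode != COMPLIANCE or retain_until < v.retain_until:
                raise PermissionError("compliance lock cannot be weakened")
        elif v.mode == GOVERNANCE and retain_until < v.retain_until and not bypass_governance:
            raise PermissionError("governance lock cannot be shortened without bypass")
        v.mode, v.retain_until = mode, retain_until

    def set_legal_hold(self, v, on):
        v.legal_hold = on  # independent of the retention period

    def blocked_reason(self, v, today, bypass_governance=False):
        """Why a permanent delete of this version would be refused, or None."""
        if v.legal_hold:
            return "legal hold"
        if v.retain_until is not None and today < v.retain_until:
            if v.mode == COMPLIANCE:
                return "compliance retention until day %d" % v.retain_until
            if not bypass_governance:
                return "governance retention until day %d" % v.retain_until
        return None

    def delete_version(self, v, today, bypass_governance=False):
        why = self.blocked_reason(v, today, bypass_governance)
        if why:
            raise PermissionError(why)
        v.deleted = True


def scenario():
    """Trace the page's example: v1 locked for 30 days on day 0, v2 uploaded on
    day 15 with a 60-day lock. Returns the observations as a dict."""
    obj = LockedObject()
    v1 = obj.put(today=0, mode=COMPLIANCE, days=30)
    v2 = obj.put(today=15, mode=COMPLIANCE, days=60)
    out = {
        "v1_retain_until": v1.retain_until,
        "v2_retain_until": v2.retain_until,
        "v1_blocked_day15": obj.blocked_reason(v1, 15),
        "v1_blocked_day30": obj.blocked_reason(v1, 30),
        "v2_blocked_day30": obj.blocked_reason(v2, 30),
    }
    obj.set_legal_hold(v1, True)  # a hold outlives the expired period
    out["v1_blocked_day30_hold"] = obj.blocked_reason(v1, 30)
    obj.set_legal_hold(v1, False)
    try:
        obj.set_retention(v2, COMPLIANCE, 50)  # earlier than day 75: refused
        out["shorten_v2"] = "allowed"
    except PermissionError:
        out["shorten_v2"] = "refused"
    obj.set_retention(v2, COMPLIANCE, 100)  # later date: replaces the period
    out["v2_extended_to"] = v2.retain_until
    v3 = obj.put(today=30, mode=GOVERNANCE, days=30)
    out["v3_blocked_without_bypass"] = obj.blocked_reason(v3, 31)
    out["v3_blocked_with_bypass"] = obj.blocked_reason(v3, 31, bypass_governance=True)
    obj.delete_version(v1, today=30)  # v1's own period has expired
    out["v1_deleted"] = v1.deleted
    return out


if __name__ == "__main__":
    for name, value in scenario().items():
        print("%-28s %s" % (name, value))
```

The model deliberately lets `put()` always succeed: with versioning on, a same-key upload creates a fresh version rather than touching the locked one, which is exactly why the page's 60-day upload succeeds while the older version keeps its 30-day lock.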