AWS · How-To · Beginner · 4 min read

How to Use S3 Object Lock for Data Protection

To use S3 Object Lock, enable it on a new S3 bucket during creation, then apply retention settings or legal holds on objects to prevent deletion or modification. This ensures your data is immutable for a specified period or until a legal hold is removed.

Syntax

S3 Object Lock is enabled at bucket creation and configured per object with retention modes and periods.

  • ObjectLockEnabledForBucket: Enables object lock on the bucket.
  • RetentionMode: Defines if objects are locked in GOVERNANCE or COMPLIANCE mode.
  • RetainUntilDate: The date until which the object is locked.
  • LegalHold: Optional flag to prevent deletion until removed.
```bash
aws s3api create-bucket --bucket example-bucket --object-lock-enabled-for-bucket

aws s3api put-object-retention --bucket example-bucket --key example.txt --retention '{"Mode":"COMPLIANCE","RetainUntilDate":"2025-12-31T23:59:59Z"}'
```

Example

This example shows how to create an S3 bucket with Object Lock enabled and then apply a compliance retention of 1 year on an object.

```bash
aws s3api create-bucket --bucket my-lock-bucket --region us-east-1 --object-lock-enabled-for-bucket

aws s3api put-object --bucket my-lock-bucket --key important-data.txt --body ./important-data.txt

aws s3api put-object-retention --bucket my-lock-bucket --key important-data.txt --retention '{"Mode":"COMPLIANCE","RetainUntilDate":"2025-06-01T00:00:00Z"}'
```

Output

```
Bucket created with Object Lock enabled.
Object uploaded: important-data.txt
Retention set: Compliance mode until 2025-06-01T00:00:00Z
```

Common Pitfalls

  • Trying to enable Object Lock on an existing bucket will fail; it must be enabled at bucket creation.
  • Not setting a retention mode or date means the object is not locked.
  • Using COMPLIANCE mode prevents even the bucket owner from deleting objects until retention expires.
  • Legal holds must be explicitly removed to allow deletion.
```bash
# Wrong:
aws s3api put-object-retention --bucket existing-bucket --key file.txt --retention '{"Mode":"COMPLIANCE","RetainUntilDate":"2025-01-01T00:00:00Z"}'

# Right:
aws s3api create-bucket --bucket new-lock-bucket --object-lock-enabled-for-bucket
aws s3api put-object-retention --bucket new-lock-bucket --key file.txt --retention '{"Mode":"COMPLIANCE","RetainUntilDate":"2025-01-01T00:00:00Z"}'
```
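The following script is an added example written for this article; it is not part of the original text or an AWS-provided tool. It ties the Syntax, Example and Common Pitfalls sections together: it builds the retention document with the two fields that actually lock an object, refuses to proceed on a bucket that was not created with Object Lock (the "Wrong:" case above), and reads the retention back with `get-object-retention` so the exit status reflects the real state in S3 rather than just that the commands were issued. It assumes the AWS CLI v2 is installed with credentials allowed to create buckets and set retention; the bucket, key and file names are placeholders, and the `RUN_OBJECT_LOCK_DEMO` variable is an assumption of this script, not a CLI setting.

```shell
#!/bin/sh
# Added example for this article (not the original text, not an AWS tool).
# Assumes AWS CLI v2 with credentials that may create buckets and set
# retention. Bucket, key and file names are placeholders.
set -eu

# Build the JSON document that `put-object-retention --retention` expects.
# A typo in the mode or a non-UTC timestamp is rejected up front: the usual
# failure is an object that looks protected but never got a lock at all.
retention_json() {
  mode=$1
  until=$2
  case "$mode" in
    GOVERNANCE|COMPLIANCE) ;;
    *) echo "retention_json: Mode must be GOVERNANCE or COMPLIANCE, got '$mode'" >&2; return 1 ;;
  esac
  if ! printf '%s\n' "$until" | grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z$'; then
    echo "retention_json: RetainUntilDate must look like 2025-12-31T23:59:59Z, got '$until'" >&2
    return 1
  fi
  printf '{"Mode":"%s","RetainUntilDate":"%s"}' "$mode" "$until"
}

# Fail early if the bucket has no Object Lock configuration; applying
# retention to such a bucket is the "Wrong:" case in the article.
require_object_lock() {
  bucket=$1
  state=$(aws s3api get-object-lock-configuration --bucket "$bucket" \
            --query 'ObjectLockConfiguration.ObjectLockEnabled' --output text 2>/dev/null || true)
  [ "$state" = "Enabled" ] || { echo "bucket $bucket has no Object Lock configuration" >&2; return 1; }
}

# Create the bucket with Object Lock, upload, lock, then verify the lock.
# Outside us-east-1, create-bucket also needs
# --create-bucket-configuration LocationConstraint=<region>.
lock_object() {
  bucket=$1 key=$2 file=$3 mode=$4 until=$5
  aws s3api create-bucket --bucket "$bucket" --object-lock-enabled-for-bucket >/dev/null
  require_object_lock "$bucket"
  aws s3api put-object --bucket "$bucket" --key "$key" --body "$file" >/dev/null
  aws s3api put-object-retention --bucket "$bucket" --key "$key" \
      --retention "$(retention_json "$mode" "$until")"
  applied=$(aws s3api get-object-retention --bucket "$bucket" --key "$key" \
              --query 'Retention.Mode' --output text)
  [ "$applied" = "$mode" ] || { echo "retention not applied to $key" >&2; return 1; }
  # In GOVERNANCE mode a principal holding s3:BypassGovernanceRetention can
  # still remove the version with --bypass-governance-retention; COMPLIANCE
  # has no such override, so audit who holds that permission if you rely on
  # GOVERNANCE for protection.
  echo "$key locked in $mode until $until"
}

# Only touch AWS when explicitly asked, so the file can be sourced to reuse
# retention_json (e.g. in CI checks) without side effects.
if [ "${RUN_OBJECT_LOCK_DEMO:-0}" = "1" ]; then
  lock_object my-lock-bucket important-data.txt ./important-data.txt COMPLIANCE 2025-06-01T00:00:00Z
fi
```

Run it with `RUN_OBJECT_LOCK_DEMO=1 sh lock.sh` to execute the full flow; without the variable it only defines the functions. Because Object Lock works on object versions, a plain `delete-object` on a locked key adds a delete marker while the locked version remains readable by version ID, which is the behaviour to expect when checking that a lock is in place.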

Quick Reference

| Feature | Description |
|---|---|
| Object Lock Enabled | Must enable at bucket creation |
| Retention Modes | GOVERNANCE (soft lock), COMPLIANCE (strict lock) |
| Retention Period | Set with RetainUntilDate ISO 8601 timestamp |
| Legal Hold | Prevents deletion until removed, no time limit |
| Modification | Objects cannot be overwritten or deleted during lock |

Key Takeaways

  • Enable Object Lock only when creating a new S3 bucket; it cannot be added later.
  • Use retention modes GOVERNANCE or COMPLIANCE to protect objects from deletion.
  • Set a RetainUntilDate to specify how long the object remains locked.
  • Legal holds can be applied or removed anytime to control object deletion.
  • COMPLIANCE mode enforces strict immutability even for bucket owners.