Governance & Compliance with S3 Object Lock
S3 Object Lock prevents object deletion/modification using two modes: Governance (overridable with permissions) and Compliance (immutable until retention expires). Enable on bucket creation, set retention periods, and optionally apply Legal Holds. Monitor with CloudTrail and S3 Inventory.
Introduction
Amazon S3 Object Lock is a feature that helps maintain governance and compliance by preventing the deletion or overwriting of objects within an S3 bucket. It lets you enforce retention policies on data objects and protects them from accidental or malicious deletion.
Overview
S3 Object Lock is designed to help users meet regulatory and compliance requirements by providing a way to set retention policies and legal holds on objects.
Once you enable Object Lock on a bucket, you cannot disable it. For existing buckets, you must enable versioning first and then contact AWS Support to enable Object Lock. Object Lock only applies to new objects added after enabling.
Retention Modes
There are two retention modes to choose from:
- Governance mode - Allows users with specific permissions (s3:BypassGovernanceRetention) to override the lock settings or delete objects before the retention period ends
- Compliance mode - Prevents anyone, including the root user, from deleting or modifying the object until the retention period expires
Choose Compliance mode carefully - once set, even AWS cannot remove it before the retention period expires. This is by design to meet strict regulatory requirements like SEC 17a-4.
Retention Period
The retention period is specified in days, months, or years, and determines how long the object is protected.
Legal Holds
Legal holds act as an additional layer of protection, preventing objects from being deleted or modified regardless of the retention period or mode. Legal holds can be applied or removed independently of the retention mode or period.
Use Legal Holds for litigation or regulatory investigations where you need to preserve data indefinitely, separate from your standard retention policies. They can be removed when the preservation requirement ends.
Implementation
Applying Legal Holds
AWS Management Console
- Navigate to the S3 bucket containing the object
- Locate the object and click on its name to view details
- In the "Object details" panel, click on the "Object Lock" tab
- Click on "Edit" and check the "Legal hold status" box
- Save your changes
AWS CLI
# Apply legal hold
aws s3api put-object-legal-hold --bucket my-bucket --key my-object-key --legal-hold 'Status=ON'
# Remove legal hold
aws s3api put-object-legal-hold --bucket my-bucket --key my-object-key --legal-hold 'Status=OFF'
Applying Object Lock Policies
AWS Management Console
- Navigate to the S3 bucket containing the object
- Locate the object and click on its name
- Click on the "Object Lock" tab
- Click "Edit" and select the retention mode (governance or compliance)
- Specify the retention period in days, months, or years
- Optionally enable legal hold
- Save your changes
AWS CLI
# Create policy file (object-lock-policy.json)
{
  "Mode": "GOVERNANCE",
  "RetainUntilDate": "2025-01-01T00:00:00Z"
}
# Apply the policy
aws s3api put-object-retention --bucket my-bucket --key my-object-key --retention file://object-lock-policy.json
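The CLI step above hand-writes RetainUntilDate, which is where most mistakes happen (wrong timestamp format, a date already in the past, a misspelled mode). As an added example, not code from this page or from AWS, the following Python script builds that document from a period in days or years, validates the mode, and writes the same object-lock-policy.json the command reads. The bucket and key names are the page's sample values; the 365-day year follows the convention S3 applies to retention periods given in years.

```python
"""Build the retention document that `aws s3api put-object-retention` reads.

Added example, not from the original page. Computes RetainUntilDate from a
period in days and/or years, validates the mode, and writes the JSON file
consumed by the CLI command shown above. Bucket/key names are sample values.
"""
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

VALID_MODES = ("GOVERNANCE", "COMPLIANCE")
DAYS_PER_YEAR = 365  # S3 counts a retention year as 365 days


def build_retention(mode: str, days: int = 0, years: int = 0,
                    now: Optional[datetime] = None) -> dict:
    """Return the {"Mode", "RetainUntilDate"} document for put-object-retention.

    RetainUntilDate must be an ISO 8601 UTC timestamp and must lie in the
    future, so the period is always added to `now` (timezone-aware).
    """
    mode = mode.upper()
    if mode not in VALID_MODES:
        raise ValueError(f"mode must be one of {VALID_MODES}, got {mode!r}")
    if days < 0 or years < 0 or (days == 0 and years == 0):
        raise ValueError("retention period must be a positive number of days and/or years")
    start = now or datetime.now(timezone.utc)
    if start.tzinfo is None:
        raise ValueError("`now` must be timezone-aware")
    until = start.astimezone(timezone.utc) + timedelta(days=days + years * DAYS_PER_YEAR)
    return {"Mode": mode, "RetainUntilDate": until.strftime("%Y-%m-%dT%H:%M:%SZ")}


def write_policy(path: str, retention: dict) -> str:
    """Write the document to disk and return the file:// URI the CLI expects."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(retention, fh, indent=2)
    return f"file://{path}"


def cli_command(bucket: str, key: str, policy_uri: str) -> list:
    """Argument vector for the CLI call above (suitable for subprocess.run)."""
    return ["aws", "s3api", "put-object-retention",
            "--bucket", bucket, "--key", key, "--retention", policy_uri]


if __name__ == "__main__":
    doc = build_retention("GOVERNANCE", years=1)
    uri = write_policy("object-lock-policy.json", doc)
    print(json.dumps(doc, indent=2))
    print(" ".join(cli_command("my-bucket", "my-object-key", uri)))
```

Passing `now` explicitly makes the date computation testable; in production leave it unset so the period is measured from the moment the policy is written.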
Monitoring and Auditing
CloudTrail
CloudTrail captures all API calls including Object Lock activities:
- Enabling/disabling Object Lock on a bucket
- Applying, modifying, or removing retention policies and legal holds
- Deleting objects protected by Object Lock
Filter logs by event names: "PutObjectRetention", "PutObjectLegalHold", or "DeleteObject".
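The event-name filter above can be turned into a small triage routine that flags retention changes made by anyone other than the role expected to manage them. This is an added example, not code from the page: it runs over a constructed, simplified set of CloudTrail records, and the approved role ARN, account id and bucket names are sample values. One caveat the filter depends on: PutObjectRetention, PutObjectLegalHold and DeleteObject are S3 data events, which CloudTrail writes only when data event logging is enabled for the bucket in the trail; the bucket-level configuration call (PutBucketObjectLockConfiguration) is a management event and is logged by default.

```python
"""Triage CloudTrail records for Object Lock activity.

Added example, not code from the original page. Records are constructed and
use a simplified CloudTrail shape (eventName, eventSource, userIdentity.arn,
requestParameters.bucketName/key); ARNs, account id and buckets are samples.
"""
import json

# Event names to watch: the three named on the page plus the bucket-level
# configuration call.
WATCHED = {
    "PutBucketObjectLockConfiguration": "bucket Object Lock configuration changed",
    "PutObjectRetention": "object retention set or changed",
    "PutObjectLegalHold": "legal hold set or cleared",
    "DeleteObject": "delete requested on an Object Lock bucket",
}

# Constructed: the only principal expected to manage retention, and the
# buckets that have Object Lock enabled.
APPROVED_ARNS = {"arn:aws:iam::111122223333:role/RecordsManagement"}
LOCKED_BUCKETS = {"my-bucket"}

# Constructed sample trail (real records carry many more fields).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-06-01T09:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObjectRetention",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:iam::111122223333:role/RecordsManagement"},
     "requestParameters": {"bucketName": "my-bucket", "key": "ledger/2024-q1.csv"}},
    {"eventTime": "2024-06-01T09:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObjectLegalHold",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "my-bucket", "key": "legal/case-42.pdf"}},
    {"eventTime": "2024-06-01T09:10:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteObject", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"bucketName": "my-bucket", "key": "ledger/2024-q1.csv"}},
    {"eventTime": "2024-06-01T09:11:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteObject",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"bucketName": "scratch-bucket", "key": "tmp.txt"}},
    {"eventTime": "2024-06-01T09:20:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketObjectLockConfiguration",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "requestParameters": {"bucketName": "my-bucket"}},
    {"eventTime": "2024-06-01T09:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "my-bucket", "key": "ledger/2024-q1.csv"}},
]})


def principal_of(record: dict) -> str:
    """Best-effort identity string for a record."""
    ident = record.get("userIdentity") or {}
    return ident.get("arn") or ident.get("type", "unknown")


def triage(records) -> list:
    """Return findings for watched Object Lock events by unapproved principals."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        name = rec.get("eventName")
        if name not in WATCHED:
            continue
        params = rec.get("requestParameters") or {}
        bucket = params.get("bucketName")
        # DeleteObject is noisy across an account; only Object Lock buckets matter here.
        if name == "DeleteObject" and bucket not in LOCKED_BUCKETS:
            continue
        who = principal_of(rec)
        if who in APPROVED_ARNS:
            continue
        findings.append({
            "time": rec.get("eventTime"), "event": name, "why": WATCHED[name],
            "principal": who, "bucket": bucket, "key": params.get("key"),
            # errorCode is set when S3 refused the call, e.g. a blocked delete
            "errorCode": rec.get("errorCode"),
        })
    return findings


def findings_from_sample() -> list:
    return triage(json.loads(SAMPLE_TRAIL)["Records"])


if __name__ == "__main__":
    for f in findings_from_sample():
        print(f"{f['time']} {f['event']:32} {f['principal']} {f['bucket']}/{f['key']} "
              f"{'(refused: ' + f['errorCode'] + ')' if f['errorCode'] else ''}")
```

Refused calls are worth keeping in the output: a DeleteObject that S3 denied on a locked bucket is the attempt, not the loss, and a run of them from one principal is the signal the page's "Failing to monitor activity" pitfall is about.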
Amazon S3 Inventory
S3 Inventory provides reports containing Object Lock settings including retention mode, retention period, and legal hold status.
- Navigate to the S3 console and select your bucket
- Click on "Management" tab, then "Inventory"
- Add new inventory configuration
- In "Optional fields", select "Object Lock Retain Until Date", "Object Lock Mode", and "Object Lock Legal Hold Status"
- Save the configuration
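S3 delivers an inventory report as header-less CSV files whose column order is given by the fileSchema entry in the accompanying manifest.json. The script below is an added example, not code from the page: it parses such a report with the three Object Lock fields selected, lists object versions that carry no protection at all, and for protected ones states what blocks deletion, which is the same check a practitioner runs for the "Cannot delete object" entry under Troubleshooting. The schema string and the report rows are constructed sample data.

```python
"""Audit an S3 Inventory report for Object Lock coverage.

Added example, not from the original page. S3 writes inventory as CSV rows
without a header; the column order comes from fileSchema in manifest.json.
The schema and rows below are constructed sample data.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed to mirror a manifest fileSchema with the Object Lock fields selected.
FILE_SCHEMA = ("Bucket, Key, VersionId, IsLatest, IsDeleteMarker, Size, "
               "LastModifiedDate, ObjectLockRetainUntilDate, ObjectLockMode, "
               "ObjectLockLegalHoldStatus")

# Constructed rows: compliance-locked, expired governance lock, unlocked, legal hold.
SAMPLE_REPORT = """\
my-bucket,ledger/2024-q1.csv,v1,true,false,1024,2024-01-15T10:00:00.000Z,2031-01-15T10:00:00.000Z,COMPLIANCE,OFF
my-bucket,ledger/2024-q2.csv,v1,true,false,2048,2024-04-15T10:00:00.000Z,2024-05-15T10:00:00.000Z,GOVERNANCE,OFF
my-bucket,logs/app.log,v3,true,false,512,2024-06-01T00:00:00.000Z,,,OFF
my-bucket,legal/case-42.pdf,v1,true,false,4096,2024-02-01T00:00:00.000Z,,,ON
"""


def parse_inventory(schema: str, body: str) -> list:
    """Zip each CSV row with the field names from the manifest schema."""
    fields = [f.strip() for f in schema.split(",")]
    return [dict(zip(fields, row)) for row in csv.reader(io.StringIO(body)) if row]


def parse_ts(value: str):
    """Inventory timestamps look like 2024-01-15T10:00:00.000Z; empty means unset."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def deletion_blockers(row: dict, now: datetime) -> list:
    """Reasons this version cannot simply be deleted right now (empty = none)."""
    blockers = []
    if row.get("ObjectLockLegalHoldStatus") == "ON":
        blockers.append("legal hold ON (clear with put-object-legal-hold Status=OFF first)")
    until = parse_ts(row.get("ObjectLockRetainUntilDate", ""))
    if until and until > now:
        if row.get("ObjectLockMode") == "COMPLIANCE":
            blockers.append(f"COMPLIANCE retention until {until:%Y-%m-%d}; no override exists")
        else:
            blockers.append(f"GOVERNANCE retention until {until:%Y-%m-%d}; needs "
                            "s3:BypassGovernanceRetention and the bypass header")
    return blockers


def audit(rows: list, now: datetime) -> dict:
    """Split versions into unprotected ones and protected ones with their blockers."""
    report = {"unprotected": [], "blocked": {}}
    for row in rows:
        if row.get("IsDeleteMarker") == "true":
            continue  # delete markers carry no data and no lock
        ident = f"{row['Key']}@{row['VersionId']}"
        blockers = deletion_blockers(row, now)
        if blockers:
            report["blocked"][ident] = blockers
        else:
            report["unprotected"].append(ident)
    return report


if __name__ == "__main__":
    rep = audit(parse_inventory(FILE_SCHEMA, SAMPLE_REPORT), datetime.now(timezone.utc))
    for ident in rep["unprotected"]:
        print(f"UNPROTECTED {ident}")
    for ident, why in rep["blocked"].items():
        print(f"PROTECTED   {ident}: {'; '.join(why)}")
```

An expired retention date shows up as unprotected on purpose: once RetainUntilDate has passed the object is deletable again, so the "too short" retention pitfall above surfaces here as an unexpected entry in the unprotected list.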
Common Pitfalls
- Forgetting to enable Object Lock before uploading - Enable it during bucket creation or contact AWS Support for existing buckets
- Setting incorrect retention periods - Too short may not meet compliance; too long may prevent necessary modifications
- Misunderstanding Governance vs Compliance mode - Governance allows overrides; Compliance does not
- Granting too many bypass permissions - Limit s3:BypassGovernanceRetention to only those who absolutely need it
- Not testing Object Lock settings - Test both modes and verify behavior before production use
- Failing to monitor activity - Use CloudTrail and S3 Access Logs to monitor Object Lock operations
- Relying solely on Object Lock - Implement a comprehensive backup strategy including cross-region replication
Troubleshooting
- Cannot delete object - Check if object has retention policy or legal hold. For Governance mode, ensure you have s3:BypassGovernanceRetention permission and include the x-amz-bypass-governance-retention header.
- Object Lock not applying to objects - Verify Object Lock is enabled on the bucket and versioning is enabled. Object Lock only works with versioned buckets.
- Cannot enable Object Lock on existing bucket - You must contact AWS Support to enable Object Lock on existing buckets. It cannot be done via console or CLI.
- Compliance mode object needs deletion - This is by design - you must wait until the retention period expires. There is no override, even by AWS.
- Legal hold not removing - Ensure you have s3:PutObjectLegalHold permission. Check if there's also a retention policy preventing deletion.
- S3 Inventory not showing Object Lock fields - Verify you selected the Object Lock optional fields when configuring the inventory report.
Conclusion
Amazon S3 Object Lock is a powerful feature designed to help maintain governance and compliance by preventing the deletion or overwriting of objects. By understanding the differences between Governance and Compliance modes, properly configuring retention periods and legal holds, and monitoring your implementation with CloudTrail and S3 Inventory, you can effectively protect your data while meeting regulatory requirements.