S3 Object Lock legal hold - Amazon Simple Storage Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

S3 Object Lock legal hold

The Object Lock legal hold operation enables you to place a legal hold on an object version. Like setting a retention period, a legal hold prevents an object version from being overwritten or deleted. However, a legal hold doesn't have an associated retention period and remains in effect until removed.

You can use S3 Batch Operations with Object Lock to add legal holds to many Amazon S3 objects at once. You can do this by listing the target objects in your manifest and submitting that list to Batch Operations. Your S3 Batch Operations job with Object Lock legal hold runs until completion, until cancellation, or until a failure state is reached.

S3 Batch Operations verifies that Object Lock is enabled on your S3 bucket before processing any keys in the manifest. To perform the object operations and bucket level validation, S3 Batch Operations needs s3:PutObjectLegalHold and s3:GetBucketObjectLockConfiguration in an IAM role allowing S3 Batch Operations to call S3 Object Lock on your behalf.

When you create the S3 Batch Operations job to remove the legal hold, you just need to specify Off as the legal hold status. For more information, see Object Lock considerations.

For information about how to use this operation with the REST API, see S3PutObjectLegalHold in the CreateJob operation in the Amazon Simple Storage Service API Reference.

For an example use of this operation, see Using the Amazon SDK for Java.

  • S3 Batch Operations does not make any bucket level changes.

  • All objects listed in the manifest must be in the same bucket.

  • Versioning and S3 Object Lock must be configured on the bucket where the job is performed.

  • The operation works on the latest version of the object unless a version is explicitly specified in the manifest.

  • s3:PutObjectLegalHold permission is required in your IAM role to add or remove legal hold from objects.

  • s3:GetBucketObjectLockConfiguration IAM permission is required to confirm that S3 Object Lock is enabled for the S3 bucket.