Object Lock considerations - Amazon Simple Storage Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Object Lock considerations

Amazon S3 Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely.

You can use the Amazon S3 console, Amazon Command Line Interface (Amazon CLI), Amazon SDKs, or Amazon S3 REST API to view or set Object Lock information. For general information about S3 Object Lock capabilities, see Using S3 Object Lock.

  • After you enable Object Lock on a bucket, you can't disable Object Lock or suspend versioning for that bucket.

  • S3 buckets with Object Lock can't be used as destination buckets for server access logs. For more information, see Logging requests with server access logging.

Permissions for viewing lock information

You can programmatically view the Object Lock status of an Amazon S3 object version by using the HeadObject or GetObject operations. Both operations return the retention mode, retain until date, and legal hold status for the specified object version.

To view an object version's retention mode and retention period, you must have the s3:GetObjectRetention permission. To view an object version's legal hold status, you must have the s3:GetObjectLegalHold permission. To view a bucket's default retention configuration, you must have the s3:GetBucketObjectLockConfiguration permission. If you make a request for an Object Lock configuration on a bucket that doesn't have S3 Object Lock enabled, Amazon S3 returns an error.

Bypassing governance mode

If you have the s3:BypassGovernanceRetention permission, you can perform operations on object versions that are locked in governance mode as if they were unprotected. These operations include deleting an object version, shortening the retention period, or removing the Object Lock retention period by placing a new PutObjectRetention request with empty parameters.

To bypass governance mode, you must explicitly indicate in your request that you want to bypass this mode. To do this, include the x-amz-bypass-governance-retention:true header with your PutObjectRetention API operation request, or use the equivalent parameter with requests made through the Amazon CLI or Amazon SDKs. The S3 console automatically applies this header to requests made through the console if you have the s3:BypassGovernanceRetention permission.


Bypassing governance mode doesn't affect an object version's legal hold status. If an object version has a legal hold enabled, the legal hold remains and prevents requests to overwrite or delete the object version.

Using Object Lock with S3 Replication

You can use Object Lock with S3 Replication to enable automatic, asynchronous copying of locked objects and their retention metadata across S3 buckets. When you use replication, objects in a source bucket are replicated to one or more destination buckets. If the source bucket has Object Lock enabled, the destination buckets must also have Object Lock enabled.

To set up replication on a bucket with Object Lock enabled, you can use the S3 console, Amazon CLI, Amazon S3 REST API, or Amazon SDKs.


To use Object Lock with replication, you must grant two additional permissions on the source S3 bucket in the Amazon Identity and Access Management (IAM) role that you use to set up replication. The two additional permissions are s3:GetObjectRetention and s3:GetObjectLegalHold. If the role has an s3:Get* permission statement, that statement satisfies the requirement. For more information, see Setting up permissions.
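The following added example (not code from the Amazon S3 documentation) checks whether a replication role's IAM policy document grants the two Object Lock read actions named above, treating an s3:Get* or s3:* wildcard as satisfying the requirement. It assumes a simplified IAM model: only Allow statements and their Action element are inspected; Deny, NotAction, Resource and Condition are ignored. The sample policy documents are constructed.

```python
import fnmatch

# Actions the replication role needs on the source bucket when Object Lock is enabled.
REQUIRED_ACTIONS = ("s3:GetObjectRetention", "s3:GetObjectLegalHold")


def _as_list(value):
    """IAM allows a single string or a list for Action and Statement."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action names match case-insensitively; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_action_patterns(policy_doc):
    """Collect every Action pattern from the policy's Allow statements.
    Assumption: Deny, NotAction, Resource and Condition are not evaluated."""
    patterns = []
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        patterns.extend(_as_list(stmt["Action"]))
    return patterns


def missing_object_lock_permissions(policy_doc):
    """Return the required Object Lock read actions that no Allow statement grants."""
    patterns = allowed_action_patterns(policy_doc)
    return [action for action in REQUIRED_ACTIONS
            if not any(_matches(p, action) for p in patterns)]


# Constructed sample: a typical replication role policy without the Object Lock reads.
ROLE_POLICY_WITHOUT_LOCK_READS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetReplicationConfiguration", "s3:ListBucket"],
         "Resource": "arn:aws-cn:s3:::SOURCE-BUCKET-PLACEHOLDER"},
        {"Effect": "Allow",
         "Action": ["s3:GetObjectVersionForReplication", "s3:GetObjectVersionAcl",
                    "s3:GetObjectVersionTagging"],
         "Resource": "arn:aws-cn:s3:::SOURCE-BUCKET-PLACEHOLDER/*"},
    ],
}

# Constructed sample: the same role, but with an s3:Get* statement that covers both actions.
ROLE_POLICY_WITH_GET_WILDCARD = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:Get*",
                   "Resource": "arn:aws-cn:s3:::SOURCE-BUCKET-PLACEHOLDER/*"}],
}
```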

For general information about S3 Replication, see Replicating objects.

For examples of setting up S3 Replication, see Walkthroughs: Examples for configuring replication.

Using Object Lock with Amazon S3 Inventory

You can configure Amazon S3 Inventory to create lists of the objects in an S3 bucket on a defined schedule. You can configure Amazon S3 Inventory to include the following Object Lock metadata for your objects:

  • The retain until date

  • The retention mode

  • The legal hold status

For more information, see Amazon S3 Inventory.

Configuring events and notifications

You can use Amazon S3 Event Notifications to track access and changes to your Object Lock configurations and data by using Amazon CloudTrail. For information about CloudTrail, see What is Amazon CloudTrail? in the Amazon CloudTrail User Guide.

You can also use Amazon CloudWatch to generate alerts based on this data. For information about CloudWatch, see What is Amazon CloudWatch? in the Amazon CloudWatch User Guide.

Setting limits on retention periods with a bucket policy

You can set minimum and maximum allowable retention periods for a bucket by using a bucket policy. The maximum retention period is 100 years.

The following example shows a bucket policy that uses the s3:object-lock-remaining-retention-days condition key to set a maximum retention period of 10 days.

{
    "Version": "2012-10-17",
    "Id": "SetRetentionLimits",
    "Statement": [
        {
            "Sid": "SetRetentionPeriod",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "s3:PutObjectRetention"
            ],
            "Resource": "arn:aws-cn:s3:::DOC-EXAMPLE-BUCKET1/*",
            "Condition": {
                "NumericGreaterThan": {
                    "s3:object-lock-remaining-retention-days": "10"
                }
            }
        }
    ]
}

If your bucket is the destination bucket for a replication configuration, you can set up minimum and maximum allowable retention periods for object replicas that are created by using replication. To do so, you must allow the s3:ReplicateObject action in your bucket policy. For more information about replication permissions, see Setting up permissions.
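The following added example (not code from the Amazon S3 documentation) builds a bucket policy that enforces both a minimum and a maximum retention period, and simulates how the s3:object-lock-remaining-retention-days condition key decides a PutObjectRetention request. The maximum statement mirrors the page's policy; the minimum statement with NumericLessThan is this example's own generalization. It assumes the condition key evaluates to the whole number of days from the request time until the requested RetainUntilDate.

```python
import datetime as dt

# IAM numeric condition operators used by the generated policy.
_NUMERIC_OPS = {
    "NumericGreaterThan": lambda value, threshold: value > threshold,
    "NumericLessThan": lambda value, threshold: value < threshold,
}


def retention_limit_policy(bucket, min_days, max_days):
    """Deny PutObjectRetention when the remaining retention is outside [min_days, max_days]."""
    resource = f"arn:aws-cn:s3:::{bucket}/*"
    def deny(sid, operator, days):
        return {"Sid": sid, "Effect": "Deny", "Principal": "*",
                "Action": ["s3:PutObjectRetention"], "Resource": resource,
                "Condition": {operator: {"s3:object-lock-remaining-retention-days": str(days)}}}
    return {"Version": "2012-10-17", "Id": "SetRetentionLimits",
            "Statement": [deny("SetMaxRetentionPeriod", "NumericGreaterThan", max_days),
                          deny("SetMinRetentionPeriod", "NumericLessThan", min_days)]}


def remaining_retention_days(retain_until, now):
    """Assumption: the condition key is the whole number of days until RetainUntilDate."""
    return (retain_until - now).days


def denying_statement(policy, retain_until, now):
    """Return the Sid of the first Deny statement whose condition matches the request,
    or None if the bucket policy does not block this PutObjectRetention request."""
    days = remaining_retention_days(retain_until, now)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or "s3:PutObjectRetention" not in stmt["Action"]:
            continue
        for operator, key_values in stmt.get("Condition", {}).items():
            threshold = key_values.get("s3:object-lock-remaining-retention-days")
            if threshold is not None and _NUMERIC_OPS[operator](days, int(threshold)):
                return stmt["Sid"]
    return None


# Constructed sample: 1 to 10 days allowed, evaluated at a fixed request time.
POLICY = retention_limit_policy("DOC-EXAMPLE-BUCKET1", min_days=1, max_days=10)
NOW = dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)
```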

For more information about bucket policies, see the following topics:

Managing delete markers and object lifecycles

Although you can't delete a protected object version, you can still create a delete marker for that object. Placing a delete marker on an object doesn't delete the object or its object versions. However, it makes Amazon S3 behave in most ways as though the object has been deleted. For more information, see Working with delete markers.


Delete markers are not WORM-protected, regardless of any retention period or legal hold in place on the underlying object.

Object lifecycle management configurations continue to function normally on protected objects, including placing delete markers. However, protected object versions remain safe from being deleted or overwritten by a lifecycle configuration. For more information about managing object lifecycles, see Managing your storage lifecycle.

Using S3 Storage Lens with Object Lock

To see metrics for Object Lock-enabled storage bytes and object count, you can use Amazon S3 Storage Lens. S3 Storage Lens is a cloud-storage analytics feature that you can use to gain organization-wide visibility into object-storage usage and activity.

For more information, see Using S3 Storage Lens to protect your data.

For a complete list of metrics, see Amazon S3 Storage Lens metrics glossary.