Permissions for viewing lock information Bypassing governance mode Using Object Lock with S3 Replication Using Object Lock with Amazon S3 Inventory Managing S3 Lifecycle policies with Object Lock Managing delete markers with Object Lock Using S3 Storage Lens with Object Lock Uploading objects to an Object Lock enabled bucket Configuring events and notifications Setting limits on retention periods with a bucket policy

Object Lock considerations

Amazon S3 Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely.

You can use the Amazon S3 console, Amazon Command Line Interface (Amazon CLI), Amazon SDKs, or Amazon S3 REST API to view or set Object Lock information. For general information about S3 Object Lock capabilities, see Using S3 Object Lock.

Important

After you enable Object Lock on a bucket, you can't disable Object Lock or suspend versioning for that bucket.
S3 buckets with Object Lock can't be used as destination buckets for server access logs. For more information, see Logging requests with server access logging.

Topics

Permissions for viewing lock information
Bypassing governance mode
Using Object Lock with S3 Replication
Using Object Lock with Amazon S3 Inventory
Managing S3 Lifecycle policies with Object Lock
Managing delete markers with Object Lock
Using S3 Storage Lens with Object Lock
Uploading objects to an Object Lock enabled bucket
Configuring events and notifications
Setting limits on retention periods with a bucket policy

Permissions for viewing lock information

You can programmatically view the Object Lock status of an Amazon S3 object version by using the HeadObject or GetObject operations. Both operations return the retention mode, retain until date, and legal hold status for the specified object version. Additionally, you can view the Object Lock status for multiple objects in your S3 bucket using S3 Inventory.

To view an object version's retention mode and retention period, you must have the s3:GetObjectRetention permission. To view an object version's legal hold status, you must have the s3:GetObjectLegalHold permission. To view a bucket's default retention configuration, you must have the s3:GetBucketObjectLockConfiguration permission. If you make a request for an Object Lock configuration on a bucket that doesn't have S3 Object Lock enabled, Amazon S3 returns an error.

Bypassing governance mode

If you have the s3:BypassGovernanceRetention permission, you can perform operations on object versions that are locked in governance mode as if they were unprotected. These operations include deleting an object version, shortening the retention period, or removing the Object Lock retention period by placing a new PutObjectRetention request with empty parameters.

To bypass governance mode, you must explicitly indicate in your request that you want to bypass this mode. To do this, include the x-amz-bypass-governance-retention:true header with your PutObjectRetention API operation request, or use the equivalent parameter with requests made through the Amazon CLI or Amazon SDKs. The S3 console automatically applies this header for requests made through the S3 console if you have the s3:BypassGovernanceRetention permission.

Note

Bypassing governance mode doesn't affect an object version's legal hold status. If an object version has a legal hold enabled, the legal hold remains and prevents requests to overwrite or delete the object version.

Using Object Lock with S3 Replication

You can use Object Lock with S3 Replication to enable automatic, asynchronous copying of locked objects and their retention metadata, across S3 buckets. This means that for replicated objects, Amazon S3 takes the object lock configuration of the source bucket. In other words, if the source bucket has Object Lock enabled, the destination buckets must also have Object Lock enabled. If an object is directly uploaded to the destination bucket (outside of S3 Replication), it takes the Object Lock set on the destination bucket. When you use replication, objects in a source bucket are replicated to one or more destination buckets.

To set up replication on a bucket with Object Lock enabled, you can use the S3 console, Amazon CLI, Amazon S3 REST API, or Amazon SDKs.

Note

To use Object Lock with replication, you must grant two additional permissions on the source S3 bucket in the Amazon Identity and Access Management (IAM) role that you use to set up replication. The two additional permissions are s3:GetObjectRetention and s3:GetObjectLegalHold. If the role has an s3:Get* permission statement, that statement satisfies the requirement. For more information, see Setting up permissions.

For general information about S3 Replication, see Replicating objects.

For examples of setting up S3 Replication, see Walkthroughs: Examples for configuring replication.

Using Object Lock with Amazon S3 Inventory

You can configure Amazon S3 Inventory to create lists of the objects in an S3 bucket on a defined schedule. You can configure Amazon S3 Inventory to include the following Object Lock metadata for your objects:

The retain until date
The retention mode
The legal hold status

For more information, see Amazon S3 Inventory.

Managing S3 Lifecycle policies with Object Lock

Object lifecycle management configurations continue to function normally on protected objects, including placing delete markers. However, a locked version of an object cannot be deleted by a S3 Lifecycle expiration policy. Object Lock is maintained regardless of which storage class the object resides in and throughout S3 Lifecycle transitions between storage classes.

For more information about managing object lifecycles, see Managing your storage lifecycle.

Managing delete markers with Object Lock

Although you can't delete a protected object version, you can still create a delete marker for that object. Placing a delete marker on an object doesn't delete the object or its object versions. However, it makes Amazon S3 behave in most ways as though the object has been deleted. For more information, see Working with delete markers.

Note

Delete markers are not WORM-protected, regardless of any retention period or legal hold in place on the underlying object.

Using S3 Storage Lens with Object Lock

To see metrics for Object Lock-enabled storage bytes and object count, you can use Amazon S3 Storage Lens. S3 Storage Lens is a cloud-storage analytics feature that you can use to gain organization-wide visibility into object-storage usage and activity.

For more information, see Using S3 Storage Lens to protect your data.

For a complete list of metrics, see Amazon S3 Storage Lens metrics glossary.

Uploading objects to an Object Lock enabled bucket

The Content-MD5 header is required for any request to upload an object with a retention period configured using Object Lock. The MD5 digest is a way to verify the integrity of your object after uploading it to a bucket. After uploading the object, Amazon S3 calculates the MD5 digest of the object and compares it to the value that you provided. The request succeeds only if the two digests match. The S3 console automatically adds this header, however you must specify this header when using the PutObject API.

For more information, see Using Content-MD5 when uploading objects.

Configuring events and notifications

You can use Amazon S3 Event Notifications to track access and changes to your Object Lock configurations and data by using Amazon CloudTrail. For information about CloudTrail, see What is Amazon CloudTrail? in the Amazon CloudTrail User Guide.

You can also use Amazon CloudWatch to generate alerts based on this data. For information about CloudWatch, see the What is Amazon CloudWatch? in the Amazon CloudWatch User Guide.

Setting limits on retention periods with a bucket policy

You can set minimum and maximum allowable retention periods for a bucket by using a bucket policy. The maximum retention period is 100 years.

The following example shows a bucket policy that uses the s3:object-lock-remaining-retention-days condition key to set a maximum retention period of 10 days.


{
    "Version": "2012-10-17",
    "Id": "SetRetentionLimits",
    "Statement": [
        {
            "Sid": "SetRetentionPeriod",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "s3:PutObjectRetention"
            ],
            "Resource": "arn:aws-cn:s3:::DOC-EXAMPLE-BUCKET1/*",
            "Condition": {
                "NumericGreaterThan": {
                    "s3:object-lock-remaining-retention-days": "10"
                }
            }
        }
    ]
}

Note

If your bucket is the destination bucket for a replication configuration, you can set up minimum and maximum allowable retention periods for object replicas that are created by using replication. To do so, you must allow the s3:ReplicateObject action in your bucket policy. For more information about replication permissions, see Setting up permissions.

For more information about bucket policies, see the following topics:

Actions, resources, and condition keys for Amazon S3 in the Service Authorization Reference
Object operations
Amazon S3 condition key examples

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Using Object Lock

Configuring Object Lock