Object Lock is used to protect objects in S3 from deletion and modification for a specified period. This feature ensures data immutability throughout the storage duration. Object Lock is especially useful for working with important archives, backups, and other critical information that needs protection from accidental or intentional actions.
Object Lock can only be enabled when creating a bucket. Currently, this feature cannot be enabled through the management console, so the bucket must be created using third-party clients or tools. Below is an example of creating a bucket via AWS CLI.
Create a bucket:
aws s3api create-bucket \
--bucket object-lock-bucket \
--endpoint-url https://s3.hostman.com \
--object-lock-enabled-for-bucket
You can also create a bucket with a cold storage class:
aws s3api create-bucket \
--bucket object-lock-bucket \
--endpoint-url https://s3.hostman.com \
--create-bucket-configuration LocationConstraint=ru:ru-1-cold \
--object-lock-enabled-for-bucket
You cannot specify the bucket size at the time of creation. When creating a bucket through third-party clients, the minimum possible size is always set: 10 GB for the standard storage class and 1 GB for the cold storage class. After the bucket is created, its size can be increased through the control panel.
To verify that Object Lock is enabled, run:
aws s3api get-object-lock-configuration \
--bucket object-lock-bucket \
--endpoint-url https://s3.hostman.com
Expected response:
{
"ObjectLockConfiguration": {
"ObjectLockEnabled": "Enabled"
}
}
Object Lock only works if versioning is enabled. To check if versioning is active, run:
aws s3api get-bucket-versioning \
--bucket object-lock-bucket \
--endpoint-url https://s3.hostman.com
The response will show the versioning status:
{
"Status": "Enabled",
"MFADelete": "Disabled"
}
Object Lock supports two modes of object protection:
COMPLIANCE Mode – A strict protection mode. The object and its versions cannot be deleted or modified until the lock period expires. Even with administrator privileges and special permissions, data deletion is impossible. This mode is suitable for scenarios where data immutability is critical.
GOVERNANCE Mode – A flexible protection mode. Objects are protected from deletion and modification, but users with the BypassGovernanceRetention permission can delete data before the lock period expires. This mode is useful for preventing accidental deletions.
In the current S3 storage implementation, only one user is created with full permissions, including BypassGovernanceRetention. Therefore, when using GOVERNANCE Mode, this user will always be able to delete objects by bypassing the lock.
Let's go through examples of working with the COMPLIANCE and GOVERNANCE modes.
Upload a file with a 30-day COMPLIANCE lock:
aws s3api put-object \
--bucket object-lock-bucket \
--key compliance-file.txt \
--body compliance-file.txt \
--object-lock-mode COMPLIANCE \
--object-lock-retain-until-date "$(date -d '+30 days' --utc +%Y-%m-%dT%H:%M:%SZ)" \
--endpoint-url https://s3.hostman.com
Parameter descriptions:
--bucket – Name of the bucket where the object is uploaded.
--key – Name (path) of the object in the bucket.
--body – Path to the file being uploaded.
--object-lock-mode – Lock mode.
--object-lock-retain-until-date – Lock expiration date in YYYY-MM-DDTHH:MM:SSZ format. The object cannot be deleted before this date.
Verify that the lock is applied:
aws s3api get-object-retention \
--bucket object-lock-bucket \
--key compliance-file.txt \
--endpoint-url https://s3.hostman.com
Expected output:
{
"Retention": {
"Mode": "COMPLIANCE",
"RetainUntilDate": "2025-04-04T10:02:21.000000000Z"
}
}
Now let's attempt to delete the object:
aws s3api delete-object \
--bucket object-lock-bucket \
--key compliance-file.txt \
--endpoint-url https://s3.hostman.com
The file will disappear from the Objects tab in the control panel and from third-party clients. A deletion marker will be created, but the object remains in the bucket.
Check object versions:
aws s3api list-object-versions \
--bucket object-lock-bucket \
--prefix compliance-file.txt \
--endpoint-url https://s3.hostman.com
The version will be saved, and a deletion marker will be created. The deleted version can be restored following the recovery instructions.
You won't be able to delete a specific version with an active lock:
aws s3api delete-object \
--bucket object-lock-bucket \
--key compliance-file.txt \
--version-id <VersionId_of_object> \
--endpoint-url https://s3.hostman.com
Until the lock expiration date, the command will return an error:
An error occurred (AccessDenied) when calling the DeleteObject operation: forbidden by object lock
Upload a file with a 30-day GOVERNANCE lock:
aws s3api put-object \
--bucket object-lock-bucket \
--key governance-file.txt \
--body governance-file.txt \
--object-lock-mode GOVERNANCE \
--object-lock-retain-until-date "$(date -d '+30 days' --utc +%Y-%m-%dT%H:%M:%SZ)" \
--endpoint-url https://s3.hostman.com
Parameter descriptions:
--bucket – Name of the bucket where the object is uploaded.
--key – Name (path) of the object in the bucket.
--body – Path to the file being uploaded.
--object-lock-mode – Lock mode.
--object-lock-retain-until-date – Lock expiration date in YYYY-MM-DDTHH:MM:SSZ format. The object cannot be deleted before this date.
Verify that the lock is applied:
aws s3api get-object-retention \
--bucket object-lock-bucket \
--key governance-file.txt \
--endpoint-url https://s3.hostman.com
Expected output:
{
"Retention": {
"Mode": "GOVERNANCE",
"RetainUntilDate": "2025-04-04T10:07:44.000000000Z"
}
}
Try to delete the object:
aws s3api delete-object \
--bucket object-lock-bucket \
--key governance-file.txt \
--endpoint-url https://s3.hostman.com
The file will disappear from the Objects tab in the control panel and from third-party clients. A deletion marker will be created, but the object remains in the bucket.
Check object versions:
aws s3api list-object-versions \
--bucket object-lock-bucket \
--prefix governance-file.txt \
--endpoint-url https://s3.hostman.com
The object's version and deletion marker will be visible. The deleted version can be restored following the recovery instructions.
Let's try deleting an object with lock bypass. Unlike COMPLIANCE mode, objects in GOVERNANCE mode can be deleted before the lock expires using the --bypass-governance-retention flag.
aws s3api delete-object \
--bucket object-lock-bucket \
--key governance-file.txt \
--bypass-governance-retention \
--version-id <VersionId_of_object> \
--endpoint-url https://s3.hostman.com
Now, check the object versions again:
aws s3api list-object-versions \
--bucket object-lock-bucket \
--prefix governance-file.txt \
--endpoint-url https://s3.hostman.com
Only the deletion marker will be displayed.
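The COMPLIANCE and GOVERNANCE walkthroughs above can be condensed into a small decision model, given here as an added example that is not part of the original page and not Hostman's code. It builds the retain-until date in the format the put-object command expects, parses the nanosecond-precision RetainUntilDate the service returns, and predicts whether a given delete-object call succeeds (the SAMPLE_RETENTION value and the explanation strings other than "forbidden by object lock" are constructed for the example).

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the get-object-retention output on this page
# (the date is an example value, not real data).
SAMPLE_RETENTION = {"Retention": {"Mode": "COMPLIANCE",
                                  "RetainUntilDate": "2025-04-04T10:02:21.000000000Z"}}


def parse_retain_until(value):
    """Parse a RetainUntilDate string. The service answers with nanosecond
    precision, which datetime cannot take directly, so the fraction is cut
    to microseconds; a plain YYYY-MM-DDTHH:MM:SSZ value is accepted too."""
    base, _, frac = value.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return dt + timedelta(microseconds=int((frac + "000000")[:6])) if frac else dt


def retain_until_for(days, now_utc=None):
    """Build the --object-lock-retain-until-date value, the same string the
    page's `date -d '+30 days' --utc +%Y-%m-%dT%H:%M:%SZ` produces."""
    start = parse_retain_until(now_utc) if now_utc else datetime.now(timezone.utc)
    return (start + timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")


def delete_decision(retention, now_utc, version_id=None, bypass_flag=False,
                    has_bypass_permission=False):
    """Predict how a DeleteObject request is answered under the rules the page
    describes. Returns (allowed, explanation)."""
    mode = retention["Retention"]["Mode"]
    until = parse_retain_until(retention["Retention"]["RetainUntilDate"])
    if version_id is None:
        # Without --version-id the locked version is never touched: the call only
        # adds a deletion marker and the version stays recoverable.
        return True, "deletion marker created; locked version kept"
    if parse_retain_until(now_utc) >= until:
        return True, "retention period expired"
    if mode == "COMPLIANCE":
        # Nobody can remove the version early, bypass flag or not.
        return False, "AccessDenied: forbidden by object lock"
    if mode == "GOVERNANCE":
        if bypass_flag and has_bypass_permission:
            return True, "version removed via --bypass-governance-retention"
        if bypass_flag:
            # Modelled case: on this storage the single user always holds the permission.
            return False, "denied: BypassGovernanceRetention permission missing"
        return False, "AccessDenied: forbidden by object lock"
    raise ValueError(f"unknown lock mode {mode!r}")
```

Running the model against both sample retentions reproduces the page's outcomes: an unversioned delete only leaves a marker, a versioned delete fails under an active lock, and only GOVERNANCE with the bypass flag removes the version early.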