
Object Lock is used to protect objects in S3 from deletion and modification for a specified period. This feature ensures data immutability throughout the storage duration. Object Lock is especially useful for working with important archives, backups, and other critical information that needs protection from accidental or intentional actions.

Creating a Bucket with Object Lock

Object Lock can only be enabled when creating a bucket. Currently, this feature cannot be enabled through the management console, so the bucket must be created using third-party clients or tools. Below is an example of creating a bucket via AWS CLI.

Create a bucket:

aws s3api create-bucket \
  --bucket object-lock-bucket \
  --endpoint-url https://s3.hostman.com \
  --object-lock-enabled-for-bucket

You can also create a bucket with a cold storage class:

aws s3api create-bucket \
  --bucket object-lock-bucket \
  --endpoint-url https://s3.hostman.com \
  --create-bucket-configuration LocationConstraint=ru:ru-1-cold \
  --object-lock-enabled-for-bucket

You cannot specify the bucket size at the time of creation. When creating a bucket through third-party clients, the minimum possible size is always set: 10 GB for the standard storage class and 1 GB for the cold storage class. After the bucket is created, its size can be increased through the control panel.

To verify that Object Lock is enabled, run:

aws s3api get-object-lock-configuration \
  --bucket object-lock-bucket \
  --endpoint-url https://s3.hostman.com

Expected response:

{
  "ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled"
  }
}

Object Lock only works if versioning is enabled. To check if versioning is active, run:

aws s3api get-bucket-versioning \
  --bucket object-lock-bucket \
  --endpoint-url https://s3.hostman.com

The response will show the versioning status:

{
  "Status": "Enabled",
  "MFADelete": "Disabled"
}
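A preflight check that combines the two verifications above, parsing the JSON returned by get-object-lock-configuration and get-bucket-versioning and only reporting a bucket as protected when both show "Enabled". This is an added example, not part of the Hostman documentation; the bucket name and the endpoint are taken from the page, and the parsing uses only sed and tr so it needs no jq.

```shell
#!/bin/sh
# Preflight: confirm Object Lock and versioning are both enabled on a bucket.
ENDPOINT="https://s3.hostman.com"

# Extract "ObjectLockEnabled" from get-object-lock-configuration output.
object_lock_status() {
  printf '%s' "$1" | tr -d ' \n' \
    | sed -n 's/.*"ObjectLockEnabled":"\([A-Za-z]*\)".*/\1/p'
}

# Extract "Status" from get-bucket-versioning output. A bucket on which
# versioning was never enabled returns no "Status" key at all, so the
# result is empty (and therefore not "Enabled").
versioning_status() {
  printf '%s' "$1" | tr -d ' \n' \
    | sed -n 's/.*"Status":"\([A-Za-z]*\)".*/\1/p'
}

# lock_ready LOCK_JSON VERSIONING_JSON -> exit 0 only if both are Enabled.
lock_ready() {
  [ "$(object_lock_status "$1")" = "Enabled" ] \
    && [ "$(versioning_status "$2")" = "Enabled" ]
}

# check_bucket NAME: run both aws calls and evaluate them (needs aws cli).
check_bucket() {
  lock_json=$(aws s3api get-object-lock-configuration \
    --bucket "$1" --endpoint-url "$ENDPOINT" 2>/dev/null)
  ver_json=$(aws s3api get-bucket-versioning \
    --bucket "$1" --endpoint-url "$ENDPOINT" 2>/dev/null)
  if lock_ready "$lock_json" "$ver_json"; then
    echo "$1: Object Lock and versioning enabled"
  else
    echo "$1: NOT protected (lock='$(object_lock_status "$lock_json")'," \
         "versioning='$(versioning_status "$ver_json")')"
    return 1
  fi
}

# Constructed sample responses in the shape shown on this page.
SAMPLE_LOCK='{ "ObjectLockConfiguration": { "ObjectLockEnabled": "Enabled" } }'
SAMPLE_VER='{ "Status": "Enabled", "MFADelete": "Disabled" }'
lock_ready "$SAMPLE_LOCK" "$SAMPLE_VER" && echo "sample bucket: protected"
```

Run `check_bucket object-lock-bucket` against a live bucket; a non-zero exit means backups written there are not actually immutable.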

Object Lock Modes

Object Lock supports two modes of object protection:

  1. COMPLIANCE Mode – A strict protection mode. The object and its versions cannot be deleted or modified until the lock period expires. Even with administrator privileges and special permissions, data deletion is impossible. This mode is suitable for scenarios where data immutability is critical.

  2. GOVERNANCE Mode – A flexible protection mode. Objects are protected from deletion and modification, but users with the BypassGovernanceRetention permission can delete data before the lock period expires. This mode is useful for preventing accidental deletions.

In the current S3 storage implementation, only one user is created with full permissions, including BypassGovernanceRetention. Therefore, when using GOVERNANCE Mode, this user will always be able to delete objects by bypassing the lock.

Using Object Lock

Let's go through examples of working with the COMPLIANCE and GOVERNANCE modes.

COMPLIANCE Mode

Upload a file with a 30-day lock:

aws s3api put-object \
  --bucket object-lock-bucket \
  --key compliance-file.txt \
  --body compliance-file.txt \
  --object-lock-mode COMPLIANCE \
  --object-lock-retain-until-date "$(date -d '+30 days' --utc +%Y-%m-%dT%H:%M:%SZ)" \
  --endpoint-url https://s3.hostman.com

Parameter descriptions:

  • --bucket – Name of the bucket where the object is uploaded.
  • --key – Name (path) of the object in the bucket.
  • --body – Path to the file being uploaded.
  • --object-lock-mode – Lock mode.
  • --object-lock-retain-until-date – Lock expiration date in YYYY-MM-DDTHH:MM:SSZ format. The object cannot be deleted before this date.

Verify that the lock is applied:

aws s3api get-object-retention \
  --bucket object-lock-bucket \
  --key compliance-file.txt \
  --endpoint-url https://s3.hostman.com

Expected output:

{
  "Retention": {
    "Mode": "COMPLIANCE",
    "RetainUntilDate": "2025-04-04T10:02:21.000000000Z"
  }
}

Now let's attempt to delete the object:

aws s3api delete-object \
  --bucket object-lock-bucket \
  --key compliance-file.txt \
  --endpoint-url https://s3.hostman.com

The file will disappear from the Objects tab in the control panel and from third-party clients. A deletion marker will be created, but the object remains in the bucket.

Check object versions:

aws s3api list-object-versions \
  --bucket object-lock-bucket \
  --prefix compliance-file.txt \
  --endpoint-url https://s3.hostman.com

The version will be saved, and a deletion marker will be created. The deleted version can be restored following the recovery instructions.

You won't be able to delete a specific version with an active lock:

aws s3api delete-object \
  --bucket object-lock-bucket \
  --key compliance-file.txt \
  --version-id <VersionId_of_object> \
  --endpoint-url https://s3.hostman.com

Until the lock expiration date, the command will return an error:

An error occurred (AccessDenied) when calling the DeleteObject operation: forbidden by object lock

GOVERNANCE Mode

Upload a file with a 30-day lock:

aws s3api put-object \
  --bucket object-lock-bucket \
  --key governance-file.txt \
  --body governance-file.txt \
  --object-lock-mode GOVERNANCE \
  --object-lock-retain-until-date "$(date -d '+30 days' --utc +%Y-%m-%dT%H:%M:%SZ)" \
  --endpoint-url https://s3.hostman.com

Parameter descriptions:

  • --bucket – Name of the bucket where the object is uploaded.
  • --key – Name (path) of the object in the bucket.
  • --body – Path to the file being uploaded.
  • --object-lock-mode – Lock mode.
  • --object-lock-retain-until-date – Lock expiration date in YYYY-MM-DDTHH:MM:SSZ format. The object cannot be deleted before this date.

Verify that the lock is applied:

aws s3api get-object-retention \
  --bucket object-lock-bucket \
  --key governance-file.txt \
  --endpoint-url https://s3.hostman.com

Expected output:

{
  "Retention": {
    "Mode": "GOVERNANCE",
    "RetainUntilDate": "2025-04-04T10:07:44.000000000Z"
  }
}

Try to delete the object:

aws s3api delete-object \
  --bucket object-lock-bucket \
  --key governance-file.txt \
  --endpoint-url https://s3.hostman.com

The file will disappear from the Objects tab in the control panel and third-party clients. A deletion marker will be created, but the object remains in the bucket.

Check object versions:

aws s3api list-object-versions \
  --bucket object-lock-bucket \
  --prefix governance-file.txt \
  --endpoint-url https://s3.hostman.com

The object's version and deletion marker will be visible. The deleted version can be restored following the recovery instructions.

Let's try deleting an object with lock bypass. Unlike COMPLIANCE mode, objects in GOVERNANCE mode can be deleted before the lock expires using the --bypass-governance-retention flag.

aws s3api delete-object \
  --bucket object-lock-bucket \
  --key governance-file.txt \
  --bypass-governance-retention \
  --version-id <VersionId_of_object> \
  --endpoint-url https://s3.hostman.com

Now, check the object versions again:

aws s3api list-object-versions \
  --bucket object-lock-bucket \
  --prefix governance-file.txt \
  --endpoint-url https://s3.hostman.com

Only the deletion marker will be displayed.
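The COMPLIANCE and GOVERNANCE walkthroughs above follow a small set of rules for a versioned delete: an expired or absent retention allows it, COMPLIANCE always blocks it, and GOVERNANCE blocks it unless the caller holds BypassGovernanceRetention and passes the bypass flag. The helper below, an added example rather than anything from the Hostman documentation, encodes those rules over the JSON that get-object-retention returns, so a backup job can predict whether a delete-object call with --version-id will be refused before it runs it. It assumes the RetainUntilDate is in UTC, as in the outputs shown on this page; the sample JSON is constructed.

```shell
#!/bin/sh
# Predict the outcome of `delete-object --version-id` from get-object-retention
# output. A delete without --version-id only adds a delete marker and is not
# covered here.

# json_field NAME JSON -> the quoted string value of "NAME" (empty if absent).
json_field() {
  printf '%s' "$2" | tr -d ' \n' \
    | sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p"
}

# iso_to_num 2025-04-04T10:02:21.000000000Z -> 20250404100221
# Keeps the first 19 characters (seconds precision) so any fractional-second
# suffix is ignored and the two timestamps compare as plain integers.
iso_to_num() {
  printf '%s' "$1" | cut -c1-19 | tr -d 'T:Z-'
}

# delete_outcome RETENTION_JSON NOW_ISO BYPASS(0|1)
# Prints one of: allowed | denied-compliance | denied-governance
# Exit status 0 when the delete is expected to succeed, 1 when it is refused.
delete_outcome() {
  mode=$(json_field Mode "$1")
  until=$(json_field RetainUntilDate "$1")
  bypass=${3:-0}
  if [ -z "$mode" ] || [ -z "$until" ] \
     || [ "$(iso_to_num "$until")" -le "$(iso_to_num "$2")" ]; then
    echo allowed; return 0            # no retention, or it has already expired
  fi
  case "$mode" in
    COMPLIANCE) echo denied-compliance; return 1 ;;   # nobody can bypass
    GOVERNANCE)
      if [ "$bypass" = 1 ]; then echo allowed; return 0; fi
      echo denied-governance; return 1 ;;
    *) echo "unknown mode: $mode" >&2; return 1 ;;
  esac
}

# Constructed sample in the shape of the get-object-retention output above.
SAMPLE='{ "Retention": { "Mode": "COMPLIANCE",
  "RetainUntilDate": "2025-04-04T10:02:21.000000000Z" } }'
delete_outcome "$SAMPLE" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" 0 || true
```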

Updated on 24 March 2025
