Storage and databasesStorage and data managementIntermediate39 min read

What Is S3 Object Lock in Databases?

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

S3 Object Lock is a feature that lets you protect your files in Amazon S3 from being changed or deleted for a specific period of time. You can set a retention date, after which the file can be changed again, or you can place a legal hold that stays until you remove it. This helps you follow rules that require you to keep records safe and unchanged.

Common Commands & Configuration

aws s3api put-object-legal-hold --bucket my-bucket --key sensitive.pdf --legal-hold Status=ON

Places a legal hold on the specified object version. This prevents deletion or overwrite indefinitely until the legal hold is explicitly removed.

Tests understanding that legal hold is independent of retention period and must be removed separately. Often appears in questions about indefinite WORM protection.

aws s3api put-object-retention --bucket my-bucket --key report.xlsx --retention '{"Mode":"GOVERNANCE","RetainUntilDate":"2026-01-01T00:00:00Z"}'

Applies a Governance mode retention until January 1, 2026. Users with s3:BypassGovernanceRetention permission can still overwrite or delete the object.

Governance mode vs Compliance mode is a classic exam differentiator. Know that Governance can be bypassed with proper IAM permissions.

aws s3api put-object-retention --bucket my-bucket --key transcript.pdf --retention '{"Mode":"COMPLIANCE","RetainUntilDate":"2028-12-31T23:59:59Z"}'

Applies Compliance mode retention until end of 2028. No user, including root, can delete or overwrite this object version until the date passes.

Compliance mode is absolute. Questions often ask which mode meets regulatory requirements that prohibit any override. Answer: Compliance mode.

aws s3api get-object-retention --bucket my-bucket --key archived.log --version-id "VERSION_ID"

Retrieves the retention settings (mode and retain until date) for a specific object version. Useful for auditing or troubleshooting.

Tests the relationship between versioning and Object Lock. Without a version ID, the command returns the latest version's retention settings.

aws s3api get-object-legal-hold --bucket my-bucket --key legal-doc.pdf --version-id "VERSION_ID"

Checks if a legal hold is active on the specified object version. Returns Status: ON or OFF.

Often used in troubleshooting scenarios where an admin cannot delete an object despite expired retention. The clue is to check for legal hold.

aws s3api put-object --bucket my-bucket --key confidential.docx --body confidential.docx --object-lock-mode GOVERNANCE --object-lock-retain-until-date "2025-06-01"

Uploads an object and applies Governance mode retention at the time of upload. This sets per-object retention, overriding any bucket default.

Exams test that retention can be set per PUT request, and that it overrides bucket defaults. Also checks understanding of versioning requirement.

aws s3api put-bucket-versioning --bucket my-bucket --versioning-configuration Status=Enabled

Enables versioning on a bucket. Required before enabling Object Lock. If Object Lock is already enabled, versioning cannot be suspended.

Know that versioning is a prerequisite for Object Lock, and once enabled, versioning becomes locked. This is a common true/false question.

aws s3api put-bucket-object-lock-configuration --bucket my-bucket --object-lock-configuration '{"ObjectLockEnabled":"Enabled","Rule":{"DefaultRetention":{"Mode":"GOVERNANCE","Days":365}}}'

Enables Object Lock on a new bucket and sets a default retention of 365 days in Governance mode. This can only be done at bucket creation.

Tested as a configuration step. Remember that you must enable Object Lock during bucket creation; cannot be added later. The default retention applies to all new objects unless overridden.

S3 Object Lock appears directly in 3exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on SAA-C03. Practise them →

Must Know for Exams

S3 Object Lock appears prominently in several AWS certification exams, particularly the AWS Certified Solutions Architect – Associate (SAA-C03), AWS Certified SysOps Administrator – Associate (SOA-C02), and AWS Certified Developer – Associate (DVA-C02). For the Cloud Practitioner exam (CLF-C02), it appears as a supporting concept, usually tested at a high level of understanding what it does rather than how to configure it. For the Google Cloud and Azure exams listed, S3 Object Lock is not directly tested because it is an AWS-specific feature, but the concept of immutable storage appears in those exams under different names (like Azure Blob Storage immutability policies or Google Cloud Object holds). Therefore, for Google ACE and Azure exams, the knowledge is light supporting background but not primary.

On AWS exams, common objectives that cover S3 Object Lock include: "Design secure and compliant storage solutions" and "Implement data protection mechanisms." Exam questions often ask you to choose between Governance and Compliance modes, identify when a legal hold is more appropriate than a retention period, or determine the correct steps to set up Object Lock. You may also see questions that combine Object Lock with S3 Versioning, Lifecycle Policies, or Bucket Policies.

For example, you might be asked: "A company needs to store financial records that must not be deleted or modified for seven years, and even the root user should not be able to override this. Which configuration should you choose?" The correct answer would involve S3 Object Lock with Compliance mode and a retention period of seven years. Another typical question is: "An organization is under a litigation hold and needs to prevent deletion of specific objects indefinitely. What should you use?" Answer: Legal hold.

Understanding the differences between Governance and Compliance modes is critical. You also need to know that Object Lock can only be enabled at bucket creation time, that versioning must be turned on, and that you cannot disable Object Lock after enabling it. These details are often tested in scenario-based questions where you must identify why a configuration failed or how to modify a setup to meet a requirement.

Simple Meaning

Think of S3 Object Lock like a high-tech safety deposit box for your digital files. When you store important documents or data in Amazon S3, you often need to make sure that nobody, not even you or your system administrators, can accidentally delete or modify those files before a certain time. This is crucial for things like financial records, legal documents, or audit logs that must be kept exactly as they were created.

S3 Object Lock works by putting a digital lock on each file (or on an entire storage bucket). You can choose one of two ways to lock a file. The first way is called a retention period. You set a specific date in the future, and until that date arrives, nobody can delete or overwrite the file. It is like putting a document in a sealed envelope with a note saying "Do not open until January 1, 2030." After that date, the lock automatically releases, and you can manage the file normally again.

The second way is called a legal hold. This is like a court order that says "This evidence must be kept safe until the case is over." You can put a legal hold on a file, and it stays locked forever, or until you manually remove the legal hold. There is no automatic expiration. This is very useful when you are involved in a lawsuit or an investigation and need to preserve specific data.

You can imagine S3 Object Lock as a security guard standing next to your files. The guard checks every request to delete or change a file. If the file has an active lock, the guard politely says "Sorry, this file is protected, you cannot touch it until the lock expires or is removed." This gives you peace of mind that your critical data stays exactly as it was, even if someone makes a mistake or tries to tamper with it.

This feature is especially important for companies that need to follow regulations like GDPR, HIPAA, or SEC rules. These laws often require that certain records be kept unchanged for a number of years. S3 Object Lock makes it easy to meet those requirements without building complex custom systems. You simply enable the lock, set your rules, and AWS handles the enforcement automatically.

Full Technical Definition

S3 Object Lock is an Amazon S3 feature that enforces a Write Once Read Many (WORM) model on objects within a versioned S3 bucket. It is designed to prevent objects from being deleted or overwritten for a defined retention period or until a legal hold is explicitly removed. This feature is essential for organizations that need to comply with regulatory standards such as SEC Rule 17a-4, FINRA, GDPR, and HIPAA, which require immutable data storage.

S3 Object Lock operates on two distinct but complementary mechanisms: Retention Periods and Legal Holds.

A Retention Period uses a combination of a retention mode and a retention date. The two retention modes are Governance Mode and Compliance Mode. In Governance Mode, most users cannot delete or overwrite an object, but users with special permissions (such as the s3:PutObjectRetention or s3:BypassGovernanceRetention permissions) can still modify or delete the object if needed. This mode is useful for internal compliance where you want a safety net but also need the flexibility to correct mistakes. In Compliance Mode, an object is absolutely locked. No user, including the AWS account root user, can delete or overwrite the object until the retention date has passed. This mode provides the highest level of protection and is often required by strict regulations.

The retention date is a timestamp that must be in the past to allow modification. When you set a retention date in the future, the object becomes immutable until that date. If you attempt to delete an object with an active retention period, the request fails with an AccessDenied error. If you try to overwrite the object, S3 creates a new version of the object (because the bucket is versioned), but the old version remains locked and visible.

A Legal Hold is a simple on/off flag that can be placed on an object independently of any retention period. When a legal hold is applied, the object cannot be deleted or overwritten, regardless of its retention settings. The legal hold remains in effect until a user with the s3:PutObjectLegalHold permission removes it. There is no automatic expiration for legal holds, they are entirely manual. This makes them ideal for situations like litigation holds, where you need to preserve data indefinitely until a case is resolved.

Under the hood, S3 Object Lock relies on the versioning feature of the bucket. Without versioning, S3 Object Lock cannot function because overwriting an object would destroy the original data. Versioning keeps every version of an object, and Object Lock uses version IDs to enforce immutability at the object version level. You can also apply default retention settings at the bucket level, which will automatically apply to any new objects added to the bucket. Default settings can include a mode (Governance or Compliance) and a default retention period in days or years.

S3 Object Lock also integrates with S3 Bucket Policies and IAM policies. For example, you can use a bucket policy to deny all DeleteObject requests if a legal hold is present. You can also use lifecycle policies to transition locked objects to colder storage tiers (like Glacier or Deep Archive) but you cannot delete them until the lock expires.

Important implementation details: You must enable Object Lock when creating the bucket. You cannot enable Object Lock on an existing bucket. The bucket must also have versioning enabled. Once Object Lock is enabled, you cannot disable it. However, you can remove default retention settings or modify them as long as no objects are under a compliance lock. Also, if you set a retention period in Compliance mode, you cannot shorten the retention period or remove it. You can only wait for it to expire.

S3 Object Lock is also available for objects stored in all S3 storage classes, including S3 Standard, S3 Intelligent-Tiering, S3 Glacier, and S3 Deep Archive. However, if an object has a retention period or legal hold, you cannot transition it to the S3 One Zone-IA storage class (because that class does not support Object Lock). The feature is replicated across all AWS regions, including AWS GovCloud and China regions, making it suitable for global compliance needs.

Real-Life Example

Imagine you are the office manager for a growing company that handles many legal contracts. Your boss gives you a cabinet and a big stack of important paper contracts. She says, "Please keep these safe for at least seven years. Nobody should be able to take them out or change them before that time." You think of two ways to protect them.

First, you put each contract in a sealed envelope. On each envelope, you write the date exactly seven years from today. You also write on the envelope: "Do not open until this date." That is like setting a retention period. Until the date arrives, anyone who tries to open the envelope would be violating the rule, and you would know because the envelope is sealed.

Second, you also have a special red folder. Your boss says, "We are in a lawsuit right now, so put any documents related to the lawsuit in this red folder. The red folder must not be opened until I say so." That is like a legal hold. There is no expiration date, the folder stays closed until someone with authority says it is okay to open it.

Now, you put all the envelopes and the red folder into the cabinet. You lock the cabinet with a special lock that only you have the key for. As manager, you can unlock the cabinet and open an envelope if the date has passed, or you can remove something from the red folder if the lawsuit ends. But everyone else in the office, even the CEO, cannot open the cabinet without you. In our AWS world, S3 Object Lock is that special lock. The cabinet is the S3 bucket, the envelopes are objects with retention periods, and the red folder objects have legal holds.

This system works beautifully because it prevents accidents. Suppose a new employee comes in and thinks the contracts are old and should be thrown away. Without the lock, they might shred the contracts. But with the lock, the shredder cannot even touch them until the lock date expires. The feature gives you a safety net that protects your most important data from human error or intentional tampering.

Why This Term Matters

In the world of IT and cloud computing, data integrity is non-negotiable. Companies store vast amounts of critical information, customer records, financial transactions, legal documents, medical records, in the cloud. If someone accidentally deletes a database backup or a malicious insider modifies audit logs, the consequences can be devastating. Fines, legal penalties, loss of customer trust, and even criminal charges are possible. S3 Object Lock matters because it provides a simple, reliable, and auditable way to protect data from deletion or alteration.

For IT professionals, S3 Object Lock is a tool that helps meet compliance requirements without building custom software. Many regulations explicitly require WORM storage for certain types of records. For example, the SEC requires broker-dealers to retain electronic records in a non-rewritable, non-erasable format for at least six years. S3 Object Lock in Compliance mode satisfies that requirement. Similarly, healthcare organizations subject to HIPAA can use Object Lock to ensure that patient records are not tampered with.

Beyond compliance, Object Lock adds a layer of defense against ransomware. If an attacker gains access to your S3 bucket and tries to encrypt or delete your files, Object Lock prevents them from succeeding, provided the lock is already in place. This is why many organizations use Object Lock as part of their backup and disaster recovery strategy. They store immutable backups that cannot be altered even by a compromised admin account.

From an operational perspective, S3 Object Lock also reduces the risk of human error. System administrators sometimes run scripts that accidentally delete data. Versioning alone is not enough because old versions can still be overwritten or deleted. Object Lock adds a hard barrier that prevents data loss even when mistakes happen. It gives teams confidence that their critical data is safe.

How It Appears in Exam Questions

Exam questions about S3 Object Lock typically fall into three categories: scenario-based, configuration-based, and troubleshooting-based.

Scenario-based questions present a business requirement and ask you to choose the correct AWS service or configuration. For example: "A financial firm must store trade records for seven years in a way that prevents any user, including administrators, from deleting the data. Which solution meets this requirement?" The answer would involve S3 Object Lock in Compliance mode with a seven-year retention period. Another scenario might describe a legal requirement that allows for temporary overrides under strict conditions, which points to Governance mode.

Configuration-based questions test your knowledge of how to set up Object Lock. For instance: "A developer is creating a new S3 bucket and wants to enable Object Lock. What must they do during bucket creation?" Answer: Enable Object Lock or Object Lock and versioning. You might also be asked: "An admin tries to delete an object that has a legal hold but receives an error. What is the cause?" The answer: The legal hold prevents deletion regardless of other permissions.

Troubleshooting questions focus on why something is not working as expected. For example: "A security team enabled Object Lock with Governance mode on a bucket. However, a user with full admin permissions is still able to delete objects. Why?" The correct answer might be that the user has the s3:BypassGovernanceRetention permission or that the retention period had already expired. Another example: "An organization applies a default retention setting of 30 days on a bucket. When they upload an object, they notice it is not locked. What is the most likely cause?" Answer: The bucket does not have versioning enabled, or they uploaded the object before versioning was turned on, or they uploaded it directly with a null version ID.

Multiple-choice questions often include distractors like S3 Glacier Vault Lock, S3 Object Lock Governance vs Compliance, and S3 Versioning alone. You need to distinguish between these. Vault Lock is for Glacier archives, not for S3 objects. Versioning alone does not prevent deletion, it only creates a delete marker. Object Lock is the WORM solution for S3.

Practise S3 Object Lock Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

Imagine you are an IT administrator for a healthcare company that must comply with HIPAA regulations. Your company stores patient medical records in Amazon S3. HIPAA requires that these records be kept unchanged for at least six years after the patient’s last visit. You need to make sure that no one, not even your most senior administrator, can accidentally or intentionally delete or modify these records before that six-year period ends.

You create a new S3 bucket called patient-records-2024. During the creation wizard, you enable S3 Object Lock and also enable versioning (which is required). You decide to use Compliance mode because the data is extremely sensitive and you want the highest level of protection. You set a default retention period of 6 years, meaning every new object uploaded to this bucket will automatically be locked until six years from the upload date.

A month later, a junior admin runs a cleanup script that tries to delete old files. The script attempts to delete a patient record uploaded five years ago, but because the retention period has not yet expired (one more year to go), the delete request fails with an Access Denied error. The junior admin is confused, but your audit log shows the blocked attempt. The data remains safe.

If, instead, you had used Governance mode, the senior admin could have bypassed the lock if needed, but in a HIPAA audit, that flexibility might be seen as a risk. Compliance mode gives you absolute certainty. This scenario illustrates why choosing the right mode is critical. On an exam, you might be asked: "Which method should you use to meet HIPAA requirements for immutable storage?" The answer would be S3 Object Lock with Compliance mode.

Common Mistakes

Thinking that S3 Versioning alone provides the same protection as Object Lock.

Versioning keeps old versions of objects, but users with appropriate permissions can still permanently delete versioned objects or overwrite them. Object Lock adds an additional layer that prevents deletion or modification even with delete permissions until the lock expires.

Use Object Lock on top of versioning for WORM protection. Versioning alone does not prevent deletion or overwrite of objects.

Believing that you can enable S3 Object Lock on an existing bucket.

AWS requires you to enable Object Lock during bucket creation. Once the bucket is created, you cannot enable Object Lock retroactively.

Plan ahead and create a new bucket with Object Lock enabled if you need immutable storage. You cannot add it later.

Confusing S3 Object Lock with S3 Glacier Vault Lock.

Glacier Vault Lock is a separate feature for locking Glacier vaults, not S3 objects. Object Lock applies to objects in S3 buckets, while Vault Lock applies to archives in Glacier.

Use S3 Object Lock for S3 standard storage classes and Glacier Vault Lock for Glacier archive storage. They are not interchangeable.

Assuming that Governance mode is as strict as Compliance mode and cannot be bypassed.

In Governance mode, users with the s3:BypassGovernanceRetention permission can still delete or modify locked objects. Compliance mode provides a stricter lock that no user can override.

Choose Compliance mode for absolute immutability required by regulations. Use Governance mode for internal safeguards where occasional overrides may be needed.

Thinking that a legal hold automatically expires after a certain time.

A legal hold does not have an expiration date. It remains in effect until someone with the correct permissions explicitly removes it. It stays active indefinitely.

Manage legal holds manually. Monitor which objects have legal holds and remove them only when the legal obligation ends.

Believing that Object Lock works without bucket versioning enabled.

Object Lock requires versioning to be enabled on the bucket. Without versioning, you cannot apply retention periods or legal holds because overwriting an object would destroy the original.

Always enable versioning when you enable Object Lock. The bucket will not allow Object Lock without versioning.

Exam Trap — Don't Get Fooled

{"trap":"A question presents a scenario where a company wants to protect data from deletion for a fixed period, and the answer options include both S3 Object Lock with Governance mode and S3 Object Lock with Compliance mode. Many learners choose Governance mode because they think 'it is enough' or 'more flexible,' but the question explicitly states that even the root user should not be able to delete the data.","why_learners_choose_it":"Learners often see Governance mode as simpler or easier to manage, and they might not read the question carefully enough to see that absolute immutability is required.

They also sometimes confuse the two modes, thinking Governance is the strictest because of its name.","how_to_avoid_it":"Read the question carefully. If it says 'no user, including the root user, can delete or modify the data,' then Compliance mode is the only correct choice.

Governance mode allows bypass by users with specific permissions. Know the difference: Governance = flexible lock, Compliance = absolute lock."

Commonly Confused With

S3 Object LockvsS3 Versioning

S3 Versioning keeps multiple versions of an object, so if you delete or overwrite an object, the previous version still exists. However, versioning does not prevent deletion of objects, users can still permanently delete versions or overwrite them. Object Lock prevents any modification or deletion entirely during the retention period, making it a true WORM solution.

With versioning, you could delete an object and restore it from an old version. With Object Lock, you cannot delete it at all until the lock expires.

S3 Object LockvsS3 Glacier Vault Lock

Glacier Vault Lock is a feature for Amazon S3 Glacier that enforces a WORM policy on archives stored in a Glacier vault. While both features provide immutability, they apply to different services: Object Lock is for S3 objects, Vault Lock is for Glacier archives. The configuration and management are also different.

If you store a file in S3 Standard and need WORM protection, use Object Lock. If you archive data in Glacier, use Vault Lock.

S3 Object LockvsIAM Policies

IAM policies control who can perform actions on S3 objects, such as who can delete or modify them. An IAM policy can deny DeleteObject for all users, but this is a permission-based control that can be changed. Object Lock provides a data-plane lock that is enforced by S3 itself, independent of IAM. Even if an IAM policy grants delete permissions, Object Lock will block the deletion.

An IAM policy can say 'no one can delete this file,' but an admin could change the policy. Object Lock prevents deletion even if the policy changes, because the lock is on the object itself.

S3 Object LockvsS3 Bucket Policies with Deny

A bucket policy can include a Deny effect to prevent deletion of objects, but bucket policies can be modified by authorized users. Object Lock is immutable at the object level and cannot be overridden by policy changes for objects locked in Compliance mode. Bucket policies also affect all objects, whereas Object Lock can be applied per object or with default settings.

If you rely solely on a bucket policy to prevent deletion, someone with PutBucketPolicy permission could remove the policy. Object Lock in Compliance mode cannot be removed by anyone.

Step-by-Step Breakdown

1

Plan and create a new S3 bucket

S3 Object Lock can only be enabled when you create a new bucket. You cannot add it later. During bucket creation in the AWS Management Console, select the option 'Enable Object Lock.' You must also enable versioning because Object Lock depends on version IDs to track locked objects. Without versioning, the feature will not work.

2

Choose a retention mode (Governance or Compliance)

You choose the retention mode when you set up default retention settings or when you apply a lock to an individual object. Governance mode allows users with special permissions (s3:BypassGovernanceRetention) to override the lock. Compliance mode does not allow any override, even by the root user. Select the mode that matches your regulatory requirements.

3

Set a default retention period (optional)

You can configure a default retention period at the bucket level. This period is measured in days or years and applies to all new objects uploaded to the bucket. The default setting includes a mode and a duration. Objects inherit these settings unless you override them during upload. This simplifies management when all data has the same retention requirements.

4

Upload objects to the bucket

When you upload an object, S3 applies any default retention settings automatically. You can also specify custom retention settings for each object at the time of upload by providing a RetentionMode and a RetainUntilDate in the upload request (using the console, SDK, or CLI). The object is then locked from the moment it is stored.

5

Apply a legal hold (optional)

If needed, you can add a legal hold to an object. This is done separately from retention periods. Legal holds are on/off flags. When enabled, the object cannot be deleted or overwritten until the legal hold is removed. Legal holds are useful for litigation or investigations where you need to preserve data indefinitely.

6

Monitor locked objects

Use AWS CloudTrail, S3 Server Access Logs, or AWS Config to track changes to locked objects. CloudTrail records who attempted to delete or overwrite a locked object and whether the action was denied. This helps with auditing and compliance verification. You can also use S3 Inventory to list objects with active retention periods or legal holds.

7

Manage lock expiration and removal

For retention periods, once the RetainUntilDate passes, the object becomes mutable again. You can then delete or overwrite it normally. For legal holds, you must manually remove the hold using the s3:PutObjectLegalHold permission. There is no automatic expiration. Always verify that the legal obligation has ended before removing a hold.

Practical Mini-Lesson

S3 Object Lock is one of the most powerful features in AWS for data protection, but it requires careful planning and understanding. As an IT professional, you need to know when to use it, how to configure it, and what pitfalls to avoid.

First, never assume that versioning is enough. Versioning is a prerequisite for Object Lock, but it does not provide immutability on its own. If you only enable versioning, any user with delete permissions can delete an object, and though the delete marker is created, the underlying data might still be accessible. However, if they perform a permanent delete (DeleteVersion), the data is gone. Object Lock prevents even that permanent delete.

Second, understand the cost implications. S3 Object Lock does not incur additional charges beyond the standard S3 storage costs for the objects. However, storing objects for longer periods (because you cannot delete them) will increase your storage costs. Also, if you use Governance mode and occasionally bypass the lock, you are paying for protection you are not fully using. Choose your mode wisely based on actual compliance needs.

Third, be aware that Object Lock complicates lifecycle policies. You can still transition locked objects to colder storage classes (like Glacier) as part of a lifecycle policy, but you cannot expire (delete) them until the lock expires. Make sure your lifecycle rules do not attempt to delete locked objects, as those actions will fail silently or produce errors in logs.

Fourth, practice configuring Object Lock via AWS CLI or SDK in a lab environment. Use commands like put-object-retention, put-object-legal-hold, and get-object-retention. For example: aws s3api put-object-legal-hold --bucket my-bucket --key my-file.txt --legal-hold Status=ON --version-id abc123. This hands-on experience will help you in exam scenarios and real work.

Fifth, remember that you cannot disable Object Lock once it is enabled on a bucket. You can remove default settings, but the bucket will forever have the Object Lock capability. This is a design choice by AWS to ensure the immutability guarantee cannot be revoked. So only enable it on buckets that genuinely need it.

Finally, when preparing for certification exams, practice with sample questions that mix Object Lock with other S3 features like MFA Delete, S3 Bucket Policies, and S3 Access Points. Questions may ask you to combine these to meet complex security requirements.

Understanding S3 Object Lock: Governance vs. Compliance Modes and Retention Periods

S3 Object Lock is an Amazon S3 feature that allows you to enforce write-once-read-many (WORM) policies on objects within a bucket. This is critical for meeting regulatory requirements such as SEC Rule 17a-4, FINRA regulations, and other data retention mandates. The feature works at the object level, meaning that individual versions of an object can be locked for a specified retention period or indefinitely.

There are two lock modes: Governance mode and Compliance mode. In Governance mode, most users cannot overwrite or delete an object version, but special permissions (specifically the s3:BypassGovernanceRetention permission) allow authorized users to bypass the lock. This is useful for testing or when you need to make emergency changes. In Compliance mode, no user-not even the root user-can overwrite or delete the locked object version until the retention period expires. Compliance mode provides the strongest WORM guarantee and is often required for regulated industries.

Each object version can have a retention period defined by a retention until date (RUD) and optionally a legal hold. Legal hold is independent of retention mode and prevents deletion or overwrite regardless of any retention period. You can place a legal hold on an object indefinitely, and it remains in effect until explicitly removed.

When configuring S3 Object Lock, you must enable it at bucket creation time. You cannot enable Object Lock on an existing bucket. Once enabled, you can set default retention settings for the bucket, but you can also override these on individual PUT requests. The retention mode and period can be extended (lengthened) but not shortened. This is important for audit compliance because it ensures that once data is locked, it cannot be prematurely deleted.

For exam purposes, you need to understand the difference between Governance and Compliance modes, know that Compliance mode is irreversible by any user, and remember that legal hold acts as a separate, indefinite lock. Also be aware that S3 Object Lock works with versioned buckets only, and that you can mix both modes across objects in the same bucket.

Mandatory Versioning and S3 Object Lock: Why Versioning Is Required

A critical prerequisite for using S3 Object Lock is that the bucket must have versioning enabled. In fact, when you enable S3 Object Lock on a new bucket, versioning is automatically enabled and then locked-it cannot be suspended or disabled for the lifetime of the bucket. This design is intentional. Without versioning, any attempt to overwrite or delete an object would simply remove the only copy, violating the WORM principle. With versioning, each object version is immutable, so locking a version prevents that specific version from being deleted or overwritten, even if newer versions are added.

When you delete an object that has a locked version, a delete marker is added, and the locked version remains intact. This means that you cannot permanently delete the underlying data until the retention period expires and the lock is removed. If you need to purge data after compliance requirements are met, you must first remove the legal hold (if any) and wait for the retention period to expire, or in Governance mode, bypass the retention with appropriate permissions.

For cloud architects and developers, this interplay between versioning and Object Lock means that storage costs can increase because every locked version consumes space. You cannot simply delete old versions; they must age out naturally. This is often tested in AWS certification exams, especially the AWS Certified Solutions Architect – Associate (SAA) and AWS Certified SysOps Administrator – Associate.

Also note that S3 Object Lock is different from S3 bucket policies that prevent deletion. Bucket policies can be changed by an administrator, whereas an object locked in Compliance mode is truly immutable. This is a key distinction in exam scenarios where a regulatory requirement demands no possible override.

When troubleshooting, remember that if you cannot delete a version, check whether the version has a retention period still active or a legal hold applied. Use the AWS CLI or console to list the retention settings. In exam questions, you might see a scenario where an admin tries to delete a version and gets an AccessDenied error even though they have full S3 permissions-this points to an active Object Lock.

Cost Implications of S3 Object Lock: Storage, Requests, and Data Lifecycle

Enabling S3 Object Lock affects your AWS bill in several ways. The most obvious cost factor is that every locked object version remains in the bucket until its retention period expires, even if you would prefer to delete it. This can lead to accumulation of old versions, especially if you are ingesting large volumes of data with long retention periods. For example, if you have a 7-year retention mandate, every object version you store will incur S3 standard storage costs for that entire period.

You also pay for storage of legal hold markers, although the marker itself is tiny. The bigger cost is the storage of the object data plus metadata. S3 Object Lock itself has no additional per-object charge; you pay the standard S3 storage rates based on the storage class you choose. However, if you use S3 Glacier or S3 Glacier Deep Archive for long-term retention, remember that those classes have minimum storage durations (90 days for Glacier, 180 days for Deep Archive) and retrieval costs. If you need to access locked data in Glacier, you must initiate a restore, and the object remains locked in the original class until the retention expires.

Another cost consideration is lifecycle policies. You can transition objects to colder storage classes to reduce cost, but the transition must respect the retention period. For instance, if you set a lifecycle rule to transition objects to Glacier after 30 days, but the object has a 1-year retention, the object will move to Glacier after 30 days but still cannot be deleted until the retention ends. This is often a good cost-saving strategy.

S3 Object Lock is compatible with S3 Intelligent-Tiering, but be aware that automated tiering can increase monitoring costs. For exam scenarios, especially in the AWS Cloud Practitioner and AWS Certified Developer – Associate exams, you might be asked which storage class is cheapest for long-term retention with Object Lock. Often, the answer is S3 Glacier Deep Archive, as long as you account for the minimum storage duration.

Finally, remember that you cannot delete a bucket that has locked objects. If you want to reduce costs by deleting a bucket, you must first unlock all objects-either by waiting for retention periods to expire or by removing legal holds. In Governance mode, you can bypass retention with proper permissions to delete versions. In Compliance mode, you must wait for expiration. This can lead to unexpected storage bills if the retention period is long.

Troubleshooting Clues

Cannot delete an object version from an S3 bucket

Symptom: An administrator receives an AccessDenied error when trying to delete a specific object version, even though they have full S3 permissions.

The object version likely has an active retention period (Governance or Compliance) or a legal hold applied. S3 Object Lock prevents deletion until the retention period expires and any legal hold is removed.

Exam clue: Exam questions often present this scenario to test whether you identify an active Object Lock rather than a permissions issue. The correct answer usually involves checking the retention settings or legal hold.

Cannot enable Object Lock on an existing bucket

Symptom: When attempting to run put-bucket-object-lock-configuration on an existing bucket, AWS returns an error indicating the bucket does not support Object Lock.

Object Lock can only be enabled at bucket creation time. Once a bucket exists without Object Lock, you cannot enable it retroactively. You must create a new bucket with Object Lock enabled.

Exam clue: This is a classic exam trick: the question describes an existing bucket and asks how to enable Object Lock. The answer is to create a new bucket, not modify the existing one.

Unable to delete a bucket because it is not empty

Symptom: When trying to delete an S3 bucket, the AWS console or CLI reports that the bucket is not empty, even though all visible objects appear to be deleted.

The bucket likely contains object versions that are locked with S3 Object Lock. Locked versions are not visible in the default object listing but are still present. You must remove the locks (by waiting for retention expiration or removing legal holds) and then permanently delete the versions.

Exam clue: Questions may ask why a bucket cannot be deleted despite appearing empty. Look for mention of versioning and Object Lock. The solution involves managing versioned objects with retention.

Object retention period cannot be shortened

Symptom: An administrator tries to modify an existing object retention to an earlier date, but the API call fails with an error.

S3 Object Lock does not allow shortening of retention periods. You can only extend the retention until date (or add a legal hold). This is by design to maintain compliance integrity.

Exam clue: Questions about compliance often include a trap where someone tries to reduce a retention period. The correct response is that retention can only be extended, not shortened.

Unable to apply a legal hold to a new object

Symptom: After uploading an object with --legal-hold-status ON, the command succeeds but the object is not actually locked.

Legal hold must be applied after the object is uploaded, or the upload must include the legal hold parameter correctly. Also, the bucket must have versioning enabled. If versioning is suspended, legal hold may not behave as expected.

Exam clue: Tests knowledge that legal hold can be set at upload or after, and that versioning must be enabled. Exam may present a scenario where versioning is off and legal hold fails.

Lifecycle policy not transitioning locked objects

Symptom: Objects with S3 Object Lock retention are not moving to a cheaper storage class as defined in a lifecycle rule.

Lifecycle policies respect retention periods. If an object has a retention period that extends beyond the transition date, the transition may be delayed or not applied. Some storage class transitions are blocked if the object is locked.

Exam clue: Exams may ask why objects are not transitioning. The answer often involves the interaction between lifecycle rules and Object Lock retention. Remember that you cannot delete a locked object via lifecycle.

Cannot overwrite an existing object even with Governance mode

Symptom: An IAM user with s3:PutObject permission tries to overwrite an object, but gets a 403 error.

If the object version has a Governance retention, the user needs the s3:BypassGovernanceRetention permission to overwrite it. Without that permission, the overwrite is blocked.

Exam clue: Tests the difference between Governance and Compliance modes. In Governance, bypass requires explicit permission. In Compliance, no one can overwrite.

Legal hold removal still leaves object undeletable

Symptom: After removing a legal hold, an administrator still cannot delete the object version.

The object likely still has an active retention period (either Governance or Compliance) set. Legal hold and retention period are independent; removing the legal hold does not remove the retention lock.

Exam clue: Exam questions often have two conditions: legal hold and retention. Students must remember to check both. The symptom suggests checking retention settings after legal hold removal.

Memory Tip

Think of S3 Object Lock as a bank vault with two locks: one timed (retention period) and one manual (legal hold). Compliance mode is the vault door made of titanium, no one opens it. Governance mode is a locked drawer that a manager can unlock with a special key.

Learn This Topic Fully

This glossary page explains what S3 Object Lock means. For a complete lesson with labs and practice, see the topic guide.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Quick Knowledge Check

1.A company must store financial records for 7 years and ensure that no user, including the root user, can delete the records before the retention period ends. Which S3 Object Lock configuration meets this requirement?

2.An administrator attempts to apply a retention period to an object that is already locked, setting a later retention until date. What is the outcome?

3.A user wants to enable S3 Object Lock on a bucket that already contains data. Which of the following is correct?

4.An object has a Compliance retention period that expires on December 1, 2025. The administrator removes a legal hold on the same object on November 1, 2025. When can the object be deleted?

5.A developer uploads an object with a legal hold set to ON. Later, the developer wants to overwrite the object with a new version. What must happen first?

6.Which of the following is required for S3 Object Lock to function?

Frequently Asked Questions

Can I enable S3 Object Lock on an existing bucket?

No, S3 Object Lock must be enabled at the time of bucket creation. You cannot enable it on an existing bucket. If you need Object Lock on existing data, you must create a new bucket with Object Lock enabled and copy your data into it.

What is the difference between Governance and Compliance mode?

Governance mode allows users with the s3:BypassGovernanceRetention permission to delete or overwrite locked objects, whereas Compliance mode does not allow any user, including the root user, to modify or delete locked objects until the retention period expires.

Can I delete an object that has an active legal hold?

No, you cannot delete or overwrite any object that has an active legal hold, regardless of retention settings. The legal hold must be removed first by a user with the s3:PutObjectLegalHold permission.

Does S3 Object Lock work with all storage classes?

S3 Object Lock works with all S3 storage classes except S3 One Zone-IA. If you apply a retention period or legal hold to an object, you cannot transition it to One Zone-IA. All other classes, including S3 Standard, Intelligent-Tiering, Glacier, and Deep Archive, are supported.

Can I use S3 Object Lock with a lifecycle policy?

Yes, you can use lifecycle policies to transition locked objects to colder storage classes, but you cannot expire (delete) them until the retention period expires. Lifecycle actions that attempt to delete locked objects will fail.

Can I change the retention period after it has been applied?

You can extend a retention period (make it longer) at any time, but you cannot shorten it. If the object is in Governance mode, you can shorten it with the bypass permission. In Compliance mode, you cannot shorten it at all.

Is S3 Object Lock available in all AWS regions?

Yes, S3 Object Lock is available in all commercial AWS regions, including AWS GovCloud and China regions. Availability may vary in very new or isolated regions, so check the regional services list.

Summary

S3 Object Lock is an essential AWS feature for any organization that needs to protect data from accidental or malicious deletion or modification. It enforces a Write Once Read Many (WORM) model on objects stored in Amazon S3, using either retention periods or legal holds. The feature requires bucket versioning and must be enabled at bucket creation time. Two retention modes, Governance and Compliance, offer different levels of strictness, with Compliance being the absolute lock that not even the root user can override. Legal holds provide an indefinite lock that must be manually removed.

For certification exams, especially AWS Solutions Architect, SysOps, and Developer Associate, you must understand the differences between Governance and Compliance modes, when to use legal holds, and the prerequisites for enabling Object Lock. Exam questions often test your ability to choose the correct configuration for a given compliance scenario. Common mistakes include confusing Object Lock with versioning or Glacier Vault Lock, thinking you can enable it on an existing bucket, and misunderstanding the strictness of Governance mode.

In real-world practice, S3 Object Lock is a powerful tool for compliance, ransomware protection, and data integrity. IT professionals should plan carefully before enabling it, monitor locked objects with CloudTrail, and ensure lifecycle policies do not try to delete locked data. By mastering S3 Object Lock, you add a critical layer of security to your cloud storage infrastructure.