This chapter covers S3 Versioning and Object Lock, two critical features for data protection and compliance in Amazon S3. For the DVA-C02 exam, these topics appear in roughly 5-8% of questions, often integrated with lifecycle policies, bucket policies, and cross-region replication. You will need to understand how versioning works at the object level, how to enable and suspend versioning, the behavior of delete markers, and how Object Lock enforces retention. Mastering these concepts is essential for designing durable, compliant applications on AWS.
Jump to a section
Imagine a company's document storage room where every document has a unique ID. Without versioning, if someone revises a contract and places it in the same folder, the old version is permanently destroyed. With versioning enabled, every time a document is saved, the system automatically keeps the previous version stacked underneath. The document ID remains the same, but each version gets a unique version ID. Deleting a document doesn't actually remove it; instead, a delete marker (a special placeholder) is placed on top, hiding all previous versions. To permanently delete, you must specify the exact version ID. Object Lock works like a safe-deposit box within this room: you can place a document in a box with a lock that prevents anyone (even the room manager) from overwriting or deleting it for a specified retention period. Legal hold is like a court order that locks the box indefinitely until explicitly removed. This system ensures compliance, prevents accidental or malicious deletion, and allows point-in-time recovery.
What is S3 Versioning and Why It Exists
S3 Versioning is a bucket-level feature that preserves every object version written to a bucket, including overwrites and deletions. Without versioning, when you upload an object with the same key, it replaces the existing object permanently. Versioning provides a safety net: you can recover from accidental overwrites, deletions, and application failures. It also serves as a foundation for other S3 features like Lifecycle Policies, Cross-Region Replication, and S3 Object Lock.
How Versioning Works Internally
When you enable versioning on a bucket, S3 assigns a unique version ID to each object upload. The version ID is a string generated by S3 (e.g., ydlagOWnU0uA9jV.zf7W7TlWUuIqB3). If you upload an object with the same key, S3 does not overwrite the existing object; instead, it creates a new version with a new version ID. The previous version remains accessible. The bucket can have multiple versions of the same key, each with its own version ID.
When you delete an object in a versioned bucket, S3 does not actually delete the object. Instead, it inserts a delete marker—a zero-length object with a version ID—which becomes the current version. The delete marker hides all previous versions. To permanently delete an object, you must specify the exact version ID of the object version you want to delete. Delete markers themselves can be deleted, which restores the previous version as the current version.
Versioning states: - Unversioned (default): Bucket starts unversioned. You cannot recover overwrites or deletions. - Enabled: S3 assigns version IDs to all objects. Previous versions are preserved. - Suspended: Once enabled, you can suspend versioning. New uploads get a null version ID, but existing versions remain. You can still access and delete previous versions.
Key Components, Values, and Defaults
Version ID: A unique string assigned by S3. Cannot be set by the user. For objects uploaded before versioning was enabled, version ID is null.
Delete Marker: A placeholder object with a version ID. It has no data. It is the current version after a delete request.
MFA Delete: Optional additional protection requiring MFA to permanently delete versions or suspend versioning. Must be enabled at bucket creation or by the root user.
Versioning Cost: You pay for all stored versions. Each version incurs storage charges. Lifecycle policies can expire old versions to save costs.
Object Versions Limit: No hard limit on number of versions, but each version adds metadata overhead.
Configuration and Verification Commands
Enable versioning via AWS Console, CLI, or SDK. CLI example:
aws s3api put-bucket-versioning --bucket my-bucket --versioning-configuration Status=EnabledTo suspend versioning:
aws s3api put-bucket-versioning --bucket my-bucket --versioning-configuration Status=SuspendedTo list object versions:
aws s3api list-object-versions --bucket my-bucketTo delete a specific version:
aws s3api delete-object --bucket my-bucket --key mykey --version-id <versionId>To delete a delete marker:
aws s3api delete-object --bucket my-bucket --key mykey --version-id <deleteMarkerVersionId>Interaction with Other Features
Lifecycle Policies: Can transition noncurrent versions to cheaper storage classes (e.g., S3 Glacier) or expire them permanently. Actions include NoncurrentVersionTransition and NoncurrentVersionExpiration.
Cross-Region Replication (CRR): Replicates both current and noncurrent versions if versioning is enabled on both source and destination buckets. Delete markers are replicated by default only if configured.
S3 Object Lock: Requires versioning to be enabled. Object Lock provides Write Once Read Many (WORM) protection.
Presigned URLs: Can be used to access specific versions by including version ID in the URL.
Bucket Policies: Can restrict actions based on version ID using condition keys like s3:VersionId.
S3 Object Lock: Retention Modes and Legal Hold
S3 Object Lock prevents objects from being deleted or overwritten for a fixed retention period or indefinitely. It works only on versioned buckets. There are two retention modes:
Governance Mode: Users with special permissions (e.g., s3:BypassGovernanceRetention) can override retention settings. Useful for testing or emergencies.
Compliance Mode: No one, including the root user, can overwrite or delete an object version during the retention period. The retention mode and period cannot be shortened or removed once applied.
Legal Hold is a separate setting that prevents deletion regardless of retention period. It can be set on individual object versions. Legal hold has no expiration; it must be explicitly removed.
Retention period can be specified in days or years. You can set default retention settings on the bucket (default mode and period) that apply to all new objects, or you can set retention on individual objects via PUT requests.
Object Lock Configuration
To enable Object Lock on a bucket, you must enable versioning first. Object Lock can only be enabled at bucket creation. CLI example:
aws s3api create-bucket --bucket my-bucket --object-lock-enabled-for-bucketTo set default retention:
aws s3api put-object-lock-configuration --bucket my-bucket --object-lock-configuration '{"ObjectLockEnabled": "Enabled", "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 365}}}'To apply retention on an object during upload:
aws s3api put-object --bucket my-bucket --key mykey --body file.txt --object-lock-mode GOVERNANCE --object-lock-retain-until-date 2025-12-31T00:00:00ZTo set legal hold:
aws s3api put-object-legal-hold --bucket my-bucket --key mykey --legal-hold Status=ON --version-id <versionId>How Object Lock Interacts with Lifecycle and Replication
Lifecycle policies cannot expire objects that are under Object Lock. You must remove retention first.
Replication: Object Lock settings are replicated to the destination bucket if the destination has Object Lock enabled. Retention periods are based on the destination bucket's clock.
Multipart Uploads: Object Lock can be applied to objects uploaded via multipart upload by specifying retention settings in the complete multipart upload request.
Enable Versioning on Bucket
First, you must enable versioning on the S3 bucket. This can be done via the AWS Management Console by going to the bucket's Properties tab and selecting 'Enable versioning'. Alternatively, use the AWS CLI: `aws s3api put-bucket-versioning --bucket my-bucket --versioning-configuration Status=Enabled`. Once enabled, all future object uploads will receive a unique version ID. Existing objects remain with a null version ID. Versioning cannot be disabled; you can only suspend it, which stops assigning new version IDs but preserves existing versions.
Upload Object Versions
When you upload an object to a versioned bucket, S3 creates a new version. Each subsequent upload of the same key creates another version. For example, uploading 'report.pdf' three times results in three versions, each with a distinct version ID. The latest upload becomes the current version. You can retrieve a specific version by including the version ID in the GET request: `aws s3api get-object --bucket my-bucket --key report.pdf --version-id <versionId>`. Without a version ID, you get the current version.
Delete Object Creates Delete Marker
When you delete an object from a versioned bucket, S3 does not remove any data. Instead, it inserts a delete marker as the current version. The delete marker is a zero-length object with its own version ID. The object appears deleted when listing, but all previous versions remain. To see all versions including delete markers, use `aws s3api list-object-versions`. You can delete a delete marker explicitly, which makes the previous version current again.
Permanently Delete a Version
To permanently delete an object version, you must specify the exact version ID. Use the CLI command: `aws s3api delete-object --bucket my-bucket --key mykey --version-id <versionId>`. This removes that version permanently. You cannot recover a deleted version. If you delete the current version (not a delete marker), the next most recent version becomes current. If you delete a delete marker, the object becomes visible again.
Enable Object Lock on Bucket
Object Lock must be enabled at bucket creation. You cannot enable it on an existing bucket. Create a bucket with Object Lock: `aws s3api create-bucket --bucket my-bucket --object-lock-enabled-for-bucket`. Versioning is automatically enabled. After creation, you can configure default retention settings and legal hold. Object Lock works per object version. Once applied, retention and legal hold protect the version from deletion or overwrite.
Apply Retention and Legal Hold
For each object version, you can apply a retention mode (GOVERNANCE or COMPLIANCE) with a retention period. You can also apply a legal hold (ON/OFF). Retention period is specified as a date until which the object is protected. For example, `--object-lock-retain-until-date 2025-12-31T00:00:00Z`. Legal hold has no expiration. You can apply these settings at upload or later using the API. To modify retention, you need permissions to bypass governance retention (for governance mode) or you cannot modify compliance mode at all.
Enterprise Scenario 1: Financial Records Compliance
A financial services company must retain transaction records for 7 years per regulatory requirements. They use S3 Object Lock in Compliance mode with a 7-year retention period. Versioning is enabled to capture every modification. The bucket policy prevents deletion of any object version. Lifecycle policies transition noncurrent versions to S3 Glacier after 30 days to reduce costs. MFA Delete is enabled to prevent accidental suspension of versioning. Misconfiguration example: If the retention period is set too short, records could become deletable before the compliance deadline. If Object Lock is not enabled at bucket creation, they would have to migrate data to a new bucket, causing downtime.
Enterprise Scenario 2: Backup and Disaster Recovery
A media company stores critical assets in an S3 bucket with versioning enabled. They use lifecycle rules to expire noncurrent versions after 90 days to manage storage costs. Cross-Region Replication sends all versions to a bucket in a different region for disaster recovery. MFA Delete is enabled on the source bucket. A developer accidentally deletes an important asset. The delete marker is created, but the IT team can easily remove the delete marker to restore the asset. Without versioning, the asset would be permanently lost. Common pitfall: Not testing the restore process; they discovered that versioning was suspended on the replica bucket, so only the current version was replicated.
Enterprise Scenario 3: Collaborative Editing with Version Control
A software development team uses an S3 bucket to store configuration files and build artifacts. Versioning allows them to roll back to previous configurations. They use presigned URLs with version IDs to share specific versions with team members. Object Lock is not needed here. However, they must manage version proliferation: without lifecycle policies, the bucket accumulates thousands of versions, increasing storage costs. They implement a lifecycle rule to expire noncurrent versions after 30 days. Misconfiguration: They accidentally set the lifecycle to expire current versions, causing data loss.
DVA-C02 Exam Focus: S3 Versioning and Object Lock
Objective Code: Domain 1: Development with AWS Services, Objective 1.4: Implement data protection and compliance mechanisms. Specific topics tested: enabling/suspending versioning, delete marker behavior, version ID usage, MFA Delete, Object Lock modes (Governance vs Compliance), legal hold, retention periods, and integration with lifecycle and replication.
Common Wrong Answers and Traps:
1. Confusing delete behavior: Many candidates think deleting an object in a versioned bucket permanently removes it. The correct answer is that a delete marker is placed. The exam will ask what happens to previous versions after deletion.
2. Object Lock enabled after bucket creation: Candidates often assume you can enable Object Lock on an existing bucket. Reality: it must be enabled at bucket creation.
3. Governance vs Compliance mode: The exam tests that Compliance mode cannot be overridden by anyone, including root. Governance mode can be bypassed with s3:BypassGovernanceRetention. A common wrong answer is that root can always override.
4. MFA Delete requirement: MFA Delete is required to permanently delete a versioned object? No—MFA Delete is an optional setting to protect versioning configuration. Permanent deletion of a version does not require MFA unless the bucket policy enforces it.
5. Object Lock and lifecycle: Lifecycle expiration can delete objects under Object Lock? No—lifecycle cannot expire locked objects. You must remove retention first.
Specific Values and Terms:
- Version ID: unique string, e.g., ydlagOWnU0uA9jV.zf7W7TlWUuIqB3.
- Delete marker: special object with no data.
- Retention period: in days or years, must be a future date.
- Legal hold: ON/OFF, no expiration.
- MFA Delete: must be enabled via CLI or console with root.
Edge Cases: - Suspending versioning: new uploads get null version ID; existing versions remain. - Deleting a delete marker: restores previous version as current. - Object Lock on multipart uploads: retention can be applied only after completion. - Replication of Object Lock: retention periods are based on destination bucket's clock; time zone differences can cause issues.
Elimination Strategy: - If a question involves data recovery from accidental deletion, versioning is the answer. - If a question requires preventing deletion for compliance, Object Lock is needed. - If a question mentions 'can't delete even by root', it's Compliance mode. - If a question mentions 'override by authorized users', it's Governance mode. - If a question involves MFA, it's about protecting versioning configuration, not object deletion.
Versioning must be enabled per bucket; it cannot be disabled, only suspended.
Delete markers are zero-length objects that hide previous versions; deleting a delete marker restores the previous version.
Object Lock requires versioning and must be enabled at bucket creation.
Compliance mode retention cannot be shortened or removed by anyone, including root.
Governance mode retention can be bypassed with the `s3:BypassGovernanceRetention` permission.
Legal hold has no expiration and must be explicitly removed.
Lifecycle policies cannot expire objects under Object Lock until retention is removed.
These come up on the exam all the time. Here's how to tell them apart.
S3 Versioning
Preserves all object versions automatically.
Protects against accidental overwrites and deletions via delete markers.
Does not enforce retention periods; versions can be deleted if you specify version ID.
Works on any bucket; no special setup at creation required.
Costs based on number of versions stored.
S3 Object Lock
Provides WORM protection with retention periods and legal hold.
Prevents deletion or overwrite for a fixed period or indefinitely.
Retention modes: Governance (overridable) and Compliance (absolute).
Must be enabled at bucket creation.
Works per object version; retention settings are applied to individual versions.
Mistake
Enabling versioning on a bucket automatically protects all existing objects.
Correct
Versioning only applies to objects uploaded after it is enabled. Existing objects have a null version ID and are not versioned. To protect them, you must re-upload them or use other mechanisms.
Mistake
You can enable Object Lock on an existing bucket.
Correct
Object Lock can only be enabled at bucket creation. To add Object Lock to an existing bucket, you must create a new bucket with Object Lock enabled and migrate data.
Mistake
Deleting an object in a versioned bucket permanently removes all versions.
Correct
Deleting an object only creates a delete marker. All previous versions remain. To permanently delete, you must specify the version ID.
Mistake
Compliance mode retention can be bypassed by the root user.
Correct
Compliance mode cannot be overridden by anyone, including the root user. The retention period is absolute.
Mistake
MFA Delete is required to delete individual object versions.
Correct
MFA Delete only protects the versioning configuration (e.g., suspending versioning). Deleting a specific version does not require MFA unless a bucket policy enforces it.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
No, once you delete an object version by specifying its version ID, it is permanently removed and cannot be recovered. To protect against accidental permanent deletion, use MFA Delete or Object Lock. Always ensure you have backups or replication.
Existing objects are not versioned; they have a null version ID. New uploads will get unique version IDs. To version existing objects, you must re-upload them. The null version ID objects can still be overwritten or deleted without creating a new version.
You must delete each version individually by specifying the version ID. Use the CLI: `aws s3api delete-object --bucket my-bucket --key mykey --version-id <versionId>`. To delete all versions, you can iterate through the list. Alternatively, you can delete the bucket (if empty) or use a lifecycle policy to expire noncurrent versions.
Governance mode allows authorized users (with `s3:BypassGovernanceRetention`) to override retention settings for testing or emergencies. Compliance mode prevents any user, including root, from shortening or removing retention. Compliance mode is used for strict regulatory requirements.
No, Object Lock requires versioning to be enabled on the bucket. If you try to enable Object Lock on a bucket without versioning, the operation will fail. Versioning is automatically enabled when you create a bucket with Object Lock.
Lifecycle policies cannot expire or transition objects that are under Object Lock retention (either governance or compliance). You must first remove the retention or wait for it to expire. Legal hold also prevents lifecycle actions. Once retention expires and legal hold is removed, lifecycle can act on the object.
MFA Delete adds an extra layer of security requiring multi-factor authentication for permanent deletion of object versions and suspension of versioning. It can only be enabled by the bucket owner (root user) using the CLI. Use it for critical buckets to prevent accidental or malicious changes to versioning configuration.
You've just covered S3 Versioning and Object Lock — now see how well it sticks with free DVA-C02 practice questions. Full explanations included, no account needed.
Done with this chapter?