This chapter covers S3 Object Lock, a feature that allows you to enforce Write-Once-Read-Many (WORM) compliance on S3 objects. For the SAA-C03 exam, understanding S3 Object Lock is critical for architecting secure, compliant storage solutions. Approximately 5-10% of exam questions touch on S3 security and compliance, including Object Lock. You will learn how to configure retention modes (Governance and Compliance), legal holds, and retention periods, and how they interact with versioning and lifecycle policies. This chapter also covers common exam traps and real-world deployment scenarios.
Imagine a bank safe deposit box system where customers can store documents. The bank has two special services: a 'retention period' and a 'legal hold.' When you deposit a document with a retention period, you specify a date before which the document cannot be removed or altered—like a time lock on the box. The bank's security system enforces this: even if you have the key, the vault's internal timer prevents the door from opening until the date passes. However, you can still view the document through a glass panel (read access). If you want to extend the retention, you can reset the timer to a later date, but you can never shorten it—the timer only moves forward. Separately, a legal hold is like a court order that freezes a specific box indefinitely. Even if the retention period expires, the legal hold overrides it; the box remains locked until the hold is explicitly removed by an authorized party. The bank's security system logs every access attempt and any changes to the hold or retention settings. This ensures that documents cannot be destroyed or modified, meeting regulatory requirements for records retention. In AWS, S3 Object Lock works similarly: once an object is locked with a retention mode (Governance or Compliance) and a retention period, it is immutable until the period expires, unless you have special permissions (for Governance mode). Legal hold works independently to block any deletion or overwrite until removed. The 'bank' is the S3 bucket, and the 'security system' is the Object Lock configuration enforced at the object level.
What is S3 Object Lock and Why Does It Exist?
S3 Object Lock is a feature that prevents objects from being deleted or overwritten for a fixed period or indefinitely. It is designed to help organizations meet regulatory requirements that mandate WORM storage, such as SEC Rule 17a-4, FINRA, or HIPAA. Without Object Lock, objects in S3 can be accidentally or maliciously deleted or modified by users with appropriate permissions. Object Lock provides an additional layer of protection that even an account root user cannot bypass when using Compliance mode.
How It Works Internally
Object Lock operates at the object-version level and requires versioning, which S3 turns on automatically when Object Lock is enabled for the bucket. Each version of an object carries its own retention settings. When a retention period applies, that version is immutable until its RetainUntilDate. With a bucket default, S3 computes the date from the version's creation time plus the default days or years; with an explicit retention you supply the RetainUntilDate yourself. During the retention period the version cannot be deleted or overwritten, and attempts to do so fail with a 403 AccessDenied error.
Object Lock supports two retention modes:
- Governance mode: callers who hold the s3:BypassGovernanceRetention permission and send the x-amz-bypass-governance-retention: true header can delete or overwrite the version, or shorten or remove its retention, before the period expires. This keeps room for administrative action while still blocking accidental and unprivileged deletion.
- Compliance mode: no one, including the AWS account root user, can delete or overwrite the version, shorten its retention period, or change its mode until the retention period expires. This mode is used for strict regulatory compliance.
Additionally, a legal hold can be applied to an object version independently of any retention period. Legal hold prevents deletion or overwrite until the hold is explicitly removed. Legal holds are typically used for litigation or investigation purposes.
Key Components, Values, Defaults, and Timers
Retention period: expressed as a number of days or years for a bucket default, or as an explicit RetainUntilDate for an individual version. A default is counted from the version's creation time; an explicit date must lie in the future. Once applied, a retention period can be extended but not shortened, except in Governance mode by a caller with s3:BypassGovernanceRetention who also sends the bypass header. The minimum is 1 day and the maximum is 100 years.
Retention mode: Either GOVERNANCE or COMPLIANCE. The mode is set per object version.
Legal hold: A boolean status (ON or OFF) applied per object version. It does not have a time limit.
Versioning: Must be enabled on the bucket. Enabling Object Lock turns versioning on automatically, and once Object Lock is enabled you can neither disable it nor suspend versioning for that bucket.
Default settings: You can configure a default retention mode and period at the bucket level. S3 applies it to every new object version at upload time unless the upload supplies its own mode and RetainUntilDate. Changing or removing the default later does not alter versions that are already locked.
Object Lock token: The put-object-lock-configuration API accepts an optional Token, a value (historically obtained from AWS Support) that allows Object Lock to be enabled on an existing bucket. It has nothing to do with individual uploads: an object's mode and RetainUntilDate travel as request headers and are stored with that version.
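To make the rules in "How It Works Internally" and the component list above concrete, here is an added example (not AWS code and not part of the original chapter) that models how S3 decides a DeleteObject or PutObjectRetention request against one object version. Field and header names follow the S3 API; the class, the `now` parameter and the sample key names are illustrative.

```python
# Added example, not AWS or page code: a small model of how S3 evaluates
# Object Lock on a single object version. Field names follow the S3 API;
# the rules encoded are the documented Governance/Compliance/legal-hold rules.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

GOVERNANCE = "GOVERNANCE"
COMPLIANCE = "COMPLIANCE"


class AccessDenied(Exception):
    """Stands in for the HTTP 403 AccessDenied that S3 returns for a locked version."""


@dataclass
class ObjectVersion:
    key: str
    version_id: str
    mode: Optional[str] = None            # GOVERNANCE, COMPLIANCE or None (unlocked)
    retain_until: Optional[datetime] = None
    legal_hold: bool = False

    def under_retention(self, now: datetime) -> bool:
        return self.retain_until is not None and now < self.retain_until

    def set_legal_hold(self, on: bool) -> None:
        # PutObjectLegalHold: independent of retention, no expiry, no bypass needed.
        self.legal_hold = on

    def delete_version(self, now: datetime, *, has_bypass_permission: bool = False,
                       bypass_header: bool = False) -> None:
        """DeleteObject with a VersionId. A legal hold always blocks. A retention
        period blocks unless the mode is GOVERNANCE and the caller has BOTH
        s3:BypassGovernanceRetention and x-amz-bypass-governance-retention: true."""
        if self.legal_hold:
            raise AccessDenied("legal hold is ON")
        if self.under_retention(now):
            if self.mode == GOVERNANCE and has_bypass_permission and bypass_header:
                return                                  # bypassed; version is gone
            raise AccessDenied(f"{self.mode} retention until {self.retain_until.isoformat()}")

    def put_retention(self, now: datetime, new_mode: str, new_until: datetime, *,
                      has_bypass_permission: bool = False, bypass_header: bool = False) -> None:
        """PutObjectRetention. Extending the date, or moving GOVERNANCE -> COMPLIANCE,
        needs only s3:PutObjectRetention. Shortening a GOVERNANCE lock needs the
        bypass pair. A COMPLIANCE lock can never be shortened or downgraded."""
        if new_until <= now:
            raise ValueError("RetainUntilDate must be in the future")
        shortening = self.under_retention(now) and new_until < self.retain_until
        downgrading = self.mode == COMPLIANCE and new_mode == GOVERNANCE
        if downgrading or (shortening and self.mode == COMPLIANCE):
            raise AccessDenied("COMPLIANCE retention cannot be shortened or downgraded")
        if shortening and not (has_bypass_permission and bypass_header):
            raise AccessDenied("shortening GOVERNANCE retention needs the bypass permission and header")
        self.mode, self.retain_until = new_mode, new_until


if __name__ == "__main__":
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    v = ObjectVersion("document.pdf", "v1", COMPLIANCE, now + timedelta(days=30))
    try:
        v.delete_version(now, has_bypass_permission=True, bypass_header=True)
    except AccessDenied as err:
        print("delete refused:", err)       # bypass means nothing in COMPLIANCE mode
```

The two things worth noticing: the bypass is a pair (permission plus header), and it only ever touches Governance retention, never a legal hold and never Compliance mode. Removing a retention entirely is not modelled here.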
Configuration and Verification Commands
Enable Object Lock when you create the bucket, in the console or with the `--object-lock-enabled-for-bucket` flag. That also turns on versioning, and neither can be reversed afterwards. AWS now additionally lets you enable Object Lock on an existing bucket that already has versioning enabled, by calling `put-object-lock-configuration` with `"ObjectLockEnabled": "Enabled"`; exam questions, however, commonly still assume the original creation-time rule. Use the AWS CLI or an SDK.
Creating a bucket with Object Lock enabled:
```bash
aws s3api create-bucket --bucket my-worm-bucket --region us-east-1 --object-lock-enabled-for-bucket
```
Setting default retention settings on a bucket:
```bash
aws s3api put-object-lock-configuration --bucket my-worm-bucket \
  --object-lock-configuration '{"ObjectLockEnabled": "Enabled", "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 365}}}'
```
Putting an object with an explicit retention period (the RetainUntilDate must be in the future, so adjust the date):
```bash
aws s3api put-object --bucket my-worm-bucket --key document.pdf --body document.pdf \
  --object-lock-mode GOVERNANCE --object-lock-retain-until-date 2025-12-31T00:00:00Z
```
Applying a legal hold (add `--version-id` to target a specific version; without it the hold is placed on the current version):
```bash
aws s3api put-object-legal-hold --bucket my-worm-bucket --key document.pdf --legal-hold Status=ON
```
Verifying retention settings:
```bash
aws s3api head-object --bucket my-worm-bucket --key document.pdf
```
The response includes ObjectLockMode, ObjectLockRetainUntilDate and ObjectLockLegalHoldStatus for the version returned. `get-object-retention` and `get-object-legal-hold` return the same information for a single version, and `get-object-lock-configuration` shows the bucket default.
Interaction with Related Technologies
Versioning: Object Lock requires versioning, and each version is locked independently. Deleting a specific version (a DeleteObject request with a VersionId) is refused while its retention period is running or a legal hold is active. A DeleteObject request without a VersionId is still accepted: it only adds a delete marker, which hides the object from un-versioned reads but removes nothing. Delete markers carry no retention settings or legal holds; the locked versions beneath them remain intact and can be read by VersionId.
Lifecycle policies: Expiration rules cannot remove a version that is under retention or legal hold. S3 simply does not apply the expiration to that version and re-evaluates it later, so the version is removed once the lock ends. Transition rules (for example to S3 Glacier Deep Archive) are unaffected: a locked version can change storage class and stays locked.
MFA Delete: MFA Delete adds another layer of protection for deleting versions, but it is separate from Object Lock. They can be used together.
Bucket policies: Bucket policies can restrict who can set, loosen or bypass Object Lock settings. The relevant actions are s3:PutBucketObjectLockConfiguration (the bucket default), s3:PutObjectRetention and s3:PutObjectLegalHold (per version), and s3:BypassGovernanceRetention. For example, you can deny these actions unless aws:MultiFactorAuthPresent is true.
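The bucket-policy pattern just described, written out as an added example (not the chapter's own policy and not AWS sample code): a Deny statement over the lock-weakening actions that applies whenever the caller did not authenticate with MFA, plus a deliberately small evaluator for Deny statements so the policy can be checked offline. The bucket name is a placeholder, and the evaluator models only the operators this policy uses, not full IAM evaluation.

```python
# Added example (not page or AWS code): MFA-gated bucket policy for Object Lock
# plus a minimal Deny-statement evaluator. Bucket name is a placeholder.
import fnmatch
import json

LOCK_WEAKENING_ACTIONS = [
    "s3:BypassGovernanceRetention",         # shorten/remove GOVERNANCE locks, delete early
    "s3:DeleteObjectVersion",               # delete a specific version at all
    "s3:PutObjectLegalHold",                # turn a legal hold OFF
    "s3:PutBucketObjectLockConfiguration",  # change the bucket default retention
]


def mfa_gated_lock_policy(bucket: str, operator: str = "BoolIfExists") -> dict:
    """Deny the lock-weakening actions unless MFA was used. `operator` exists
    only to demonstrate why Bool (instead of BoolIfExists) is a trap."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyLockWeakeningWithoutMFA",
            "Effect": "Deny",
            "Principal": "*",
            "Action": LOCK_WEAKENING_ACTIONS,
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}},
        }],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(condition: dict, ctx: dict) -> bool:
    """Bool: the key must be present and equal. BoolIfExists: a missing key
    counts as a match. aws:MultiFactorAuthPresent is absent for long-term
    access keys, so only BoolIfExists denies those callers."""
    for op, pairs in condition.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "Bool":
                if have is None or str(have).lower() != str(want).lower():
                    return False
            elif op == "BoolIfExists":
                if have is not None and str(have).lower() != str(want).lower():
                    return False
            else:
                raise NotImplementedError(f"operator {op} is not modelled")
    return True


def explicitly_denied(policy: dict, action: str, resource: str, ctx: dict) -> bool:
    """True if any Deny statement matches the request (* and ? wildcards)."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if _condition_holds(st.get("Condition", {}), ctx):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(mfa_gated_lock_policy("my-worm-bucket"), indent=2))
```

Deploy the printed document with `aws s3api put-bucket-policy --policy file://policy.json`. The evaluator ignores Allow statements and IAM identity policies on purpose: an explicit Deny in the bucket policy wins regardless of them, which is the whole point of putting the guard here rather than in each user's permissions.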
Important Exam Details
Retention periods are based on UTC time. The RetainUntilDate is an ISO 8601 timestamp.
You cannot delete a bucket that still contains object versions, and versions under retention or legal hold cannot be removed, so in practice the bucket survives until every retention period has expired and every legal hold is lifted.
Legal hold does not have a time limit; it must be explicitly removed.
Governance mode allows bypass only when the caller has the s3:BypassGovernanceRetention permission and the request carries the x-amz-bypass-governance-retention: true header (the --bypass-governance-retention flag in the AWS CLI). Either one alone is not enough.
Compliance mode is irreversible; neither the root user nor AWS Support can shorten or remove it. The only way to get rid of a Compliance-mode version before its RetainUntilDate is to close the AWS account, which deletes the account's data.
Object Lock settings can be applied at upload time or later with put-object-retention and put-object-legal-hold, as long as the bucket has Object Lock enabled. A RetainUntilDate in the past is rejected.
If you set a default retention on the bucket, new objects automatically inherit those settings unless you specify different ones at upload time.
You can extend a retention period (move the RetainUntilDate later) in either mode with only s3:PutObjectRetention. Shortening is never possible in Compliance mode; in Governance mode it requires the bypass permission and header.
For exam questions, remember that legal hold overrides any retention period — it prevents deletion even if the retention period has expired.
Enable Object Lock on Bucket Creation
When you create a new S3 bucket, specify the `--object-lock-enabled-for-bucket` flag (or tick Object Lock in the console). This turns versioning on as well and cannot be undone. AWS later added the ability to enable Object Lock on an existing bucket that already has versioning enabled, through `put-object-lock-configuration`; exam questions, however, commonly still treat Object Lock as a creation-time decision, so read the scenario carefully.
Configure Default Retention Settings
Optionally, you can set a default retention mode and period at the bucket level. This applies to all new objects unless overridden. Use the `put-object-lock-configuration` API. The default mode can be GOVERNANCE or COMPLIANCE, and the period can be specified in days or years. For example, setting a default of 365 days in Governance mode means every new object will be locked for 1 year unless a different retention is specified at upload.
Upload Object with Retention Settings
When uploading an object, you can specify the retention mode and retain-until-date. If the bucket has a default retention, you can override it. The retain-until-date must be in the future. The object version is then locked. The system records the retention settings in the object metadata. Any attempt to delete or overwrite this version before the retain-until-date will fail with an AccessDenied error.
Apply Legal Hold if Needed
You can apply a legal hold to an object version independently. This is done via the `put-object-legal-hold` API. Legal hold is a simple ON/OFF toggle. When ON, the object version cannot be deleted or overwritten, regardless of its retention period. Legal hold is often used for litigation holds or investigations. It can be applied after the object is uploaded.
Attempt Deletion or Overwrite During Retention
If a user tries to delete an object version that is under a retention period or legal hold, the request fails with a generic 403 AccessDenied, so check the version's lock fields to see which lock blocked it. For Governance mode, users with the `s3:BypassGovernanceRetention` permission can bypass the retention lock by including the `x-amz-bypass-governance-retention: true` header (`--bypass-governance-retention` in the CLI); the bypass never overrides a legal hold. For Compliance mode, no bypass is possible. The object version remains readable throughout.
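The procedure in the steps above (and the CLI commands in "Configuration and Verification Commands") as an added boto3 example, not code from the chapter or from AWS. The request parameters are built by pure functions that run offline; only `run_live` talks to S3, and it imports boto3 lazily. The bucket name, keys and body are placeholders.

```python
# Added example (not AWS or page code): boto3 equivalents of the Object Lock
# steps, split into testable builders plus one live function. Placeholders:
# BUCKET, the keys and the body.
from datetime import datetime, timedelta, timezone
from typing import Optional

BUCKET = "my-worm-bucket"   # placeholder


def retain_until(days: int, now: Optional[datetime] = None) -> datetime:
    """RetainUntilDate for an explicit lock: UTC, at least one day out."""
    if days < 1:
        raise ValueError("retention must be at least 1 day")
    return (now or datetime.now(timezone.utc)) + timedelta(days=days)


def default_retention_config(mode: str, days: Optional[int] = None,
                             years: Optional[int] = None) -> dict:
    """Body for put_object_lock_configuration; exactly one of days/years."""
    if mode not in ("GOVERNANCE", "COMPLIANCE"):
        raise ValueError("mode must be GOVERNANCE or COMPLIANCE (case-sensitive)")
    if (days is None) == (years is None):
        raise ValueError("specify exactly one of days or years")
    rule = {"Mode": mode}
    rule["Days" if days is not None else "Years"] = days if days is not None else years
    return {"ObjectLockEnabled": "Enabled", "Rule": {"DefaultRetention": rule}}


def put_object_kwargs(key: str, body: bytes, mode: str, until: datetime) -> dict:
    """put_object with an explicit lock; S3 rejects a RetainUntilDate in the past."""
    if until.tzinfo is None or until <= datetime.now(timezone.utc):
        raise ValueError("RetainUntilDate must be a timezone-aware future time")
    return {"Bucket": BUCKET, "Key": key, "Body": body,
            "ObjectLockMode": mode, "ObjectLockRetainUntilDate": until}


def legal_hold_kwargs(key: str, version_id: str, on: bool) -> dict:
    return {"Bucket": BUCKET, "Key": key, "VersionId": version_id,
            "LegalHold": {"Status": "ON" if on else "OFF"}}


def bypass_delete_kwargs(key: str, version_id: str) -> dict:
    # Sends x-amz-bypass-governance-retention: true. The caller still needs
    # s3:BypassGovernanceRetention, and it never works on a COMPLIANCE lock.
    return {"Bucket": BUCKET, "Key": key, "VersionId": version_id,
            "BypassGovernanceRetention": True}


def describe_lock(head: dict) -> dict:
    """Normalise a head_object response into the three lock fields."""
    return {"mode": head.get("ObjectLockMode"),
            "retain_until": head.get("ObjectLockRetainUntilDate"),
            "legal_hold": head.get("ObjectLockLegalHoldStatus", "OFF") == "ON"}


def run_live(region: str = "us-east-1") -> dict:
    """Create the bucket, lock a version, hold it, then try a bypass delete."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3", region_name=region)
    s3.create_bucket(Bucket=BUCKET, ObjectLockEnabledForBucket=True)  # us-east-1: no LocationConstraint
    s3.put_object_lock_configuration(
        Bucket=BUCKET, ObjectLockConfiguration=default_retention_config("GOVERNANCE", days=365))
    put = s3.put_object(**put_object_kwargs("document.pdf", b"constructed body", "GOVERNANCE", retain_until(30)))
    vid = put["VersionId"]
    s3.put_object_legal_hold(**legal_hold_kwargs("document.pdf", vid, True))
    state = describe_lock(s3.head_object(Bucket=BUCKET, Key="document.pdf", VersionId=vid))
    try:
        s3.delete_object(**bypass_delete_kwargs("document.pdf", vid))
        state["delete"] = "deleted"
    except ClientError as err:
        state["delete"] = err.response["Error"]["Code"]   # AccessDenied while the hold is ON
    return state


if __name__ == "__main__":
    print(run_live())
```

`run_live` is expected to end with `"delete": "AccessDenied"`: the version is in Governance mode and the caller sends the bypass, but the legal hold still blocks. Turn the hold OFF with `legal_hold_kwargs(..., False)` and the same bypass delete succeeds for a principal that holds s3:BypassGovernanceRetention.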
Enterprise Scenario 1: Financial Services Compliance
A large investment bank must comply with SEC Rule 17a-4, which requires electronic records to be stored in a WORM format for a minimum of 6 years. The bank uses S3 Object Lock with Compliance mode and a retention period of 6 years. They enable default retention at the bucket level to ensure all new records are automatically locked. Versioning is enabled to capture changes. Lifecycle policies are configured to transition objects to S3 Glacier Deep Archive after 90 days to reduce costs, but the retention period remains in effect. The bank also uses legal holds for any records involved in audits or investigations. Misconfiguration: If an administrator sets the bucket default to Governance instead of Compliance, every record locked under that default can be deleted early by any principal holding s3:BypassGovernanceRetention, so the regulatory requirement is not met. Because a version's mode can be tightened from Governance to Compliance (never the other way), the fix is to correct the bucket default and then call put-object-retention on every affected version. The bank must ensure that only authorized personnel with MFA can change the Object Lock configuration, and should alert on PutBucketObjectLockConfiguration and PutObjectRetention events in CloudTrail.
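An audit for the misconfiguration described in this scenario, as an added example (not the bank's tooling and not AWS code): it walks per-version lock metadata and flags anything that would not satisfy "Compliance mode until at least the required date". The records in `SAMPLE_RECORDS` are constructed to look like head_object responses; `collect_live` produces the same shape from a real bucket and imports boto3 lazily. The bucket name and keys are placeholders.

```python
# Added example (not page or AWS code): audit per-version Object Lock metadata
# against a WORM requirement. SAMPLE_RECORDS are constructed, not real.
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Tuple

Finding = Tuple[str, str, str]   # (key, version_id, issue)


def audit_versions(records: Iterable[dict], required_mode: str,
                   min_retain_until: datetime) -> List[Finding]:
    """Flag versions that do not satisfy `required_mode` until `min_retain_until`.
    Legal holds are reported as info so they can be reconciled with a matter list."""
    findings: List[Finding] = []
    for r in records:
        key, vid = r["Key"], r["VersionId"]
        if r.get("IsDeleteMarker"):
            findings.append((key, vid, "delete marker is current: locked data is hidden, not removed"))
            continue
        mode = r.get("ObjectLockMode")
        until = r.get("ObjectLockRetainUntilDate")
        if mode is None:
            findings.append((key, vid, "no retention at all"))
            continue
        if mode != required_mode:
            findings.append((key, vid, f"mode {mode} can be bypassed; required {required_mode}"))
        if until is None or until < min_retain_until:
            findings.append((key, vid, f"retention ends {until}; required until {min_retain_until.date()}"))
        if r.get("ObjectLockLegalHoldStatus") == "ON":
            findings.append((key, vid, "info: legal hold ON, confirm it is tracked and owned"))
    return findings


NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
REQUIRED_UNTIL = NOW + timedelta(days=6 * 365)   # six-year horizon from the scenario

SAMPLE_RECORDS = [   # constructed sample, shaped like head_object output per version
    {"Key": "trades/2025-05-30.csv", "VersionId": "v1", "ObjectLockMode": "COMPLIANCE",
     "ObjectLockRetainUntilDate": NOW + timedelta(days=7 * 365), "ObjectLockLegalHoldStatus": "OFF"},
    {"Key": "trades/2025-05-29.csv", "VersionId": "v1", "ObjectLockMode": "GOVERNANCE",
     "ObjectLockRetainUntilDate": NOW + timedelta(days=7 * 365), "ObjectLockLegalHoldStatus": "OFF"},
    {"Key": "trades/2025-05-28.csv", "VersionId": "v1", "ObjectLockMode": "COMPLIANCE",
     "ObjectLockRetainUntilDate": NOW + timedelta(days=365), "ObjectLockLegalHoldStatus": "ON"},
    {"Key": "trades/2025-05-27.csv", "VersionId": "v3", "IsDeleteMarker": True},
    {"Key": "notes/readme.txt", "VersionId": "v1"},
]


def collect_live(bucket: str) -> List[dict]:
    """Same record shape from a real bucket: list every version, then head_object
    each one, because lock fields belong to versions, not keys."""
    import boto3
    s3 = boto3.client("s3")
    out: List[dict] = []
    for page in s3.get_paginator("list_object_versions").paginate(Bucket=bucket):
        for m in page.get("DeleteMarkers", []):
            out.append({"Key": m["Key"], "VersionId": m["VersionId"], "IsDeleteMarker": True})
        for v in page.get("Versions", []):
            h = s3.head_object(Bucket=bucket, Key=v["Key"], VersionId=v["VersionId"])
            out.append({"Key": v["Key"], "VersionId": v["VersionId"],
                        "ObjectLockMode": h.get("ObjectLockMode"),
                        "ObjectLockRetainUntilDate": h.get("ObjectLockRetainUntilDate"),
                        "ObjectLockLegalHoldStatus": h.get("ObjectLockLegalHoldStatus")})
    return out


if __name__ == "__main__":
    for key, vid, issue in audit_versions(SAMPLE_RECORDS, "COMPLIANCE", REQUIRED_UNTIL):
        print(f"{key}@{vid}: {issue}")
```

On a large bucket, one head_object per version is slow; an S3 Inventory report configured with the Object Lock fields gives the same columns in bulk and can be fed to `audit_versions` after parsing.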
Enterprise Scenario 2: Healthcare Records Retention
A healthcare provider uses S3 to store patient records subject to HIPAA. They use Object Lock with Governance mode to protect records from accidental deletion for a retention period of 7 years. The provider also enables MFA Delete on the bucket for additional security. They attach a bucket policy that denies s3:BypassGovernanceRetention and s3:DeleteObjectVersion unless aws:MultiFactorAuthPresent is true, so only administrators who authenticated with MFA and send the x-amz-bypass-governance-retention header can delete records before the retention period expires. Common pitfall: If the retention period is set too short, records may be deleted before the required retention period. The provider should set the retention period to the maximum required by law, and remember that lengthening it later means calling put-object-retention on every affected version, because a changed bucket default applies only to new uploads.
Enterprise Scenario 3: Media and Entertainment Legal Holds
A media company uses S3 to store copyrighted content. During a legal dispute, they need to preserve all versions of a specific video file. They apply a legal hold to each version of that object. The legal hold has no expiration, so the versions remain protected indefinitely until the hold is removed. The company uses AWS CloudTrail to log all actions, including the application and removal of legal holds. Performance consideration: Legal holds and retention settings are per-version metadata and do not affect read performance. Scale: there is no practical limit on the number of locked versions, but auditing them takes work, because the lock fields must be read per version with head-object or get-object-retention, or collected in bulk from an S3 Inventory report that includes the Object Lock mode, retain-until date and legal-hold status. The main operational risk is the lifecycle of legal holds: they must be removed manually (s3:PutObjectLegalHold), which is error-prone if holds are not tracked against the matter that created them.
What SAA-C03 Tests on S3 Object Lock
The SAA-C03 exam focuses on understanding when to use Object Lock, the differences between Governance and Compliance modes, and how legal holds work. Specific objectives include:
Secure Architectures (Objective 1.5): Designing secure access to S3, including data protection mechanisms.
Storage (Objective 3.1): Determining appropriate storage solutions, including compliance requirements.
Most Common Wrong Answers and Why Candidates Choose Them
"Object Lock can be enabled on an existing bucket." Exam questions are commonly written around the original rule that Object Lock is enabled at bucket creation, and that is the answer they expect. Be aware that AWS has since added a way to enable it on an existing, versioning-enabled bucket through put-object-lock-configuration, so read the scenario's wording rather than relying on memory alone.
"Governance mode prevents deletion by anyone, including the root user." Candidates confuse Governance with Compliance. Governance allows bypass with proper permissions. Compliance is the strict mode.
"Legal hold has a default duration of 30 days." Legal hold is indefinite until removed. There is no default duration.
"You can shorten a retention period." Without a bypass, retention periods can only be extended in either mode. The one exception is Governance mode with s3:BypassGovernanceRetention plus the bypass header, which can shorten or remove the lock; Compliance mode has no exception.
Specific Numbers, Values, and Terms That Appear on the Exam
Retention mode values: GOVERNANCE and COMPLIANCE (case-sensitive).
Legal hold status: ON or OFF.
Default retention can be specified in Days or Years.
The x-amz-bypass-governance-retention header must be set to true to bypass Governance mode.
Object Lock requires versioning to be enabled.
Edge Cases and Exceptions the Exam Loves to Test
What happens if you try to delete a bucket with objects under retention? The delete fails until all retention periods expire and legal holds are removed.
Can you apply Object Lock to a delete marker? No. A delete marker has no data and carries no retention or legal-hold settings; it can be removed at any time, which simply makes the previous (still locked) version current again.
What if a lifecycle policy targets an object under retention? The lifecycle action fails and retries.
How to Eliminate Wrong Answers Using the Underlying Mechanism
If a question asks about preventing deletion for regulatory compliance, look for wording like "no one can delete": that points to Compliance mode. If the question mentions "administrative override" or "bypass", it is Governance mode. If the question involves an indefinite hold for litigation, it is legal hold. Remember that Object Lock is a bucket-level setting that the exam treats as fixed at creation: if the scenario describes an existing bucket without it, the expected answer is to create a new bucket with Object Lock enabled and migrate the data (in practice AWS now also allows enabling it on an existing versioning-enabled bucket).
Object Lock is normally enabled at bucket creation and can never be switched off afterwards; the exam treats it as a creation-time decision.
Versioning must be enabled on the bucket for Object Lock to work.
Governance mode allows bypass with proper permissions; Compliance mode does not.
Legal hold is indefinite and independent of retention periods.
Retention periods can be extended but not shortened, except in Governance mode with the bypass permission and header.
Lifecycle expiration cannot remove a locked version until its retention expires and any legal hold is lifted; transitions still run.
You cannot delete a bucket that contains objects under retention or legal hold.
These come up on the exam all the time. Here's how to tell them apart.
Governance Mode
Allows bypass with s3:BypassGovernanceRetention permission
Used for administrative flexibility while preventing accidental deletion
Can be overridden by authorized users
Retention period can be extended freely; shortening it or deleting early needs the bypass permission and header
Suitable for internal controls
Compliance Mode
No bypass possible; even root user cannot delete
Used for strict regulatory compliance (e.g., SEC 17a-4)
Cannot be overridden by anyone
Retention period can be extended but not shortened (cannot delete at all)
Suitable for external audit requirements
Mistake
Object Lock can be enabled on any bucket at any time.
Correct
Object Lock is enabled at bucket creation with the `--object-lock-enabled-for-bucket` flag on `create-bucket` and can never be switched off. AWS has since added a way to enable it on an existing versioning-enabled bucket via `put-object-lock-configuration`, but exam questions generally still assume creation time.
Mistake
Governance mode prevents all deletions, including by the root user.
Correct
Governance mode can be bypassed by users with the `s3:BypassGovernanceRetention` permission and the `x-amz-bypass-governance-retention: true` header. Only Compliance mode prevents all deletions.
Mistake
Legal hold has a default duration of 90 days.
Correct
Legal hold has no duration; it remains in effect until explicitly removed. It is a simple ON/OFF toggle.
Mistake
You can reduce the retention period of a locked object.
Correct
Retention periods can only be extended (increased), never shortened, unless the version is in Governance mode and the caller has the bypass permission and header. Compliance mode allows no shortening at all.
Mistake
Object Lock works without versioning.
Correct
Object Lock requires versioning to be enabled on the bucket. Without versioning, you cannot apply Object Lock.
For exam purposes, no: Object Lock is enabled at the time of bucket creation, and the expected remedy for an existing bucket is to create a new bucket with Object Lock enabled and migrate the data. AWS has since added support for enabling Object Lock on an existing bucket that already has versioning enabled, via put-object-lock-configuration, so check the wording of the scenario.
Governance mode allows users with the `s3:BypassGovernanceRetention` permission to delete or overwrite locked objects. Compliance mode does not allow any bypass — even the root user cannot delete or overwrite an object until the retention period expires. Compliance mode is for strict regulatory compliance.
Yes, legal hold is independent of retention periods. You can apply a legal hold to any object version, regardless of whether it has a retention period. Legal hold prevents deletion or overwrite until the hold is removed.
You can extend the retention period by calling the `put-object-retention` API with a `RetainUntilDate` later than the current one. Extending needs only the s3:PutObjectRetention permission in either mode; no bypass is involved. You cannot shorten the retention period, except in Governance mode with s3:BypassGovernanceRetention and the bypass header. The exam tests that you can extend but not shorten.
The delete operation fails. You must first ensure that all objects have no active retention periods and no legal holds. Once all objects are unlocked, you can delete the bucket.
Lifecycle policies can be configured, and transition rules (for example to Glacier Deep Archive) still apply to locked versions, but expiration rules cannot delete a version that is under retention or legal hold. S3 skips the locked version and re-evaluates it later, removing it once the retention period expires and any legal hold is removed.
Yes, you can use both together. MFA Delete adds an additional layer of security for deleting versions, but it does not replace Object Lock. They complement each other.