S3 Object Lock: What It Is and When to Use It
Definition
Amazon S3 Object Lock is a feature that provides a Write-Once-Read-Many (WORM) model for data stored in Amazon S3. It prevents objects from being deleted or overwritten for a fixed amount of time or indefinitely, helping organizations meet regulatory requirements for data retention and providing robust protection against accidental or malicious data modification, including ransomware.
How It Works
S3 Object Lock can be enabled when a bucket is created or, on an existing bucket, after the fact; the older restriction to bucket creation no longer applies. S3 Versioning is required in both cases: creating a bucket with Object Lock turns versioning on automatically, and an existing bucket must have versioning Enabled (not Suspended) before Object Lock can be switched on. Once enabled, Object Lock cannot be disabled and versioning cannot be suspended for that bucket. Lock settings are applied to individual object versions, so different versions of the same object can carry different retention settings.
Object Lock provides two independent ways to manage object retention: Retention Periods and Legal Holds. An object version can have one, both, or neither applied.
1. Retention Periods
A retention period specifies a fixed length of time during which an object version is protected. When you set a retention period, S3 stores a Retain Until Date timestamp in the object's metadata. Until this date passes, the object version cannot be deleted or overwritten. There are two retention modes:
- Compliance Mode: This is the highest level of protection. A protected object version cannot be overwritten or deleted by any user, including the root user of the AWS account. The retention mode cannot be changed and the retention period can be extended but never shortened; the only way to get rid of compliance-locked data before its Retain Until Date is to close the AWS account. This mode is designed for strict regulatory compliance where data immutability is a legal requirement (e.g., SEC Rule 17a-4, FINRA).
- Governance Mode: This mode protects objects from deletion by most users but lets specifically authorized users alter the retention settings or delete the object version. To bypass the lock, a user needs both the s3:BypassGovernanceRetention IAM permission and the x-amz-bypass-governance-retention: true header explicitly included in the API request (the --bypass-governance-retention flag in the AWS CLI); either one on its own is refused. Governance mode is useful for guarding against accidental deletion while letting trusted administrators manage the data, which also means a compromised identity that holds the bypass permission can remove the protection.
2. Legal Holds
A legal hold provides the same immutability protection as a retention period but has no expiration date. It remains in effect until an authorized user with the s3:PutObjectLegalHold permission explicitly removes it. Legal holds are independent of retention periods and are typically used to preserve data for legal discovery, e-discovery, or internal investigations, where the retention timeline is unknown.
For example, an object version can be protected by a 7-year retention period. If a legal hold is placed on it in year 3 and the retention period expires in year 7, the object remains protected by the legal hold. It only becomes deletable after the legal hold is explicitly removed.
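The rules above are easy to state and easy to get wrong in practice (for instance, having the permission but forgetting the header, or assuming a locked key cannot receive new versions). The following is an added example, not code from the page or from AWS: a small Python model of the documented decision rules, so each case can be checked offline on constructed inputs. The dates, the scenario values and the Caller/LockState names are invented for this illustration.

```python
"""Model of the S3 Object Lock decision rules explained above (added example,
not AWS code). It encodes: governance bypass needs permission AND header,
compliance admits no bypass, legal holds have no expiry, and locks apply to
object versions rather than to keys. Inputs below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

GOVERNANCE = "GOVERNANCE"
COMPLIANCE = "COMPLIANCE"


def utc(year: int, month: int = 1, day: int = 1) -> datetime:
    """Helper for constructing Retain Until Dates in the examples."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class LockState:
    """Lock settings carried by one object *version* (never by the key itself)."""
    mode: Optional[str] = None               # GOVERNANCE, COMPLIANCE or None
    retain_until: Optional[datetime] = None  # the Retain Until Date
    legal_hold: bool = False


@dataclass
class Caller:
    """What the requester has: the IAM permission, and whether the request
    carried the x-amz-bypass-governance-retention: true header."""
    has_bypass_permission: bool = False
    sent_bypass_header: bool = False

    def bypasses_governance(self) -> bool:
        # Permission alone is not enough; the header must be sent explicitly.
        return self.has_bypass_permission and self.sent_bypass_header


def retention_active(lock: LockState, now: datetime) -> bool:
    return lock.retain_until is not None and now < lock.retain_until


def can_delete_version(lock: LockState, who: Caller, now: datetime) -> bool:
    """Permanent deletion of a specific version (DELETE ...?versionId=...)."""
    if lock.legal_hold:
        return False                      # no expiry; the hold must be removed first
    if not retention_active(lock, now):
        return True                       # period elapsed or never set
    if lock.mode == COMPLIANCE:
        return False                      # nobody, root included
    return who.bypasses_governance()      # GOVERNANCE


def can_delete_key(lock: LockState, who: Caller, now: datetime) -> bool:
    """A DELETE without a version ID only adds a delete marker; the locked
    version is untouched and still restorable, so the lock does not block it."""
    return True


def can_put_new_version(lock: LockState, who: Caller, now: datetime) -> bool:
    """A PUT to a locked key writes a *new* version. 'Cannot be overwritten'
    means the locked version is never replaced, not that the key is frozen."""
    return True


def can_set_retain_until(lock: LockState, new_until: datetime,
                         who: Caller, now: datetime) -> bool:
    """PutObjectRetention keeping the same mode. Extending is always allowed;
    shortening needs a governance bypass and is impossible in COMPLIANCE."""
    if not retention_active(lock, now) or new_until >= lock.retain_until:
        return True
    if lock.mode == COMPLIANCE:
        return False
    return who.bypasses_governance()


def walkthrough() -> dict:
    """The scenario from the text: 7-year COMPLIANCE retention set in 2020,
    legal hold placed in year 3, checked again after retention expires."""
    lock = LockState(mode=COMPLIANCE, retain_until=utc(2027))
    admin = Caller(has_bypass_permission=True, sent_bypass_header=True)
    results = {"during_retention": can_delete_version(lock, admin, utc(2023))}
    lock.legal_hold = True                # placed in year 3
    results["after_retention_with_hold"] = can_delete_version(lock, admin, utc(2028))
    lock.legal_hold = False               # hold explicitly removed
    results["after_retention_hold_removed"] = can_delete_version(lock, admin, utc(2028))
    return results


if __name__ == "__main__":
    print(walkthrough())
```

The two "always True" functions are the point practitioners most often miss: a lock does not stop an attacker or a careless script from writing new versions or delete markers on top of a key; it stops them from removing the locked version underneath, which is what a restore must reach for by version ID.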
Key Features and Limits
- WORM Model: Provides a true Write-Once-Read-Many model to ensure data immutability.
- Enabling: Object Lock can be enabled on a new bucket at creation or on an existing bucket that has versioning enabled. It cannot be turned off afterwards.
- Versioning Prerequisite: S3 Versioning is mandatory. It is enabled automatically when a bucket is created with Object Lock, and must already be Enabled (not Suspended) before Object Lock is turned on for an existing bucket; it cannot be suspended once Object Lock is on.
- Flexible Retention Controls: Offers two distinct modes (Governance and Compliance) to balance protection with administrative flexibility.
- Indefinite Protection: The Legal Hold feature allows for indefinite protection of objects, independent of time-based retention.
- Default Bucket Settings: You can configure a default retention mode and period on a bucket; it is applied to new object versions uploaded without explicit retention settings. Explicit settings on the upload take precedence, the default does not retroactively lock versions that already exist, and a bucket default cannot place legal holds.
- Lifecycle Policy Integration: Locked object versions can still be transitioned between storage classes (e.g., from S3 Standard to S3 Glacier Deep Archive) by S3 Lifecycle rules. Lifecycle expiration cannot permanently delete a locked version; it is removed only once the retention period has passed and no legal hold remains.
- S3 Batch Operations: You can use S3 Batch Operations to apply or extend retention settings and to add or remove legal holds across billions of object versions at once, within the same mode rules (Compliance-mode retention still cannot be shortened).
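The following is an added example, not code from the page or from AWS: the bucket-level and object-level calls from the list above, written against the boto3 S3 client API (create_bucket, put_bucket_versioning, put_object_lock_configuration, put_object, put_object_retention, put_object_legal_hold, delete_object). Each function takes the client as a parameter so the request shapes can be exercised offline with the RecordingClient stand-in defined below; the main() block runs the sequence for real when boto3 and credentials are available. Bucket names, keys, regions and the backup payload are placeholders chosen for this example.

```python
"""Object Lock via boto3 (added example, not AWS or page code). Functions take
the S3 client as an argument; RecordingClient is an offline stand-in that
records the calls. Bucket/key/region values are placeholders."""
from datetime import datetime, timedelta, timezone


def create_locked_bucket(s3, bucket, region):
    """New bucket with Object Lock on from the start (versioning comes with it).
    us-east-1 must be created without a LocationConstraint."""
    kwargs = {"Bucket": bucket, "ObjectLockEnabledForBucket": True}
    if region != "us-east-1":
        kwargs["CreateBucketConfiguration"] = {"LocationConstraint": region}
    return s3.create_bucket(**kwargs)


def enable_on_existing_bucket(s3, bucket, mode="GOVERNANCE", days=30):
    """Existing bucket: versioning must be Enabled (not Suspended) first, then
    Object Lock is switched on together with a bucket default. Neither step can
    be undone. The default applies only to future uploads that carry no explicit
    retention, and a default cannot place legal holds."""
    s3.put_bucket_versioning(Bucket=bucket,
                             VersioningConfiguration={"Status": "Enabled"})
    config = {"ObjectLockEnabled": "Enabled",
              "Rule": {"DefaultRetention": {"Mode": mode, "Days": days}}}
    s3.put_object_lock_configuration(Bucket=bucket, ObjectLockConfiguration=config)
    return config


def put_with_retention(s3, bucket, key, body, mode, retain_until):
    """Per-object settings on the PUT override the bucket default. Returns the
    version ID, which every later lock call must name explicitly."""
    resp = s3.put_object(Bucket=bucket, Key=key, Body=body, ObjectLockMode=mode,
                         ObjectLockRetainUntilDate=retain_until)
    return resp["VersionId"]


def set_retention(s3, bucket, key, version_id, mode, new_until,
                  bypass_governance=False):
    """Lengthening the period needs no bypass in either mode. Shortening it in
    GOVERNANCE needs BypassGovernanceRetention=True (sends the
    x-amz-bypass-governance-retention: true header) plus the IAM permission;
    in COMPLIANCE S3 refuses it regardless."""
    kwargs = {"Bucket": bucket, "Key": key, "VersionId": version_id,
              "Retention": {"Mode": mode, "RetainUntilDate": new_until}}
    if bypass_governance:
        kwargs["BypassGovernanceRetention"] = True
    return s3.put_object_retention(**kwargs)


def set_legal_hold(s3, bucket, key, version_id, on):
    """ON keeps the version until someone with s3:PutObjectLegalHold sets OFF."""
    return s3.put_object_legal_hold(Bucket=bucket, Key=key, VersionId=version_id,
                                    LegalHold={"Status": "ON" if on else "OFF"})


def delete_version(s3, bucket, key, version_id, bypass_governance=False):
    """Names the VersionId on purpose: a DELETE without one only adds a delete
    marker and leaves the locked version in place."""
    kwargs = {"Bucket": bucket, "Key": key, "VersionId": version_id}
    if bypass_governance:
        kwargs["BypassGovernanceRetention"] = True
    return s3.delete_object(**kwargs)


class RecordingClient:
    """Offline stand-in for the boto3 S3 client: records (method, kwargs) and
    answers every call with a fixed VersionId."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, method):
        def call(**kwargs):
            self.calls.append((method, kwargs))
            return {"VersionId": "v1"}
        return call


def backup_workflow(s3, bucket="example-backups", region="us-east-1",
                    key="db/2026-01-01.dump"):
    """Create a locked bucket, store a backup in COMPLIANCE mode for 90 days,
    extend it by a year, then place a legal hold. Returns the version ID."""
    until = datetime.now(timezone.utc) + timedelta(days=90)
    create_locked_bucket(s3, bucket, region)
    vid = put_with_retention(s3, bucket, key, b"constructed backup bytes",
                             "COMPLIANCE", until)
    set_retention(s3, bucket, key, vid, "COMPLIANCE", until + timedelta(days=365))
    set_legal_hold(s3, bucket, key, vid, True)
    return vid


if __name__ == "__main__":
    import boto3  # real run: needs credentials and a globally unique bucket name
    print(backup_workflow(boto3.client("s3", region_name="us-east-1")))
```

With a real client, calling delete_version on the COMPLIANCE-locked version raises botocore's ClientError (AccessDenied) until the Retain Until Date has passed and the hold is OFF; in GOVERNANCE mode the same call succeeds only when bypass_governance=True and the caller holds s3:BypassGovernanceRetention.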
Common Use Cases
- Regulatory and Compliance Archiving: Meeting stringent data retention requirements from regulations like SEC Rule 17a-4, FINRA Rule 4511, and CFTC Regulation 1.31, which mandate immutable storage for financial and legal records.
- Ransomware Protection: By making critical backups immutable, S3 Object Lock prevents ransomware from deleting or replacing your recovery data. If production systems are compromised, you can restore from a known-good, unalterable version in S3. Use Compliance mode for this purpose: in Governance mode an attacker who obtains credentials with s3:BypassGovernanceRetention can still remove the backups. An attacker can also write new versions or delete markers on top of a locked key, so restores should target the locked version IDs rather than whatever is current.
- Data Integrity and Audit Trails: Protecting critical data like logs, scientific research data, or digital evidence from any modification, ensuring a verifiable chain of custody.
- Long-Term Data Preservation: Securing valuable intellectual property, digital media archives, and other critical business records from accidental deletion or internal threats over long periods.
Pricing Model
There are no additional charges for using S3 Object Lock itself. You pay standard Amazon S3 prices based on:
- Storage: The amount of data stored per GB per month, which varies by S3 storage class.
- Requests and Data Retrievals: Charges for API requests such as PUT, GET, COPY, and the requests that read or write Object Lock metadata.
- Data Transfer: Data transferred out of an S3 bucket to the internet or to other AWS Regions incurs charges.
It is crucial to factor in that locked objects cannot be deleted, so you will incur storage costs for the entire duration of the retention period. Careful planning of retention policies is essential to manage costs effectively. You can use the AWS Pricing Calculator to estimate costs.
Pros and Cons
Pros:
- Strong Immutability: Provides robust, unchangeable data protection, especially in Compliance mode, which even the root user cannot bypass.
- Compliance Adherence: Designed to meet strict regulatory requirements for data retention and integrity.
- Effective Ransomware Defense: A key tool in a defense-in-depth strategy to ensure data recoverability after a ransomware attack.
- Flexible Controls: Governance mode and Legal Holds offer flexibility for different use cases beyond strict compliance.
Cons:
- Irreversibility: In Compliance mode, an object cannot be deleted by anyone before its retention period expires. Misconfigurations can lead to significant, unavoidable storage costs.
- One-Way Setting: Once enabled on a bucket, Object Lock cannot be turned off and versioning cannot be suspended. Undoing it means migrating the data to a new bucket.
- Management Overhead: Requires careful planning of IAM policies and retention periods to prevent locking data for too long or granting bypass permissions too broadly.
- Potential for Higher Storage Costs: The inability to delete data means you are committed to paying for its storage for the full retention period, even if it's no longer needed for business operations.
Comparison with Alternatives
S3 Object Lock vs. S3 Glacier Vault Lock:
- Scope: S3 Object Lock operates at the individual object version level within a standard S3 bucket. S3 Glacier Vault Lock applies a WORM policy to an entire S3 Glacier vault.
- Flexibility: S3 Object Lock is more flexible, offering two retention modes and legal holds that can be applied on a per-object basis. Glacier Vault Lock involves a rigid, vault-wide policy that is locked after a 24-hour validation period.
- Use Case: S3 Object Lock is the modern, recommended approach for protecting actively used or frequently accessed data that requires immutability. S3 Glacier Vault Lock is an older feature designed specifically for long-term archival compliance within S3 Glacier.
S3 Object Lock vs. IAM Deny Policies:
An IAM policy can be configured to deny s3:DeleteObject actions, which prevents users from deleting objects. However, an administrator with sufficient permissions can simply change or remove the IAM policy. S3 Object Lock in Compliance mode is fundamentally different because it creates a lock that is enforced by the S3 service itself, which cannot be overridden by any user, including the account's root user. This provides a much stronger, verifiable guarantee of immutability.
Exam Relevance
S3 Object Lock is a key topic in several AWS certification exams, particularly those focused on storage, security, and architecture.
- Certifications: AWS Certified Solutions Architect - Associate (SAA) and Professional (SAP), and AWS Certified Security - Specialty (SCS).
- Key Topics to Know:
- The fundamental difference between Governance Mode (requires special permissions to bypass) and Compliance Mode (cannot be bypassed by anyone).
- The purpose of a Legal Hold (indefinite retention until explicitly removed) versus a time-based Retention Period.
- The enablement constraints: Object Lock can be turned on at bucket creation or on an existing versioned bucket, but never turned off.
- The relationship with S3 Versioning (it's a mandatory prerequisite).
- How Object Lock serves as a primary defense against ransomware and helps meet regulatory compliance.
- The distinction between S3 Object Lock and the older S3 Glacier Vault Lock.
Frequently Asked Questions
Q: Can I enable S3 Object Lock on an existing bucket?
A: Yes. Object Lock could originally only be enabled at bucket creation, but AWS now allows it on existing buckets as long as S3 Versioning is enabled first. Existing object versions are not locked retroactively: apply retention to them explicitly (S3 Batch Operations can do this in bulk) or set a bucket default for new uploads. Once enabled, Object Lock cannot be turned off.
Q: What is the main difference between Governance mode and Compliance mode?
A: The primary difference is the ability to override the lock. In Governance mode, users with the specific s3:BypassGovernanceRetention IAM permission can alter retention settings or delete a protected object version. In Compliance mode, no user, including the AWS account root user, can overwrite or delete a protected object version until its retention period expires.
Q: How does S3 Object Lock help protect against ransomware?
A: Ransomware works by encrypting or deleting data and then demanding payment for its recovery. Applying Object Lock to your backups makes the locked versions immutable: an attacker, even with valid credentials, cannot delete or replace a locked version before its Retain Until Date, and in Compliance mode not even the root user can. The attacker can still upload new encrypted versions or add delete markers on top of the key, so recovery means restoring the locked, known-good version IDs rather than the latest version. Use Compliance mode for this purpose, since Governance mode can be bypassed by a compromised identity holding s3:BypassGovernanceRetention.
This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS documentation before making production decisions.