Let's Talk AWS
Immutable Storage with Amazon S3 Object Lock
How can you ensure that your data stored within S3 is immutable for audit and compliance? Let's talk about Object Lock for Amazon S3
By George Turner
Wed Oct 09 2024 · less than 4 min read
In this article, we'll discuss what Object Lock is and the different locking methods you can use to protect your data in different scenarios.
Overview
Object Lock is a feature of S3 that enables you to protect your data from being overwritten or deleted, either for a fixed period of time or indefinitely.
There are two methods of protecting objects: the first is a Retention Period and the other is a Legal Hold.
Each of these approaches can be applied at both the object and bucket level, provided the bucket in question has versioning enabled.
What is a Retention Period and how does it work?
First, let's explore retention periods. These allow you to define a period of time during which the object is immutable. The period can be defined either at the object level, by providing a Retain Until Date, or at the bucket level, by specifying a duration in days or years that S3 uses to calculate the Retain Until Date whenever a new object is placed in the bucket.
Within the Retention Period approach you can also choose one of two Retention Modes: Compliance Mode or Governance Mode. While both modes make an object immutable, they differ in whether the lock can be overridden.
Starting with Compliance Mode: the protected object cannot be overwritten or deleted by anyone, including the root user, for the duration of the retention period. Further to this, the retention period cannot be shortened, nor can the retention mode be changed.
Governance Mode, on the other hand, is slightly more flexible: users who hold a special permission can overwrite or delete an object version, or alter its lock settings. Users who need this capability must be granted the s3:BypassGovernanceRetention permission, and their requests must explicitly include the x-amz-bypass-governance-retention header with a value of true (the AWS console supplies this header by default).
What is a Legal Hold and how does it work?
Now let's consider the Legal Hold. This approach provides the same level of protection as the Retention Period described above, guarding against both overwrite and deletion. However, a Legal Hold applies these protections for an indefinite period, until a user with the s3:PutObjectLegalHold permission chooses to remove the Legal Hold from the object.
Further to this, Legal Holds and Retention Periods operate independently and can be applied to an object at the same time: applying or removing a Legal Hold does not affect the protections provided by an active Retention Period, and the expiry of a Retention Period does not affect the protections provided by a Legal Hold.
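As an added illustration (not code from this article or from AWS), here is a small Python model of the rules described in the two sections above: how a bucket default retention yields a Retain Until Date, and which combination of retention mode, bypass permission, bypass header and Legal Hold allows an object version to be deleted or its lock altered. The function and class names, the constructed T0 timestamp and the 365-day year are assumptions of the model; it mirrors the behaviour described here rather than calling S3.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

COMPLIANCE, GOVERNANCE = "COMPLIANCE", "GOVERNANCE"
T0 = datetime(2024, 10, 9, tzinfo=timezone.utc)  # constructed sample PutObject time

def retain_until(placed_at: datetime, days: int = 0, years: int = 0) -> datetime:
    # Bucket default retention: Retain Until Date = write time + duration (model assumes a year is 365 days)
    return placed_at + timedelta(days=days + 365 * years)

@dataclass
class LockState:                # lock settings stored on one object version
    mode: Optional[str] = None  # COMPLIANCE, GOVERNANCE or None (no retention)
    retain_until: Optional[datetime] = None
    legal_hold: bool = False    # evaluated independently of the retention period

@dataclass
class Caller:                         # who is asking, and how
    now: datetime
    bypass_permission: bool = False   # granted s3:BypassGovernanceRetention
    bypass_header: bool = False       # sent x-amz-bypass-governance-retention: true

def retention_active(lock: LockState, now: datetime) -> bool:
    return lock.mode is not None and lock.retain_until is not None and now < lock.retain_until

def delete_allowed(lock: LockState, caller: Caller) -> Tuple[bool, str]:
    # Can this version be deleted/overwritten? Legal hold is checked first: it is independent of retention.
    if lock.legal_hold:
        return False, "legal hold on: remove it first (needs s3:PutObjectLegalHold)"
    if retention_active(lock, caller.now):
        if lock.mode == COMPLIANCE:
            return False, "compliance retention: nobody, including root, can delete"
        if caller.bypass_permission and caller.bypass_header:
            return True, "governance retention bypassed (permission + header)"
        return False, "governance retention: need BOTH the permission and the header"
    return True, "no active lock"

def change_retention_allowed(lock: LockState, new_mode: str, new_until: datetime, caller: Caller) -> Tuple[bool, str]:
    # Compliance: no shortening, no mode change. Governance: only via the same permission + header bypass.
    if not retention_active(lock, caller.now):
        return True, "no active retention: new settings apply"
    if lock.mode == COMPLIANCE:
        if new_mode != COMPLIANCE or new_until < lock.retain_until:
            return False, "compliance: cannot change the mode or shorten the period"
        return True, "extending compliance retention is allowed"
    if caller.bypass_permission and caller.bypass_header:
        return True, "governance retention altered via bypass"
    return False, "governance retention: need permission and header to alter"
```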
Conclusion
Having examined the approaches to making an object immutable, we can see their value for audit and compliance purposes, especially when using the Compliance Retention Mode, or a Legal Hold when you are unsure how long the object will need to remain immutable. There are also a plethora of other use cases for the Governance Retention Mode, either as a way of testing a Retention Period or while building out functionality within our internal systems and applications.