Hello and welcome to this lecture looking at the Object lock property which is considered an ‘advanced’ property of an S3 bucket.

This feature is often used to meet a level of compliance known as WORM, meaning Write Once Read Many. It allows you to offer a level of protection against your objects in your bucket and prevents them from being deleted, either for a set period of time that is defined by you or alternatively prevents it from being deleted until the end of time! The ability to add retention periods using Object Lock help S3 to comply with regulations such as FINRA, the Financial Industry Regulatory Authority.

Setting Object Lock on a bucket can only be achieved at the time of the creation of the bucket. If you attempted to enable it on an existing bucket by clicking on the Object Lock tile in the bucket properties, you would receive the following error.

To enable and configure object lock during the creation of the bucket, you first need to ensure that you have Versioning enabled. Without first enabling versioning, it is NOT possible to enable object lock, which can be found under the ‘Advanced’ setting of Step 2 ‘Configure Options’ during creating your bucket.

Once you have created your bucket with object lock enabled it will be permanently enabled and can’t be disabled.

Although your bucket is now configured for ‘object lock’, any object your place into it at this stage is NOT automatically protected, to ensure they are you need to enable some default options on the bucket first. 

When you select the Object-lock tile, which will now say ‘Permanently enabled.’

You will be presented with two retention modes, and the settings selected here will define the default retention of an object when it is added to the bucket and therefore applying the required protection that object lock provides.

These retention modes are Governance Mode and Compliance Mode.

By enabling Governance Mode it prevents your users from performing a delete or an overwrite of any of the versions of your objects in the bucket throughout the duration set by the retention period. However, if you have very specific permissions, including s3:BypassGovernanceMode, s3:GetObjectLockConfiguration, s3:GetObjectRetention, then a user will still be able to delete an object version within the retention period or change any retention settings set on the bucket.

When setting Governance Mode you will be asked to add a retention period in days and therefore defines how long the object is protected by object lock preventing it from being deleted. When an object is added to the bucket, a timestamp is added to the metadata reflecting the retention period. When the retention period is over, the object can then be deleted again.

Compliance Mode. The key difference between Compliance Mode and Governance Mode is that there are NO users that can override the retention periods set or delete an object, and that also includes your AWS root account which has the highest privileges. Essentially, any object added to a bucket configured for Compliance Mode means that the object will remain for the duration of the retention period.

Again, much like with Governance Mode, you will be asked to enter a retention period based upon a number of days.

You can also set object-lock on a per-object by object basis if you didn’t want to set a default retention mode of Governance or Compliance. To do so, you need to select the object-lock option of the object’s properties itself. When doing so, you will see the following screen.

Again, you can set either the governance or compliance retention mode for that specific object. The ‘Retain until date’ shows that this object is already bound by a retention mode with a retention period, and as a result, it shows the date in which this object is to be protected until. When this date has passed, the object is no longer protected and can be deleted.

The legal hold element only appears for object versions and not at the bucket level and acts much like a retention period and prevents the object from being deleted, however, legal holds do not have an expiration date. Therefore, the object will remain protected until a user with permissions of s3:PutObjectLegalHold disables the legal hold on the object. If an object is already protected by a retention period, a legal hold can also be placed on the object. When the retention period expires, the object will still be protected by the legal hold regardless of the fact that the retention period has expired.

Lectures

Introduction - Versioning - Server-Access Logging - Static Website Hosting - Object-Level Logging - Default Encryption - Tags - Transfer Acceleration - Events - Requester Pays - Summary