This course will look at some of the management and bucket property features that Amazon S3 has to offer, and how you can use them to maintain and control your data. There are a number of different features available and you may be familiar with some of them, and others perhaps not so much, so this course has been designed to give you a full overview of what is available to you.
If you have any feedback, queries, or comments relating to this course, feel free to reach out to us at email@example.com.
The main objective of this course is to introduce and explain the available properties that are configurable at the bucket level that Amazon S3 has to offer to help you manage and administer your data effectively.
This course has been designed for:
- Storage and operations engineers responsible for maintaining and storing data within the enterprise
- AWS Architects who are designing new solutions requiring data storage capabilities
- Those who are looking to begin their certification journey with either the AWS Cloud Practitioner or one of the three Associate-level certifications
This is an intermediate-level course on AWS storage services, so to get the most out of it you should have some basic knowledge of Amazon S3. For more information on the service, please see our existing course entitled Introduction to Amazon S3.
Hello and welcome to this lecture looking at the Object lock property which is considered an ‘advanced’ property of an S3 bucket.
This feature is often used to meet a level of compliance known as WORM, meaning Write Once Read Many. It offers a level of protection for the objects in your bucket and prevents them from being deleted, either for a set period of time that is defined by you or, alternatively, indefinitely. The ability to add retention periods using Object Lock helps S3 comply with regulations such as those of FINRA, the Financial Industry Regulatory Authority.
Object Lock can only be enabled on a bucket at the time the bucket is created. If you attempted to enable it on an existing bucket by clicking on the Object Lock tile in the bucket properties, you would receive an error.
To enable and configure Object Lock during the creation of the bucket, you first need to ensure that you have Versioning enabled. Without first enabling versioning, it is NOT possible to enable Object Lock, which can be found under the ‘Advanced’ setting of Step 2, ‘Configure Options’, when creating your bucket.
Once you have created your bucket with Object Lock enabled, it is permanently enabled and can’t be disabled.
Although your bucket is now configured for Object Lock, any object you place into it at this stage is NOT automatically protected. To ensure that objects are protected, you need to enable some default options on the bucket first.
When you select the Object Lock tile, which will now say ‘Permanently enabled’, you will be presented with two retention modes. The settings selected here define the default retention applied to an object when it is added to the bucket, and therefore apply the protection that Object Lock provides.
These retention modes are Governance Mode and Compliance Mode.
Enabling Governance Mode prevents your users from deleting or overwriting any of the versions of your objects in the bucket for the duration of the retention period. However, a user who has been granted very specific permissions, including
s3:GetObjectRetention, will still be able to delete an object version within the retention period or change any retention settings set on the bucket.
When setting Governance Mode you will be asked to enter a retention period in days, which defines how long the object is protected by Object Lock and prevented from being deleted. When an object is added to the bucket, a timestamp reflecting the retention period is added to its metadata. When the retention period is over, the object can be deleted again.
Compliance Mode. The key difference between Compliance Mode and Governance Mode is that NO user can override the retention periods set or delete an object, and that includes your AWS root account, which has the highest privileges. Essentially, any object added to a bucket configured for Compliance Mode will remain for the duration of the retention period.
Again, much like with Governance Mode, you will be asked to enter a retention period based upon a number of days.
You can also set Object Lock on a per-object basis if you don’t want to set a default retention mode of Governance or Compliance. To do so, select the Object Lock option in the object’s own properties.
There, you can set either the Governance or Compliance retention mode for that specific object. The ‘Retain until date’ shows that this object is already bound by a retention mode with a retention period, and shows the date until which the object is protected. Once this date has passed, the object is no longer protected and can be deleted.
The legal hold setting only appears for object versions, not at the bucket level. It acts much like a retention period in that it prevents the object from being deleted; however, legal holds do not have an expiration date. The object therefore remains protected until a user with the s3:PutObjectLegalHold permission disables the legal hold on the object. A legal hold can also be placed on an object that is already protected by a retention period, and when that retention period expires the object will still be protected by the legal hold.
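An added example (not the course's own code) that models the rules described in this lecture and builds the real boto3 payloads for the bucket-level defaults, per-object retention and legal hold. The bucket name, key, version id and sample timestamp are constructed, and the `bypass_governance` flag stands for the permission-gated Governance Mode override that the course mentions; it maps to the `BypassGovernanceRetention` request parameter of `put_object_retention` and `delete_object`.

```python
from datetime import datetime, timedelta, timezone

MODES = ("GOVERNANCE", "COMPLIANCE")
# Constructed sample clock so the helpers are deterministic offline.
EXAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def default_retention_config(mode: str, days: int) -> dict:
    """ObjectLockConfiguration payload for the bucket-level default retention."""
    if mode not in MODES or days < 1:
        raise ValueError("mode must be GOVERNANCE or COMPLIANCE and days >= 1")
    return {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": mode, "Days": days}}}


def retain_until(days: int, now: datetime) -> datetime:
    """The 'Retain until date' stamped on an object written at `now`."""
    return now + timedelta(days=days)


def delete_allowed(mode, until, legal_hold_on, now, bypass_governance=False):
    """Whether a version may be deleted: a legal hold blocks deletion regardless
    of retention; COMPLIANCE cannot be overridden by anyone; GOVERNANCE can only
    be overridden by a principal permitted to bypass it."""
    if legal_hold_on:
        return False
    if now >= until:
        return True  # retention period has expired
    return mode == "GOVERNANCE" and bypass_governance


def apply_bucket_defaults(s3, bucket, mode, days):
    """Set default retention on a bucket that was created with Object Lock."""
    return s3.put_object_lock_configuration(
        Bucket=bucket, ObjectLockConfiguration=default_retention_config(mode, days))


def protect_version(s3, bucket, key, version_id, mode, until, legal_hold=False):
    """Per-object retention plus an optional legal hold on one object version."""
    if mode not in MODES:
        raise ValueError("unknown retention mode")
    s3.put_object_retention(Bucket=bucket, Key=key, VersionId=version_id,
                            Retention={"Mode": mode, "RetainUntilDate": until})
    if legal_hold:
        s3.put_object_legal_hold(Bucket=bucket, Key=key, VersionId=version_id,
                                 LegalHold={"Status": "ON"})


if __name__ == "__main__":
    import boto3  # live calls: needs credentials and an Object Lock bucket
    s3 = boto3.client("s3")
    apply_bucket_defaults(s3, "example-worm-bucket", "COMPLIANCE", 365)
```

Pass any object with the same three method names as `s3` to exercise the helpers without touching AWS.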
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 80+ courses relating to Cloud reaching over 100,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.