AWS S3 Object Lock

  • S3 Object Lock helps to store objects using a write-once-read-many (WORM) model.
  • can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely.
  • can help meet regulatory requirements that require WORM storage or add an extra layer of protection against object changes and deletion.
  • can be enabled for both new and existing buckets.
    • Since Nov 2023, Object Lock can be enabled on existing buckets directly through the console, CLI, API, or SDKs without contacting AWS Support.
  • works only in versioned buckets (general purpose buckets only; not supported on directory buckets).
  • Once Object Lock is enabled
    • Object Lock can’t be disabled
    • automatically enables versioning for the bucket
    • versioning can’t be suspended for the bucket.
  • provides two ways to manage object retention.
    • Retention period
      • protects an object version for a fixed amount of time, during which an object remains locked.
      • During this period, the object is WORM-protected and can’t be overwritten or deleted.
      • can be applied on an object version either explicitly or through a bucket default setting.
      • S3 stores a timestamp in the object version’s metadata to indicate when the retention period expires. After the retention period expires, the object version can be overwritten or deleted unless you also placed a legal hold on the object version.
      • Retention period can be extended but never shortened (in both compliance and governance modes).
      • Minimum and maximum allowable retention periods can be enforced using the s3:object-lock-remaining-retention-days condition key in a bucket policy.
    • Legal hold
      • protects an object version, like a retention period does, but has no expiration date.
      • remains in place until you explicitly remove it.
      • can be freely placed and removed by any user who has the s3:PutObjectLegalHold permission.
      • is independent of retention periods.
      • ideal when the duration of protection is unknown (e.g., litigation, investigations, audits).
    • Retention periods and legal holds apply to individual object versions.
    • Placing a retention period or legal hold on an object protects only the version specified in the request. It doesn’t prevent new versions of the object from being created.
    • An object version can have both a retention period and a legal hold, one but not the other, or neither.
  • provides two retention modes that apply different levels of protection to the objects
    • Governance mode
    • Compliance mode
  • S3 buckets with S3 Object Lock can’t be used as destination buckets for server access logs.
  • has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations.
  • Objects protected by Object Lock (both GOVERNANCE and COMPLIANCE modes) do not allow annotation modifications (create, update, or delete). To add annotations to a locked object, create a new object version.
  • provides critical defense against ransomware attacks by preventing backup and archive data from being deleted or altered.

S3 Object Lock – Retention Modes

Governance mode

  • Users can’t overwrite or delete an object version or alter its lock settings unless they have special permissions.
  • Objects can be protected from being deleted by most users, but some users can be granted permission to alter the retention settings or delete the object if necessary.
  • Can be used to test retention-period settings before creating a compliance-mode retention period.
  • To override or remove governance-mode retention settings, a user must have the s3:BypassGovernanceRetention permission and must explicitly include x-amz-bypass-governance-retention:true as a request header.
  • The S3 console automatically applies the bypass header if the user has the s3:BypassGovernanceRetention permission.
  • Bypassing governance mode doesn’t affect an object version’s legal hold status.

Compliance mode

  • A protected object version can’t be overwritten or deleted by any user, including the root user in the AWS account.
  • Object retention mode can’t be changed, and its retention period can’t be shortened (but can be extended).
  • Object versions can’t be overwritten or deleted for the duration of the retention period.
  • The only way to delete an object under compliance mode before its retention date expires is to delete the associated AWS account.
  • Compliance mode provides the strict immutability required by regulations such as SEC 17a-4(f).

S3 Object Lock – How Deletes Work

  • If a bucket has Object Lock enabled and the object is protected by a retention period or legal hold:
    • Permanent DELETE request (specifies a version ID) – S3 returns an Access Denied (403 Forbidden) error.
    • Simple DELETE request (no version ID) – S3 returns 200 OK and inserts a delete marker. The protected object version is NOT deleted.
  • Delete markers are NOT WORM-protected, regardless of any retention period or legal hold on the underlying object.

S3 Object Lock – Default Bucket Configuration

  • A default retention period can be set on a bucket that applies automatically to all new objects placed in the bucket.
  • Default retention settings specify a mode (Governance or Compliance) and a duration (in days or years).
  • When an object is uploaded to a bucket with a default retention setting, S3 calculates a Retain Until Date by adding the duration to the object’s creation timestamp.
  • If an object is uploaded with an explicit individual retention mode and period, the object’s individual settings override the bucket defaults.
  • Default retention settings apply only to new objects; they do NOT retroactively apply to existing objects already in the bucket.
  • S3 Batch Operations can be used to apply Object Lock retention or legal holds to existing objects at scale.
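
As an added example (not the page's or AWS's code), the following stdlib model encodes the rules from the retention-mode, delete and default-retention sections above so they can be exercised offline: the class and method names are assumptions, and the 200/204/403 values stand in for S3's HTTP responses.

```python
# Added stdlib model (not AWS code) of the Object Lock rules on this page.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional

class AccessDenied(Exception): pass   # stands in for S3's 403 Forbidden response

@dataclass
class Version:
    mode: Optional[str] = None              # "GOVERNANCE", "COMPLIANCE" or None
    retain_until: Optional[datetime] = None
    legal_hold: bool = False
    delete_marker: bool = False
    def locked(self, now):                  # WORM-protected at this instant?
        return self.legal_hold or (self.retain_until is not None and self.retain_until > now)

@dataclass
class LockedBucket:
    default_mode: Optional[str] = None      # bucket default retention, if configured
    default_days: int = 0
    versions: Dict[str, Dict[int, Version]] = field(default_factory=dict)
    next_id: int = 0
    def _store(self, key, v):               # every PUT (or delete marker) is a new version
        self.next_id += 1
        self.versions.setdefault(key, {})[self.next_id] = v
        return self.next_id
    def put_object(self, key, now, mode=None, retain_until=None):
        if mode is None and self.default_mode:   # default applies only without explicit retention
            mode = self.default_mode
            retain_until = now + timedelta(days=self.default_days)   # the Retain Until Date
        return self._store(key, Version(mode, retain_until))
    def put_retention(self, key, vid, mode, retain_until, now, bypass=False):
        v = self.versions[key][vid]
        if v.retain_until is not None and v.retain_until > now:
            shorten = retain_until < v.retain_until
            if v.mode == "COMPLIANCE" and (mode != "COMPLIANCE" or shorten):
                raise AccessDenied("compliance: mode change or shorter period refused")
            if v.mode == "GOVERNANCE" and shorten and not bypass:
                raise AccessDenied("governance: shortening needs the bypass permission")
        v.mode, v.retain_until = mode, retain_until
    def delete_object(self, key, now, vid=None, bypass=False):
        if vid is None:   # simple DELETE: 200 OK plus a delete marker, nothing removed
            self._store(key, Version(delete_marker=True))
            return 200
        v = self.versions[key][vid]
        # governance yields to bypass (permission + header); legal hold and compliance never do
        if v.locked(now) and not (v.mode == "GOVERNANCE" and bypass and not v.legal_hold):
            raise AccessDenied("403 Forbidden")
        del self.versions[key][vid]
        return 204
```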

S3 Object Lock with Replication

  • Object Lock can be used with S3 Replication (CRR and SRR) to replicate locked objects and their retention metadata across buckets.
  • If the source bucket has Object Lock enabled, the destination buckets must also have Object Lock enabled.
  • Retention settings replicate automatically with the objects.
  • The replication IAM role requires additional permissions: s3:GetObjectRetention and s3:GetObjectLegalHold.
  • Replication for Object Lock-enabled buckets can now be configured directly through the console without contacting AWS Support (since Nov 2023).

S3 Object Lock – Additional Considerations

  • Lifecycle management: S3 Lifecycle rules continue to function on protected objects (including placing delete markers and transitioning storage classes), but a locked version cannot be permanently deleted by a Lifecycle expiration policy until retention expires.
  • Encryption: Object Lock works with encrypted objects. However, it does not protect against losing access to encryption keys or keys being deleted.
  • S3 Inventory: S3 Inventory can include Object Lock metadata (retain until date, retention mode, legal hold status) in inventory reports.
  • S3 Storage Lens: Provides metrics for Object Lock-enabled storage bytes and object count.
  • Upload integrity: The Content-MD5 or x-amz-sdk-checksum-algorithm header is required when uploading an object with a retention period configured.
  • Events and notifications: S3 Event Notifications and CloudTrail can track access and changes to Object Lock configurations.
  • Retention period limits: Can set minimum and maximum allowable retention periods using bucket policies with the s3:object-lock-remaining-retention-days condition key. Maximum retention period is 100 years.
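
As an added example that is not from the page or AWS documentation, this builds the bucket policy that bounds the retention window with the s3:object-lock-remaining-retention-days condition key described above, and evaluates a request's remaining retention days against its Deny statements; the bucket name, statement Sids and function names are assumptions.

```python
# Added example (not from the page or AWS): a bucket policy that bounds the
# retention window with s3:object-lock-remaining-retention-days, plus a small
# evaluator that applies its Deny statements to a request's remaining days.
import json

KEY = "s3:object-lock-remaining-retention-days"
COMPARE = {"NumericLessThan": lambda value, limit: value < limit,
           "NumericGreaterThan": lambda value, limit: value > limit}

def _deny(sid, arn, operator, days):
    # The condition key is supported on both PutObject and PutObjectRetention.
    return {"Sid": sid, "Effect": "Deny", "Principal": "*",
            "Action": ["s3:PutObject", "s3:PutObjectRetention"], "Resource": arn,
            "Condition": {operator: {KEY: str(days)}}}

def retention_limits_policy(bucket, min_days, max_days):
    """Explicit Deny wins over any Allow, so retention shorter than min_days or
    longer than max_days is rejected no matter which identity policy grants the action."""
    arn = f"arn:aws:s3:::{bucket}/*"
    return {"Version": "2012-10-17", "Statement": [
        _deny("DenyRetentionShorterThanMinimum", arn, "NumericLessThan", min_days),
        _deny("DenyRetentionLongerThanMaximum", arn, "NumericGreaterThan", max_days)]}

def put_denied(policy, remaining_days):
    """Return the Sid of the first Deny whose condition matches, else None. A request
    that sets no retention presents no key, and a numeric condition on an absent key
    is false, so these statements alone never block uploads that carry no retention."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        for operator, match in stmt["Condition"].items():
            limit = match.get(KEY)
            if limit is not None and remaining_days is not None \
                    and COMPARE[operator](remaining_days, int(limit)):
                return stmt["Sid"]
    return None

if __name__ == "__main__":   # print the policy as JSON ready for put-bucket-policy
    print(json.dumps(retention_limits_policy("example-bucket", 30, 3650), indent=2))
```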

S3 Object Lock – Required Permissions

  • s3:PutObjectRetention – required to set a retention period on an object
  • s3:GetObjectRetention – required to view an object’s retention settings
  • s3:PutObjectLegalHold – required to place or remove a legal hold
  • s3:GetObjectLegalHold – required to view an object’s legal hold status
  • s3:PutBucketObjectLockConfiguration – required to configure Object Lock on a bucket
  • s3:GetBucketObjectLockConfiguration – required to view a bucket’s Object Lock configuration
  • s3:BypassGovernanceRetention – required to bypass governance mode protections

S3 Object Lock with Batch Operations

  • S3 Batch Operations can apply Object Lock retention or legal holds at scale to millions of existing objects.
  • Supports both PutObjectRetention and PutObjectLegalHold operations.
  • Manifests can be generated using S3 Inventory reports with Amazon Athena or on-demand manifest generation.
  • Useful for retroactively protecting existing data that was stored before Object Lock was enabled.
  • Enables tiered retention policies by organizing objects into separate manifests with different retention periods.

AWS Certification Exam Practice Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated.
  • Open to further feedback, discussion and correction.
  1. A company needs to store its accounting records in Amazon S3. No one at the company, including administrative users and root users, should be able to delete the records for an entire 10-year period. The records must be stored with maximum resiliency. Which solution will meet these requirements?
    1. Use an access control policy to deny deletion of the records for a period of 10 years.
    2. Use an IAM policy to deny deletion of the records. After 10 years, change the IAM policy to allow deletion.
    3. Use S3 Object Lock in compliance mode for a period of 10 years.
    4. Use S3 Object Lock in governance mode for a period of 10 years.
  2. A company wants to protect S3 objects from accidental deletion by users who have full S3 permissions. Users should still be able to delete objects if business needs arise, but only with explicit authorization from a security team. Which approach meets these requirements?
    1. Enable S3 Object Lock in compliance mode with a 1-year retention period.
    2. Enable S3 Object Lock in governance mode and restrict the s3:BypassGovernanceRetention permission to the security team’s IAM role.
    3. Enable MFA Delete on the S3 bucket.
    4. Use an S3 bucket policy to deny all delete operations.
  3. An organization has an existing S3 bucket with millions of objects. They need to apply WORM protection to all existing objects to meet a new compliance requirement. What is the MOST efficient approach?
    1. Copy all objects to a new bucket with Object Lock enabled.
    2. Contact AWS Support to enable Object Lock on the existing bucket.
    3. Enable Object Lock on the existing bucket and use S3 Batch Operations with a manifest from S3 Inventory to apply retention settings to existing objects.
    4. Write a Lambda function to apply retention settings to each object individually.
  4. A company has S3 Object Lock in compliance mode applied to financial records with a 7-year retention period. A legal request requires immediate deletion of certain records. What can be done?
    1. Use s3:BypassGovernanceRetention permission to delete the objects.
    2. Change the retention mode from compliance to governance, then delete.
    3. Shorten the retention period to expire immediately.
    4. The objects cannot be deleted until the retention period expires. The only option is to delete the entire AWS account.
  5. A DevOps team wants to protect backup data from ransomware. They want immutability but need the flexibility to delete backups early if storage costs become a concern. Which S3 Object Lock configuration should they use?
    1. Compliance mode with a long retention period.
    2. Governance mode with an appropriate retention period, restricting s3:BypassGovernanceRetention to administrators.
    3. Legal hold on all backup objects.
    4. S3 Versioning without Object Lock.
