AWS S3 Object Lock
- S3 Object Lock lets you store objects using a write-once-read-many (WORM) model.
- can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely.
- can help meet regulatory requirements that require WORM storage or add an extra layer of protection against object changes and deletion.
- can be enabled on a new bucket at creation time. Since late 2023 it can also be enabled on an existing bucket (versioning must already be on) with PutObjectLockConfiguration; the older requirement to contact AWS Support for existing buckets no longer applies.
- works only in versioned buckets, because locks are placed on object versions.
- Once Object Lock is enabled
- Object Lock can’t be disabled
- automatically enables versioning for the bucket
- versioning can’t be suspended for the bucket.
- provides two ways to manage object retention.
- Retention period
- protects an object version for a fixed amount of time, during which an object remains locked.
- During this period, the object is WORM-protected and can’t be overwritten or deleted.
- can be applied on an object version either explicitly or through a bucket default setting.
- S3 stores a timestamp in the object version’s metadata to indicate when the retention period expires. After the retention period expires, the object version can be overwritten or deleted unless you also placed a legal hold on the object version.
- Legal hold
- protects an object version in the same way a retention period does, but it has no expiration date.
- remains in place until you explicitly remove it.
- can be freely placed and removed by any user who has the s3:PutObjectLegalHold permission; no retention mode or bypass permission is involved.
- is independent of retention periods: a legal hold continues to block deletion even after the retention period has expired.
- Retention periods and legal holds apply to individual object versions.
- Placing a retention period or legal hold on an object protects only the version specified in the request. It doesn’t prevent new versions of the object from being created.
- An object version can have both a retention period and a legal hold, one but not the other, or neither.
- Retention period
- provides two retention modes that apply different levels of protection to the objects
- Governance mode
- Compliance mode
- S3 buckets with S3 Object Lock can’t be used as destination buckets for server access logs.
- has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations.
S3 Object Lock – Retention Modes
Governance mode
- Users can’t overwrite or delete an object version or alter its lock settings unless they have special permissions.
- Objects can be protected from being deleted by most users, but some users can be granted permission to alter the retention settings or delete the object if necessary.
- Can be used to test retention-period settings before creating a compliance-mode retention period.
- To override or remove governance-mode retention settings, a user must have the s3:BypassGovernanceRetention permission and must explicitly include x-amz-bypass-governance-retention:true as a request header. Both are required; the permission alone or the header alone does not bypass the lock.
Compliance mode
- A protected object version can’t be overwritten or deleted by any user for the duration of the retention period, including the root user in the AWS account.
- The retention mode can’t be changed, and the retention period can’t be shortened; it can only be extended by setting a later retain-until date.
- Because there is no bypass, a compliance-mode mistake (too long a period, wrong object) can only be resolved by waiting out the retention period or deleting the whole account, which is why governance mode is recommended for testing settings first.
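The retention-period, legal-hold and retention-mode rules above interact in ways that are easy to get wrong: a governance bypass needs both the permission and the header, a legal hold keeps blocking deletion after retention has expired, compliance retention can be extended but never shortened, and deleting an object without a version ID only adds a delete marker. The following Python is an added example, not code from this page or from AWS: a small offline model of those rules that can be exercised without an account. The principal names, permission sets and timestamps are constructed for illustration; the API operation names (DeleteObject, PutObjectRetention, PutObjectLegalHold) and the x-amz-bypass-governance-retention header it refers to are the real ones.

```python
"""Offline model of the S3 Object Lock rules on this page (added example, not AWS code).
Principals, permission sets and timestamps are constructed; API and header names are real."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

GOVERNANCE = "GOVERNANCE"
COMPLIANCE = "COMPLIANCE"
BYPASS_HEADER = "x-amz-bypass-governance-retention"
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed "current time"


def days(n: int) -> datetime:
    return NOW + timedelta(days=n)                 # helper for retain-until dates


@dataclass
class ObjectVersion:
    key: str
    version_id: str
    mode: Optional[str] = None               # GOVERNANCE, COMPLIANCE or None
    retain_until: Optional[datetime] = None  # S3 stores this in the version's metadata
    legal_hold: bool = False


@dataclass
class Principal:
    name: str
    permissions: set = field(default_factory=set)
    is_root: bool = False                    # root is treated as holding every IAM permission

    def has(self, perm: str) -> bool:
        return self.is_root or perm in self.permissions


def retention_active(v: ObjectVersion, now: datetime) -> bool:
    return v.retain_until is not None and now < v.retain_until


def can_bypass_governance(p: Principal, headers: dict) -> bool:
    # Both halves are required: the IAM permission AND the explicit request header.
    return (p.has("s3:BypassGovernanceRetention")
            and headers.get(BYPASS_HEADER, "").lower() == "true")


def check_delete(v, p, now, version_id=None, headers=None) -> Tuple[bool, str]:
    """DeleteObject. Without a versionId S3 only writes a delete marker (a new
    version), which Object Lock never prevents; the lock bites on the version itself."""
    headers = headers or {}
    if version_id is None:
        return True, "delete marker created; locked version untouched"
    if v.legal_hold:
        return False, "legal hold present; remove it first (s3:PutObjectLegalHold)"
    if retention_active(v, now):
        if v.mode == COMPLIANCE:
            return False, "compliance retention active; nobody, root included, can delete"
        if not can_bypass_governance(p, headers):
            return False, ("governance retention active; need s3:BypassGovernanceRetention "
                           f"and {BYPASS_HEADER}:true")
    return True, "version deleted"


def check_put_retention(v, p, now, new_mode, new_until, headers=None) -> Tuple[bool, str]:
    """PutObjectRetention against a version that may already be locked."""
    headers = headers or {}
    if not p.has("s3:PutObjectRetention"):
        return False, "missing s3:PutObjectRetention"
    if not retention_active(v, now):
        return True, "retention set"
    if v.mode == COMPLIANCE:
        if new_mode != COMPLIANCE:
            return False, "compliance mode cannot be changed"
        if new_until < v.retain_until:
            return False, "compliance retention cannot be shortened"
        return True, "compliance retention extended"
    # Governance: lengthening is an ordinary write; any other change is an override.
    if new_mode == GOVERNANCE and new_until >= v.retain_until:
        return True, "governance retention extended"
    if can_bypass_governance(p, headers):
        return True, "governance settings overridden"
    return False, "governance override needs s3:BypassGovernanceRetention and the bypass header"


def check_put_legal_hold(v, p, on: bool) -> Tuple[bool, str]:
    """PutObjectLegalHold: one permission, no mode, no expiry, independent of retention."""
    if not p.has("s3:PutObjectLegalHold"):
        return False, "missing s3:PutObjectLegalHold"
    v.legal_hold = on
    return True, "legal hold " + ("placed" if on else "removed")


if __name__ == "__main__":
    ledger = ObjectVersion("ledger.csv", "v1", GOVERNANCE, days(30))
    admin = Principal("admin", {"s3:BypassGovernanceRetention", "s3:PutObjectRetention"})
    print(check_delete(ledger, admin, NOW, "v1"))                           # blocked: no header
    print(check_delete(ledger, admin, NOW, "v1", {BYPASS_HEADER: "true"}))  # allowed
```

Against a real bucket the same three checks correspond to `aws s3api delete-object --version-id ... --bypass-governance-retention`, `aws s3api put-object-retention` and `aws s3api put-object-legal-hold`; the model is only there to make the decision table explicit before you commit to a compliance-mode period you cannot undo.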
AWS Certification Exam Practice Questions
- Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
- AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
- AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated.
- Open to further feedback, discussion and correction.
- A company needs to store its accounting records in Amazon S3. No one at the company, including administrative users and root users, should be able to delete the records for the entire 10-year period. The records must be stored with maximum resiliency. Which solution will meet these requirements?
- Use an access control policy to deny deletion of the records for a period of 10 years.
- Use an IAM policy to deny deletion of the records. After 10 years, change the IAM policy to allow deletion.
- Use S3 Object Lock in compliance mode for a period of 10 years.
- Use S3 Object Lock in governance mode for a period of 10 years.