S3 Object Lock

AWS S3 Security

~ Last updated on : ~ jayendrapatil

AWS S3 Security

📌 Last Updated: June 2026. This post reflects the latest S3 security features including default SSE-S3 encryption, SSE-C disabled by default (April 2026), S3 Access Grants, ABAC for S3 buckets, Resource Control Policies (RCPs), and DSSE-KMS dual-layer encryption.

  • AWS S3 Security is a shared responsibility between AWS and the Customer
  • S3 is a fully managed service that is protected by the AWS global network security procedures
  • AWS handles basic security tasks like guest operating system (OS) and database patching, firewall configuration, and disaster recovery.
  • Security and compliance of S3 are assessed by third-party auditors as part of multiple AWS compliance programs including SOC, PCI DSS, HIPAA, etc.
  • S3 provides several other features to handle security, which are the customers’ responsibility.
  • S3 Encryption supports both data at rest and data in transit encryption.
    • Data in transit encryption can be provided by enabling communication via SSL/TLS or using client-side encryption
    • Data at rest encryption can be provided using Server Side or Client Side encryption
    • All new objects are automatically encrypted with SSE-S3 by default (since January 2023)
    • SSE-C is disabled by default on all new general purpose buckets (since April 2026)
  • S3 permissions can be handled using
    • IAM User Policies
    • Resource-based policies which include Bucket policies (ACLs are now disabled by default)
    • S3 Access Points
    • S3 Access Grants – scalable access control mapping corporate identities to S3 data
    • Attribute-Based Access Control (ABAC) – tag-based authorization for S3 buckets (Nov 2025)
  • S3 Object Lock helps to store objects using a WORM model and can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely.
  • S3 Access Points simplify data access for any AWS service or customer application that stores data in S3.
  • S3 Versioning with MFA Delete can be enabled on a bucket to ensure that data in the bucket cannot be accidentally overwritten or deleted.
  • S3 Block Public Access provides controls across an entire AWS Account or at the individual S3 bucket level to ensure that objects never have public access, now and in the future.
  • S3 Access Analyzer monitors the access policies, ensuring that the policies provide only the intended access to your S3 resources.
  • S3 Object Ownership – by default set to Bucket owner enforced, disabling ACLs on all new buckets.
  • Resource Control Policies (RCPs) – centrally restrict external access to S3 resources across an organization (Nov 2024).

S3 Encryption

  • S3 allows the protection of data in transit by enabling communication via SSL/TLS or using client-side encryption
  • All new objects uploaded to S3 are automatically encrypted at rest with SSE-S3 by default (since January 5, 2023). This applies to all buckets at no additional cost.
  • SSE-C (Server-Side Encryption with Customer-Provided Keys) is disabled by default on all new general purpose buckets since April 2026. Applications that need SSE-C must explicitly enable it using the PutBucketEncryption API after bucket creation.
  • S3 provides data-at-rest encryption using
    • Server-Side Encryption: S3 handles the encryption
      • SSE-S3
        • S3 handles the encryption and decryption using S3 managed keys
        • This is now the base level of encryption for every bucket in S3 (default)
      • SSE-KMS
        • S3 handles the encryption and decryption using keys managed through AWS KMS.
        • Provides additional audit trail via AWS CloudTrail for key usage
      • DSSE-KMS (Dual-Layer Server-Side Encryption)
        • Applies two layers of encryption using AWS KMS keys
        • Even if one encryption layer were compromised, data remains protected by the second layer
        • Designed for highly regulated workloads requiring CNSSP 15 compliance
        • Higher cost due to increased processing overhead and additional KMS API calls
      • SSE-C
        • S3 handles the encryption and decryption using keys managed and provided by the Customer.
        • Disabled by default on new buckets since April 2026 — must be explicitly enabled via PutBucketEncryption API
        • Most modern use cases prefer SSE-S3 or SSE-KMS for greater flexibility
    • Client Side Encryption: Customer handles the encryption
      • CSE-KMS
        • Customer handles the encryption and decryption using keys managed through AWS KMS.
      • Client-side Master Key
        • Customer handles the encryption and decryption using keys managed by them.

S3 Permissions

Refer blog post @ S3 Permissions

S3 Object Ownership

  • S3 Object Ownership is a bucket-level setting to control ownership of objects uploaded to a bucket and to disable or enable ACLs.
  • By default, Object Ownership is set to Bucket owner enforced, and all ACLs are disabled.
  • When ACLs are disabled, the bucket owner owns all the objects in the bucket and manages access exclusively using access-management policies.
  • A majority of modern use cases in S3 no longer require the use of ACLs.
  • Object Ownership has three settings:
    • Bucket owner enforced (default) – ACLs are disabled. The bucket owner automatically owns and has full control over every object. Policies define access control.
    • Bucket owner preferred – The bucket owner owns new objects written by other accounts if uploaded with the bucket-owner-full-control canned ACL.
    • Object writer – The uploading account owns the object. ACLs are enabled.
  • With ACLs disabled, you can use policies to control access to all objects in your bucket, regardless of who uploaded them.

S3 Object Lock

  • S3 Object Lock helps to store objects using a write-once-read-many (WORM) model.
  • can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely.
  • can help meet regulatory requirements that require WORM storage or add an extra layer of protection against object changes and deletion.
  • can be enabled only for new buckets and works only in versioned buckets.
  • provides two retention modes that apply different levels of protection to the objects
    • Governance mode
      • Users can’t overwrite or delete an object version or alter its lock settings unless they have special permissions.
      • Objects can be protected from being deleted by most users, but some users can be granted permission to alter the retention settings or delete the object if necessary.
      • Can be used to test retention-period settings before creating a compliance-mode retention period.
    • Compliance mode
      • A protected object version can’t be overwritten or deleted by any user, including the root user in the AWS account.
      • Object retention mode can’t be changed, and its retention period can’t be shortened.
      • Object versions can’t be overwritten or deleted for the duration of the retention period.
  • Legal Hold
    • Provides the same protection as a retention period, but has no expiration date.
    • Remains in place until explicitly removed.
    • Can be applied to any object in an Object Lock-enabled bucket, whether or not that object has a retention period.
    • Requires the s3:PutObjectLegalHold permission to add or remove.

S3 Access Points

  • S3 access points simplify data access for any AWS service or customer application that stores data in S3.
  • Access points are named network endpoints that are attached to buckets and can be used to perform S3 object operations, such as GetObject and PutObject.
  • Each access point has distinct permissions and network controls that S3 applies for any request that is made through that access point.
  • Each access point enforces a customized access point policy that works in conjunction with the bucket policy, attached to the underlying bucket.
  • An access point can be configured to accept requests only from a VPC to restrict S3 data access to a private network.
  • Custom block public access settings can be configured for each access point.
  • S3 Access Points now support tags for ABAC (Aug 2025), enabling tag-based permissions for access points.
  • S3 Multi-Region Access Points provide a global endpoint for applications to fulfill requests from S3 buckets in multiple AWS Regions.
    • Uses AWS Global Accelerator for intelligent routing to the nearest bucket
    • Supports failover controls for active-passive or active-active configurations
    • Does not support anonymous requests

S3 Access Grants

  • S3 Access Grants is a scalable access control solution that maps identities to S3 data permissions.
  • Acts as a credential vendor — users request credentials from S3 Access Grants, which evaluates grants and vends temporary, least-privilege access credentials.
  • Supports mapping identities from corporate directories such as Microsoft Entra ID (formerly Azure AD), Okta, and other IdPs via AWS IAM Identity Center.
  • Supports up to 100,000 grants per Region per account.
  • Ideal for complex access control requirements:
    • Bucket policy size limit (20 KB) exceeded
    • Human identities from external IdPs need S3 access for analytics and big data
    • Cross-account access without frequent IAM policy updates
    • Object-level access control for unstructured data
  • Integrates with AWS machine learning and analytics services including Amazon SageMaker, Amazon Redshift, and AWS Glue.
  • Simplifies authentication when using both IAM and Identity Provider permissions (March 2025).

S3 Attribute-Based Access Control (ABAC)

  • Launched November 2025 – Tag-based authorization for S3 general purpose buckets.
  • Enables automatically managing permissions for users and roles by controlling data access through tags on S3 buckets.
  • Instead of managing permissions individually, use tag-based IAM or bucket policies to grant or deny access based on matching tags between principals and buckets.
  • Makes it easy to grant S3 access based on project, team, cost center, data classification, or other bucket attributes instead of bucket names.
  • ABAC must be explicitly enabled on each S3 bucket using the PutBucketAbac API.
  • Tag-based condition keys work in AWS Organizations policies, IAM policies, and S3 bucket policies.
  • Can enforce tagging requirements at bucket creation using SCPs or IAM policies with aws:TagKeys and aws:RequestTag condition keys.
  • Same tags can serve dual purpose: access control (ABAC) and cost allocation.
  • Available through Console, API, SDKs, CLI, and CloudFormation at no additional cost.
  • Also supported on S3 directory buckets, S3 access points, and S3 tables buckets.

S3 VPC Gateway Endpoint

  • A VPC endpoint enables connections between a VPC and supported services, without requiring that you use an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.
  • VPC is not exposed to the public internet.
  • A Gateway Endpoint is a gateway that is a target for a route in your route table used for traffic destined to either S3.

S3 Block Public Access

  • S3 Block Public Access provides controls across an entire AWS Account or at the individual S3 bucket level to ensure that objects never have public access, now and in the future.
  • S3 Block Public Access provides settings for access points, buckets, and accounts to help manage public access to S3 resources.
  • By default, new buckets, access points, and objects don’t allow public access. However, users can modify bucket policies, access point policies, or object permissions to allow public access.
  • S3 Block Public Access settings override these policies and permissions so that public access to these resources can be limited.
  • S3 Block Public Access allows account administrators and bucket owners to easily set up centralized controls to limit public access to their S3 resources that are enforced regardless of how the resources are created.
  • S3 doesn’t support block public access settings on a per-object basis.
  • S3 Block Public Access settings when applied to an account apply to all AWS Regions globally.

Resource Control Policies (RCPs)

  • Launched November 2024 – A new type of authorization policy in AWS Organizations for centrally restricting access to AWS resources.
  • RCPs work alongside Service Control Policies (SCPs) to establish permissions guardrails across multiple accounts in an organization.
  • Can enforce that S3 buckets in your accounts are only accessible by principals belonging to your organization.
  • Resource-based — they restrict what actions can be taken on resources regardless of the identity-based permissions granted.
  • Do not grant access — they only set the maximum available permissions on resources.
  • Key S3 use case: Restrict access to S3 buckets so no principal outside the organization can access them, regardless of individual S3 bucket policies.
  • Available in AWS GovCloud (US) Regions since May 2025.
  • Supported by AWS Control Tower with configurable managed controls.

S3 Access Analyzer

  • S3 Access Analyzer (part of IAM Access Analyzer) monitors the access policies, ensuring that the policies provide only the intended access to your S3 resources.
  • Evaluates bucket access policies and enables you to discover and swiftly remediate buckets with potentially unintended access.
  • External Access Findings — identifies resources accessible by principals outside your account or organization.
  • Internal Access Findings (June 2025) — identifies who within your AWS organization has access to critical resources including S3 buckets.
    • Monitors selected resources daily and surfaces findings in a unified dashboard
    • Combines internal and external access findings for a 360-degree view
  • Unused Access Analysis — identifies unused roles, access keys, and permissions to help achieve least privilege.
  • Custom Policy Checks — validate policies before deployment, including:
    • Check No Public Access (Jul 2024)
    • Check Access Not Granted
    • Guided revocation for unused access (Jun 2024)
  • Can be integrated into CI/CD pipelines for automated policy reviews.

S3 Security Best Practices

S3 Preventative Security Best Practices

  • Ensure S3 buckets use the correct policies and are not publicly accessible
    • Use S3 block public access
    • Keep ACLs disabled (Bucket owner enforced) unless specifically needed
    • Use AWS Trusted Advisor to inspect the S3 implementation.
    • Use Resource Control Policies (RCPs) to restrict access to organization principals only
  • Implement least privilege access
    • Use S3 Access Grants for complex identity-based access at scale
    • Use ABAC for tag-based authorization to simplify policy management
    • Use IAM Access Analyzer to identify and remediate overly permissive policies
  • Use IAM roles for applications and AWS services that require S3 access
  • Enable Multi-factor authentication (MFA) Delete to help prevent accidental bucket deletions
  • Consider Data at Rest Encryption
    • SSE-S3 is now applied by default to all new objects
    • Use SSE-KMS for additional audit trails and key management
    • Use DSSE-KMS for compliance requiring two independent layers of encryption
  • Enforce Data in Transit Encryption
  • Consider S3 Object Lock to store objects using a “Write Once Read Many” (WORM) model.
  • Enable versioning to easily recover from both unintended user actions and application failures.
  • Consider S3 Cross-Region replication
  • Consider VPC endpoints for S3 access to provide private S3 connectivity and help prevent traffic from potentially traversing the open internet.
  • Secure presigned URLs with short expiration times, IP restrictions, and scoped IAM permissions.

S3 Monitoring and Auditing Best Practices

  • Identify and Audit all S3 buckets to have visibility of all the S3 resources to assess their security posture and take action on potential areas of weakness.
  • Implement monitoring using AWS monitoring tools
  • Enable S3 server access logging, which provides detailed records of the requests that are made to a bucket useful for security and access audits
  • Use AWS CloudTrail, which provides a record of actions taken by a user, a role, or an AWS service in S3.
  • Enable AWS Config, which enables you to assess, audit, and evaluate the configurations of the AWS resources
  • Use Amazon Macie with S3 to automatically discover, classify, and protect sensitive data in AWS.
    • Automated sensitive data discovery continuously samples and analyzes objects
    • Provides sensitivity scores for each bucket
    • Builds interactive data maps showing sensitive data distribution across accounts
  • Use IAM Access Analyzer to monitor both external and internal access to S3 resources
  • Monitor AWS security advisories to regularly check security advisories posted in Trusted Advisor for the AWS account.

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. A company needs to ensure all objects stored in their S3 buckets are encrypted with a dual-layer encryption mechanism for CNSSP 15 compliance. Which encryption option should they use?
    1. SSE-S3
    2. SSE-KMS
    3. DSSE-KMS
    4. SSE-C

    Answer: c. DSSE-KMS — Dual-Layer Server-Side Encryption with AWS KMS keys provides two independent layers of encryption for compliance requirements like CNSSP 15.

  2. An organization wants to grant access to S3 buckets based on team membership from their Microsoft Entra ID directory, supporting up to 50,000 data scientists. Which S3 feature is most appropriate?
    1. S3 Bucket Policies
    2. S3 Access Points
    3. S3 Access Grants
    4. S3 ACLs

    Answer: c. S3 Access Grants — Maps corporate directory identities to S3 data permissions at scale (up to 100,000 grants per Region), ideal for large organizations with external IdPs.

  3. A security engineer needs to ensure that no S3 buckets in any account of the organization can be accessed by principals outside the organization, regardless of individual bucket policies. Which feature should they implement?
    1. S3 Block Public Access
    2. Service Control Policies (SCPs)
    3. Resource Control Policies (RCPs)
    4. S3 Bucket Policies with Deny statements

    Answer: c. Resource Control Policies (RCPs) — RCPs centrally restrict external access to AWS resources across an organization, enforcing that S3 buckets are accessible only by principals belonging to the organization.

  4. An administrator wants to simplify S3 bucket access management by automatically granting access based on environment tags (dev, staging, prod) rather than maintaining individual bucket ARNs in policies. What feature should they use?
    1. S3 Access Grants
    2. S3 ABAC (Attribute-Based Access Control)
    3. S3 Access Points
    4. AWS Organizations SCPs

    Answer: b. S3 ABAC — Enables tag-based authorization for S3 buckets, allowing access decisions based on matching tags between principals and buckets rather than individual bucket names.

  5. A company creates a new S3 bucket and attempts to upload objects using SSE-C encryption but receives an AccessDenied error. What is the most likely cause? (Choose the best answer)
    1. The IAM user lacks encryption permissions
    2. SSE-C is disabled by default on new buckets since April 2026
    3. The bucket policy blocks encryption operations
    4. KMS key permissions are missing

    Answer: b. — Since April 2026, SSE-C is disabled by default on all new general purpose buckets. Applications must explicitly enable SSE-C via the PutBucketEncryption API.

  6. Which IAM Access Analyzer feature, launched in June 2025, helps security teams identify who within their AWS organization has access to critical resources like S3 buckets?
    1. External Access Findings
    2. Internal Access Findings
    3. Unused Access Analysis
    4. Custom Policy Checks

    Answer: b. Internal Access Findings — Monitors resources daily and provides a unified dashboard combining internal and external access findings for a 360-degree view.

References

AWS S3 Object Lock

~ Last updated on : ~ jayendrapatil ~ 1 Comment

AWS S3 Object Lock

  • S3 Object Lock helps to store objects using a write-once-read-many (WORM) model.
  • can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely.
  • can help meet regulatory requirements that require WORM storage or add an extra layer of protection against object changes and deletion.
  • can be enabled for both new and existing buckets.
    • Since Nov 2023, Object Lock can be enabled on existing buckets directly through the console, CLI, API, or SDKs without contacting AWS Support.
  • works only in versioned buckets (general purpose buckets only; not supported on directory buckets).
  • Once Object Lock is enabled
    • Object Lock can’t be disabled
    • automatically enables versioning for the bucket
    • versioning can’t be suspended for the bucket.
  • provides two ways to manage object retention.
    • Retention period
      • protects an object version for a fixed amount of time, during which an object remains locked.
      • During this period, the object is WORM-protected and can’t be overwritten or deleted.
      • can be applied on an object version either explicitly or through a bucket default setting.
      • S3 stores a timestamp in the object version’s metadata to indicate when the retention period expires. After the retention period expires, the object version can be overwritten or deleted unless you also placed a legal hold on the object version.
      • Retention period can be extended but never shortened (in both compliance and governance modes).
      • Minimum and maximum allowable retention periods can be enforced using the s3:object-lock-remaining-retention-days condition key in a bucket policy.
    • Legal hold
      • protects an object version, as a retention period, but it has no expiration date.
      • remains in place until you explicitly remove it.
      • can be freely placed and removed by any user who has the s3:PutObjectLegalHold permission.
      • are independent of retention periods.
      • ideal when the duration of protection is unknown (e.g., litigation, investigations, audits).
    • Retention periods and legal holds apply to individual object versions.
    • Placing a retention period or legal hold on an object protects only the version specified in the request. It doesn’t prevent new versions of the object from being created.
    • An object version can have both a retention period and a legal hold, one but not the other, or neither.
  • provides two retention modes that apply different levels of protection to the objects
    • Governance mode
    • Compliance mode
  • S3 buckets with S3 Object Lock can’t be used as destination buckets for server access logs.
  • has been assessed by Cohasset Associates for use in environments that are subject to SEC 17a-4, CFTC, and FINRA regulations.
  • Objects protected by Object Lock (both GOVERNANCE and COMPLIANCE modes) do not allow annotation modifications (create, update, or delete). To add annotations to a locked object, create a new object version.
  • provides critical defense against ransomware attacks by preventing backup and archive data from being deleted or altered.

S3 Object Lock – Retention Modes

Governance mode

  • Users can’t overwrite or delete an object version or alter its lock settings unless they have special permissions.
  • Objects can be protected from being deleted by most users, but some users can be granted permission to alter the retention settings or delete the object if necessary.
  • Can be used to test retention-period settings before creating a compliance-mode retention period.
  • To override or remove governance-mode retention settings, a user must have the s3:BypassGovernanceRetention permission and must explicitly include x-amz-bypass-governance-retention:true as a request header.
  • The S3 console automatically applies the bypass header if the user has the s3:BypassGovernanceRetention permission.
  • Bypassing governance mode doesn’t affect an object version’s legal hold status.

Compliance mode

  • A protected object version can’t be overwritten or deleted by any user, including the root user in the AWS account.
  • Object retention mode can’t be changed, and its retention period can’t be shortened (but can be extended).
  • Object versions can’t be overwritten or deleted for the duration of the retention period.
  • The only way to delete an object under compliance mode before its retention date expires is to delete the associated AWS account.
  • Compliance mode provides the strict immutability required by regulations such as SEC 17a-4(f).

S3 Object Lock – How Deletes Work

  • If a bucket has Object Lock enabled and the object is protected by a retention period or legal hold:
    • Permanent DELETE request (specifies a version ID) – S3 returns an Access Denied (403 Forbidden) error.
    • Simple DELETE request (no version ID) – S3 returns 200 OK and inserts a delete marker. The protected object version is NOT deleted.
  • Delete markers are NOT WORM-protected, regardless of any retention period or legal hold on the underlying object.

S3 Object Lock – Default Bucket Configuration

  • A default retention period can be set on a bucket that applies automatically to all new objects placed in the bucket.
  • Default retention settings specify a mode (Governance or Compliance) and a duration (in days or years).
  • When an object is uploaded to a bucket with a default retention setting, S3 calculates a Retain Until Date by adding the duration to the object’s creation timestamp.
  • If an object is uploaded with an explicit individual retention mode and period, the object’s individual settings override the bucket defaults.
  • Default retention settings apply only to new objects; they do NOT retroactively apply to existing objects already in the bucket.
  • S3 Batch Operations can be used to apply Object Lock retention or legal holds to existing objects at scale.

S3 Object Lock with Replication

  • Object Lock can be used with S3 Replication (CRR and SRR) to replicate locked objects and their retention metadata across buckets.
  • If the source bucket has Object Lock enabled, the destination buckets must also have Object Lock enabled.
  • Retention settings replicate automatically with the objects.
  • The replication IAM role requires additional permissions: s3:GetObjectRetention and s3:GetObjectLegalHold.
  • Replication for Object Lock-enabled buckets can now be configured directly through the console without contacting AWS Support (since Nov 2023).

S3 Object Lock – Additional Considerations

  • Lifecycle management: S3 Lifecycle rules continue to function on protected objects (including placing delete markers and transitioning storage classes), but a locked version cannot be permanently deleted by a Lifecycle expiration policy until retention expires.
  • Encryption: Object Lock works with encrypted objects. However, it does not protect against losing access to encryption keys or keys being deleted.
  • S3 Inventory: S3 Inventory can include Object Lock metadata (retain until date, retention mode, legal hold status) in inventory reports.
  • S3 Storage Lens: Provides metrics for Object Lock-enabled storage bytes and object count.
  • Upload integrity: The Content-MD5 or x-amz-sdk-checksum-algorithm header is required when uploading an object with a retention period configured.
  • Events and notifications: S3 Event Notifications and CloudTrail can track access and changes to Object Lock configurations.
  • Retention period limits: Can set minimum and maximum allowable retention periods using bucket policies with the s3:object-lock-remaining-retention-days condition key. Maximum retention period is 100 years.

S3 Object Lock – Required Permissions

  • s3:PutObjectRetention – required to set a retention period on an object
  • s3:GetObjectRetention – required to view an object’s retention settings
  • s3:PutObjectLegalHold – required to place or remove a legal hold
  • s3:GetObjectLegalHold – required to view an object’s legal hold status
  • s3:PutBucketObjectLockConfiguration – required to configure Object Lock on a bucket
  • s3:GetBucketObjectLockConfiguration – required to view a bucket’s Object Lock configuration
  • s3:BypassGovernanceRetention – required to bypass governance mode protections

S3 Object Lock with Batch Operations

  • S3 Batch Operations can apply Object Lock retention or legal holds at scale to millions of existing objects.
  • Supports both PutObjectRetention and PutObjectLegalHold operations.
  • Manifests can be generated using S3 Inventory reports with Amazon Athena or on-demand manifest generation.
  • Useful for retroactively protecting existing data that was stored before Object Lock was enabled.
  • Enables tiered retention policies by organizing objects into separate manifests with different retention periods.

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. A company needs to store its accounting records in Amazon S3. No one at the company; including administrative users and root users, should be able to delete the records for an entire 10-year period. The records must be stored with maximum resiliency. Which solution will meet these requirements?
    1. Use an access control policy to deny deletion of the records for a period of 10 years.
    2. Use an IAM policy to deny deletion of the records. After 10 years, change the IAM policy to allow deletion.
    3. Use S3 Object Lock in compliance mode for a period of 10 years.
    4. Use S3 Object Lock in governance mode for a period of 10 years.
  2. A company wants to protect S3 objects from accidental deletion by users who have full S3 permissions. Users should still be able to delete objects if business needs arise, but only with explicit authorization from a security team. Which approach meets these requirements?
    1. Enable S3 Object Lock in compliance mode with a 1-year retention period.
    2. Enable S3 Object Lock in governance mode and restrict the s3:BypassGovernanceRetention permission to the security team’s IAM role.
    3. Enable MFA Delete on the S3 bucket.
    4. Use an S3 bucket policy to deny all delete operations.
  3. An organization has an existing S3 bucket with millions of objects. They need to apply WORM protection to all existing objects to meet a new compliance requirement. What is the MOST efficient approach?
    1. Copy all objects to a new bucket with Object Lock enabled.
    2. Contact AWS Support to enable Object Lock on the existing bucket.
    3. Enable Object Lock on the existing bucket and use S3 Batch Operations with a manifest from S3 Inventory to apply retention settings to existing objects.
    4. Write a Lambda function to apply retention settings to each object individually.
  4. A company has S3 Object Lock in compliance mode applied to financial records with a 7-year retention period. A legal request requires immediate deletion of certain records. What can be done?
    1. Use s3:BypassGovernanceRetention permission to delete the objects.
    2. Change the retention mode from compliance to governance, then delete.
    3. Shorten the retention period to expire immediately.
    4. The objects cannot be deleted until the retention period expires. The only option is to delete the entire AWS account.
  5. A DevOps team wants to protect backup data from ransomware. They want immutability but need the flexibility to delete backups early if storage costs become a concern. Which S3 Object Lock configuration should they use?
    1. Compliance mode with a long retention period.
    2. Governance mode with an appropriate retention period, restricting s3:BypassGovernanceRetention to administrators.
    3. Legal hold on all backup objects.
    4. S3 Versioning without Object Lock.

References

AWS S3 Data Consistency Model

~ Last updated on : ~ jayendrapatil ~ 7 Comments

AWS S3 Data Consistency Model

  • S3 Data Consistency provides strong read-after-write consistency for PUT and DELETE requests of objects in the S3 bucket in all AWS Regions
  • This behavior applies to both writes to new objects as well as PUT requests that overwrite existing objects and DELETE requests.
  • Read operations on S3 Select, S3 ACLs, S3 Object Tags, and object metadata (for example, the HEAD object) are strongly consistent.
  • Updates to a single key are atomic. for e.g., if you PUT to an existing key, a subsequent read might return the old data or the updated data, but it will never write corrupted or partial data.
  • S3 achieves high availability by replicating data across multiple servers within Amazon’s data centers. If a PUT request is successful, the data is safely stored. Any read (GET or LIST request) that is initiated following the receipt of a successful PUT response will return the data written by the PUT request.
  • S3 Data Consistency behavior examples
    • A process writes a new object to S3 and immediately lists keys within its bucket. The new object appears in the list.
    • A process replaces an existing object and immediately tries to read it. S3 returns the new data.
    • A process deletes an existing object and immediately tries to read it. S3 does not return any data because the object has been deleted.
    • A process deletes an existing object and immediately lists keys within its bucket. The object does not appear in the listing.
  • S3 does not currently support object locking for concurrent writes. S3 now supports Conditional Writes (launched Aug 2024) to handle concurrent write scenarios. for e.g. If two PUT requests are simultaneously made to the same key, the request with the latest timestamp wins. You can use conditional writes with If-None-Match or If-Match headers to prevent unintentional overwrites.
  • Updates are key-based; there is no way to make atomic updates across keys. for e.g, an update of one key cannot be dependent on the update of another key unless you design this functionality into the application.
  • S3 Object Lock is different as it allows to store objects using a write-once-read-many (WORM) model, which prevents an object from being deleted or overwritten for a fixed amount of time or indefinitely.

S3 Conditional Writes

  • S3 Conditional Writes, launched in August 2024, allow adding preconditions to write requests to coordinate concurrent writers and prevent unintentional overwrites.
  • If-None-Match header (Aug 2024)
    • Prevents overwrites of existing data by checking if an object with the same key name already exists in the bucket.
    • Expects the * (asterisk) value.
    • If an identical key name exists, the operation fails with a 412 Precondition Failed response.
    • Useful for ensuring exactly-once uploads and preventing duplicate data.
    • Supported on PutObject, CompleteMultipartUpload, and CopyObject APIs.
  • If-Match header (Nov 2024)
    • Compares the provided ETag value with the ETag of the object currently in S3.
    • If the ETag values don’t match (object was modified), the write operation fails with a 412 Precondition Failed response.
    • Enables optimistic concurrency control — check-and-set pattern without external locking.
    • Helps coordinate simultaneous writes and prevents multiple concurrent writers from unintentionally overwriting objects.
    • Supported on PutObject, CompleteMultipartUpload, and CopyObject APIs.
  • Conditional Write Enforcement via Bucket Policy (Nov 2024)
    • Bucket owners can use s3:if-none-match or s3:if-match condition keys in bucket policies to mandate the use of conditional headers.
    • Requests without the required conditional headers will be denied with a 403 Access Denied error.
  • Conditional Writes for Copy Operations (Oct 2025)
    • Extended conditional write support to CopyObject operations.
    • Allows verifying if an object exists or has been modified in the destination bucket before copying.
    • Uses s3:if-match and s3:if-none-match condition keys enforceable via bucket policies.
  • Error Responses
    • 412 Precondition Failed — Precondition not met (object exists or ETag mismatch).
    • 409 Conflict — A concurrent delete request succeeded before the conditional write completed.
    • 404 Not Found — Object no longer exists when using If-Match (concurrent delete).
  • There is no additional charge for conditional writes — standard request pricing applies.
  • Use cases include leader election, distributed locking, write-once data pipelines, and multi-writer applications without external coordination systems like DynamoDB.

S3 Default Data Integrity Protections

  • Starting December 2024, S3 provides default data integrity protections for new object uploads.
  • The latest AWS SDKs automatically calculate CRC-based checksums for uploads as data is transmitted over the network.
  • S3 independently verifies these checksums and accepts objects after confirming data integrity was maintained in transit.
  • If no checksum is provided on upload, S3 automatically calculates and applies a CRC64NVME checksum as default integrity protection.
  • Checksums can be requested during download to verify data consistency.
  • This ensures end-to-end data integrity without requiring application-level checksum implementation.

S3 Consistency with S3 Express One Zone

  • S3 Express One Zone (launched Nov 2023) provides strong read-after-write consistency with single-digit millisecond data access.
  • Objects are stored in directory buckets in a single Availability Zone, co-located with compute resources for lowest latency.
  • Delivers up to 10x faster performance and up to 50% lower request costs compared to S3 Standard.
  • Supports conditional deletes (Nov 2024) — can evaluate whether an object is unchanged before deleting it, improving data durability in high-concurrency scenarios.
  • Provides the same strong consistency model as S3 Standard for all operations.

S3 Legacy Consistency Model (Historical Reference)

  • S3 provides strong Read-after-Write consistency for PUTS of new objects
    • For a PUT request, S3 synchronously stores data across multiple facilities before returning SUCCESS
    • A process writes a new object to S3 and will be immediately able to read the Object i.e. PUT 200 -> GET 200
    • A process writes a new object to S3 and immediately lists keys within its bucket. Until the change is fully propagated, the object might not appear in the list.
    • However, if a HEAD or GET request to a key name is made before the object is created, then create the object shortly after that, a subsequent GET might not return the object due to eventual consistency. i.e. GET 404 -> PUT 200 -> GET 404
  • S3 provides Eventual Consistency for overwrite PUTS and DELETES in all regions.
    • For updates and deletes to Objects, the changes are eventually reflected and not available immediately i.e. PUT 200 -> PUT 200 -> GET 200 (might be older version) OR DELETE 200 -> GET 200
    • if a process replaces an existing object and immediately attempts to read it, S3 might return the prior data till the change is fully propagated
    • if a process deletes an existing object and immediately attempts to read it, S3 might return the deleted data until the deletion is fully propagated
    • if a process deletes an existing object and immediately lists keys within its bucket. Until the deletion is fully propagated, S3 might list the deleted object.
  • Note: Since December 2020, S3 provides strong read-after-write consistency for ALL operations (GET, PUT, LIST, DELETE, tags, ACLs, metadata). The eventual consistency model above is no longer applicable but retained for historical and exam reference.

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. Which of the following are valid statements about Amazon S3? Choose 2 answers
    1. S3 provides read-after-write consistency for any type of PUT or DELETE. (S3 now provides strong read-after-write consistency)
    2. Consistency is not guaranteed for any type of PUT or DELETE.
    3. A successful response to a PUT request only occurs when a complete object is saved
    4. Partially saved objects are immediately readable with a GET after an overwrite PUT.
    5. S3 provides eventual consistency for overwrite PUTS and DELETES
  2. A customer is leveraging Amazon Simple Storage Service in eu-west-1 to store static content for web-based property. The customer is storing objects using the Standard Storage class. Where are the customers’ objects replicated?
    1. Single facility in eu-west-1 and a single facility in eu-central-1
    2. Single facility in eu-west-1 and a single facility in us-east-1
    3. Multiple facilities in eu-west-1
    4. A single facility in eu-west-1
  3. A user has an S3 object in the US Standard region with the content “color=red”. The user updates the object with the content as “color=”white”. If the user tries to read the value 1 minute after it was uploaded, what will S3 return?
    1. It will return “color=white” (strong read-after-write consistency — S3 provides strong consistency for all operations since December 2020)
    2. It will return “color=red”
    3. It will return an error saying that the object was not found
    4. It may return either “color=red” or “color=white” i.e. any of the value (Eventual Consistency — No longer applicable)
  4. A company has multiple applications writing to the same S3 object simultaneously. They want to ensure that an application only writes to the object if no other application has modified it since it was last read. What S3 feature should they use?
    1. S3 Object Lock with Governance mode
    2. S3 Versioning with MFA Delete
    3. S3 Conditional Writes with the If-Match header (If-Match compares ETag to ensure object hasn’t changed since last read — optimistic concurrency control)
    4. S3 Cross-Region Replication
  5. An application needs to ensure that an object is uploaded to S3 only if no object with the same key already exists. Which approach provides this guarantee at the storage layer without external coordination?
    1. Check with a GET request before uploading with PUT
    2. Use S3 Versioning to track duplicates
    3. Use DynamoDB as a distributed lock manager
    4. Use the If-None-Match header with PutObject (If-None-Match with * value ensures the PUT only succeeds if no object with that key exists — atomic check-and-put)
  6. Which of the following statements about S3 Conditional Writes are correct? (Choose 2)
    1. The If-Match header can be used to update an object only if its ETag matches the expected value
    2. Conditional writes require S3 Object Lock to be enabled on the bucket
    3. Bucket policies can enforce conditional writes using s3:if-none-match condition keys
    4. Conditional writes are only supported on S3 Express One Zone directory buckets
    5. Conditional writes incur additional per-request charges

References