Object storage – Object Lock

Functionality overview

The Object Lock functionality allows to store objects using a WORM model (write once read many).

It prevents objects from being modified or deleted for some time. Duration is either limited (retention period) or unlimited (legal hold).


Typical use cases: regulatory requirement or better protect your data (for instance, immutable backup).


Some notes :

  • the retention period feature implements 2 modes that change its behavior
  • the 2 features can be used together or separately
  • the functionality (Object Lock) must be activated when the bucket is created
  • it also requires to activate the bucket versioning (automatic)


Caveat :

  • because versioning is enabled, you can always delete an object
    • it creates a delete marker as the current version
    • the initial object stays unchanged (and protected)

Retention Period feature

The retention period can be configured:

  • as default for a bucket (in days or years, applying to new objects)
  • explicitly for an object (using a timestamp limit RetainUntilDate)
  • independently from the legal hold feature


The retention mode must be configured at the same time:

  • governance mode can be overridden with specific permissions (reduce,increase or delete retention)
  • compliance mode can’t be overridden (including by the account owner)

Legal Hold feature

The legal hold can be configured:

  • explicitly for an object
  • independently from the retention period feature

Use cases with AWS CLI

AWS CLI (Command Line Interface) is an open source tool that enables you to configure and use object storage with commands in a text interface (Linux shell or Windows command line).

A user guide is available at https://docs.aws.amazon.com/cli/latest/userguide/.

Prerequisite : Object Lock activation

It’s only possible when you create the bucket with --object-lock-enabled-for-bucket.

Bucket’s default retention

The setup requires both a mode (GOVERNANCE or COMPLIANCE) and a period (Days or Years).

Warning : COMPLIANCE mode can not be bypassed (even using an account’s root Access Key).

Mode GOVERNANCE et période de 1 jour:

After setup, any new object (PUT) gets automatically a retain until date metadata (ObjectLockRetainUntilDate) :

You can’t delete the object until the date is passed :

However in GOVERNANCE mode, you can bypass retention period with --bypass-governance-retention :

Extending an object’s retention period

You can extend an object’s retention period (by changing the RetainUntilDate timestamp). You can’t reduce it.

The new timestamp must be later than the current one.


Extending in GOVERNANCE mode (with --bypass-governance-retention) :

Extending in COMPLIANCE mode :

Enable an object’s legal hold

Legal hold ON :

After setup, the object gets a legal hold status metadata (ObjectLockLegalHoldStatus) :

Legal hold OFF :

Getting object lock information

The most simple is to get object’s metadata. They contain both retention period and legal hold information (if configured).

It’s also possible to request specifically retention period or legal hold.


Object’s metadata :


Retention period only :


Legal hold only :

Mixing retention period and legal hold

An object can have a retention period and a legal hold.

Each feature prevents object’s removal independently.

To remove this object, you must:

  • disable legal hold (if permitted)
    • (and) wait until 2023
    • (or) bypass retention period (if permitted)

About security

Never use a root Access Key

With a root AK, you can bypass retention GOVERNANCE mode and disable legal hold.

Only COMPLIANCE mode can’t be bypassed.

Restrict permissions

For everyday use (PUT objects in a bucket), you should apply a policy removing the following permissions :

  • s3:BypassGovernanceRetention
  • s3:PutObjectLegalHold
  • s3:PutObjectRetention