Object Lock


Introduction to Object Lock

Amazon S3 Object Lock is a powerful AWS feature designed to store objects using a Write Once Read Many (WORM) model. This ensures data immutability by preventing object deletion or modification for a specified period or indefinitely. Organizations that handle sensitive, regulated, or mission-critical data depend on Object Lock to meet compliance requirements, regulatory standards, and cybersecurity protection against threats such as ransomware or accidental deletion.

This feature is widely used in enterprise-level security, backup solutions, data retention strategies, and environments requiring tamper-proof data storage. With increasing cybersecurity incidents and strict data protection laws, learning Object Lock has become critical for cloud architects, AWS learners, security engineers, and DevOps professionals.

Purpose of Object Lock

Object Lock enables long-term data integrity by ensuring stored objects cannot be deleted, overwritten, or altered once locked. It helps meet regulatory requirements like SEC 17a-4(f), FINRA, HIPAA, and GDPR (when configured properly with compliance modes). This feature is especially beneficial when storing financial records, audit logs, compliance documents, database backups, legal archives, and immutable evidence.

Object Lock integrates with S3 Versioning to enhance protection because each version of an object can have its own retention period and lock configuration.

Benefits of S3 Object Lock

  • Immutability – Data cannot be deleted or overwritten during the lock period.
  • Compliance Support – Meets strict regulations for storing tamper-proof records.
  • Ransomware Protection – Prevents compromised users or systems from deleting backups.
  • Accidental Deletion Prevention – Ensures mission-critical objects remain safe.
  • Version-Level Protection – Each version of an object can have independent retention rules.

Prerequisites for Using Object Lock

Before using Object Lock, the S3 bucket must be created with Object Lock enabled. You cannot enable Object Lock on an existing bucket; it must be configured at creation time.

Steps to Create an Object Lock-Enabled Bucket

Here is an example of creating the bucket using the AWS CLI:


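# Outside us-east-1, create-bucket needs a LocationConstraint that matches the region.
aws s3api create-bucket \
  --bucket example-object-lock-bucket \
  --object-lock-enabled-for-bucket \
  --region ap-south-1 \
  --create-bucket-configuration LocationConstraint=ap-south-1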

After creating the bucket with Object Lock support, versioning is automatically enabled, and you can apply retention policies either at the bucket level or for individual objects.

Modes of S3 Object Lock

S3 Object Lock operates in two primary modes: Governance Mode and Compliance Mode. These modes decide how strictly immutability is enforced.

1. Governance Mode

Governance mode prevents users without special IAM permissions from editing or deleting objects during the retention period. However, users with elevated permissions (like s3:BypassGovernanceRetention) can override settings.

2. Compliance Mode

Compliance mode is the strictest setting: no one, including the root user, can delete, overwrite, or alter the object until the retention period expires. This is used for meeting strict regulatory compliance.

Examples of Enabling Compliance Mode


aws s3api put-object-retention \
  --bucket example-object-lock-bucket \
  --key financial-report.pdf \
  --retention "Mode=COMPLIANCE,RetainUntilDate=2030-01-01T00:00:00Z"

Retention Periods in Object Lock

Retention periods define how long an object remains protected. During this time, the object cannot be deleted or overwritten.

How Retention Works

  • Retention is applied per version.
  • Retention can be applied while uploading the object or after uploading.
  • Compliance retention cannot be reduced or removed.
  • Governance retention can be altered by privileged users.

Set Retention on Upload (CLI Example)


aws s3api put-object \
  --bucket example-object-lock-bucket \
  --key backup-2025.zip \
  --object-lock-mode GOVERNANCE \
  --object-lock-retain-until-date "2028-12-30T12:00:00Z" \
  --body backup-2025.zip

Legal Holds in Object Lock

A legal hold prevents deletion or alteration indefinitely, regardless of retention settings. It must be removed manually when no longer required.

Features of Legal Holds

  • Acts like a manual lock.
  • Does not require a retention date.
  • Cannot be overridden by expiration or lifecycle rules.

Apply a Legal Hold


aws s3api put-object-legal-hold \
  --bucket example-object-lock-bucket \
  --key audit-log-2024.json \
  --legal-hold Status=ON

Remove a Legal Hold


aws s3api put-object-legal-hold \
  --bucket example-object-lock-bucket \
  --key audit-log-2024.json \
  --legal-hold Status=OFF

Bucket-Level Default Retention

Administrators can configure a default retention mode and duration for all objects uploaded to the bucket, which is especially useful in backup environments or compliance-heavy workloads.

Set Default Retention


aws s3api put-object-lock-configuration \
  --bucket example-object-lock-bucket \
  --object-lock-configuration \
  "ObjectLockEnabled=Enabled,Rule={DefaultRetention={Mode=GOVERNANCE,Days=365}}"

Compliance Use Cases for S3 Object Lock

Object Lock is used across industries where data immutability and integrity are crucial.

1. Financial Institution Compliance

Banks and investment companies use Object Lock to store trade records, transaction logs, and regulatory documents such as SEC 17a-4(f) compliant records.

2. Healthcare Data Protection

Hospitals and healthcare providers use Object Lock to store electronic health records (EHR), audit logs, and sensitive patient data to meet HIPAA regulations.

3. Ransomware Protection

Object Lock ensures backup files remain unchanged even if ransomware attempts deletion or corruption. This serves as a critical disaster recovery mechanism.

4. Legal Document Archiving

Organizations involved in litigation store evidence, legal documents, and submitted filings securely for future reference.

5. Government and Public Sector Data Preservation

Government agencies use it to maintain logs, reports, datasets, and sensitive archival files in an immutable format.

Lifecycle Rules vs. Object Lock

AWS S3 lifecycle rules allow automatic archival or deletion of objects, whereas Object Lock ensures objects cannot be deleted during their retention period. Lifecycle policies are ignored while Object Lock is active.

Differences

  • Lifecycle policies automate transitions and cleanup.
  • Object Lock prevents deletion or editing.
  • Retention overrides lifecycle expiration settings.

Object Lock and Versioning

Versioning is mandatory when using Object Lock. Each version can have unique retention properties. Even if a new version is uploaded, locked versions remain protected.

Example: Viewing Object Version Retention


aws s3api get-object-retention \
  --bucket example-object-lock-bucket \
  --key logs/app-log.txt \
  --version-id "123abc456def"

Monitoring Object Lock

Monitoring is essential to ensure compliance and audit readiness. AWS provides multiple tools for tracking object lock configurations.

Monitoring Tools

  • AWS CloudTrail – Tracks API calls for retention changes.
  • AWS Config – Monitors compliance with retention policies.
  • AWS S3 Inventory – Generates reports of objects with lock settings.
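
The S3 Inventory audit mentioned above, as an added Python example that is not part of the original tutorial: it reads inventory CSV rows using the column order from the manifest's fileSchema and flags versions that are unlocked, past retention, or close to it. The schema string, rows, version IDs and the reference time are constructed samples; the ObjectLock* columns are the optional inventory fields, and value casing is compared case-insensitively as an assumption.

```python
import csv
import io
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Constructed sample: the "fileSchema" string from an inventory manifest.json,
# shortened to the columns this audit needs. Inventory CSV files have no header row.
FILE_SCHEMA = ("Bucket, Key, VersionId, IsLatest, IsDeleteMarker, "
               "ObjectLockRetainUntilDate, ObjectLockMode, ObjectLockLegalHoldStatus")

# Constructed sample rows (keys reuse the names from this tutorial).
SAMPLE_CSV = '''\
"example-object-lock-bucket","backup-2025.zip","v1","true","false","2028-12-30T12:00:00Z","GOVERNANCE","Off"
"example-object-lock-bucket","financial-report.pdf","v2","true","false","2030-01-01T00:00:00Z","COMPLIANCE","Off"
"example-object-lock-bucket","logs/app-log.txt","123abc456def","true","false","","","Off"
"example-object-lock-bucket","audit-log-2024.json","v3","true","false","2025-01-01T00:00:00Z","GOVERNANCE","On"
"example-object-lock-bucket","reports/q1%20summary.pdf","v4","true","false","2025-06-15T00:00:00Z","COMPLIANCE","Off"
"example-object-lock-bucket","tmp/old.txt","v5","true","true","","",""
'''

# Constructed "current time" so the result is reproducible.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def audit_inventory(file_schema, csv_text, now, warn_days=30, required_mode=None):
    """Return [(key, version_id, issue)] for object versions that need attention.

    issue is UNLOCKED (no retention, no legal hold), EXPIRED, EXPIRING
    (within warn_days) or WEAK_MODE (mode differs from required_mode).
    """
    cols = [c.strip() for c in file_schema.split(",")]
    findings = []
    for values in csv.reader(io.StringIO(csv_text)):
        if not values:
            continue
        row = dict(zip(cols, values))
        if row.get("IsDeleteMarker", "").lower() == "true":
            continue  # a delete marker holds no data to protect
        if row.get("ObjectLockLegalHoldStatus", "").lower() == "on":
            continue  # a legal hold protects the version regardless of retention
        mode = row.get("ObjectLockMode", "").upper()
        until = row.get("ObjectLockRetainUntilDate", "")
        if not mode or not until:
            issue = "UNLOCKED"
        else:
            retain_until = datetime.fromisoformat(until.replace("Z", "+00:00"))
            if retain_until.tzinfo is None:
                retain_until = retain_until.replace(tzinfo=timezone.utc)
            if retain_until <= now:
                issue = "EXPIRED"
            elif retain_until - now <= timedelta(days=warn_days):
                issue = "EXPIRING"
            elif required_mode and mode != required_mode.upper():
                issue = "WEAK_MODE"
            else:
                continue
        # CSV inventories URL-encode the key, so decode it before reporting.
        findings.append((unquote(row["Key"]), row.get("VersionId", ""), issue))
    return findings


if __name__ == "__main__":
    for finding in audit_inventory(FILE_SCHEMA, SAMPLE_CSV, NOW, required_mode="COMPLIANCE"):
        print(finding)
```

Retention is per version, so the audit reports the version ID with every finding; a key can have one locked version and one unlocked version at the same time.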

1: Forgetting to Enable Object Lock at Bucket Creation

You cannot enable Object Lock after the bucket is created. Always plan ahead.

2: Confusing Legal Holds with Retention

Legal holds do not expire automatically; retention does. Use the correct feature based on your requirement.

3: Lack of Monitoring

Enable AWS Config and CloudTrail to track changes to retention settings.

  • Use compliance mode for regulated data.
  • Set default bucket-level retention for backup use cases.
  • Regularly audit retention settings using S3 Inventory.
  • Use IAM custom policies to restrict governance bypass permissions.

IAM Permissions for Object Lock

Only IAM users or roles with certain permissions can override or configure Object Lock settings.

Example IAM Policy for Retention Management


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObjectRetention",
        "s3:PutObjectLegalHold",
        "s3:GetObjectRetention",
        "s3:GetObjectLegalHold"
      ],
      "Resource": "arn:aws:s3:::example-object-lock-bucket/*"
    }
  ]
}
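
An added example (not part of the original tutorial): a simplified Python check of one identity policy for the actions that can weaken Object Lock on a bucket, including grants hidden behind wildcards. It looks at that single policy only (no bucket policies, SCPs or permission boundaries), reports statements with a Condition block as conditional instead of evaluating them, and BROAD_POLICY and HARDENED_POLICY are constructed samples.

```python
import re

# Actions that can weaken Object Lock, and the resource type each one targets.
RISKY = {
    "s3:BypassGovernanceRetention": "object",         # override GOVERNANCE retention
    "s3:PutObjectLegalHold": "object",                # can also switch a legal hold OFF
    "s3:PutBucketObjectLockConfiguration": "bucket",  # change the bucket default retention
}


def _glob(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.S | (re.I if ignore_case else 0)
    return re.fullmatch(rx, value, flags) is not None


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _matches(stmt, action, arn):
    if "NotAction" in stmt or "NotResource" in stmt:
        raise ValueError("NotAction/NotResource are not handled by this example")
    # Action names are case-insensitive; resource ARNs are case-sensitive.
    return (any(_glob(p, action, ignore_case=True) for p in _as_list(stmt.get("Action")))
            and any(_glob(p, arn) for p in _as_list(stmt.get("Resource"))))


def audit_policy(policy, bucket, key):
    """Return {action: verdict}; verdict is allowed, conditional, denied or not-granted."""
    stmts = policy["Statement"]
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    verdicts = {}
    for action, scope in RISKY.items():
        arn = f"arn:aws:s3:::{bucket}" + (f"/{key}" if scope == "object" else "")
        hits = [s for s in stmts if _matches(s, action, arn)]
        allows = [s for s in hits if s["Effect"] == "Allow"]
        denies = [s for s in hits if s["Effect"] == "Deny"]
        if any("Condition" not in s for s in denies):
            verdicts[action] = "denied"        # an explicit Deny always wins
        elif not allows:
            verdicts[action] = "not-granted"   # implicit deny
        elif denies or all("Condition" in s for s in allows):
            verdicts[action] = "conditional"   # outcome depends on a Condition block
        else:
            verdicts[action] = "allowed"
    return verdicts


BUCKET = "example-object-lock-bucket"

# The retention-management policy shown on this page.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:PutObjectRetention", "s3:PutObjectLegalHold",
               "s3:GetObjectRetention", "s3:GetObjectLegalHold"],
    "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}

# Constructed sample: a broad grant that silently includes governance bypass.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

# Constructed sample: the same grant plus an explicit Deny on governance bypass.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": BROAD_POLICY["Statement"] + [
    {"Effect": "Deny", "Action": "s3:BypassGovernanceRetention",
     "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}

if __name__ == "__main__":
    for name, pol in (("page", PAGE_POLICY), ("broad", BROAD_POLICY),
                      ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(pol, BUCKET, "backup-2025.zip"))
```

The page's policy grants s3:PutObjectLegalHold, which covers turning a hold off as well as on, so the check reports it as allowed even though governance bypass is not granted.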

Object Lock in Backup and Disaster Recovery

Modern backup solutions integrate Object Lock for ransomware-resistant storage. Tools like AWS Backup, Veeam, Commvault, Druva, and others support creating immutable S3 backups.

Workflow

  1. Backup application uploads data to S3.
  2. Retention policies automatically apply.
  3. Object versions remain protected even if new backups are uploaded.
  4. Ransomware-affected systems cannot delete locked versions.

Implementing Object Lock

Step 1: Create S3 Bucket


aws s3api create-bucket \
  --bucket enterprise-immutable-data \
  --object-lock-enabled-for-bucket

Step 2: Upload Object with Governance Retention


aws s3api put-object \
  --bucket enterprise-immutable-data \
  --key reports/annual-report-2025.pdf \
  --object-lock-mode GOVERNANCE \
  --object-lock-retain-until-date "2030-01-01T00:00:00Z" \
  --body annual-report-2025.pdf

Step 3: Verify Retention Settings


aws s3api get-object-retention \
  --bucket enterprise-immutable-data \
  --key reports/annual-report-2025.pdf

Example 1: Accounting Firms

Accounting firms secure tax records, audits, payroll data, and financial statements using Object Lock to satisfy compliance.

Example 2: Security Logs Preservation

Log analytics companies store server logs, incident logs, and SIEM logs immutably to support forensic investigation.

Example 3: Video Surveillance Companies

Video footage stored for legal, compliance, and audit use cases cannot be deleted during retention periods.

Limitations of Object Lock

  • Cannot enable Object Lock on an existing bucket.
  • Retention periods in compliance mode cannot be shortened.
  • Complexity increases with versioning.
  • Storage cost may increase due to retained versions.


Amazon S3 Object Lock is essential for organizations that need to store tamper-proof, immutable data for compliance, security, and data protection. By understanding the different modes, retention periods, legal holds, IAM permissions, and real-world use cases, users can effectively implement Object Lock for enterprise-grade data integrity. As ransomware attacks and regulatory requirements increase, Object Lock serves as a critical solution in modern cloud storage architectures.

Whether you're preparing for AWS Certification, designing enterprise architectures, or strengthening data protection strategies, Object Lock is one of the most important topics to master within Amazon S3 and overall cloud security.



Copyrights © 2024 letsupdateskills All rights reserved