S3 WORM (Write Once, Read Many) immutable storage, also known as S3 Object Lock, is designed to prevent the modification or deletion of objects for a fixed amount of time or indefinitely.
Let’s see S3 Object Lock in action. Imagine you have a bucket named my-compliance-bucket where you want to store legal documents that must be preserved for 7 years.
aws s3api put-object \
--bucket my-compliance-bucket \
--key legal-docs/contract-2023-10-27.pdf \
--body ./contract-2023-10-27.pdf \
--object-lock-mode COMPLIANCE \
--object-lock-retain-until-date 2030-10-27T00:00:00Z
This command uploads a file and immediately applies a compliance mode lock, retaining it until October 27, 2030. If you try to delete this object before that date, even as the bucket owner, you’ll get an error.
aws s3api delete-object \
--bucket my-compliance-bucket \
--key legal-docs/contract-2023-10-27.pdf
The error message would look something like this:
An error occurred (AccessDenied) when calling the DeleteObject operation: Object is locked and cannot be deleted.
S3 Object Lock addresses the critical need for data immutability in regulated industries, legal holds, and long-term archival where data integrity and non-repudiation are paramount. It ensures that once data is written, it cannot be altered or removed, providing a robust audit trail.
Internally, S3 Object Lock works by associating retention settings with individual objects or with the bucket itself. There are two modes:
- Governance Mode: This mode prevents deletion and overwriting of objects by most users, but authorized users with specific IAM permissions (e.g., s3:BypassGovernanceRetention) can override the lock. This is useful for protecting against accidental deletions or modifications.
- Compliance Mode: This mode is stricter. No user, including the root account, can override or delete an object that is under a compliance mode lock until the retention period expires. This mode is typically used to meet regulatory requirements.
When you enable Object Lock on a bucket, you can specify a default retention mode and period that will apply to all objects uploaded to that bucket unless overridden at the object level. You can also enable legal holds, which are separate from retention periods and can be applied to objects to prevent deletion indefinitely, even after a retention period has expired. A legal hold is lifted when explicitly removed.
The configuration for a bucket can be viewed using:
aws s3api get-object-lock-configuration --bucket my-compliance-bucket
The output might show:
{
  "ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {
      "DefaultRetention": {
        "Mode": "COMPLIANCE",
        "Days": 2555
      }
    }
  }
}
This indicates Object Lock is enabled, and the default retention is set to Compliance Mode for 2555 days (approximately 7 years).
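To make the rules above concrete, here is a small Python model (added for this article, not AWS or boto3 code) of how S3 decides whether a locked object version may be deleted: legal holds, Compliance Mode, Governance Mode with the s3:BypassGovernanceRetention permission plus the x-amz-bypass-governance-retention request header, and the bucket's default retention in days. The object keys, dates and the ObjectVersion/can_delete_version names are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass
class ObjectVersion:
    """One object version with the lock attributes S3 stores alongside it (model only)."""
    key: str
    retention_mode: Optional[str] = None      # "GOVERNANCE", "COMPLIANCE" or None
    retain_until: Optional[datetime] = None   # UTC
    legal_hold: bool = False                  # independent of any retention period


def retain_until_from_days(uploaded_at: datetime, days: int) -> datetime:
    """Turn a bucket DefaultRetention of `days` into the object's retain-until date."""
    return uploaded_at + timedelta(days=days)


def can_delete_version(obj: ObjectVersion, now: datetime,
                       has_bypass_permission: bool = False,
                       bypass_header: bool = False) -> Tuple[bool, str]:
    """Decide a DeleteObject call that names a specific version ID.

    Rules modelled: a legal hold blocks deletion until it is removed;
    COMPLIANCE retention cannot be bypassed by anyone; GOVERNANCE retention
    is bypassed only when the caller holds s3:BypassGovernanceRetention AND
    sends the x-amz-bypass-governance-retention header.
    """
    if obj.legal_hold:
        return False, "legal hold is on; remove it before deleting"
    if obj.retention_mode is None or obj.retain_until is None or now >= obj.retain_until:
        return True, "no active retention period"
    if obj.retention_mode == "COMPLIANCE":
        return False, f"COMPLIANCE lock until {obj.retain_until.date()}; no principal can bypass"
    if obj.retention_mode == "GOVERNANCE":
        if has_bypass_permission and bypass_header:
            return True, "GOVERNANCE lock bypassed (permission + header present)"
        return False, "GOVERNANCE lock; bypass needs both the permission and the header"
    raise ValueError(f"unknown retention mode {obj.retention_mode!r}")


if __name__ == "__main__":
    uploaded = datetime(2023, 10, 27, tzinfo=timezone.utc)          # constructed sample date
    # A default of 2555 days is two days short of 27 Oct 2030 (two leap days in between).
    contract = ObjectVersion("legal-docs/contract-2023-10-27.pdf", "COMPLIANCE",
                             retain_until_from_days(uploaded, 2555))
    print(contract.retain_until.date())                              # 2030-10-25
    print(can_delete_version(contract, datetime(2025, 1, 1, tzinfo=timezone.utc)))
    draft = ObjectVersion("drafts/memo.txt", "GOVERNANCE", uploaded + timedelta(days=30))
    print(can_delete_version(draft, uploaded, has_bypass_permission=True))
    print(can_delete_version(draft, uploaded, has_bypass_permission=True, bypass_header=True))
```

The model decides deletes that name a version ID; on a versioned bucket a DeleteObject with no version ID only adds a delete marker and leaves the locked version in place.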
Perhaps the most surprising thing about S3 Object Lock is that enabling it on a bucket is a one-way operation. Once you enable Object Lock for a bucket, you cannot disable it. You can only modify the retention settings or remove legal holds. This irreversible nature is fundamental to its compliance guarantees.
When you create an S3 bucket, you must explicitly enable Object Lock during bucket creation if you intend to use it. If you create a bucket without enabling Object Lock, you cannot enable it later for that specific bucket. You would need to create a new bucket and migrate your data.
The next concept you’ll likely encounter is managing S3 Lifecycle policies in conjunction with Object Lock, which allows for automated object transitions to different storage classes or deletion based on Object Lock settings.