Skip to main content
Learn how to enable and enforce Object Lock on Amazon S3 buckets, apply governance and compliance retention modes, and verify access restrictions using IAM policies.

Table of Contents

  1. What You’ll Learn
  2. 1. Create an S3 Bucket with Object Lock
  3. 2. Upload an Object
  4. 3. Configure Object Lock Retention
  5. 4. Test Deletion with a Restricted IAM User
  6. 5. Delete with an Admin User
  7. 6. Demonstrate Object Legal Hold
  8. 7. Deny Legal Hold Removal
  9. Summary
  10. References

What You’ll Learn

  • How to enable Object Lock on an S3 bucket
  • The difference between Governance and Compliance retention modes
  • Applying and testing IAM policies that enforce or bypass retention settings
  • Using Object Legal Hold for indefinite protection

1. Create an S3 Bucket with Object Lock

  1. In the AWS S3 console, click Create bucket.
  2. Under Advanced settings, check Enable Object Lock.
The image shows an AWS S3 bucket configuration page with options for default encryption and advanced settings, including Object Lock.
Object Lock requires versioning. When you enable Object Lock, S3 automatically enables versioning for the bucket (the Versioning option is grayed out).

2. Upload an Object

Upload a test file, for example file1.txt, to your new bucket:
  1. Click Upload.
  2. Select file1.txt.
  3. Confirm and upload.
The image shows an AWS S3 Management Console screen where a file named "file1.txt" is being prepared for upload to a bucket named "kk-objectclock-demo." The file is 7.0 bytes in size and is of type "text/plain."
After upload, open the object’s Properties to configure Object Lock.

3. Configure Object Lock Retention

In the object’s Object Lock section you can choose:
  • Legal Hold: Indefinite hold without a retention date.
  • Retention Mode: Specify Governance or Compliance mode and a retention date.
Retention ModeBypass Permission RequiredUse Case
Governance Modes3:BypassGovernanceRetentionTemporary holds with exception
Compliance ModeNot bypassableRegulatory or compliance mandates
The image shows an Amazon S3 interface for editing object lock retention settings, with options for retention mode and a warning about governance mode. A specified object, "file1.txt," is listed below with details.
  1. Select Governance mode.
  2. Set the retention date (e.g., tomorrow).
  3. Click Save.
In Compliance mode, objects cannot be deleted or overwritten until the retention period expires.

4. Test Deletion with a Restricted IAM User

Switch to User Two, who has a policy denying s3:BypassGovernanceRetention. They have full S3 access but cannot bypass governance locks: 
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyBypassGovernanceRetention",
      "Effect": "Deny",
      "Action": "s3:BypassGovernanceRetention",
      "Resource": "*"
    }
  ]
}
When User Two tries to delete the locked object version, the request fails:
The image shows an AWS S3 console screen with a "Failed to delete objects" error message, indicating an object could not be deleted due to access denial.
User Two also cannot modify retention settings.

5. Delete with an Admin User

Switch back to User One (Administrator) with full permissions, including s3:BypassGovernanceRetention: 
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
User One can now permanently delete the locked object version.
  1. Upload a second file, e.g., file2.txt.
  2. Open its Properties and scroll to Object Lock.
  3. Enable Legal Hold, then Save.
The image shows an Amazon S3 console interface displaying details of an object, including the owner, AWS region, last modified date, size, and object URL.
The object is now held indefinitely under Legal Hold.
Update User Two’s policy to also deny s3:PutObjectLegalHold, preventing removal of legal holds: 
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLegalHoldAndBypass",
      "Effect": "Deny",
      "Action": [
        "s3:PutObjectLegalHold",
        "s3:BypassGovernanceRetention"
      ],
      "Resource": "*"
    }
  ]
}
Now, when User Two tries to disable the legal hold, they see a permission error:
The image shows an AWS S3 console screen where a user is attempting to edit an Object Lock legal hold but receives a permission error message.
Only users with the correct permissions (e.g., User One) can remove a legal hold.

Summary

In this lesson, you’ve learned to:
  • Enable Object Lock on an S3 bucket
  • Apply Governance and Compliance retention modes
  • Test deletion restrictions with IAM policies
  • Use Object Legal Hold for indefinite protection

References

Watch Video

Practice Lab