Configuring S3 Object Lock
With Amazon S3 Object Lock, you can store objects in Amazon S3 by using a write-once-read-many (WORM) model. You can use S3 Object Lock to prevent an object from being deleted or overwritten for a fixed amount of time or indefinitely. For general information about Object Lock capabilities, see Using S3 Object Lock.
Before you lock any objects, you must enable S3 Versioning and Object Lock on a bucket. Afterward, you can set a retention period, a legal hold, or both.
To work with Object Lock, you must have certain permissions. For a list of the permissions related to various Object Lock operations, see Required permissions.
Important
- After you enable Object Lock on a bucket, you can't disable Object Lock or suspend versioning for that bucket.
- S3 buckets with Object Lock can't be used as destination buckets for server access logs. For more information, see Logging requests with server access logging.
Enable Object Lock when creating a new S3 bucket
You can enable Object Lock when creating a new S3 bucket by using the Amazon S3 console, AWS Command Line Interface (AWS CLI), AWS SDKs, or Amazon S3 REST API.
- Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
- In the left navigation pane, choose Buckets.
- Choose Create bucket.
  The Create bucket page opens.
- For Bucket name, enter a name for your bucket.
  Note
  After you create a bucket, you can't change its name. For more information about naming buckets, see Bucket naming rules.
- For Region, choose the AWS Region where you want the bucket to reside.
- Under Object Ownership, choose to disable or enable access control lists (ACLs) and control ownership of objects uploaded in your bucket.
- Under Block Public Access settings for this bucket, choose the Block Public Access settings that you want to apply to the bucket.
- Under Bucket Versioning, choose Enabled.
  Object Lock works only with versioned buckets.
- (Optional) Under Tags, you can choose to add tags to your bucket. Tags are key-value pairs that are used to categorize storage and allocate costs.
- Under Advanced settings, find Object Lock and choose Enable.
  You must acknowledge that enabling Object Lock will permanently allow objects in this bucket to be locked.
- Choose Create bucket.
The following create-bucket example creates a new S3 bucket named amzn-s3-demo-bucket1 with Object Lock enabled:

aws s3api create-bucket --bucket amzn-s3-demo-bucket1 --object-lock-enabled-for-bucket

For more information and examples, see create-bucket.
Note
You can run AWS CLI commands from the console by using AWS CloudShell. AWS CloudShell is a browser-based, pre-authenticated shell that you can launch directly from the AWS Management Console. For more information, see What is CloudShell? in the AWS CloudShell User Guide.
You can use the REST API to create a new S3 bucket with Object Lock enabled. For more information, see CreateBucket in the Amazon Simple Storage Service API Reference.
For examples of how to enable Object Lock when creating a new S3 bucket with the AWS SDKs, see Use CreateBucket with an AWS SDK or CLI.
For examples of how to get the current Object Lock configuration with the AWS SDKs, see Use GetObjectLockConfiguration with an AWS SDK or CLI.
For an interactive scenario demonstrating different Object Lock features using the AWS SDKs, see Work with Amazon S3 object lock features using an AWS SDK.
For general information about using different AWS SDKs, see Developing with Amazon S3 using the AWS SDKs.
Enable Object Lock on an existing S3 bucket
You can enable Object Lock for an existing S3 bucket by using the Amazon S3 console, the AWS CLI, AWS SDKs, or Amazon S3 REST API.
Note
Object Lock works only with versioned buckets.
- Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
- In the left navigation pane, choose Buckets.
- In the Buckets list, choose the name of the bucket that you want to enable Object Lock on.
- Choose the Properties tab.
- Under Properties, scroll down to the Object Lock section, and choose Edit.
- Under Object Lock, choose Enable.
  You must acknowledge that enabling Object Lock will permanently allow objects in this bucket to be locked.
- Choose Save changes.
The following put-object-lock-configuration example command sets a 50-day Object Lock retention period on a bucket named amzn-s3-demo-bucket1:

aws s3api put-object-lock-configuration --bucket amzn-s3-demo-bucket1 --object-lock-configuration='{ "ObjectLockEnabled": "Enabled", "Rule": { "DefaultRetention": { "Mode": "COMPLIANCE", "Days": 50 }}}'

For more information and examples, see put-object-lock-configuration.
You can use the Amazon S3 REST API to enable Object Lock on an existing S3 bucket. For more information, see PutObjectLockConfiguration in the Amazon Simple Storage Service API Reference.
For examples of how to enable Object Lock for an existing S3 bucket with the AWS SDKs, see Use PutObjectLockConfiguration with an AWS SDK or CLI.
For examples of how to get the current Object Lock configuration with the AWS SDKs, see Use GetObjectLockConfiguration with an AWS SDK or CLI.
For an interactive scenario demonstrating different Object Lock features using the AWS SDKs, see Work with Amazon S3 object lock features using an AWS SDK.
For general information about using different AWS SDKs, see Developing with Amazon S3 using the AWS SDKs.
Set or modify a legal hold on an S3 object
You can set or remove a legal hold on an S3 object by using the Amazon S3 console, AWS CLI, AWS SDKs, or Amazon S3 REST API.
Important
- If you want to set a legal hold on an object, the object's bucket must already have Object Lock enabled.
- When you PUT an object version that has an explicit individual retention mode and period in a bucket, the object version's individual Object Lock settings override any bucket property retention settings.
For more information, see Legal holds.
- Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
- In the left navigation pane, choose Buckets.
- In the Buckets list, choose the name of the bucket that contains the object that you want to set or modify a legal hold on.
- In the Objects list, select the object that you want to set or modify a legal hold on.
- On the Object properties page, find the Object Lock legal hold section, and choose Edit.
- Choose Enable to set a legal hold or Disable to remove a legal hold.
- Choose Save changes.
The following put-object-legal-hold example sets a legal hold on the object my-image.fs in the bucket named amzn-s3-demo-bucket1:

aws s3api put-object-legal-hold --bucket amzn-s3-demo-bucket1 --key my-image.fs --legal-hold="Status=ON"

The following put-object-legal-hold example removes a legal hold on the object my-image.fs in the bucket named amzn-s3-demo-bucket1:

aws s3api put-object-legal-hold --bucket amzn-s3-demo-bucket1 --key my-image.fs --legal-hold="Status=OFF"

For more information and examples, see put-object-legal-hold.
You can use the REST API to set or modify a legal hold on an object. For more information, see PutObjectLegalHold in the Amazon Simple Storage Service API Reference.
For examples of how to set a legal hold on an object with the AWS SDKs, see Use PutObjectLegalHold with an AWS SDK or CLI.
For examples of how to get the current legal hold status with the AWS SDKs, see Get the legal hold configuration of an Amazon S3 object using an AWS SDK.
For an interactive scenario demonstrating different Object Lock features using the AWS SDKs, see Work with Amazon S3 object lock features using an AWS SDK.
For general information about using different AWS SDKs, see Developing with Amazon S3 using the AWS SDKs.
Set or modify a retention period on an S3 object
You can set or modify a retention period on an S3 object by using the Amazon S3 console, AWS CLI, AWS SDKs, or Amazon S3 REST API.
Important
- If you want to set a retention period on an object, the object's bucket must already have Object Lock enabled.
- When you PUT an object version that has an explicit individual retention mode and period in a bucket, the object version's individual Object Lock settings override any bucket property retention settings.
- The only way to delete an object under the compliance mode before its retention date expires is to delete the associated AWS account.
For more information, see Retention periods.
- Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
- In the left navigation pane, choose Buckets.
- In the Buckets list, choose the name of the bucket that contains the object that you want to set or modify a retention period on.
- In the Objects list, select the object that you want to set or modify a retention period on.
- On the Object properties page, find the Object Lock retention section, and choose Edit.
- Under Retention, choose Enable to set a retention period or Disable to remove a retention period.
- If you chose Enable, under Retention mode, choose either Governance mode or Compliance mode. For more information, see Retention modes.
- Under Retain until date, choose the date that you want the retention period to end on. During this period, your object is WORM-protected and can't be overwritten or deleted. For more information, see Retention periods.
- Choose Save changes.
The following put-object-retention example sets a retention period on the object my-image.fs in the bucket named amzn-s3-demo-bucket1 until January 1, 2025:

aws s3api put-object-retention --bucket amzn-s3-demo-bucket1 --key my-image.fs --retention='{ "Mode": "GOVERNANCE", "RetainUntilDate": "2025-01-01T00:00:00" }'

For more information and examples, see put-object-retention.
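To see what the legal-hold and retention settings from the two CLI sections above actually mean for a given object version, the following added example (not code from the AWS documentation or the AWS CLI) evaluates the responses of get-object-retention and get-object-legal-hold offline. The response dicts, the check time, and the object name my-image.fs are constructed to match the examples on this page; the function version_protection and the summary fields it returns are my own naming. It encodes the page's rule that a compliance-mode retention cannot be shortened or bypassed, plus the documented AWS behaviour that a governance-mode retention can be overridden only by a principal holding s3:BypassGovernanceRetention, and that a legal hold blocks deletion independently of any retention period.

```python
from datetime import datetime, timezone
from typing import Optional


def parse_retain_until(value: str) -> datetime:
    """Parse a RetainUntilDate string into an aware UTC datetime.

    Accepts a trailing 'Z', an explicit offset, or (as in the CLI example on
    this page) no offset at all, which is treated as UTC.
    """
    text = value[:-1] + "+00:00" if value.endswith("Z") else value
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def version_protection(retention: Optional[dict],
                       legal_hold: Optional[dict],
                       now: Optional[datetime] = None) -> dict:
    """Summarize what currently stops an object version from being deleted or overwritten.

    retention  -- the 'Retention' member of a get-object-retention response, or None
    legal_hold -- the 'LegalHold' member of a get-object-legal-hold response, or None
    Returns 'protected' (some lock is in force), 'bypass_possible' (the only lock
    is a GOVERNANCE retention, which s3:BypassGovernanceRetention can override)
    and the list of reasons. Assumed helper, not an AWS API.
    """
    now = now or datetime.now(timezone.utc)
    reasons = []
    hold_on = bool(legal_hold) and legal_hold.get("Status") == "ON"
    if hold_on:
        reasons.append("legal hold is ON; it never expires and must be removed explicitly")
    active_mode = None
    if retention and retention.get("Mode"):
        until = parse_retain_until(retention["RetainUntilDate"])
        # A retention whose RetainUntilDate has passed no longer protects anything.
        if until > now:
            active_mode = retention["Mode"]
            if active_mode == "COMPLIANCE":
                reasons.append(f"COMPLIANCE retention until {until.isoformat()}; "
                               "cannot be shortened or bypassed")
            else:
                reasons.append(f"GOVERNANCE retention until {until.isoformat()}; "
                               "bypassable with s3:BypassGovernanceRetention")
    return {
        "protected": bool(reasons),
        "bypass_possible": bool(reasons) and not hold_on and active_mode == "GOVERNANCE",
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed responses matching the CLI examples above
    # (object my-image.fs in bucket amzn-s3-demo-bucket1).
    retention = {"Mode": "GOVERNANCE", "RetainUntilDate": "2025-01-01T00:00:00"}
    check_time = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for label, hold in (("with legal hold", {"Status": "ON"}),
                        ("hold removed", {"Status": "OFF"})):
        print(label, version_protection(retention, hold, check_time))
```

Run against real responses by passing the 'Retention' and 'LegalHold' members of the CLI's JSON output; a version that reports protected with bypass_possible set is the case to review in an audit, since governance mode alone does not stop a sufficiently privileged principal.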
You can use the REST API to set a retention period on an object. For more information, see PutObjectRetention in the Amazon Simple Storage Service API Reference.
For examples of how to set a retention period on an object with the AWS SDKs, see Use PutObjectRetention with an AWS SDK or CLI.
For examples of how to get the retention period on an object with the AWS SDKs, see Use GetObjectRetention with an AWS SDK or CLI.
For an interactive scenario demonstrating different Object Lock features using the AWS SDKs, see Work with Amazon S3 object lock features using an AWS SDK.
For general information about using different AWS SDKs, see Developing with Amazon S3 using the AWS SDKs.
Set or modify a default retention period on an S3 bucket
You can set or modify a default retention period on an S3 bucket by using the Amazon S3 console, AWS CLI, AWS SDKs, or Amazon S3 REST API. You specify a duration, in either days or years, for how long to protect every object version placed in the bucket.
Important
- If you want to set a default retention period on a bucket, the bucket must already have Object Lock enabled.
- When you PUT an object version that has an explicit individual retention mode and period in a bucket, the object version's individual Object Lock settings override any bucket property retention settings.
- The only way to delete an object under the compliance mode before its retention date expires is to delete the associated AWS account.
For more information, see Retention periods.
- Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
- In the left navigation pane, choose Buckets.
- In the Buckets list, choose the name of the bucket that you want to set or modify a default retention period on.
- Choose the Properties tab.
- Under Properties, scroll down to the Object Lock section, and choose Edit.
- Under Default retention, choose Enable to set a default retention or Disable to remove a default retention.
- If you chose Enable, under Retention mode, choose either Governance mode or Compliance mode. For more information, see Retention modes.
- Under Default retention period, choose the number of days or years that you want the retention period to last for. Objects placed in this bucket will be locked for this number of days or years. For more information, see Retention periods.
- Choose Save changes.
The following put-object-lock-configuration example command sets a 50-day Object Lock retention period on the bucket named amzn-s3-demo-bucket1 by using compliance mode:

aws s3api put-object-lock-configuration --bucket amzn-s3-demo-bucket1 --object-lock-configuration='{ "ObjectLockEnabled": "Enabled", "Rule": { "DefaultRetention": { "Mode": "COMPLIANCE", "Days": 50 }}}'

The following put-object-lock-configuration example removes the default retention configuration on a bucket:

aws s3api put-object-lock-configuration --bucket amzn-s3-demo-bucket1 --object-lock-configuration='{ "ObjectLockEnabled": "Enabled"}'

For more information and examples, see put-object-lock-configuration.
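The JSON passed to --object-lock-configuration in the examples above (here and in the section on enabling Object Lock for an existing bucket) is easy to get subtly wrong by hand, and the configuration read back with get-object-lock-configuration is worth checking for weak defaults. The following added example (not code from the AWS documentation or the AWS CLI) builds that body, enforces the API's rule that DefaultRetention carries exactly one of Days or Years, serializes it for the CLI, and audits a configuration dict the way a reviewer would. The function names build_object_lock_configuration, cli_argument and audit_lock_configuration are my own; the finding about governance mode relies on the documented s3:BypassGovernanceRetention permission.

```python
import json
from typing import Optional

# Retention modes accepted by the Object Lock API.
VALID_MODES = ("GOVERNANCE", "COMPLIANCE")


def build_object_lock_configuration(mode: Optional[str] = None,
                                    days: Optional[int] = None,
                                    years: Optional[int] = None) -> dict:
    """Build the ObjectLockConfiguration body for put-object-lock-configuration.

    Called with no arguments it returns the minimal body that keeps Object Lock
    enabled but removes any default retention rule (the second CLI example above).
    Assumed helper, not part of any AWS SDK.
    """
    config = {"ObjectLockEnabled": "Enabled"}
    if mode is None and days is None and years is None:
        return config
    if mode not in VALID_MODES:
        raise ValueError(f"mode must be one of {VALID_MODES}, got {mode!r}")
    # DefaultRetention takes exactly one of Days or Years, never both or neither.
    if (days is None) == (years is None):
        raise ValueError("specify exactly one of days or years")
    key, value = ("Days", days) if days is not None else ("Years", years)
    if isinstance(value, bool) or not isinstance(value, int) or value < 1:
        raise ValueError(f"{key} must be a positive integer, got {value!r}")
    config["Rule"] = {"DefaultRetention": {"Mode": mode, key: value}}
    return config


def cli_argument(config: dict) -> str:
    """Serialize a configuration as the value for --object-lock-configuration."""
    return json.dumps(config, separators=(",", ":"))


def audit_lock_configuration(config: dict) -> list:
    """Flag weak spots in the 'ObjectLockConfiguration' member of a
    get-object-lock-configuration response (same shape as the PUT body)."""
    findings = []
    if config.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled; no object version is WORM-protected")
        return findings
    rule = config.get("Rule", {}).get("DefaultRetention")
    if not rule:
        # Enabling Object Lock alone protects nothing: each version still needs
        # a retention period or legal hold from the request or a bucket default.
        findings.append("no default retention: new versions are unprotected unless "
                        "the PUT request sets retention or a legal hold is applied")
        return findings
    if rule.get("Mode") == "GOVERNANCE":
        findings.append("default retention is GOVERNANCE: principals granted "
                        "s3:BypassGovernanceRetention can still delete before expiry")
    return findings


if __name__ == "__main__":
    # Reproduces the 50-day compliance default from the CLI example above.
    fifty_days = build_object_lock_configuration("COMPLIANCE", days=50)
    print("aws s3api put-object-lock-configuration --bucket amzn-s3-demo-bucket1 "
          "--object-lock-configuration=" + cli_argument(fifty_days))
    print(audit_lock_configuration(fifty_days))
    print(audit_lock_configuration(build_object_lock_configuration()))
```

Feed audit_lock_configuration the parsed output of aws s3api get-object-lock-configuration for each bucket that is meant to be WORM-protected; an empty findings list means Object Lock is enabled with a compliance-mode default, which is the state the "Important" callout above describes.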
You can use the REST API to set a default retention period on an existing S3 bucket. For more information, see PutObjectLockConfiguration in the Amazon Simple Storage Service API Reference.
For examples of how to set a default retention period on an existing S3 bucket with the AWS SDKs, see Use PutObjectLockConfiguration with an AWS SDK or CLI.
For an interactive scenario demonstrating different Object Lock features using the AWS SDKs, see Work with Amazon S3 object lock features using an AWS SDK.
For general information about using different AWS SDKs, see Developing with Amazon S3 using the AWS SDKs.