Ref: https://learn.cantrill.io/courses/1820301/lectures/42834820

• Summary
• Contents:

S3 Object Lock - Key Concepts

• 🔧 Protect S3 object versions from overwrites and deletions, temporarily or permanently
  • Implement Write-Once-Read-Many (WORM) architecture
  • Can be defined for individual objects or as bucket default (like S3 encryption)
• 2 types (can be combined):
  • Legal Hold
  • Retention Period (Governance & Compliance modes)
• Considerations
  • ‼️ Versioning must be enabled in the bucket! → locks object VERSIONS
  • Easily enabled when creating a NEW S3 bucket
    • To enable in an existing bucket, must submit support request to AWS
  • ‼️ Once enabled in a bucket, object lock can NOT be disabled, and versioning can NOT be suspended!!

S3 Object Lock - Legal Hold

• 🔧 Every object version in the bucket has a boolean, indicating if it's locked or not
  • No retention period, just a simple per-version boolean that can be set ON/OFF
• Operation: s3:PutObjectLegalHold (enable/disable legal hold)
• Use cases:
  • Prevent accidental version deletion or overwrite (e.g. legal situations)
    • Deleting a version requires disabling legal hold first, added layer of security/validation
  • Flag a specific version as critical

S3 Object Lock - Retention Period

• 🔧 Object version locked for a retention period (specified in days & years)
  • After retention period, version is no longer locked, can be then modified or deleted
• Operation: put-object-lock-configuration (configure object lock with retention period)
  • Must specify one of two modes: Mode=Governance/Compliance
• Two Modes:
  1. GOVERNANCE
     • 🔧 Object lock can be bypassed by granting special permissions
       • Special permissions allow version overwrites and deletions
       • Special permissions allow changing object lock configuration
     • Special permission: s3:BypassGovernanceRetention
       • A Principal requires this special permission, but must also include a specific HTTP Header in its requests: x-amz-bypass-governance-retention:true
         • ❗ Note that x-amz headers are used by default in ClickOps via AWS Management Console as well as console terminals in AWS UI → by default, governance mode will ALWAYS be bypassed in the AWS Console UI!
     • Use cases:
       • Prevent accidental overwrites or deletions in AWS CLI/SDK for a given time
         • e.g. governance reasons to keep versions
       • Test compliance mode
         • If something goes wrong, lock can be bypassed. If lock works well, can then enable compliance mode.
  2. COMPLIANCE
     • 🔧 Permanent lock → can't be adjusted, deleted, overwritten, or bypassed before retention period expires!
       • ❗ Even account root user can't bypass this lock!
     • Serious business → Neither versions nor configurations can change until period expires
     • Example use case: mandatory data retention for 3 years due to compliance reasons
       • Medical data, financial data…