S3 buckets and objects have their own object lock configuration. This article explains how it works.
Possible object lock configuration on a bucket
- Permanently enabled – Governance mode
- Permanently enabled – Compliance mode
- Permanently enabled – None
- Disabled
To apply object lock on an object, the bucket itself must be one of the ‘permanently enabled’ configurations. Otherwise put_object_retention() and put_object_legal_hold() will raise exception.
Possible retention mode configuration on an object
- Enable governance mode
- Enable compliance mode
- Disable
On S3 object creation, bucket config will be used to setup the object’s retention mode and retention period. If the bucket is in “Permanently enabled – None” configuration, and we did not call put_object_retention() to specify retention mode and period, the object’s retention mode will be “Disable”.
Be careful that governance mode may be bypassed by a user. Consider setup IAM policy to deny on “s3:BypassGovernanceRetention” action.
Possible legal hold configuration on an object
- Enable
- Disable
Legal hold is OFF by default, regardless of the bucket configuration. You must call put_object_legal_hold() to set the legal hold ON to protect an object.
Be careful it’s possible to set legal hold ON, and then set it back to OFF. So we need to set up IAM policy to avoid a user from doing this. Consider deny “s3:PutObjectLegalHold” action if “s3:object-lock-legal-hold” is not “ON”.