Saturday, February 21, 2026

S3 object lock: immutability and WORM

S3 object lock is an API-level capability that enforces write-once-read-many (WORM) protection on object data. When configured on a versioned bucket, it prevents object versions from being deleted or overwritten for a defined period of time or until a legal hold is removed.

Originally introduced within the Amazon S3 ecosystem and now widely supported across S3-compatible platforms, S3 object lock has become a reference model for implementing immutable storage in modern data architectures.

This article explains how S3 object lock works, the difference between governance and compliance modes, how retention and legal holds behave, and how the capability is implemented across cloud and on-premises environments.

What S3 object lock does

At its core, S3 object lock attaches protection rules to individual object versions.

When a retention period or legal hold is applied:

  • The protected object version cannot be deleted.
  • The protected object version cannot be overwritten.
  • In compliance mode, the retention period cannot be shortened.

Enforcement happens at the S3 API layer. If a delete or overwrite request targets a protected object version, the request is rejected until protection conditions are satisfied.

Object lock must be enabled when the bucket is created, and versioning must be turned on. Protection applies to object versions, not simply to object names.

Why versioning is required

Versioning ensures that updates do not destroy previous data.

In a versioned bucket:

  • Each write creates a new object version.
  • Previous versions remain stored unless explicitly removed.
  • Retention metadata is attached per version.

Object lock builds on this model. When a retention rule is applied, it protects a specific version of an object. If a new version is uploaded later, that new version can have its own independent retention configuration.

This design enables granular control and point-in-time preservation without relying on manual processes.

Retention periods: time-based immutability

A retention period defines how long an object version remains immutable.

When a retention period is set:

  • A retention-until timestamp is recorded in the object version’s metadata.
  • Delete and overwrite operations are rejected until that timestamp passes.
  • In compliance mode, the retention date cannot be reduced.

Retention periods are time-bound. Once the retention-until date passes, the object version is no longer protected by object lock. It then becomes eligible for deletion or modification according to normal permissions and lifecycle policies.

Expiration does not trigger automatic deletion. It simply removes the immutability restriction.

Retention policies can be applied:

  • As a default at the bucket level.
  • Individually per object.
  • Through API calls integrated into applications or backup software.

Legal holds: indefinite protection

A legal hold provides similar protection but without a predefined expiration.

When a legal hold is active:

  • The object version cannot be deleted.
  • The protection remains in place until explicitly removed.
  • The hold blocks deletion regardless of the retention-until timestamp.

Legal holds are commonly used in situations where preservation requirements are not tied to a fixed timeframe, such as investigations or audits.

Retention periods and legal holds can exist simultaneously. If either mechanism is active, deletion is blocked.

Governance mode vs. compliance mode

When configuring a retention period, administrators must select a retention mode. The distinction between governance and compliance determines how strictly immutability is enforced.

Governance mode

In governance mode:

  • Protected object versions cannot be deleted by standard users.
  • Authorized users with specific permissions can bypass retention controls.
  • Bypass actions require explicit intent and proper credentials.

Governance mode provides immutability with administrative flexibility. It is typically used where protection against accidental deletion is required but controlled override remains permissible.

Compliance mode

In compliance mode:

  • Protected object versions cannot be deleted before the retention date.
  • The retention period cannot be shortened.
  • Overrides are not allowed, even by administrators.

Compliance mode enforces non-rewritable, non-erasable behavior during the defined retention window. Retention periods can be extended but not reduced.

The choice between governance and compliance depends on policy requirements and regulatory context.
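The rules described above for retention periods, legal holds, and the two modes can be expressed as a small decision model. This is an added example, not code from any S3 implementation; the class, the function names, and the single bypass flag (standing for a caller who holds the bypass permission and explicitly asks to use it) are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

@dataclass
class VersionLock:
    """Lock state of ONE object version (illustrative model, not an SDK type)."""
    mode: Optional[str] = None               # "GOVERNANCE", "COMPLIANCE" or None
    retain_until: Optional[datetime] = None  # retention-until timestamp
    legal_hold: bool = False

def retention_active(lock: VersionLock, now: datetime) -> bool:
    return lock.mode is not None and lock.retain_until is not None and now < lock.retain_until

def may_delete_version(lock: VersionLock, now: datetime, bypass: bool = False) -> Tuple[bool, str]:
    """Decide a delete aimed at this specific version.
    bypass=True: the caller holds the governance-bypass permission AND asked to use it."""
    if lock.legal_hold:                      # a hold blocks regardless of any date
        return False, "legal hold active"
    if not retention_active(lock, now):      # expiry lifts the block, it deletes nothing
        return True, "no active protection"
    if lock.mode == "GOVERNANCE" and bypass:
        return True, "governance retention bypassed"
    return False, f"{lock.mode} retention until {lock.retain_until:%Y-%m-%d}"

def may_change_retention(lock: VersionLock, now: datetime, new_until: datetime,
                         bypass: bool = False) -> Tuple[bool, str]:
    """Decide a request to move the retention-until date of this version."""
    if not retention_active(lock, now) or new_until >= lock.retain_until:
        return True, "extension or no active retention"
    if lock.mode == "GOVERNANCE" and bypass:
        return True, "governance retention shortened via bypass"
    return False, f"{lock.mode} retention cannot be shortened"

if __name__ == "__main__":
    now = datetime(2026, 2, 21, tzinfo=timezone.utc)   # constructed sample data
    later = now + timedelta(days=30)
    cases = {
        "compliance": VersionLock("COMPLIANCE", later),
        "governance": VersionLock("GOVERNANCE", later),
        "expired+hold": VersionLock("COMPLIANCE", now - timedelta(days=1), legal_hold=True),
    }
    for name, lock in cases.items():
        print(name, may_delete_version(lock, now, bypass=True),
              may_change_retention(lock, now, now + timedelta(days=7), bypass=True))
```
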

S3 object lock and ransomware resilience

S3 object lock is frequently referenced in discussions about ransomware resilience because it prevents deletion of protected object versions during their retention window.

When backup applications write data to an S3-compatible target that supports object lock:

  • Retention metadata can be applied at ingestion.
  • Protected recovery points cannot be deleted prematurely.
  • Destructive API calls against locked objects are rejected.

Object lock does not prevent unauthorized access or detect malicious activity. Its function is specific: it ensures that once data is written and protected, it cannot be altered or removed before the retention conditions are satisfied.

This capability supports modern backup strategies that include at least one immutable copy of data.
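Because object lock only protects versions that actually carry retention metadata, it is worth checking that recovery points received it at ingestion. The following added example (not from the original article or any vendor tooling) classifies object versions by their lock state; the field names follow the S3 HeadObject response, while the function name, the 14-day window, and the sample records are assumptions.

```python
from datetime import datetime, timedelta, timezone

def audit_recovery_points(versions, now, min_days):
    """Classify each backup object version by how well object lock protects it.
    Returns a list of (key, version_id, status, detail) tuples."""
    required_until = now + timedelta(days=min_days)
    findings = []
    for v in versions:
        mode = v.get("ObjectLockMode")
        until = v.get("ObjectLockRetainUntilDate")
        hold = v.get("ObjectLockLegalHoldStatus") == "ON"
        if mode is None or until is None:
            status, detail = "UNPROTECTED", "no retention set at ingestion"
        elif until <= now:
            status, detail = "EXPIRED", "retention passed; normal permissions apply"
        elif until < required_until:
            status, detail = "SHORT", f"retention ends before the {min_days}-day window"
        elif mode == "GOVERNANCE":
            status, detail = "BYPASSABLE", "authorized users can override retention"
        else:
            status, detail = "OK", "compliance retention covers the window"
        if hold and status != "OK":
            detail += "; legal hold currently blocks deletion"
        findings.append((v["Key"], v["VersionId"], status, detail))
    return findings

NOW = datetime(2026, 2, 21, tzinfo=timezone.utc)
# Constructed sample records; keys and version ids are placeholders.
SAMPLE = [
    {"Key": "backups/db-01.bak", "VersionId": "v1", "ObjectLockMode": "COMPLIANCE",
     "ObjectLockRetainUntilDate": NOW + timedelta(days=30)},
    {"Key": "backups/db-02.bak", "VersionId": "v1", "ObjectLockMode": "GOVERNANCE",
     "ObjectLockRetainUntilDate": NOW + timedelta(days=30)},
    {"Key": "backups/db-03.bak", "VersionId": "v1", "ObjectLockMode": "COMPLIANCE",
     "ObjectLockRetainUntilDate": NOW + timedelta(days=3)},
    {"Key": "backups/db-04.bak", "VersionId": "v1"},
    {"Key": "backups/db-05.bak", "VersionId": "v1", "ObjectLockMode": "COMPLIANCE",
     "ObjectLockRetainUntilDate": NOW - timedelta(days=1), "ObjectLockLegalHoldStatus": "ON"},
]

if __name__ == "__main__":
    for key, vid, status, detail in audit_recovery_points(SAMPLE, NOW, min_days=14):
        print(f"{status:<11} {key} ({vid}): {detail}")
```
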

Regulatory retention and WORM requirements

In many industries, data must be stored in a non-rewritable, non-erasable format for defined periods.

S3 object lock compliance mode is designed to support such requirements by:

  • Preventing deletion during the retention window.
  • Preventing retention reduction.
  • Enforcing immutability consistently through the API.

Regulatory frameworks in financial services, healthcare, and other sectors often require demonstrable controls over record integrity and retention.

Independent assessments have evaluated S3 object lock implementations against certain regulatory standards, validating that when configured appropriately, they can support compliance objectives.

Organizations typically confirm that their S3-compatible storage platform implements object lock in alignment with applicable regulatory guidance.

Public cloud and S3-compatible platforms

Although introduced within AWS, S3 object lock is implemented across many S3-compatible object storage systems.

This allows organizations to apply consistent immutability controls in:

  • Public cloud environments.
  • Hybrid deployments.
  • On-premises object storage.

Scality RING and Scality ARTESCA both support S3 object lock in governance and compliance modes, providing API-compatible immutability within enterprise data centers.

Because these platforms adhere to the S3 specification, applications that support AWS S3 object lock integrate without modification.

Architectural considerations

API-level immutability is a critical control, but storage architecture influences how immutability behaves in practice.

When evaluating object storage systems that support S3 object lock, organizations often examine:

  • How object versions are stored internally.
  • Whether data is overwritten in place.
  • How replication preserves retention metadata.
  • Audit logging of retention and legal hold changes.

In Scality’s architecture, data updates create new versions rather than overwriting existing blocks. This aligns naturally with the version-based protection model used by S3 object lock.

Immutability is therefore enforced at the API layer and supported by a version-centric storage design.

How S3 object lock fits into modern data protection

S3 object lock operates independently of backup orchestration software. Backup platforms manage scheduling, indexing, and restore operations. Object storage enforces retention and immutability once data is written.

This separation ensures that:

  • Applications determine what to write and when.
  • Storage systems determine what cannot be deleted.

When properly integrated, retention settings are applied automatically during backup ingestion, reducing reliance on manual configuration.

Conclusion

S3 object lock provides API-level WORM protection for object storage environments. By combining versioning, time-based retention, legal holds, and clearly defined enforcement modes, it ensures that protected object versions cannot be deleted or overwritten during defined windows.

In ransomware resilience strategies, it preserves recovery data during critical periods. In regulated industries, it supports non-rewritable, non-erasable retention requirements.

Available across public cloud and S3-compatible platforms such as Scality RING and ARTESCA, S3 object lock offers a consistent immutability model aligned with modern object storage architectures.