Using object lock

Overview

After you create a bucket with object lock enabled, you can manage retention and legal hold settings at the bucket and object level. The retention mode (Compliance or Governance) is set during bucket creation and cannot be changed in the Storage Console afterward. You can extend retention periods, but not shorten them. All operations below require the appropriate IAM permissions.

Retention modes

When you set a retention policy on a bucket or object, you choose one of two modes:

| Mode | Who can delete or shorten retention | Use case |
|------|-------------------------------------|----------|
| Compliance | No one. Not even the root user. The object version is immutable until the retention period expires. | Regulatory requirements (SEC, FINRA, HIPAA) that mandate true WORM storage. |
| Governance | The root user, or any IAM user with the s3:BypassGovernanceRetention permission, can delete the object or shorten the retention period. | Testing retention settings before applying Compliance mode, or protecting data while keeping an administrative override. |

You can set a default retention mode and period (in days or years) for a bucket only during bucket creation. After creation, the Retention section in bucket settings shows the current configuration, but the mode selector is disabled.

What you can do in the Storage Console

  • Enable retention at creation time. When creating a bucket with object lock, select either Compliance or Governance mode and enter the validity period in days or years. This default applies to all objects uploaded to the bucket.

  • Extend the retention period. If the bucket already has retention enabled, you can increase the validity (for example, from 30 days to 90 days). The console accepts the new value.

  • You cannot decrease the retention period. The console will show the error "You cannot decrease object lock time" if you enter a shorter value. This restriction also applies via the API.

  • You cannot switch from Compliance to Governance. The console shows "Switching back from Compliance mode is not allowed." This restriction also applies via the API.

Change object or version retention

You can view and modify retention settings for individual objects or specific versions. In the bucket view, click the Settings (gear) icon next to an object to open Object settings. Expand the object row to see all versions with their Version IDs and access settings per version.

The Object settings dialog shows two sections:

  • Retention Policy with the current mode (Compliance or Governance) and the Date field showing when retention expires. You can switch from Governance mode to Compliance, but not vice versa. You can also extend the existing retention period here.

  • Legal Hold with a toggle to turn it on or off.

Delete markers and locked objects

Object lock does not prevent adding a delete marker. A delete marker hides the object from the default listing but does not remove any version. You can view a hidden object by enabling Show deleted files in the bucket view.

You cannot permanently delete a version that has an active retention period or legal hold. The console shows an error if you try. This applies regardless of whether you use the console or the CLI.

To permanently delete a Governance-locked version before its retention expires, use the AWS CLI with the --bypass-governance-retention flag. Compliance-locked versions cannot be permanently deleted until the retention period expires.

The scheduled bucket emptying feature in bucket settings also cannot remove objects protected by Compliance mode. Those objects remain in the bucket.

Legal hold

A legal hold prevents an object version from being overwritten or deleted, regardless of its retention settings. Unlike retention modes, a legal hold has no expiration date. It stays active until you explicitly remove it.

You can apply a legal hold to any object version, even if that version already has a retention period. Both protections operate independently: removing the legal hold does not affect the retention period, and the retention period expiring does not remove the legal hold.

Key differences from retention modes:

  • No expiration. A legal hold persists until a user with the s3:PutObjectLegalHold permission removes it.

  • Per-version. You apply a legal hold to a specific object version, not to the entire bucket.

  • Independent of retention. An object can have both a retention period and a legal hold at the same time. The object remains protected as long as either one is active.

To apply or remove a legal hold in the Storage Console, open the properties of the object version and toggle the Legal Hold setting.

AWS CLI examples

The following examples use the eu-central-2 region. Replace bucket names, keys, and version IDs with your own values.

Set Governance retention on an object

Set Compliance retention on an object

Bypass Governance retention to delete an object version

The calling credentials must have the s3:BypassGovernanceRetention permission.
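The three scenarios above, plus the legal hold toggle from the previous section, as an added example written against the boto3 S3 client rather than the CLI; these are not the page's own commands. Each build_* function returns the client method name and the exact keyword arguments that call takes (the boto3 equivalents of --retention, --bypass-governance-retention and --legal-hold), so the request can be inspected or tested without credentials, and run() performs it. eu-central-2 is the region named on the page; ENDPOINT_URL, the 365-day expansion of "years", and every bucket, key and version ID value are this example's placeholders and assumptions.

```python
"""Object lock calls for the page's CLI scenarios, written against the boto3
S3 client (added example, not the page's own commands). build_* functions
return (method name, kwargs) so requests can be checked offline; run()
executes them. Region eu-central-2 is from the page; ENDPOINT_URL and all
bucket/key/version-id values are placeholders (assumptions)."""
from datetime import datetime, timedelta, timezone
from typing import Optional

REGION = "eu-central-2"
# Set to your provider's S3 endpoint when not using AWS directly (assumption).
ENDPOINT_URL: Optional[str] = None

# Constructed reference time used by the demo below.
EXAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def retain_until(now: datetime, days: int = 0, years: int = 0) -> datetime:
    """RetainUntilDate for a period given in days or years (exactly one).
    The API takes an absolute UTC timestamp, not a duration; years are
    expanded as 365-day spans here, which is this example's simplification."""
    if (days > 0) == (years > 0):
        raise ValueError("give a positive number of days or of years, not both")
    span = timedelta(days=days) if days > 0 else timedelta(days=365 * years)
    return now.astimezone(timezone.utc) + span


def build_put_retention(bucket, key, version_id, mode, until, bypass=False):
    """put-object-retention on one version. bypass only matters when shortening
    an existing Governance period; Compliance periods can never be shortened."""
    if mode not in ("GOVERNANCE", "COMPLIANCE"):
        raise ValueError(f"unknown mode {mode!r}")
    if until.tzinfo is None:
        raise ValueError("RetainUntilDate must be timezone-aware")
    kwargs = {"Bucket": bucket, "Key": key, "VersionId": version_id,
              "Retention": {"Mode": mode, "RetainUntilDate": until}}
    if bypass:
        kwargs["BypassGovernanceRetention"] = True
    return "put_object_retention", kwargs


def build_bypass_delete(bucket, key, version_id):
    """delete-object --bypass-governance-retention on one version. Succeeds only
    for Governance locks and only with s3:BypassGovernanceRetention."""
    return "delete_object", {"Bucket": bucket, "Key": key, "VersionId": version_id,
                             "BypassGovernanceRetention": True}


def build_legal_hold(bucket, key, version_id, on: bool):
    """put-object-legal-hold; Status ON applies the hold, OFF removes it."""
    return "put_object_legal_hold", {"Bucket": bucket, "Key": key, "VersionId": version_id,
                                     "LegalHold": {"Status": "ON" if on else "OFF"}}


def summarize(retention_resp: Optional[dict], hold_resp: Optional[dict],
              now: datetime) -> dict:
    """Normalize get-object-retention / get-object-legal-hold responses into one
    protection summary. Pass None for a call that returned no configuration."""
    ret = (retention_resp or {}).get("Retention", {})
    until = ret.get("RetainUntilDate")
    hold = (hold_resp or {}).get("LegalHold", {}).get("Status") == "ON"
    active = until is not None and until > now
    return {"mode": ret.get("Mode"), "retain_until": until,
            "retention_active": active, "legal_hold": hold,
            "protected": active or hold}


def run(call):
    """Execute a built call against the service (needs boto3 and credentials)."""
    import boto3  # imported here so the builders work without boto3 installed
    method, kwargs = call
    s3 = boto3.client("s3", region_name=REGION, endpoint_url=ENDPOINT_URL)
    return getattr(s3, method)(**kwargs)


if __name__ == "__main__":
    # Placeholder identifiers; replace with your own bucket, key and version ID.
    b, k, v = "example-locked-bucket", "reports/q1.pdf", "EXAMPLE_VERSION_ID"
    print(build_put_retention(b, k, v, "GOVERNANCE", retain_until(EXAMPLE_NOW, days=30)))
    print(build_put_retention(b, k, v, "COMPLIANCE", retain_until(EXAMPLE_NOW, years=1)))
    print(build_bypass_delete(b, k, v))
    print(build_legal_hold(b, k, v, on=True))
    # run(build_bypass_delete(b, k, v))  # performs the real call when credentials are present
```

Calling run() on the bypass-delete request against a Compliance-locked version fails with an access error from the service, exactly as the text above describes; the builders do not try to predict that, they only produce well-formed requests.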

| Feature | Compliance | Governance | Legal Hold |
|---------|------------|------------|------------|
| Prevents deletion | Yes | Yes | Yes |
| Prevents overwrite | Yes | Yes | Yes |
| Can shorten retention | No | Yes (with s3:BypassGovernanceRetention) | N/A |
| Can remove before expiry | No | Yes (with s3:BypassGovernanceRetention) | Yes (with s3:PutObjectLegalHold) |
| Has expiration date | Yes | Yes | No |
| Applied per | Bucket or object version | Bucket or object version | Object version only |
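The rules in this table, together with the retention-change restrictions ("You cannot decrease object lock time", no switch back from Compliance) and the delete-marker behaviour described earlier on this page, as an added executable model; this is example code, not the storage provider's implementation. It decides whether one operation on one object version is allowed from the version's mode and retain-until date, its legal hold flag and the caller's IAM permissions. The permission names are the page's; the function and operation names, and the reference dates, are this example's own.

```python
"""Executable model of the object lock rules on this page (added example, not
the provider's code). Each can_* function answers "is this allowed?" for one
object version and returns (allowed, reason). Permission names are the
page's; dates, function names and the VersionState type are this model's own."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

COMPLIANCE = "COMPLIANCE"
GOVERNANCE = "GOVERNANCE"
BYPASS_PERM = "s3:BypassGovernanceRetention"
LEGAL_HOLD_PERM = "s3:PutObjectLegalHold"

# Constructed reference times for the demo and the checks.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
IN_30_DAYS = NOW + timedelta(days=30)
IN_90_DAYS = NOW + timedelta(days=90)
YESTERDAY = NOW - timedelta(days=1)


@dataclass
class VersionState:
    """Protection state of one object version."""
    mode: Optional[str] = None               # COMPLIANCE, GOVERNANCE or None
    retain_until: Optional[datetime] = None  # None when no retention is set
    legal_hold: bool = False


def retention_active(v: VersionState, now: datetime = NOW) -> bool:
    return v.retain_until is not None and v.retain_until > now


def is_protected(v: VersionState, now: datetime = NOW) -> bool:
    """Protected while either the retention period or a legal hold is active."""
    return retention_active(v, now) or v.legal_hold


def can_delete(v: VersionState, perms: frozenset, bypass: bool = False,
               now: datetime = NOW) -> Tuple[bool, str]:
    """Permanent deletion (or overwrite) of a specific version."""
    if v.legal_hold:
        # A hold wins regardless of mode or expiry; only removing it helps.
        return False, "legal hold active"
    if not retention_active(v, now):
        return True, "no active retention"
    if v.mode == COMPLIANCE:
        return False, "Compliance retention active; immutable until expiry"
    # Governance: the caller must pass the bypass flag AND hold the permission.
    if bypass and BYPASS_PERM in perms:
        return True, "Governance retention bypassed"
    return False, "Governance retention active; bypass flag and permission required"


def can_add_delete_marker(v: VersionState) -> Tuple[bool, str]:
    """A delete marker only hides the object from listings; every version stays."""
    return True, "delete marker hides the object, versions are kept"


def can_set_retention(v: VersionState, new_mode: str, new_until: datetime,
                      perms: frozenset, bypass: bool = False) -> Tuple[bool, str]:
    """Change the mode and/or retain-until date of a version."""
    if v.mode == COMPLIANCE and new_mode == GOVERNANCE:
        return False, "Switching back from Compliance mode is not allowed"
    if v.retain_until is not None and new_until < v.retain_until:
        # Shortening is only possible for Governance, and only via bypass.
        if v.mode == GOVERNANCE and bypass and BYPASS_PERM in perms:
            return True, "Governance retention shortened via bypass"
        return False, "You cannot decrease object lock time"
    return True, "retention set or extended"


def can_toggle_legal_hold(perms: frozenset) -> Tuple[bool, str]:
    """Applying and removing a hold both need s3:PutObjectLegalHold; no expiry."""
    if LEGAL_HOLD_PERM in perms:
        return True, "legal hold changed"
    return False, "s3:PutObjectLegalHold required"


if __name__ == "__main__":
    admin = frozenset({BYPASS_PERM, LEGAL_HOLD_PERM})
    gov = VersionState(GOVERNANCE, IN_30_DAYS)
    comp = VersionState(COMPLIANCE, IN_30_DAYS)
    held = VersionState(GOVERNANCE, YESTERDAY, legal_hold=True)
    for name, v in (("governance", gov), ("compliance", comp), ("expired+hold", held)):
        print(f"{name}: delete with bypass -> {can_delete(v, admin, bypass=True)}")
    print("compliance -> governance:", can_set_retention(comp, GOVERNANCE, IN_90_DAYS, admin))
    print("governance -> compliance, extended:", can_set_retention(gov, COMPLIANCE, IN_90_DAYS, admin))
```

The model keeps the two protections independent, as the page states: an expired retention period with a legal hold still blocks deletion, and a bypass that would succeed against a Governance lock is refused while a hold is set.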
