S3 object locking is a feature that helps prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely.
S3 object locking can be enabled on an S3 bucket provided that the bucket's view is not simultaneously enabled for access via other client protocols. Once S3 object locking is enabled on a view, it cannot be disabled. S3 object versioning is automatically enabled with S3 object locking.
There are two levels of protection with S3 object locking, called retention modes:
Governance mode, in which users can't overwrite or delete an object version or alter its lock settings unless they have special permissions. With governance mode, you protect objects against being deleted by most users, but you can still grant some users permission to alter the retention settings or delete the object if necessary. You can also use governance mode to test retention-period settings before creating a compliance-mode retention period.
To override or remove governance-mode retention settings, a user must have the s3:BypassGovernanceRetention permission and must explicitly include x-amz-bypass-governance-retention:true as a request header with any request that requires overriding governance mode. Holding the permission alone is not enough: a request without the header is refused as if the caller had no bypass rights.
Compliance mode, in which a protected object version can't be overwritten or deleted by any user. When an object is locked in compliance mode, its retention mode can't be changed, and its retention period can't be shortened. Compliance mode helps ensure that an object version can't be overwritten or deleted for the duration of the retention period.
There are two ways to manage object retention with object locking:
Retention period, which specifies a fixed period of time during which an object version remains locked. During this period, the version is WORM-protected. Because object locking implies versioning, deleting or overwriting the object does not remove the locked version: a delete without a version ID adds a delete marker and an overwrite adds a new version, so the locked version ceases to be the latest version and can only be accessed by its version ID. A request to delete that specific version ID is refused for as long as the retention period applies (subject to the governance-mode bypass described above).
Legal hold, which provides the same protection as a retention period, but it has no expiration date. Instead, a legal hold remains in place until you explicitly remove it. Legal holds are independent from retention periods.
When object locking is enabled on a bucket, each object version in the bucket can have no lock, a retention lock, a legal hold, or both a retention lock and a legal hold, since the two are independent. If you configure a default retention period on the bucket, object versions that are placed in the bucket are automatically protected with a retention lock in the default mode for the default period, without the client having to request it.
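The rules above (governance versus compliance mode, the bypass permission plus header, retention periods, legal holds and bucket default retention) interact in ways that are easy to get wrong when designing an IAM policy or an incident-response runbook. The following added example, which is not code from this page, the storage product it documents or AWS, models those rules in a small in-memory simulator so you can see which requests succeed against a locked version. The class and function names (LockedBucket, Principal, Version, scenario) and the sample object are assumptions constructed for the model; s3:BypassGovernanceRetention, s3:PutObjectLegalHold and x-amz-bypass-governance-retention are the real IAM action and header names.

```python
"""In-memory model of the S3 Object Lock rules described on this page (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

GOVERNANCE, COMPLIANCE = "GOVERNANCE", "COMPLIANCE"
BYPASS_PERM = "s3:BypassGovernanceRetention"          # real IAM action
BYPASS_HEADER = "x-amz-bypass-governance-retention"   # real request header


class ObjectLockError(PermissionError):
    """Raised where the service would answer 403 AccessDenied."""


@dataclass
class Version:
    version_id: str
    body: Optional[bytes]                   # None marks a delete marker
    retention_mode: Optional[str] = None
    retain_until: Optional[datetime] = None
    legal_hold: bool = False


@dataclass
class Principal:
    name: str
    permissions: frozenset                  # IAM actions granted to the caller


class LockedBucket:
    """A versioned, Object-Lock-enabled bucket with optional default retention (model)."""

    def __init__(self, default_mode=None, default_days=None):
        self.default_mode, self.default_days = default_mode, default_days
        self.versions = {}                  # key -> [Version, ...], oldest first
        self._seq = 0

    def put_object(self, key, body, now):
        self._seq += 1
        v = Version(f"v{self._seq}", body)
        if self.default_mode:               # default retention locks every new version
            v.retention_mode = self.default_mode
            v.retain_until = now + timedelta(days=self.default_days)
        self.versions.setdefault(key, []).append(v)
        return v

    def get_object(self, key, version_id=None):
        """Latest version (None if a delete marker is latest) or one specific version."""
        vs = self.versions.get(key, [])
        if version_id is None:
            return vs[-1] if vs and vs[-1].body is not None else None
        return next((v for v in vs if v.version_id == version_id), None)

    def _locked(self, v, now):
        return v.retention_mode is not None and v.retain_until > now

    def _authorize_override(self, v, who, headers, now):
        """Allow a destructive change only if no retention applies or governance is bypassed."""
        if not self._locked(v, now):
            return
        if v.retention_mode == COMPLIANCE:
            raise ObjectLockError("compliance mode: no user can override")
        if BYPASS_PERM in who.permissions and headers.get(BYPASS_HEADER) == "true":
            return                          # bypass needs BOTH the permission and the header
        raise ObjectLockError("governance mode: bypass permission and header required")

    def delete_object(self, key, who, now, version_id=None, headers=None):
        if version_id is None:              # versioned delete: add a marker, remove nothing
            self._seq += 1
            marker = Version(f"v{self._seq}", None)
            self.versions.setdefault(key, []).append(marker)
            return marker
        v = self.get_object(key, version_id)
        if v.legal_hold:                    # a legal hold blocks removal even with bypass
            raise ObjectLockError("legal hold in place; remove it first")
        self._authorize_override(v, who, headers or {}, now)
        self.versions[key].remove(v)
        return None

    def put_object_retention(self, key, version_id, who, now, mode, until, headers=None):
        v = self.get_object(key, version_id)
        if self._locked(v, now):
            if v.retention_mode == COMPLIANCE and (mode != COMPLIANCE or until < v.retain_until):
                raise ObjectLockError("compliance mode: cannot change mode or shorten")
            if v.retention_mode == GOVERNANCE and (mode != GOVERNANCE or until < v.retain_until):
                self._authorize_override(v, who, headers or {}, now)   # altering needs bypass
        v.retention_mode, v.retain_until = mode, until     # extending never needs bypass
        return v

    def put_legal_hold(self, key, version_id, who, on):
        if "s3:PutObjectLegalHold" not in who.permissions:
            raise ObjectLockError("s3:PutObjectLegalHold required")
        v = self.get_object(key, version_id)
        v.legal_hold = on
        return v


def attempt(fn):
    """Run one request and report 'allowed' or 'denied' instead of raising."""
    try:
        fn()
        return "allowed"
    except ObjectLockError:
        return "denied"


def scenario():
    """Exercise the page's rules on one constructed object; returns {case: outcome}."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    b = LockedBucket(default_mode=GOVERNANCE, default_days=30)
    user = Principal("user", frozenset())
    admin = Principal("admin", frozenset({BYPASS_PERM, "s3:PutObjectLegalHold"}))
    bypass = {BYPASS_HEADER: "true"}
    key, r = "audit.log", {}
    vid = b.put_object(key, b"day 1", now).version_id       # locked by default retention
    b.delete_object(key, user, now)                          # plain delete -> delete marker
    r["latest_is_none_after_marker"] = b.get_object(key) is None
    r["v1_reachable_by_id"] = b.get_object(key, vid) is not None
    r["gov_user_delete"] = attempt(lambda: b.delete_object(key, user, now, vid, bypass))
    r["gov_admin_no_header"] = attempt(lambda: b.delete_object(key, admin, now, vid))
    r["gov_extend_no_bypass"] = attempt(lambda: b.put_object_retention(key, vid, user, now, GOVERNANCE, now + timedelta(days=60)))
    r["gov_shorten_no_bypass"] = attempt(lambda: b.put_object_retention(key, vid, user, now, GOVERNANCE, now + timedelta(days=10)))
    b.put_legal_hold(key, vid, admin, True)
    r["legal_hold_blocks_bypass"] = attempt(lambda: b.delete_object(key, admin, now, vid, bypass))
    b.put_legal_hold(key, vid, admin, False)
    b.put_object_retention(key, vid, admin, now, COMPLIANCE, now + timedelta(days=365), bypass)
    r["compliance_admin_bypass_delete"] = attempt(lambda: b.delete_object(key, admin, now, vid, bypass))
    r["compliance_back_to_governance"] = attempt(lambda: b.put_object_retention(key, vid, admin, now, GOVERNANCE, now + timedelta(days=365), bypass))
    r["compliance_extend"] = attempt(lambda: b.put_object_retention(key, vid, admin, now, COMPLIANCE, now + timedelta(days=400)))
    r["expired_delete"] = attempt(lambda: b.delete_object(key, user, now + timedelta(days=401), vid))
    return r


if __name__ == "__main__":
    for case, outcome in scenario().items():
        print(f"{case:32s} {outcome}")
```

Against a real endpoint the same operations map onto the S3 API calls `PutObjectRetention`, `PutObjectLegalHold` and a versioned `DeleteObject` (in boto3: `put_object_retention`, `put_object_legal_hold` and `delete_object(..., VersionId=..., BypassGovernanceRetention=True)`, where that parameter is what emits the bypass header). The two outcomes worth remembering from the run are that a legal hold stops even a governance bypass, and that once a version has been moved to compliance mode no combination of permissions and headers gets it back.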
For detailed information about how object locking works, see the AWS S3 documentation page, How S3 Object Lock works.
For information about supported ways to manage object locking on buckets and objects, see the following sections: