Standard

Object Lock / WORM Semantics

An S3 API extension that provides write-once-read-many (WORM) protection for objects, preventing deletion or modification for a specified retention period.

9 connections 3 resources

Summary

What it is

An S3 API extension that provides write-once-read-many (WORM) protection for objects, preventing deletion or modification for a specified retention period.

Where it fits

Object Lock is the compliance and data protection layer of S3. It enables tamper-proof storage for regulatory requirements (SEC 17a-4, GDPR), ransomware protection (immutable backups), and legal hold — all through the standard S3 API.

Misconceptions / Traps

Object Lock has two modes: Governance (allows override with special permissions) and Compliance (no one, including root, can delete until retention expires). Choosing the wrong mode can make data undeletable.
Not all S3-compatible implementations support Object Lock. MinIO, Dell ECS, and NetApp StorageGRID do; others may not. Verify before relying on it for compliance.

Key Connections

scoped_to S3 API — an extension to the S3 API
enables Immutable Backup Repository on Object Storage — the mechanism for tamper-proof backups
enables Ransomware-Resilient Object Backup Architecture — core protection mechanism
solves Retention Governance Friction — API-enforced retention replaces manual governance

Definition

What it is

An S3 API extension that enables write-once-read-many (WORM) protection on objects, preventing deletion or modification for a specified retention period. Supports both governance and compliance modes.

Why it exists

Regulatory requirements (SEC 17a-4, GDPR, HIPAA) mandate immutable data retention. Object Lock provides tamper-proof protection at the storage layer, making S3 suitable for compliance-driven archival and ransomware-resistant backup.

Primary use cases

Regulatory-compliant data retention, ransomware-proof backup vaults, legal hold enforcement, immutable audit logs.