S3 Object Lock
Definition
Write-once-read-many (WORM) feature for Amazon S3 buckets: once configured, an object version cannot be deleted or overwritten, either for a **fixed retention period** or **indefinitely via legal hold**. Two retention modes are available: **Compliance Mode** (no override; even the account root user cannot shorten the retention period or delete a protected version) and **Governance Mode** (principals with specific IAM permissions can override). Independently of the retention modes, **Legal Hold** is a separate WORM flag with no fixed duration; it remains until it is explicitly removed. Object Lock requires [S3 Versioning](/node/s3-versioning) to be enabled on the bucket.
Two distinct production-driven requirements converged on the same architecture. **Regulatory:** SEC 17a-4, CFTC, and FINRA all require certain financial records to be stored on WORM-class media with no possibility of alteration; S3 Object Lock in Compliance Mode satisfies the requirement (assessed by Cohasset Associates). **Operational:** ransomware now routinely targets backup infrastructure first to destroy the recovery path — Object Lock prevents an attacker with full IAM credentials from deleting protected backups, because Compliance Mode forbids deletion even at the root credential level.
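The rules in the definition and the ransomware argument above (compliance retention cannot be shortened or bypassed even by root, governance retention can be bypassed only with the right permission, legal hold is independent of retention) are easy to get wrong when writing backup tooling. The following is an added example, not AWS or boto3 code: a small offline decision model of those rules, plus a helper that builds the parameter dictionary in the shape boto3's `put_object_retention` expects. The `Principal` fields, the `utc` helper and the simplification that bucket policies and the versioning prerequisite are not modelled are assumptions of this example.

```python
"""Decision model for S3 Object Lock delete and retention-change rules.

Added example, not AWS or boto3 code. Simplifications (assumptions): IAM
policy evaluation, bucket policies and the versioning prerequisite are not
modelled; every object here is taken to live in a versioned bucket with
Object Lock enabled.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

COMPLIANCE = "COMPLIANCE"
GOVERNANCE = "GOVERNANCE"


def utc(year: int, month: int, day: int) -> datetime:
    """Timezone-aware UTC date, as RetainUntilDate values must be."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class ObjectVersion:
    """Lock state of one object version (constructed sample data, not read from S3)."""
    key: str
    version_id: str
    mode: Optional[str] = None              # COMPLIANCE, GOVERNANCE or None
    retain_until: Optional[datetime] = None
    legal_hold: bool = False


@dataclass
class Principal:
    """Caller identity. Root is modelled explicitly to show it gets no exemption."""
    name: str
    is_root: bool = False
    has_bypass_permission: bool = False     # IAM action s3:BypassGovernanceRetention
    sends_bypass_header: bool = False       # header x-amz-bypass-governance-retention: true


def retention_active(obj: ObjectVersion, now: datetime) -> bool:
    """A retention period only locks the version while retain-until is in the future."""
    return obj.mode is not None and obj.retain_until is not None and obj.retain_until > now


def can_delete_version(obj: ObjectVersion, who: Principal, now: datetime) -> Tuple[bool, str]:
    """Decide whether `who` may delete this specific object version."""
    if obj.legal_hold:
        # Legal hold is independent of retention and never expires on its own.
        return False, "legal hold set; it must be removed explicitly before deletion"
    if not retention_active(obj, now):
        return True, "no active retention"
    if obj.mode == COMPLIANCE:
        # who.is_root is deliberately ignored: compliance mode has no override path.
        return False, "compliance retention active; no principal, root included, can delete"
    # GOVERNANCE: the bypass needs BOTH the IAM permission and the explicit header.
    if who.has_bypass_permission and who.sends_bypass_header:
        return True, "governance retention bypassed (permission + header)"
    return False, "governance retention active and not bypassed"


def can_change_retention(obj: ObjectVersion, new_mode: str, new_until: datetime,
                         who: Principal, now: datetime) -> Tuple[bool, str]:
    """Decide whether `who` may replace the version's retention with (new_mode, new_until)."""
    if not retention_active(obj, now):
        return True, "no active retention; new retention accepted"
    if obj.mode == COMPLIANCE:
        if new_mode != COMPLIANCE:
            return False, "compliance mode cannot be changed"
        if new_until < obj.retain_until:
            return False, "compliance retention cannot be shortened"
        return True, "compliance retention extended"
    # GOVERNANCE: extending in the same mode is always allowed; any other change is
    # treated here as needing the bypass permission + header (simplification of this model).
    if new_mode == GOVERNANCE and new_until >= obj.retain_until:
        return True, "governance retention extended"
    if who.has_bypass_permission and who.sends_bypass_header:
        return True, "governance retention changed via bypass"
    return False, "changing governance retention requires bypass permission + header"


def put_object_retention_params(bucket: str, key: str, version_id: str,
                                mode: str, retain_until: datetime) -> dict:
    """Keyword arguments in the shape boto3's s3.put_object_retention expects."""
    return {"Bucket": bucket, "Key": key, "VersionId": version_id,
            "Retention": {"Mode": mode, "RetainUntilDate": retain_until}}


if __name__ == "__main__":
    now = utc(2026, 3, 1)
    backup = ObjectVersion("backups/db-2026-02-28.tar", "v1", COMPLIANCE, utc(2027, 3, 1))
    root = Principal("root", is_root=True, has_bypass_permission=True, sends_bypass_header=True)
    print(can_delete_version(backup, root, now))
    print(put_object_retention_params("backup-bucket", backup.key, "v1", COMPLIANCE, backup.retain_until))
```

The two governance checks are the part worth copying into real tooling: a principal that holds `s3:BypassGovernanceRetention` but omits the header is still refused, which is why a stolen credential with broad permissions does not by itself defeat governance mode, while compliance mode refuses the root user regardless of flags.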
Regulatory-compliance archives subject to SEC/CFTC/FINRA WORM requirements, ransomware-resilient backup retention (the canonical 2026 pattern), legal-hold preservation for litigation discovery, immutable audit logs for compliance frameworks (HIPAA, PCI DSS), and the foundation for `Ransomware Pattern Detection from Object Events` and `Defending S3 Against SSE-C Encryption Hijacking` workflows.
Recent developments
- Compliance Mode forbids deletion even at root credential level. When an object version is locked in compliance mode, retention mode cannot be changed and retention period cannot be shortened — by any user including the AWS root account. Per AWS docs — Locking objects with Object Lock.
- Cohasset Associates assessment for SEC 17a-4, CFTC, FINRA compliance. Object Lock has been independently assessed for use in environments subject to these financial-records-retention regulations. Per AWS — S3 Object Lock features.
- Object Lock at scale guidance: petabyte-scale retrofit pattern. AWS published an updated guide for applying Object Lock at scale to petabytes of existing data — covering the batch-mode workflow, IAM gotchas, and lifecycle-rule interactions. Per AWS Storage Blog — Object Lock at scale.
- Compliance Mode is now the canonical ransomware-defense pattern. The 2026 ransomware-defense literature explicitly recommends Object Lock + Compliance Mode + Versioning + MFA Delete as the four-layer defense against ransomware that targets backup destruction. Per Cloudian blog — Object Lock & Ransomware.
- March 2026 compliance-mode immutable-backup walkthrough. A March 2026 step-by-step guide covers the WORM regulatory + immutable-backup pattern with Compliance Mode. Per AWS in Plain English — Compliance Mode for Immutable Backups.
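The four-layer pattern named above (Object Lock + Compliance Mode + Versioning + MFA Delete) and the lifecycle and default-retention gotchas from the at-scale guide translate into a handful of bucket settings that can be audited mechanically. Below is an added example, not AWS or boto3 code: a posture check that evaluates the response shapes returned by boto3's `get_bucket_versioning` and `get_object_lock_configuration`, run here against constructed sample responses so it needs no AWS account. The 30-day minimum retention is an assumption for illustration, not a figure from the sources above.

```python
"""Posture check for the four-layer S3 backup-immutability pattern.

Added example, not AWS or boto3 code. The input dictionaries have the shape
of boto3's get_bucket_versioning / get_object_lock_configuration responses;
the samples below are constructed, not captured from a real account.
"""
from typing import Dict, List


def default_retention_days(rule: Dict) -> int:
    """DefaultRetention carries either Days or Years; normalise to days (365 per year, an approximation)."""
    if "Days" in rule:
        return int(rule["Days"])
    return int(rule.get("Years", 0)) * 365


def check_backup_bucket(versioning: Dict, lock_config: Dict, min_days: int = 30) -> List[str]:
    """Return findings for a backup bucket; an empty list means all four layers are present.

    versioning:  get_bucket_versioning response ({} if versioning was never configured)
    lock_config: get_object_lock_configuration response ({} if the call raised
                 ObjectLockConfigurationNotFoundError, i.e. Object Lock was never enabled)
    """
    findings: List[str] = []
    if versioning.get("Status") != "Enabled":
        findings.append("versioning is not enabled (Object Lock requires it)")
    if versioning.get("MFADelete") != "Enabled":
        findings.append("MFA Delete is not enabled; deleting versions needs no MFA")

    cfg = lock_config.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled on the bucket")
        return findings
    rule = cfg.get("Rule", {}).get("DefaultRetention")
    if not rule:
        # Without a default rule, objects are only locked when each writer sets retention itself.
        findings.append("no default retention rule; objects are unlocked unless the writer sets retention")
        return findings
    mode = rule.get("Mode")
    if mode != "COMPLIANCE":
        findings.append(f"default retention mode is {mode}; s3:BypassGovernanceRetention holders can delete")
    days = default_retention_days(rule)
    if days < min_days:
        findings.append(f"default retention of {days} days is below the required {min_days}")
    return findings


# Constructed sample responses (not captured from a real account).
HARDENED = {
    "versioning": {"Status": "Enabled", "MFADelete": "Enabled"},
    "lock": {"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 90}}}},
}
WEAK = {
    "versioning": {"Status": "Enabled"},
    "lock": {"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}},
}

if __name__ == "__main__":
    for name, sample in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, check_backup_bucket(sample["versioning"], sample["lock"]) or ["ok"])
```

Wired to real calls, the `lock_config` argument should be `{}` whenever `get_object_lock_configuration` raises `ObjectLockConfigurationNotFoundError`, which is how S3 reports a bucket on which Object Lock was never enabled.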