AWS Technologies Blog

S3 Locks

Posted on March 24, 2025 / April 2, 2025 by wpadmin

Vault Lock vs. S3 Object Lock

| Feature | Vault Lock (Glacier) | S3 Object Lock |
|---|---|---|
| Applies to | Entire Vault | Individual Objects |
| Compliance Enforcement | Vault-wide Policy | Per-object WORM settings |
| Retention Control | Time-based Policy | Retention periods per object |
| Modification After Locking | No changes allowed | Object retention settings can be extended |

2. Retention Modes

S3 Object Lock supports two modes:

| Mode | Description | Can Extend Retention? | Can Reduce Retention? | Can Delete Object? |
|---|---|---|---|---|
| Governance Mode | Protects objects, but AWS accounts with special permissions (s3:BypassGovernanceRetention) can override restrictions. | ✅ Yes | ✅ Yes (if permitted) | ✅ Yes (if permitted) |
| Compliance Mode | Fully enforces WORM – no one (even the root user) can delete or modify the object until retention expires. | ✅ Yes | ❌ No | ❌ No |

3. Key Differences: Retention Period vs. Legal Hold

| Feature | Retention Period | Legal Hold |
|---|---|---|
| Purpose | Automatically enforces protection for a fixed period | Manual, temporary hold on deletion |
| Duration | Set for days, months, or years | Indefinite (removed manually) |
| Can Be Modified? | ✅ Yes (only extended in Compliance Mode) | ✅ Yes (can be removed anytime) |
| Applies to | Individual objects | Individual objects |

S3 Object Lock vs. Glacier Vault Lock

| Feature | S3 Object Lock | Glacier Vault Lock |
|---|---|---|
| Scope | Individual objects | Entire vault |
| Compliance | SEC, FINRA, HIPAA, GDPR | SEC, FINRA, HIPAA |
| Retention Type | Retention Period & Legal Hold | Time-Based Policy |
| Can Modify After Lock? | Governance Mode: Yes (with permission); Compliance Mode: No | No (Once locked, it’s permanent) |
| Deletion Protection | Object-level | Vault-level |
| Best for | Regular S3 objects needing WORM | Long-term archives in Glacier |

Key Differences: S3 Object Lock vs. Legal Hold

| Feature | S3 Object Lock | Legal Hold |
|---|---|---|
| Retention Type | Time-based (Fixed period) | Manual (On/Off toggle) |
| Modes | Governance & Compliance | No modes, just ON/OFF |
| Expiration | Expires automatically after the set period | Does not expire unless manually removed |
| Prevents Deletion? | Yes | Yes |
| Can be Overridden? | Governance Mode: Yes (if allowed), Compliance Mode: No | No (must be manually disabled) |
| Use Case | Regulatory retention, data immutability | Legal cases, temporary retention |
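
As an added illustration (not code from the original post or from AWS), this Python model combines the retention-mode rules from section 2 with the legal-hold rules from the tables above into one decision function, so the interaction between the two is visible. `LockState`, `can_delete` and `can_set_retention` are hypothetical names, and the model assumes the caller already holds the ordinary S3 permissions for the request.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class LockState:
    """Constructed model of one object version's lock settings (not an AWS SDK type)."""
    mode: Optional[str]                # "GOVERNANCE", "COMPLIANCE" or None
    retain_until: Optional[datetime]   # end of the retention period
    legal_hold: bool = False           # legal hold ON/OFF

def retention_active(s: LockState, now: datetime) -> bool:
    return s.mode is not None and s.retain_until is not None and now < s.retain_until

def can_delete(s: LockState, now: datetime, can_bypass: bool = False):
    """Decide whether the protected object version may be deleted.
    can_bypass: caller holds s3:BypassGovernanceRetention and uses it (assumption)."""
    if s.legal_hold:
        return False, "legal hold is ON and never expires; remove it manually first"
    if not retention_active(s, now):
        return True, "no active retention period"
    if s.mode == "GOVERNANCE" and can_bypass:
        return True, "governance retention overridden by permitted caller"
    return False, f"{s.mode} retention active until {s.retain_until.date()}"

def can_set_retention(s: LockState, now: datetime, new_until: datetime,
                      can_bypass: bool = False):
    """Decide whether the retain-until date may be changed to new_until."""
    if not retention_active(s, now) or new_until >= s.retain_until:
        return True, "setting or extending retention is allowed in both modes"
    if s.mode == "GOVERNANCE" and can_bypass:
        return True, "governance retention shortened by permitted caller"
    return False, f"shortening {s.mode} retention denied"

if __name__ == "__main__":
    now = datetime(2025, 4, 2, tzinfo=timezone.utc)        # constructed sample data
    until = datetime(2026, 4, 2, tzinfo=timezone.utc)
    cases = {
        "governance": LockState("GOVERNANCE", until),
        "compliance": LockState("COMPLIANCE", until),
        "expired + legal hold": LockState("GOVERNANCE", now.replace(year=2024), True),
    }
    for name, state in cases.items():
        for bypass in (False, True):
            print(name, "bypass" if bypass else "no bypass", can_delete(state, now, bypass))
```

The third case shows why legal hold and retention have to be checked separately: the retention period has expired and the caller can bypass Governance mode, yet deletion is still refused until the hold is switched off.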
