Blogs by Jay Tillu

How to Use S3 Object Lock for WORM Compliance on Individual Files


Imagine Arjun, a security engineer working at a fintech startup, receives a compliance mandate: “All customer invoices must be retained for 7 years and must not be modified or deleted during that time.” This isn’t just a suggestion — it’s a legal requirement.

That’s when Arjun discovers Amazon S3 Object Lock — a feature that allows him to store objects using a WORM (Write Once, Read Many) model. It’s exactly what he needs. But how does it work? And how is it different from S3 Glacier Vault Lock?

Let’s dive in.


🧱 What is S3 Object Lock?

S3 Object Lock makes object versions immutable: a locked version can't be overwritten or deleted for a fixed retention period, or indefinitely while a legal hold is on it. Glacier Vault Lock applies one lock policy to an entire vault; Object Lock is granular and attaches to individual object versions (a bucket can also carry a default retention that newly uploaded objects inherit).

✅ Use Case: Ideal for compliance requirements like SEC Rule 17a-4(f), HIPAA, or internal company policies.


🔄 Enforcing the WORM Model

Before Arjun could lock anything, he had to enable Object Lock on the bucket itself. It can be switched on when the bucket is created, or later on an existing bucket. Enabling it turns on S3 Versioning if it isn't on already, because locks attach to specific object versions, and neither Object Lock nor versioning can be turned off again afterwards.

Once Object Lock was on, Arjun could:

  • Apply a retention period (a retain-until date) to an object version, in one of two retention modes: Compliance or Governance

  • Set a bucket default retention mode and period that newly uploaded objects inherit

  • Place a legal hold on an object version, with or without a retention period (more on that below)


🔒 Retention Modes: Compliance vs Governance

Arjun needed to understand two modes of retention:

1. Compliance Mode

  • Most strict

  • No one, not even the account root user, can delete the locked version, shorten its retention period or change its mode until the retain-until date passes; the period can only be extended

  • Ideal for legal and regulatory needs

Example: Arjun locks invoices for 7 years using Compliance Mode — not even he can delete them early.

2. Governance Mode

  • Less strict

  • Users holding the s3:BypassGovernanceRetention permission can override the lock (delete the version or shorten its retention), but only if they also send the x-amz-bypass-governance-retention: true header on the request; everyone else is blocked exactly as in Compliance mode

  • Good for internal policies or testing WORM before going full compliance

Example: Arjun uses Governance Mode for logs that his team might still need to delete early using the bypass permission.


⚖️ Legal Hold

A few weeks later, Arjun is asked to preserve a specific file for an ongoing investigation. Instead of setting a time-bound retention, he uses a Legal Hold.

  • Prevents the version from being deleted or overwritten until the hold is explicitly removed

  • Is independent of retention: it can be placed with or without a retention period, and it stays in force even after that period expires

  • Can be placed or removed only by users with the s3:PutObjectLegalHold permission

This feature is ideal for use cases like litigation or investigation where the retention period is unknown.
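The whole procedure above, as an added example that is not part of the original post: enable Object Lock on a new bucket, then lock an invoice in Compliance mode for 7 years, a log file in Governance mode for 90 days and an investigation file under a Legal Hold, reading each lock back from the object's HEAD response. The bucket name, region, object keys and sample bodies are placeholders, and running main() assumes boto3 plus AWS credentials with the needed s3 permissions; the helpers at the top work without either.

```python
"""Added example, not from the original post: lock one invoice in Compliance
mode for 7 years, one log file in Governance mode for 90 days and one
evidence file under a Legal Hold, using boto3.

Assumptions: BUCKET, REGION and the object keys are placeholders; boto3 is
installed and AWS credentials with the relevant s3 permissions on the
bucket are configured in the environment.
"""
from datetime import datetime, timedelta, timezone
from typing import Union

BUCKET = "arjun-fintech-invoices-example"   # hypothetical bucket name
REGION = "ap-south-1"                        # hypothetical region


def retain_until(start: Union[str, datetime], years: int) -> datetime:
    """Retain-until timestamp `years` after `start` (ISO-8601 string or datetime).

    RetainUntilDate is a calendar timestamp, so add years rather than
    365 * years days. 29 Feb falls back to 28 Feb in a non-leap target year.
    """
    if isinstance(start, str):
        start = datetime.fromisoformat(start)
    try:
        return start.replace(year=start.year + years)
    except ValueError:  # 29 Feb and the target year is not a leap year
        return start.replace(year=start.year + years, day=28)


def retention(mode: str, until: datetime) -> dict:
    """The Retention structure expected by put_object_retention."""
    if mode not in ("COMPLIANCE", "GOVERNANCE"):
        raise ValueError(f"unknown retention mode: {mode}")
    return {"Mode": mode, "RetainUntilDate": until}


def legal_hold(on: bool) -> dict:
    """The LegalHold structure expected by put_object_legal_hold."""
    return {"Status": "ON" if on else "OFF"}


def lock_state(s3, key: str, version_id: str) -> dict:
    """Read the lock settings back from the object's HEAD response."""
    h = s3.head_object(Bucket=BUCKET, Key=key, VersionId=version_id)
    return {
        "mode": h.get("ObjectLockMode"),
        "retain_until": h.get("ObjectLockRetainUntilDate"),
        "legal_hold": h.get("ObjectLockLegalHoldStatus"),
    }


def main() -> None:
    import boto3  # imported here so the helpers above are usable without the SDK

    s3 = boto3.client("s3", region_name=REGION)
    now = datetime.now(timezone.utc)

    # 1. Object Lock must be enabled on the bucket; this also turns on versioning
    #    (for us-east-1 omit CreateBucketConfiguration).
    s3.create_bucket(
        Bucket=BUCKET,
        CreateBucketConfiguration={"LocationConstraint": REGION},
        ObjectLockEnabledForBucket=True,
    )

    # 2. Invoice: Compliance mode, 7 years. No principal, root included, can
    #    delete this version or shorten the period before the date passes.
    key = "invoices/2024/INV-0001.pdf"
    v = s3.put_object(Bucket=BUCKET, Key=key, Body=b"%PDF-1.7 constructed sample")
    s3.put_object_retention(Bucket=BUCKET, Key=key, VersionId=v["VersionId"],
                            Retention=retention("COMPLIANCE", retain_until(now, 7)))
    print(key, lock_state(s3, key, v["VersionId"]))

    # 3. Log: Governance mode, 90 days. Early deletion needs both the
    #    s3:BypassGovernanceRetention permission and the bypass flag on the call:
    #    s3.delete_object(Bucket=..., Key=..., VersionId=..., BypassGovernanceRetention=True)
    key = "logs/app-2024-06-01.log"
    v = s3.put_object(Bucket=BUCKET, Key=key, Body=b"constructed log line\n")
    s3.put_object_retention(Bucket=BUCKET, Key=key, VersionId=v["VersionId"],
                            Retention=retention("GOVERNANCE", now + timedelta(days=90)))
    print(key, lock_state(s3, key, v["VersionId"]))

    # 4. Evidence: Legal Hold with no end date; s3:PutObjectLegalHold is needed
    #    to place it and, later, to lift it with legal_hold(False).
    key = "investigations/case-42.zip"
    v = s3.put_object(Bucket=BUCKET, Key=key, Body=b"constructed evidence archive")
    s3.put_object_legal_hold(Bucket=BUCKET, Key=key, VersionId=v["VersionId"],
                             LegalHold=legal_hold(True))
    print(key, lock_state(s3, key, v["VersionId"]))


if __name__ == "__main__":
    main()
```

Each put_object call returns the VersionId of the version just written, and that is what the lock is applied to; a later upload to the same key creates a new, unlocked version on top, so audit the version you expect to keep, not just the key.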


✅ Best Practices

  1. Enable Object Lock on the bucket first; it turns on versioning for you, and both settings are permanent once enabled

  2. Use Compliance Mode only when you're 100% sure: the period can be extended but never shortened, and nothing can remove the lock before it ends

  3. Prefer Governance Mode if flexibility is needed, and grant s3:BypassGovernanceRetention to as few principals as possible

  4. Apply Legal Holds for temporary, indefinite protection

  5. Track retain-until dates: S3 Inventory can include each version's Object Lock mode, retain-until date and legal hold status, which gives you a report of what expires when


⚠️ Common Mistakes to Avoid

  • Forgetting to enable Object Lock on the bucket (which is what turns on versioning) before trying to lock objects

  • Accidentally setting a long retention period in Compliance Mode and getting stuck with it

  • Granting s3:BypassGovernanceRetention too broadly, so that governance-mode objects can be deleted early by anyone who adds the bypass header

  • Assuming Legal Hold = Compliance Mode — Legal Hold is not time-bound and can be removed!
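To make the rules behind these mistakes concrete, here is an added example (not from the original post) that models S3's Object Lock decision for one object version: who may delete it, shorten or relax its retention, or lift a legal hold, given the mode, the retain-until date, the caller's IAM permissions and whether the governance bypass header was sent. The principals, permission sets, keys and timestamps are constructed for the example; the rules follow the documented S3 behaviour, including that a DELETE without a version id only adds a delete marker and never touches the locked version.

```python
"""Added example, not from the original post: a small model of the Object
Lock decision rules for one object version, so the Compliance, Governance
and Legal Hold cases can be compared side by side.

The rules follow the S3 documentation; the principals, permission sets
and timestamps are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, Optional

ROOT = frozenset({"*"})   # the account root holds every permission, nothing more


@dataclass
class LockedVersion:
    """Lock state S3 keeps per object version."""
    mode: Optional[str] = None             # "COMPLIANCE", "GOVERNANCE" or None
    retain_until: Optional[datetime] = None
    legal_hold: bool = False

    def retention_active(self, now: datetime) -> bool:
        return self.retain_until is not None and now < self.retain_until


@dataclass
class Request:
    action: str                            # delete_key | delete_version | set_retention | set_legal_hold
    permissions: FrozenSet[str]            # IAM actions the caller is allowed
    bypass_header: bool = False            # x-amz-bypass-governance-retention: true
    new_retain_until: Optional[datetime] = None
    new_mode: Optional[str] = None

    def has(self, perm: str) -> bool:
        return "*" in self.permissions or perm in self.permissions


def decide(v: LockedVersion, r: Request, now: datetime) -> str:
    """Return "ALLOW" or "DENY: <reason>" for one request against one version."""
    active = v.retention_active(now)
    can_bypass = (v.mode == "GOVERNANCE" and r.bypass_header
                  and r.has("s3:BypassGovernanceRetention"))

    if r.action == "delete_key":
        # DELETE without a version id only adds a delete marker on top of the
        # locked version; the lock is not consulted at all.
        return "ALLOW" if r.has("s3:DeleteObject") else "DENY: no s3:DeleteObject"

    if r.action == "delete_version":
        if not r.has("s3:DeleteObjectVersion"):
            return "DENY: no s3:DeleteObjectVersion"
        if v.legal_hold:
            return "DENY: legal hold is ON"
        if active and v.mode == "COMPLIANCE":
            return "DENY: compliance retention until " + v.retain_until.isoformat()
        if active and not can_bypass:
            return "DENY: governance retention (needs bypass permission and header)"
        return "ALLOW"

    if r.action == "set_retention":
        if not r.has("s3:PutObjectRetention"):
            return "DENY: no s3:PutObjectRetention"
        shortens = (v.retain_until is not None and r.new_retain_until is not None
                    and r.new_retain_until < v.retain_until)
        relaxes = v.mode == "COMPLIANCE" and r.new_mode == "GOVERNANCE"
        if active and v.mode == "COMPLIANCE" and (shortens or relaxes):
            return "DENY: compliance retention can only be extended"
        if active and v.mode == "GOVERNANCE" and shortens and not can_bypass:
            return "DENY: shortening governance retention needs bypass permission and header"
        return "ALLOW"   # extending, or moving GOVERNANCE -> COMPLIANCE, is always allowed

    if r.action == "set_legal_hold":
        return "ALLOW" if r.has("s3:PutObjectLegalHold") else "DENY: no s3:PutObjectLegalHold"

    raise ValueError(f"unknown action {r.action!r}")


def demo() -> dict:
    """Run the scenarios from the post through decide(); returns name -> result."""
    utc = timezone.utc
    now = datetime(2025, 1, 15, tzinfo=utc)
    invoice = LockedVersion("COMPLIANCE", datetime(2032, 1, 15, tzinfo=utc))
    log = LockedVersion("GOVERNANCE", datetime(2025, 4, 15, tzinfo=utc))
    evidence = LockedVersion(legal_hold=True)
    expired = LockedVersion("COMPLIANCE", datetime(2024, 1, 1, tzinfo=utc))
    admin = frozenset({"s3:DeleteObject", "s3:DeleteObjectVersion", "s3:PutObjectRetention"})
    auditor = admin | {"s3:BypassGovernanceRetention", "s3:PutObjectLegalHold"}
    return {
        "root deletes invoice version": decide(invoice, Request("delete_version", ROOT, True), now),
        "root shortens invoice retention": decide(invoice, Request("set_retention", ROOT, True, new_retain_until=now), now),
        "root extends invoice retention": decide(invoice, Request("set_retention", ROOT, new_retain_until=datetime(2035, 1, 1, tzinfo=utc)), now),
        "admin deletes log version with header": decide(log, Request("delete_version", admin, True), now),
        "auditor deletes log version, no header": decide(log, Request("delete_version", auditor), now),
        "auditor deletes log version with header": decide(log, Request("delete_version", auditor, True), now),
        "root deletes evidence under legal hold": decide(evidence, Request("delete_version", ROOT, True), now),
        "admin lifts legal hold": decide(evidence, Request("set_legal_hold", admin), now),
        "auditor lifts legal hold": decide(evidence, Request("set_legal_hold", auditor), now),
        "admin deletes expired invoice version": decide(expired, Request("delete_version", admin), now),
        "admin deletes invoice key (delete marker only)": decide(invoice, Request("delete_key", admin), now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:48s} {result}")
```

Running it prints each scenario with ALLOW or DENY and the reason. The account root is blocked exactly like any other principal in Compliance mode and under a legal hold; in Governance mode it gets through only because it holds s3:BypassGovernanceRetention and sends the header, which is why that permission is the one to guard.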


📘 Frequently Asked Questions (FAQs)

🔸 Can I delete an object after the retention period ends?

Yes. Once the retain-until date passes, the version can be deleted, even in Compliance Mode, unless a legal hold is still on it.

🔸 What's the difference between Object Lock and Glacier Vault Lock?

  • Object Lock is applied per object version in S3 and is more flexible; it also works for objects stored in the S3 Glacier storage classes.

  • Vault Lock is applied to an entire Glacier vault through a vault lock policy that becomes immutable once locked, which makes it more rigid and suited to long-term archives.

🔸 Do I pay more for using Object Lock?

No. There is no additional charge for Object Lock itself, but every retained version is billed at normal S3 storage rates for as long as it's locked, and a version you can't delete is storage you can't stop paying for until the date passes.


🧩 Wrapping Up

Arjun successfully implemented S3 Object Lock for his compliance needs. By carefully choosing between Compliance and Governance modes and understanding Legal Holds, he built a secure, regulation-friendly storage solution.

And most importantly, he didn’t lock himself (or his budget) into a corner.

