PetaBytz

Protecting data with Amazon S3 Object Lock

Amazon S3 Object Lock provides two ways to manage object retention. The first is retention periods and the second is legal holds.

A retention period specifies a fixed period of time during which an object remains locked. During this period, the object is WORM-protected and can't be overwritten or deleted. You apply a retention period as a number of days or a number of years, with a minimum of 1 day and no maximum.

A legal hold provides the same protection as a retention period, but it has no expiration date. Instead, a legal hold remains in place until you explicitly remove it.

Using Amazon S3 Object Lock, you can prevent an object from being deleted or overwritten for a fixed amount of time, or until the legal hold is removed. An object version can have a retention period, a legal hold, or both. For example, you may have an object with a 1-year retention period plus a legal hold.

Governance mode or Compliance mode

When setting a retention period for your objects or buckets, you can choose the retention mode.

You should use Governance mode if you want to protect objects from being deleted by most users during a pre-defined retention period.

You should use the Compliance mode if you have a requirement to store compliant data. You should only use the Compliance mode if you never want any user, including the root user in your AWS account
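The rules above (retention expires, a legal hold does not, Governance can be bypassed by a specifically permitted principal, Compliance cannot) can be written down as a small decision model. The following is an added example and is not code from the original post or from AWS; it is pure Python with no AWS calls. The upload instant `UPLOADED_AT` is a constructed sample chosen so that the 1000-day retention used later in this walkthrough lands on the Retain until date the post shows; `bypass_governance` is an assumed flag standing in for a caller that holds `s3:BypassGovernanceRetention` and sends the `x-amz-bypass-governance-retention` header.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Retention modes, spelled as the S3 API spells them.
GOVERNANCE = "GOVERNANCE"
COMPLIANCE = "COMPLIANCE"

# Constructed sample: an upload instant that, with a 1000-day default
# retention, yields a Retain until date of 2022-05-01.
UPLOADED_AT = datetime(2019, 8, 5, 9, 30, tzinfo=timezone.utc)
RETENTION_DAYS = 1000


@dataclass
class LockState:
    """Object Lock settings attached to one object version."""
    mode: Optional[str] = None             # GOVERNANCE, COMPLIANCE or None (no retention)
    retain_until: Optional[datetime] = None
    legal_hold: bool = False


def retain_until(uploaded_at: datetime, days: int) -> datetime:
    """Retain-until instant for a retention of `days`, counted from version creation."""
    if days < 1:
        raise ValueError("Object Lock retention is at least 1 day and has no upper limit")
    return uploaded_at + timedelta(days=days)


def delete_allowed(lock: LockState, now: datetime, bypass_governance: bool = False) -> bool:
    """Return True if deleting or overwriting this version would succeed at `now`.

    `bypass_governance` (assumed flag) models a principal that holds
    s3:BypassGovernanceRetention and sends x-amz-bypass-governance-retention.
    That is the only way past a GOVERNANCE retention; COMPLIANCE retention
    and legal holds ignore it.
    """
    if lock.legal_hold:
        return False                       # no expiry: stays until explicitly removed
    if lock.mode is None or lock.retain_until is None:
        return True                        # version carries no retention
    if now >= lock.retain_until:
        return True                        # retention period has elapsed
    if lock.mode == GOVERNANCE:
        return bypass_governance
    if lock.mode == COMPLIANCE:
        return False                       # nobody, root included, until it expires
    raise ValueError(f"unknown retention mode {lock.mode!r}")


def scenarios() -> Dict[str, bool]:
    """Evaluate the cases from the text at two instants: inside and after the period."""
    until = retain_until(UPLOADED_AT, RETENTION_DAYS)
    inside = UPLOADED_AT + timedelta(days=30)
    after = until + timedelta(days=1)
    gov = LockState(GOVERNANCE, until)
    comp = LockState(COMPLIANCE, until)
    gov_hold = LockState(GOVERNANCE, until, legal_hold=True)
    return {
        "governance_inside": delete_allowed(gov, inside),
        "governance_inside_bypass": delete_allowed(gov, inside, bypass_governance=True),
        "compliance_inside_bypass": delete_allowed(comp, inside, bypass_governance=True),
        "governance_after": delete_allowed(gov, after),
        "legal_hold_after_expiry": delete_allowed(gov_hold, after),
        "no_lock": delete_allowed(LockState(), inside),
    }


if __name__ == "__main__":
    print("retain until:", retain_until(UPLOADED_AT, RETENTION_DAYS).date())
    for name, ok in scenarios().items():
        print(f"{name:28s} delete allowed = {ok}")
```

The `legal_hold_after_expiry` case is the one worth remembering when planning retention: a legal hold keeps a version undeletable even after its retention period has run out, so the hold, not the date, decides when the data can go.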

Before you can lock any objects, you must configure a bucket to use Amazon S3 Object Lock. Let’s create a bucket ‘s3objectlockexample’ and turn on versioning for the bucket. Amazon S3 Object Lock only works for buckets that have versioning enabled.

Next, expand the ‘Advanced settings’ tab and turn on S3 Object Lock.

Also check Default encryption and CloudTrail object logging, as those are recommended settings.

Click on Object Lock, select Enable governance mode and enter a retention period in days.

On the next screen, you will be prompted to confirm your choice.

Let’s upload a few objects and verify that everything works as expected. We’ll use the upload function on the S3 Console to add a few text files.

Let's look at the Object Lock properties, under the Properties tab, of one of the objects we just uploaded, 'text-file1'.

The object has been locked with a Retain until date of 2022-05-01, which is 1000 days from the date the object was uploaded.
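The same walkthrough can be done with the S3 API instead of the console, which also makes the final check (is the new object really locked for 1000 days?) scriptable. The following is an added example, not code from the original post or from AWS. It uses the real boto3 calls `create_bucket`, `put_object_lock_configuration`, `put_object`, `head_object` and `get_object_retention`; the bucket name and object key are the ones from the walkthrough (a live run needs a globally unique bucket name, so change it), and `SAMPLE_UPLOADED_AT` / `SAMPLE_RETENTION_RESPONSE` are constructed samples so the checker can be exercised without an AWS account.

```python
from datetime import datetime, timedelta, timezone

BUCKET = "s3objectlockexample"   # bucket name used in the walkthrough above
KEY = "text-file1"               # one of the uploaded text files
RETENTION_DAYS = 1000            # the default retention the walkthrough ends up with

# Constructed sample of a get_object_retention response and the matching
# LastModified, so retention_matches() can be tried without an AWS account.
SAMPLE_UPLOADED_AT = datetime(2019, 8, 5, 9, 30, tzinfo=timezone.utc)
SAMPLE_RETENTION_RESPONSE = {
    "Retention": {
        "Mode": "GOVERNANCE",
        "RetainUntilDate": datetime(2022, 5, 1, 9, 30, tzinfo=timezone.utc),
    }
}


def default_retention_config(days: int, mode: str = "GOVERNANCE") -> dict:
    """ObjectLockConfiguration payload for put_object_lock_configuration.

    This is what the console's 'Enable governance mode' plus retention-days
    fields produce: every new object version inherits this retention.
    """
    if mode not in ("GOVERNANCE", "COMPLIANCE"):
        raise ValueError("mode must be GOVERNANCE or COMPLIANCE")
    if days < 1:
        raise ValueError("retention must be at least 1 day")
    return {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": mode, "Days": days}},
    }


def retention_matches(retention_resp: dict, uploaded_at: datetime, days: int,
                      mode: str = "GOVERNANCE", tolerance_s: int = 60) -> bool:
    """True if the response shows `mode` with RetainUntilDate == uploaded_at + days.

    S3 derives RetainUntilDate from the version's creation time; LastModified
    is that time at one-second precision, so a small tolerance is allowed.
    """
    ret = retention_resp.get("Retention") or {}
    if ret.get("Mode") != mode:
        return False
    until = ret.get("RetainUntilDate")
    if until is None:
        return False
    expected = uploaded_at + timedelta(days=days)
    return abs((until - expected).total_seconds()) <= tolerance_s


def main() -> None:
    """Live run: needs boto3 and credentials; the helpers above need neither."""
    import boto3

    s3 = boto3.client("s3")
    # Creating the bucket with Object Lock enabled also enables versioning,
    # which Object Lock requires. Outside us-east-1 add
    # CreateBucketConfiguration={"LocationConstraint": <region>}.
    s3.create_bucket(Bucket=BUCKET, ObjectLockEnabledForBucket=True)
    s3.put_object_lock_configuration(
        Bucket=BUCKET,
        ObjectLockConfiguration=default_retention_config(RETENTION_DAYS),
    )
    put = s3.put_object(Bucket=BUCKET, Key=KEY, Body=b"constructed sample text\n")
    version = put["VersionId"]
    head = s3.head_object(Bucket=BUCKET, Key=KEY, VersionId=version)
    ret = s3.get_object_retention(Bucket=BUCKET, Key=KEY, VersionId=version)
    print("retain until:", ret["Retention"]["RetainUntilDate"].date())
    print("lock applied as expected:",
          retention_matches(ret, head["LastModified"], RETENTION_DAYS))


if __name__ == "__main__":
    main()
```

Running `main()` against a real account prints the Retain until date for the new version and whether it sits exactly 1000 days after the upload, which is the same check the post makes by eye in the Properties tab; the explicit `VersionId` matters because Object Lock settings belong to a version, not to the key.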
