Applying Amazon S3 Object Lock at scale for petabytes of existing data
Storage Blog
This article explains how to apply Amazon S3 Object Lock protection to existing petabytes of data using S3 Batch Operations for compliance and cyber resilience.
- S3 Object Lock provides WORM protection by making object versions immutable and preventing deletion
- Requires S3 Versioning, which is enabled automatically when Object Lock is activated on a bucket
- Two protection types: retention configuration (compliance/governance modes) and legal hold
- Compliance mode provides strict immutability; governance mode allows bypass with specific IAM permission
- Legal hold provides indefinite protection ideal for litigation scenarios
- Default retention settings apply only to new objects, not existing data
- Use S3 Batch Operations to apply protection to billions of existing objects at scale
- Create an object inventory using on-demand manifest generation or S3 Inventory with Athena
- Set up an IAM role with permissions for PutObjectRetention, PutObjectLegalHold, and KMS operations
- Test with short retention periods before production deployment
- Cleanup varies: compliance mode requires waiting; governance mode allows bypass; legal holds must be removed first
S3 Object Lock at scale enables organizations to retrofit immutability protections to existing cloud data efficiently, supporting regulatory compliance and ransomware defense strategies.
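As an added example (not code from the AWS article), the Python function below assembles the request a caller would pass to boto3's `s3control` `create_job` to apply retention to existing object versions, and refuses long retention periods unless the run is explicitly marked as production. The account ID, ARNs, ETag, report prefix, priority and the one-day test limit are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

MAX_TEST_DAYS = 1  # assumption: longer than this is not a "short" test retention


def build_retention_job(account_id, role_arn, manifest_arn, manifest_etag,
                        report_bucket_arn, mode, retain_days, now=None,
                        production=False):
    """Return kwargs for s3control.create_job applying Object Lock retention."""
    if mode not in ("GOVERNANCE", "COMPLIANCE"):
        raise ValueError("mode must be GOVERNANCE or COMPLIANCE")
    if retain_days <= 0:
        raise ValueError("retain_days must be positive")
    # Compliance-mode retention cannot be bypassed, so a test run with a long
    # period cannot be cleaned up until that period has passed.
    if not production and retain_days > MAX_TEST_DAYS:
        raise ValueError("test runs are limited to short retention periods")
    now = now or datetime.now(timezone.utc)
    return {
        "AccountId": account_id,
        "ConfirmationRequired": True,  # job stays suspended until confirmed
        "Priority": 10,
        "RoleArn": role_arn,  # role allowed PutObjectRetention on the data
        "Operation": {"S3PutObjectRetention": {
            "BypassGovernanceRetention": False,
            "Retention": {"Mode": mode,
                          "RetainUntilDate": now + timedelta(days=retain_days)},
        }},
        "Manifest": {
            # Object Lock protects object versions, so the manifest lists VersionId.
            "Spec": {"Format": "S3BatchOperations_CSV_20180820",
                     "Fields": ["Bucket", "Key", "VersionId"]},
            "Location": {"ObjectArn": manifest_arn, "ETag": manifest_etag},
        },
        "Report": {"Enabled": True, "Bucket": report_bucket_arn,
                   "Format": "Report_CSV_20180820",
                   "Prefix": "object-lock-reports", "ReportScope": "AllTasks"},
    }


# Constructed sample values; pass the result as create_job(**job).
job = build_retention_job(
    "111122223333", "arn:aws:iam::111122223333:role/example-batch-role",
    "arn:aws:s3:::example-manifests/manifest.csv", "example-etag",
    "arn:aws:s3:::example-reports", "GOVERNANCE", 1)
```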