S3 Object Lock Flashcards
What is Amazon S3 Object Lock?
Amazon S3 Object Lock is a feature that allows you to prevent the deletion of an S3 object for a specified amount of time or indefinitely, ensuring data immutability for regulatory compliance and data protection.
How does S3 Object Lock work?
S3 Object Lock works by allowing you to apply a retention policy on objects to protect them from being deleted. It supports two modes: Governance Mode for flexible protection and Compliance Mode for stricter protection where not even the root user can alter the lock.
What are the key modes of S3 Object Lock?
The key modes are Governance Mode, which allows users with specific permissions to override the lock settings, and Compliance Mode, in which no one can alter the lock settings during the retention period.
Can existing objects in an S3 bucket be protected with S3 Object Lock?
S3 Object Lock can be applied to new objects. For existing objects, they need to be copied into a bucket with Object Lock enabled with the desired lock settings applied during the copy.
How do you enable S3 Object Lock on a bucket?
To enable S3 Object Lock on a bucket, it must be enabled at the time of bucket creation. Object Lock cannot be added to an existing bucket without Object Lock.
What is the difference between a retention period and a legal hold in S3 Object Lock?
A retention period is a defined time during which an object is protected from deletes. A legal hold provides the same protection but does not have a predefined end date and can be placed or removed as needed.
Is it possible to edit or delete an object under S3 Object Lock?
Objects under S3 Object Lock in Compliance Mode cannot be edited or deleted by anyone, including the root user. In Governance Mode, users with the s3:BypassGovernanceRetention permission can edit or delete objects before the retention period expires.
How does S3 Object Lock help with regulatory compliance?
S3 Object Lock helps with regulatory compliance requirements (such as SEC Rule 17a-4(f)) by ensuring that objects cannot be deleted after they are locked, providing data immutability.
Can S3 Object Lock be used with versioned objects?
Yes, S3 Object Lock can be used with versioned objects. Each version of an object can have its own lock settings, allowing for fine-grained control over object immutability.
What happens when the retention period of an S3 Object Lock expires?
When the retention period of an S3 Object Lock expires, the protection on the object is lifted, and it can then be edited or deleted as per the bucket and IAM policies.
