Object Lock
Object Lock lets you enforce Write-Once-Read-Many (WORM) protection on stored objects. Once an object is locked, it cannot be deleted or overwritten until the retention period expires — not even by the account owner. This is designed for regulatory compliance, legal preservation, and ransomware protection use cases.
Key concepts
Retention period — A duration during which an object version cannot be deleted or overwritten.
Compliance mode — The strictest protection. No user, including the account owner, can shorten the retention period or delete a locked object before it expires. Use this for SEC 17a-4, FINRA, HIPAA, and other regulatory requirements.
Governance mode — A softer protection. Users with the appropriate permissions can bypass retention and delete objects before the period expires. Use this for internal data governance policies where some flexibility is needed.
Versioning — Object Lock requires versioning. You must enable both when creating the bucket. Once enabled, versioning cannot be suspended on a locked bucket.
Enabling Object Lock
Object Lock is opt-in and must be enabled at bucket creation time. It cannot be added to an existing bucket, and once enabled it cannot be disabled.
To create a bucket with Object Lock:
- From the dashboard, click Create Bucket.
- Enter a bucket name.
- Enable Versioning.
- Enable Object Lock.
- Select a retention mode: Compliance or Governance.
- Set a default retention duration.
- Click Create.
Object Lock must be enabled at bucket creation. It cannot be added to an existing bucket.
Retention modes
| Mode | Who can bypass | Typical use |
|---|---|---|
| Compliance | Nobody — including account owners and admins | SEC 17a-4, FINRA, HIPAA — legally mandated immutability |
| Governance | Users with bypass permission | Internal policy retention, development, audit-friendly workflows |
In Compliance mode, the retention period is absolute. No action can shorten or remove it once set. This is the mode required for most regulatory recordkeeping obligations.
In Governance mode, users with the appropriate permission can delete locked objects before the retention period expires. This is useful when you need immutability by default but want flexibility for authorized users to correct mistakes.
Choose your retention mode carefully at bucket creation. Compliance mode retention periods cannot be shortened or removed. Test with Governance mode before switching to Compliance mode in production.
Setting per-object retention
The default retention period set at bucket creation is applied automatically to every object uploaded to that bucket. You can also set or extend retention on individual object versions directly via the S3 API.
- AWS CLI
- Python (boto3)
aws s3api put-object-retention \
--bucket my-compliance-bucket \
--key important-record.pdf \
--retention '{"Mode": "COMPLIANCE", "RetainUntilDate": "2027-12-31T00:00:00Z"}' \
--endpoint-url https://eu-west-1.s3.fil.one
s3.put_object_retention(
Bucket="my-compliance-bucket",
Key="important-record.pdf",
Retention={
"Mode": "COMPLIANCE",
"RetainUntilDate": "2027-12-31T00:00:00Z",
},
)
Retention can be extended but never shortened. You can move RetainUntilDate further into the future, but you cannot bring it closer. Attempting to shorten a Compliance mode retention period returns 403 AccessDenied.
Checking retention status
aws s3api get-object-retention \
--bucket my-compliance-bucket \
--key important-record.pdf \
--endpoint-url https://eu-west-1.s3.fil.one
Returns:
{
"Retention": {
"Mode": "COMPLIANCE",
"RetainUntilDate": "2027-12-31T00:00:00Z"
}
}
Deleting locked objects
Attempting to delete an object with active retention returns 403 AccessDenied.
On a versioned bucket, a DELETE request without a version ID places a delete marker. The object appears deleted to applications, but the underlying version remains protected and intact until retention expires.
Deleting buckets with locked objects
If any object in a bucket has active Compliance retention, the bucket cannot be deleted. Once all retention periods have expired, the bucket can be deleted normally.
Object Lock and API keys
Every API key automatically includes GetBucketVersioning and GetBucketObjectLockConfiguration access. Beyond that, Object Lock behavior depends on the key's permissions and the bucket's retention mode:
- A key with Delete permission can delete objects in Governance mode buckets (subject to bypass permissions).
- Compliance mode cannot be bypassed by any key, regardless of permissions.
Object Lock during trial
Object Lock is fully available during the free trial. Trial accounts are limited to a maximum retention period of 30 days (matching the trial duration). This ensures account cleanup can proceed normally at trial expiration.
Paid accounts can set retention periods from 1 day to 10 years.
Object Lock and the Filecoin storage model
When you delete an object after its retention period expires, it is immediately removed from your Fil One account and inaccessible via the API and dashboard. The underlying Filecoin storage deals persist until their natural expiration — up to 180 days — but the data is no longer retrievable through Fil One. This does not affect your compliance posture.
Common use cases
| Use case | Typical retention | Why Object Lock |
|---|---|---|
| Financial records (SEC 17a-4) | 6–7 years | Regulatory requirement for immutable, non-rewritable storage |
| Healthcare records (HIPAA) | 6–10 years | Tamper-proof audit trail and record integrity |
| Ransomware-proof backup | 30–90 days | Prevents encrypted or deleted backups |
| Legal hold / litigation | Variable | Preserve evidence without risk of spoliation |
| GDPR audit trail | Varies | Demonstrate data handling compliance with immutable logs |