Why can I delete objects even after I turned on Object Lock for my Amazon S3 bucket?

4 minute read

I turned on Object Lock for my Amazon Simple Storage Service (Amazon S3) bucket. I need to know why I can still delete some objects from this bucket.

Resolution

The object-level Object Lock configuration settings determine whether you can delete an object from an Amazon S3 bucket with Object Lock.

To determine why you can still delete a particular object in a bucket with Object Lock, check the Object Lock setting that's applied on the object. Also, check the mode of deletion.

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent version of the AWS CLI.

Check the Object Lock legal hold and Object Lock retention settings on the object

To check these settings, open the Amazon S3 console, and navigate to the Properties page of the object. You can also run the head-object AWS CLI command:

aws s3api head-object --bucket sample-bucket --key test.png

The output looks similar to the following one:

{  
 "AcceptRanges": "bytes",  
 "LastModified": "2023-03-09T04:39:46+00:00",  
 "ContentLength": 285074,  
 "ETag": "\"1e8cd7fb4e4ddeafdc6513200f47958f\"",  
 "VersionId": "Cm_wsGgkj8L3fySNPUu.J7xV1HEKMhGr",  
 "ContentType": "image/png",  
 "ServerSideEncryption": "aws:kms",  
 "Metadata": {},  
 "SSEKMSKeyId": "arn:aws:kms:us-east-1:111111111111:key/eod57e78-8c46-454a-8c22-897d8be9a5f4",  
 "ReplicationStatus": "PENDING",  
 "ObjectLockMode": "COMPLIANCE",  
 "ObjectLockRetainUntilDate": "2023-03-10T04:39:45.913000+00:00",  
 "ObjectLockLegalHoldStatus": "ON"  
}

If you applied a legal hold on the object, then you see the ObjectLockLegalHoldStatus fields in the output. If you applied the Object Lock retention on the object, then you also see the ObjectLockMode and ObjectLockRetainUntilDate fields.

You didn't turn on Object Lock legal hold or Object Lock retention on the object

You can permanently delete the object.

You turned on Object Lock legal hold on the object

You can permanently delete the object only after a user with the s3:PutObjectLegalHold permissions explicitly turns off the legal hold on the object.

You turned on Object Lock retention on the object

If the object is protected by GOVERNANCE mode, then you can permanently delete the object under the following conditions, even before the retention period is over:

You have s3:BypassGovernanceRetention permissions.
You explicitly included x-amz-bypass-governance-retention:true as a request header in the DELETE request.

By default, the Amazon S3 console includes the x-amz-bypass-governance-retention:true header in a DELETE request. Therefore, if you have s3:BypassGovernanceRetention permissions, then you can use the S3 console to delete an object version that's protected by GOVERNANCE mode.

With s3:BypassGovernanceRetention permissions, you can also use the AWS CLI to delete an object version. Pass the --bypass-governance-retention option in the delete-object command:

aws s3api delete-object --bucket sample-bucket --key test.txt --version-id "9_gKg5vG56F.TTEUdwkxGpJ3tNDlWlGq" --bypass-governance-retention

If the object is protected by COMPLIANCE mode, then no user, including the root account, can permanently delete the object until the retention period is over.

Check the mode of deletion

Simple DELETE

In a simple DELETE operation, you delete an object without specifying the object version ID in the delete request.

You can perform a simple DELETE operation on any object that's in a bucket with Object Lock regardless of the Object Lock configurations. Simple DELETE doesn't remove any data from the bucket. It only adds a delete marker to the bucket and retains the current version as noncurrent.

Permanent DELETE

In a permanent DELETE operation, you delete an object by specifying the object version ID in the delete request.

You can perform a permanent DELETE operation on an object that's protected by GOVERNANCE retention mode even before the retention period is over. However, you must have the permissions to bypass the GOVERNANCE mode.

You can't perform a permanent DELETE on an object under either of the following conditions:

The object is protected by COMPLIANCE retention mode, and the retention period isn’t over.
Legal hold is applied on the object.

Delete through S3 Lifecycle rules

S3 Lifecycle rules continue to perform expirations of current versions through simple DELETE operations regardless of the object-level Object Lock configurations. However, these rules don't permanently delete the noncurrent versions if they're protected by Object Lock.

Related information

Legal holds

Retention modes

Topics

Storage

Relevant content

bucket is missing object lock configuration
simoneva
asked 5 years ago
S3 object lock on existing S3 objects?
Accepted Answer
EXPERT
Vikesh_P
asked 4 years ago
Snowball edge Storage Optimized - S3 buckets with object lock enabled
Accepted Answer
Ommps
asked a year ago
how to delete bucket with object lock enabled
bs
asked 2 days ago
S3 Bucket Object Lock - Deleting an object version with no retention settings requires 'BypassGovernanceRetention' permissions
boxing_surfer
asked a year ago
How do I delete Amazon S3 objects and buckets?
AWS OFFICIALUpdated 5 months ago
How can I set up cross-account replication across my Amazon S3 buckets with Object Lock?
AWS OFFICIALUpdated a year ago
How can I retrieve an Amazon S3 object that I deleted?
AWS OFFICIALUpdated 9 days ago
How can I audit deleted or missing objects from my Amazon S3 bucket?
AWS OFFICIALUpdated 5 months ago
Optimizing Storage Costs by Transitioning Millions of S3 Objects from Standard to Glacier Tier
EXPERT
Ben Lee
published 5 months ago