I turned on Object Lock for my Amazon Simple Storage Service (Amazon S3) bucket. I need to know why I can still delete some objects from this bucket.
The object-level Object Lock configuration settings determine whether you can delete an object from an Amazon S3 bucket with Object Lock.
To determine why you can still delete a particular object in a bucket with Object Lock, check the Object Lock setting that's applied on the object. Also, check the mode of deletion.
Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent version of the AWS CLI.
Check the Object Lock legal hold and Object Lock retention settings on the object
To check these settings, open the Amazon S3 console, and navigate to the Properties page of the object. You can also run the head-object AWS CLI command:
aws s3api head-object --bucket sample-bucket --key test.png
The output looks similar to the following one:
If you applied a legal hold on the object, then you see the ObjectLockLegalHoldStatus fields in the output. If you applied the Object Lock retention on the object, then you also see the ObjectLockMode and ObjectLockRetainUntilDate fields.
You didn't turn on Object Lock legal hold or Object Lock retention on the object
You can permanently delete the object.
You turned on Object Lock legal hold on the object
You can permanently delete the object only after a user with the s3:PutObjectLegalHold permissions explicitly turns off the legal hold on the object.
You turned on Object Lock retention on the object
If the object is protected by GOVERNANCE mode, then you can permanently delete the object under the following conditions, even before the retention period is over:
- You have s3:BypassGovernanceRetention permissions.
- You explicitly included x-amz-bypass-governance-retention:true as a request header in the DELETE request.
By default, the Amazon S3 console includes the x-amz-bypass-governance-retention:true header in a DELETE request. Therefore, if you have s3:BypassGovernanceRetention permissions, then you can use the S3 console to delete an object version that's protected by GOVERNANCE mode.
With s3:BypassGovernanceRetention permissions, you can also use the AWS CLI to delete an object version. Pass the --bypass-governance-retention option in the delete-object command:
aws s3api delete-object --bucket sample-bucket --key test.txt --version-id "9_gKg5vG56F.TTEUdwkxGpJ3tNDlWlGq" --bypass-governance-retention
If the object is protected by COMPLIANCE mode, then no user, including the root account, can permanently delete the object until the retention period is over.
Check the mode of deletion
In a simple DELETE operation, you delete an object without specifying the object version ID in the delete request.
You can perform a simple DELETE operation on any object that's in a bucket with Object Lock regardless of the Object Lock configurations. Simple DELETE doesn't remove any data from the bucket. It only adds a delete marker to the bucket and retains the current version as noncurrent.
In a permanent DELETE operation, you delete an object by specifying the object version ID in the delete request.
You can perform a permanent DELETE operation on an object that's protected by GOVERNANCE retention mode even before the retention period is over. However, you must have the permissions to bypass the GOVERNANCE mode.
You can't perform a permanent DELETE on an object under either of the following conditions:
- The object is protected by COMPLIANCE retention mode, and the retention period isn’t over.
- Legal hold is applied on the object.
Delete through S3 Lifecycle rules
S3 Lifecycle rules continue to perform expirations of current versions through simple DELETE operations regardless of the object-level Object Lock configurations. However, these rules don't permanently delete the noncurrent versions if they're protected by Object Lock.