S3 Bucket Object Lock - Deleting an object version with no retention settings requires 'BypassGovernanceRetention' permissions


An S3 Bucket has 'Object Lock' Enabled. Default retention is, and always has been - 'Disabled'
An S3 Object in the bucket has multiple versions. Object Lock (Legal Hold & Retention) are both 'Disabled' for all versions of the object.
Object Lock (Legal Hold & Retention) settings have never been enabled for the object or any of its previous versions

An IAM User with 'DeleteObjectVersion' permission receives 'access denied' when attempting to perform 'version delete' on a version of the object.
The delete succeeds with the additional 'BypassGovernanceRetention' allowed for the same user

Is this the expected behavior? It seems like a bug to me!
I understood the purpose of the 'BypassGovernanceRetention' is to allow changes to objects where 'governance mode' retention is enabled for the object.
But it appears 'BypassGovernanceRetention' is required to delete a version in the bucket, even if the version does not have 'governance mode' enabled.

I can find no reference in documentation for this behavior

I have confirmed this behavior occurs only for objects in buckets where object lock is enabled. For objects in buckets with versioning only (object lock disabled) - the behavior is as expected. Only the 'DeleteObjectVersion' permission is required to delete object versions.

Please advise


1 Answer

Please refer "Enabling S3 Object Lock" under https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html#object-lock-bucket-config

  1. When you create a bucket with Object Lock enabled, Amazon S3 automatically enables versioning for the bucket.
  2. If you create a bucket with Object Lock enabled, you can't disable Object Lock or suspend versioning for the bucket.

When you turn on Object Lock for a bucket, the bucket can store protected objects. However, the setting doesn't automatically protect objects that you put into the bucket. If you want to automatically protect object versions that are placed in the bucket, you can configure a default retention period. Default settings apply to all new objects that are placed in the bucket, unless you explicitly specify a different retention mode and period for an object when you create it. Bucket default settings require both a mode and a period. A bucket default mode is either governance or compliance.

Reference : https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html

profile picture
answered 16 days ago
  • Hi. Thanks for your response but I already read and understood the documentation. My question is specific. Let me ask in a more simplified way:

    For a bucket with object lock configured
    'BypassGovernanceRetention' is required to delete object versions, where object versions do not have 'governance retention' enabled

    Why should this permission be required when objects do not have governance retention?


    This is the reason I asked the question

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions