Are objects under compliance mode with retention period deletable?

0

I know all the docs say objects with compliance mode turned on DEFY deletion while they're in the retention period. Is there really no way around this? For instance, can AWS engineers delete them on their end, or are they just locked up forever?

An extreme case would be if the bucket's default policy is somehow compliance mode + a retention period of 100 years (maximum); does the data uploaded into this bucket stay permanently in this case?

Thanks!

1 Answer
0
  • In compliance mode, a protected object version can't be overwritten or deleted by any user including the root user in your AWS account.
  • In governance mode, users can't overwrite or delete an object version or alter its lock settings unless they have special permissions. If you try to delete objects protected by governance mode and have s3:BypassGovernanceRetention or s3:GetBucketObjectLockConfiguration permissions, the operation will succeed.

https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html#object-lock-retention-modes

AWS engineers do not have access to customers' data due to strict AWS privacy and security policies (https://aws.amazon.com/compliance/data-privacy-faq/), and hence it cannot be altered from AWS's end.

Once the objects are locked under compliance mode, the minimum retention period must be met before any changes are to be made.

AWS
SUPPORT ENGINEER
Harsh_P
answered a year ago
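
The following is an added example, not part of the answer above and not AWS code: a pre-deployment audit for the question's 100-year default, plus a small model of when deleting a locked object version would succeed. It assumes dicts shaped like boto3's `get_object_lock_configuration` and `get_object_retention` responses; the sample data, the function names and the 10-year policy threshold are constructed for illustration, and governance bypass is modelled as requiring `s3:BypassGovernanceRetention` together with the `x-amz-bypass-governance-retention` request header.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like a get_object_lock_configuration response
# for the question's extreme case: default COMPLIANCE retention of 100 years.
SAMPLE_BUCKET_CONFIG = {
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 100}},
    }
}

def default_retention_days(config):
    """Return (mode, days) for the bucket default, or (None, 0) if unset."""
    rule = config.get("ObjectLockConfiguration", {}).get("Rule", {})
    default = rule.get("DefaultRetention")
    if not default:
        return None, 0
    # A default rule carries Days or Years, not both. 365 days per year is
    # an approximation used only to size the audit threshold.
    return default["Mode"], default.get("Days", 0) + 365 * default.get("Years", 0)

def audit_default_retention(config, max_compliance_days=3650):
    """Flag defaults that lock every new upload beyond a (hypothetical) policy limit."""
    mode, days = default_retention_days(config)
    if mode == "COMPLIANCE" and days > max_compliance_days:
        return f"FAIL: COMPLIANCE default of {days} days exceeds {max_compliance_days}"
    return "OK"

def version_delete_allowed(retention, now, has_bypass_permission=False,
                           sent_bypass_header=False):
    """Model whether deleting a specific object version would succeed."""
    if not retention or now >= retention["RetainUntilDate"]:
        return True   # no retention set, or the retention period is over
    if retention["Mode"] == "COMPLIANCE":
        return False  # no principal, root included, can delete before expiry
    # GOVERNANCE: needs the bypass permission and the explicit bypass header
    return has_bypass_permission and sent_bypass_header

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    locked = {"Mode": "COMPLIANCE", "RetainUntilDate": now + timedelta(days=36500)}
    print(audit_default_retention(SAMPLE_BUCKET_CONFIG))
    print("delete allowed:", version_delete_allowed(locked, now, True, True))
```

Running the audit against a bucket's configuration before any data is uploaded is the point at which a mistaken compliance-mode default can still be corrected.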
