S3 Object lock in compliance mode, file uploaded thru cli, file properties shows compliance mode, I can still delete it.


I have a bucket with Object lock and compliance mode of 7 days. I upload a file thru the CLI. I show the file in the bucket with compliance mode of 7 days. I can immediately delete the file thru the CLI or the console. I am using an assumed role account from the Org parent that does have full permissions. But compliance mode should still not let me remove the file even with full permissions on the account? It says even the root account shouldn't be able to delete. Is this a bug?

3 Answers
Accepted Answer


The behavior you're seeing here is due to versioning. Versioning is mandatory when you enable object lock, so when you delete an object it places a delete marker on the object, but the original version of the object is retained. If you want to see the delete marker and original version of the object, in the management console toggle the "show versions" switch.

For reference: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-managing.html#object-lock-managing-lifecycle

answered a year ago
reviewed a year ago

I had read about the versioning, but assumed in compliance mode you could not even add the delete marker. That we would get an error trying to remove, not add the marker and hide it? That seems counter intuitive.

answered a year ago

Is the file definitely being deleted? In S3 when you delete a versioned file a delete marker is added but the previous version still remains - this can be seen by toggling the 'Show Versions' switch in the console.

This file was set with default object lock of 7 days with compliance mode and could be 'deleted' via the CLI, but the previous version is still available.

answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions