AWS Legal Hold

A retention period protects an object version for a specified period of time. When you set a retention period on an object version, Amazon S3 stores a retain-until timestamp in the object version's metadata to mark when the retention period expires. After the retention period expires, the object version can be overwritten or deleted, unless you have also placed a legal hold on the object version. For example, suppose you place a legal hold on an object version that is also protected by a retention period. When the retention period expires, the object version does not lose its WORM protection; the legal hold continues to protect it until an authorized user explicitly removes the hold. Conversely, if you remove a legal hold while the object version is still subject to a retention period, the object version remains protected until the retention period expires. You can use S3 Batch Operations with Object Lock to add a legal hold to many Amazon S3 objects at once: list the target objects in a manifest and submit that manifest to Batch Operations. The Batch Operations job that sets the Object Lock legal hold runs until it completes, is canceled, or reaches a failure state. As with a retention period, a legal hold prevents an object version from being overwritten or deleted.

However, a legal hold has no associated retention period and remains in effect until it is removed. Legal holds can be freely placed and removed by any user who has the s3:PutObjectLegalHold permission. For a complete list of Amazon S3 permissions, see Actions, Resources, and Condition Keys for Amazon S3. If you create an S3 Batch Operations job to remove a legal hold, simply specify Off as the legal hold status. For more information, see Managing Object Lock. With Amazon S3 Object Lock, you can prevent an object from being deleted or overwritten for a fixed period of time, or until the legal hold is removed. An object version can have either or both of a retention period and a legal hold. For example, an object can have a 1-year retention period plus a legal hold.

We chose the name Legal Hold, but it's really for any situation where you're not sure how long you want your objects to remain immutable. This may be because you have active litigation or an upcoming external audit of your data, or for some other reason, and you want to keep the objects in a WORM state until the audit is complete. You might have a running project that uses a dataset you want to leave in a WORM state until the project is complete. Legal holds are independent of retention periods. As long as Object Lock is enabled on the bucket that contains the object, you can place and remove a legal hold whether or not a retention period is set for the specified object version. Placing a legal hold on an object version does not affect the retention mode or retention period of that object version. You can use the Object Lock legal hold operation to protect an object version. As with a retention period, a legal hold prevents an object version from being overwritten or deleted; however, a legal hold has no associated retention period and remains in effect until it is removed. The request takes the name of the bucket that contains the object on which you want to place the legal hold. A legal hold effectively works as an infinite retention period.

Once applied, an object cannot be deleted until the hold has been released manually, and the hold can only be removed by users with the appropriate permission. Use the following example if you want to remove a legal hold. The s3:PutObjectLegalHold permission is required in your IAM role to add or remove a legal hold on an object. The example builds on the previous examples of creating a trust policy and setting configuration permissions for S3 Batch Operations and S3 Object Lock, and demonstrates how to disable legal hold on objects using Batch Operations. The legal hold status specifies whether there is a legal hold on the specified object. The example first updates the role to grant the s3:PutObjectLegalHold permission, then creates a Batch Operations job that disables (removes) the legal hold on the objects listed in the manifest, and finally generates a report on the job.

You can do the same thing programmatically. You can also change retention periods and add or remove legal holds on objects that are already in your bucket. For an example of how to use this operation with the AWS CLI, see Using S3 Batch Operations with S3 Object Lock. The request also takes the version ID of the object whose legal hold you want to retrieve. Amazon S3 Object Lock provides two ways to manage object retention: retention periods and legal holds. When you enable Object Lock on a bucket, the bucket can store protected objects; however, enabling it does not automatically protect objects that you put in the bucket. If you want to automatically protect object versions placed in the bucket, you can configure a default retention period. The default applies to all new objects placed in the bucket unless you explicitly specify a different retention mode and period for an object when you create it.

A default retention period is not expressed as a timestamp but as a duration in days or years. When you place an object version in a bucket with a default retention period, Object Lock calculates a retain-until date by adding the default retention period to the object version's creation timestamp. Amazon S3 stores the resulting timestamp as the object version's retain-until date, exactly as if you had calculated the timestamp yourself and set it on the object version. If you use this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When you use this action with an access point through the AWS SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Working with Access Points in the Amazon S3 User Guide. Object Lock operations require specific permissions, and depending on the exact operation you are attempting you may need one or more of them; the example updates the role to grant s3:PutObjectLegalHold. Amazon S3 Object Lock is the only cloud object storage WORM feature on the market today that lets you apply retention settings to individual objects in addition to the default retention settings for all objects in an S3 bucket.

Our financial services customers, who store immutable trading records, often need to adjust the retention period of their records to match the duration of the transaction. For example, if a financial services customer needs to store one set of trading records for 7 years and another set for 5 years, they can specify retention periods of 7 years and 5 years respectively. These customers find this flexibility particularly useful for adjusting the retention period of different objects in the same S3 bucket according to the length of those transactions. Other customers who want to store a large number of objects in the same bucket and lock only a subset of them also benefit from this flexibility. Amazon S3 Object Lock has been assessed by Cohasset Associates for use in environments subject to SEC 17a-4, CFTC, and FINRA regulations. For more information about how Amazon S3 Object Lock relates to these regulations, see the Cohasset Associates Compliance Assessment. We now have a bucket with S3 Object Lock enabled. What we have done so far does not automatically lock the objects you put in the bucket; to do that, we configure a default retention mode and period for the bucket, under the S3 Object Lock settings in Advanced settings on the bucket's Properties tab.

Ruhi Dang is a senior technical product manager on the Amazon S3 team at AWS. Ruhi enjoys working with AWS customers to solve difficult problems and help them rely on AWS.

Outside of work, she enjoys exploring nature and is passionate about coffee.

If you are using the bucket's default settings, you do not specify a retain-until date. Instead, you specify a duration, in days or years, for which to protect each object version placed in the bucket. When you place an object in the bucket, Amazon S3 calculates a retain-until date for the object version by adding the specified duration to the object version's creation timestamp, and stores that retain-until date in the object version's metadata. The object version is then protected exactly as if you had explicitly placed a lock with that retention period on it. S3 Batch Operations does not make any changes to the bucket itself. Use compliance mode if you need to store data subject to compliance requirements; you should only use compliance mode if you never want any user, including the root user of your AWS account, to be able to delete objects during the defined retention period. In April 2019, S3 Object Lock added support for cross-region replication (CRR). This means that in addition to locking objects, you can configure your S3 buckets to automatically and asynchronously copy locked objects and their associated metadata to an S3 bucket in another AWS Region.

If your data is important enough to warrant a retention date, it is often important enough to be replicated to another AWS Region. To override or remove retention settings in governance mode, a user must have the s3:BypassGovernanceRetention permission and must explicitly include x-amz-bypass-governance-retention:true as a request header with every request that requires a governance mode override. Note: The default settings you just created apply to all new objects placed in the bucket unless you explicitly specify a different retention mode and period for an object at upload time.
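The rules described above (default retention turned into a retain-until date, legal hold as an infinite retention period that is independent of the retention period, compliance mode that nobody can bypass, and governance mode that needs both the permission and the bypass header) are modelled in the following example. It is added here for illustration and is not AWS code; the `LockState` class, the 365-day year, and the function names are assumptions of this example, and it evaluates the decision locally without calling S3.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed model of the Object Lock state S3 keeps in object-version
# metadata: retention mode, retain-until timestamp, and the legal hold flag.
@dataclass
class LockState:
    mode: Optional[str] = None           # "GOVERNANCE", "COMPLIANCE" or None
    retain_until: Optional[datetime] = None
    legal_hold: bool = False             # Status "ON" / "OFF" in the S3 API

def apply_default_retention(created: datetime, mode: str,
                            days: int = 0, years: int = 0) -> LockState:
    """Bucket default retention is a duration (days or years), not a timestamp;
    S3 adds it to the version creation time to obtain the retain-until date.
    A year is approximated as 365 days here (assumption of this example)."""
    if (days > 0) == (years > 0):
        raise ValueError("specify exactly one of days or years")
    duration = timedelta(days=days or 365 * years)
    return LockState(mode=mode, retain_until=created + duration)

def delete_allowed(state: LockState, now: datetime, *,
                   has_bypass_permission: bool = False,
                   bypass_header: bool = False) -> bool:
    """True if deleting or overwriting this object version would be permitted.
    A legal hold acts as an infinite retention period and is checked first,
    independently of whether a retention period exists or has expired."""
    if state.legal_hold:
        return False
    if state.retain_until is None or now >= state.retain_until:
        return True                      # no period set, or period has expired
    if state.mode == "COMPLIANCE":
        return False                     # nobody, not even root, can bypass
    # GOVERNANCE: override requires s3:BypassGovernanceRetention AND the
    # x-amz-bypass-governance-retention:true request header on the request.
    return has_bypass_permission and bypass_header
```

The two arguments to `delete_allowed` mirror the two things an auditor checks on a denied or permitted governance override: the IAM permission and the presence of the header on the actual request.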