S3 Object Lock Legal Holds vs. Retention Period



As I am currently learning about S3, Object Lock I am trying to understand the different values which Legal Holds and Retention Periods have. I know the features of both of them, but I am struggling to find real-life scenarios where one or the other would be beneficial to apply. It would be greatly appreciated if somebody could share some insights on how they know or use one or the other.

Thanks in advance for any answers.

profile picture
asked 2 months ago307 views
2 Answers
Accepted Answer

A retention period protects an object version for a fixed amount of time. When you place a retention period on an object version, Amazon S3 stores a timestamp in the object version's metadata to indicate when the retention period expires. After the retention period expires, the object version can be overwritten or deleted.

With Object Lock, you can also place a legal hold on an object version. Like a retention period, a legal hold prevents an object version from being overwritten or deleted. However, a legal hold doesn't have an associated fixed amount of time and remains in effect until removed. Legal holds can be freely placed and removed by any user who has the s3:PutObjectLegalHold permission.

Suppose that you place a legal hold on an object version and that object version is also protected by a retention period. If the retention period expires, the object doesn't lose its WORM protection. Rather, the legal hold continues to protect the object until an authorized user explicitly removes the legal hold. Similarly, if you remove a legal hold while an object version has a retention period in effect, the object version remains protected until the retention period expires. https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock.html

The legal hold will hold it until someone releases that has the correct level of access. If you retain an object then after it expires anyone with DeleteObject can delete the object. But if a legal hold is in place, no one even with delete can remove an object. Grant PutObjectLegalHold to a limited number of individuals.

If you are in a legal mitigation/court case you place the object on Legal Hold until such case the lawyers release it etc.

profile picture
answered 2 months ago
profile picture
reviewed 2 months ago

The difference between the two is whether the retention period is fixed.

The retention period of data is usually determined by the organization's rules, so the Retention Period is used.

The following blog article may be helpful.


profile picture
answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions