
Object Lock (WORM)

S3 Object Lock stores objects using a write-once-read-many (WORM) model, so they cannot be deleted or overwritten until a retention date passes or a legal hold is removed.

There are two retention modes:

  • GOVERNANCE — privileged users (with s3:BypassGovernanceRetention) can still delete.
  • COMPLIANCE — no one can overwrite or delete the object until retention expires.

Enable Object Lock on a bucket

Object Lock can only be enabled when the bucket is created, and it automatically enables versioning:

```sh
s3m cb backup/vault --object-lock
```

WARNING

The target bucket must already have Object Lock enabled. Uploading lock settings into a plain bucket is rejected by S3 (InvalidRequest); s3m surfaces a hint to recreate the bucket with --object-lock.

Pass lock settings on any upload (regular, multipart, --pipe, compressed, or encrypted). --object-lock-mode and --retain-until must be used together; the date is RFC 3339:

```sh
# Retain in COMPLIANCE mode until a fixed date
s3m /path/to/backup.tar backup/vault/backup.tar \
  --object-lock-mode COMPLIANCE --retain-until 2027-01-01T00:00:00Z

# GOVERNANCE retention plus a legal hold
s3m /path/to/db.sql backup/vault/db.sql \
  --object-lock-mode GOVERNANCE --retain-until 2027-01-01T00:00:00Z --legal-hold

# Legal hold only (no fixed retention date)
s3m /path/to/report.pdf backup/vault/report.pdf --legal-hold
```
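
An added example (not part of s3m or its documentation): a pre-flight helper for backup scripts that turns a retention period in days into the paired `--object-lock-mode` / `--retain-until` flags, with the date in RFC 3339 UTC. It rejects unknown modes and periods above a local cap, since a mistyped COMPLIANCE date cannot be undone before it expires. `lock_args` and `MAX_DAYS` are hypothetical names, GNU `date` is assumed, and only the two mode spellings shown on this page are accepted.

```sh
#!/bin/sh
# Added example, not s3m code. MAX_DAYS is a hypothetical local policy cap.
MAX_DAYS="${MAX_DAYS:-400}"

# lock_args MODE DAYS [NOW_EPOCH]
# Prints: --object-lock-mode MODE --retain-until <RFC 3339 UTC timestamp>
# Returns 2 without printing flags if the input fails validation.
# NOW_EPOCH (seconds since 1970) is optional and exists for reproducible runs.
lock_args() {
  local mode="$1" days="$2" now="${3:-$(date -u +%s)}" ts

  # Only the two retention modes described on this page are allowed.
  case "$mode" in
    GOVERNANCE|COMPLIANCE) ;;
    *) echo "lock_args: invalid mode '$mode'" >&2; return 2 ;;
  esac

  # Digits only, no leading zero (avoids octal arithmetic), so never 0.
  case "$days" in
    ''|0*|*[!0-9]*)
      echo "lock_args: days must be a positive integer" >&2; return 2 ;;
  esac

  # Guardrail: refuse retention longer than the local cap.
  if [ "$days" -gt "$MAX_DAYS" ]; then
    echo "lock_args: $days days exceeds cap of $MAX_DAYS" >&2; return 2
  fi

  # GNU date: convert the target epoch to RFC 3339 in UTC.
  ts="$(date -u -d "@$((now + days * 86400))" +%Y-%m-%dT%H:%M:%SZ)" || return 2
  printf '%s\n' "--object-lock-mode $mode --retain-until $ts"
}

# Usage, left commented so that sourcing this file uploads nothing:
#   flags="$(lock_args COMPLIANCE 30)" || exit 1
#   s3m /path/to/backup.tar backup/vault/backup.tar $flags
```
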

Bucket default retention

Instead of passing lock flags on every upload, set a default retention once and S3 applies it to every new object automatically. The bucket default uses a duration (--days or --years), not a fixed date:

```sh
# Every new object gets 30 days of COMPLIANCE retention
s3m object-lock set backup/vault --mode COMPLIANCE --days 30

# View the bucket's Object Lock configuration
s3m object-lock get backup/vault
s3m object-lock get backup/vault --json
```

When the target is an object (host/bucket/key), get/set operate on that object instead of the bucket.

```sh
# Show an object's retention + legal hold
s3m object-lock get backup/vault/file.dat

# Set or extend per-object retention (a date, like uploads)
s3m object-lock set backup/vault/file.dat \
  --mode GOVERNANCE --retain-until 2027-01-01T00:00:00Z

# Toggle a legal hold
s3m object-lock set backup/vault/file.dat --legal-hold on
s3m object-lock set backup/vault/file.dat --legal-hold off
```

Shortening a GOVERNANCE retention requires an explicit bypass:

```sh
s3m object-lock set backup/vault/file.dat \
  --mode GOVERNANCE --retain-until 2026-07-01T00:00:00Z --bypass-governance
```

A specific version can be targeted with --version-id <id>, and --json is available on get for machine-readable output.

TIP

--days/--years apply to a bucket target (default retention); --retain-until applies to an object target. s3m validates that you use the right one.

Released under the BSD License.