AWS S3 Object Lock Configuration Not Preventing Deletion as Expected
I tried several approaches but none seem to work. I've looked through the documentation and I'm still confused. I'm working with a peculiar scenario while trying to implement S3 Object Lock on my bucket. I have configured the bucket using the AWS SDK for Python (Boto3) to enable Object Lock with a governance mode retention period of 1 year. However, I noticed that users with the necessary IAM permissions can still delete objects that I expected to be protected by this configuration.

Here's the code snippet I used to create the bucket with Object Lock:

```python
import boto3

s3 = boto3.client('s3')

response = s3.create_bucket(
    Bucket='my-locked-bucket',
    CreateBucketConfiguration={
        'LocationConstraint': 'us-west-2'
    }
)

s3.put_object_lock_configuration(
    Bucket='my-locked-bucket',
    ObjectLockConfiguration={
        'ObjectLockEnabled': 'Enabled',
        'Rule': {
            'DefaultRetention': {
                'Mode': 'GOVERNANCE',
                'Days': 365
            }
        }
    }
)
```

After creating the bucket, I uploaded a test object and set a retention period, but when I ran the following command to delete the object:

```bash
aws s3 rm s3://my-locked-bucket/my-object.txt
```

I received a success message, which is unexpected since I assumed the Object Lock would prevent deletion during the retention period. I've ensured that the IAM policies for the user do not allow the `s3:DeleteObject` permission specifically, but it still seems to allow deletion. I've also checked if the Object Lock was correctly set with:

```bash
aws s3api get-object-lock-configuration --bucket my-locked-bucket
```

This command returns the expected configuration. I'm not sure if there's a step I'm missing or if the governance model doesn't work as I assumed. Can someone help clarify what might be going wrong here? This is part of a larger CLI tool I'm building. What's the best practice here?
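As an added check, not code from the original post: Object Lock protects object *versions*, so on a lock-enabled (hence versioned) bucket a delete without a version ID succeeds by placing a delete marker on top rather than removing anything. Given the `list_object_versions` response and the per-version retention for the key, this tells whether the "successful" `aws s3 rm` destroyed data or only hid a version that is still under retention; the bucket, key, version IDs, dates and the `fetch_state` helper are constructed/assumed here.

```python
from datetime import datetime, timezone

def analyze_key(versions_resp, retention_by_version, key, now):
    """Classify what a version-less delete did to `key`, from the
    list_object_versions() response and per-version retention records."""
    data = [v for v in versions_resp.get("Versions", []) if v["Key"] == key]
    markers = [m for m in versions_resp.get("DeleteMarkers", []) if m["Key"] == key]
    protected, unprotected = [], []
    for v in data:
        ret = retention_by_version.get(v["VersionId"])
        if ret and ret["RetainUntilDate"] > now:
            protected.append((v["VersionId"], ret["Mode"], ret["RetainUntilDate"]))
        else:
            unprotected.append(v["VersionId"])
    return {
        # A delete marker on top means `aws s3 rm` only hid the object.
        "latest_is_delete_marker": any(m.get("IsLatest") for m in markers),
        "data_versions_remaining": len(data),
        "protected_versions": protected,      # still inside retention
        "unprotected_versions": unprotected,  # retention missing or expired
        "data_destroyed": not data,           # no data version left at all
    }

def fetch_state(s3, bucket, key):
    """Gather the live inputs for analyze_key() with a boto3 S3 client
    (needs s3:ListBucketVersions and s3:GetObjectRetention; not run here)."""
    versions = s3.list_object_versions(Bucket=bucket, Prefix=key)
    retention = {}
    for v in versions.get("Versions", []):
        if v["Key"] == key:
            retention[v["VersionId"]] = s3.get_object_retention(
                Bucket=bucket, Key=key, VersionId=v["VersionId"])["Retention"]
    return versions, retention

# Constructed sample: bucket state right after `aws s3 rm` (no --version-id)
# on a key whose original version carries a 365-day GOVERNANCE retention.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_VERSIONS = {
    "Versions": [{"Key": "my-object.txt", "VersionId": "v1", "IsLatest": False}],
    "DeleteMarkers": [{"Key": "my-object.txt", "VersionId": "dm1", "IsLatest": True}],
}
SAMPLE_RETENTION = {"v1": {"Mode": "GOVERNANCE",
                           "RetainUntilDate": datetime(2025, 5, 1, tzinfo=timezone.utc)}}

if __name__ == "__main__":
    state = analyze_key(SAMPLE_VERSIONS, SAMPLE_RETENTION, "my-object.txt", NOW)
    for field, value in state.items():
        print(f"{field}: {value}")
```

Feed the output of `fetch_state` on the real bucket into `analyze_key`; a permanent delete of a version under GOVERNANCE retention additionally requires the `s3:BypassGovernanceRetention` permission, which is worth auditing in the user's IAM policy alongside `s3:DeleteObjectVersion`.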