Write-once-read-many (WORM) protection

You can create write-once-read-many (WORM) buckets to protect data and metadata. You configure the WORM buckets to allow the creation of new objects and to prevent overwrites or deletion of existing content. Use one of the approaches described here.

To ensure that overwrites are always denied, you can:

Setting DeleteObject to DENY in an S3 Policy does not prevent ILM from deleting objects when a rule such as "zero copies after 30 days" exists. For more information, see the Administrator Guide.
Even when all of these rules and policies are applied, they do not guard against concurrent writes (see Situation A). They do guard against sequential completed overwrites (see Situation B).

Situation A — Concurrent writes (does not guard against)

PUT#1 ---> OK
PUT#2 -------> OK

Situation B — Sequential completed overwrites (guards against)

PUT#1 -------> PUT#2 ---X (denied)

For an example using the PutOverwriteObject permission, see Example: PutOverwriteObject permission.
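
One way to check a bucket policy for the two denies named above, as an added example that is not part of the original page or the product's own tooling. The `s3:` action prefix, the bucket name `wormbucket`, the sample policies, and the rule that a Deny only counts when it is unconditional, covers all principals, and covers every object in the bucket are assumptions of this example.

```python
# Added example: checks a bucket policy for the WORM denies this page names.
REQUIRED_DENY = ("s3:PutOverwriteObject", "s3:DeleteObject")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def worm_gaps(policy, bucket):
    """Return the required actions that are NOT unconditionally denied to
    all principals on every object in the bucket (conservative by design)."""
    whole_bucket = f"arn:aws:s3:::{bucket}/*"
    denied = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny" or "Action" not in stmt:
            continue  # skip Allow statements and NotAction-style denies
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue  # a Deny scoped to some principals leaves others unrestricted
        if stmt.get("Condition"):
            continue  # a conditional Deny does not always apply
        if whole_bucket not in _as_list(stmt.get("Resource", [])):
            continue  # a Deny on a prefix leaves the rest of the bucket writable
        actions = {a.lower() for a in _as_list(stmt["Action"])}
        for required in REQUIRED_DENY:
            if required.lower() in actions or "s3:*" in actions or "*" in actions:
                denied.add(required)
    return [a for a in REQUIRED_DENY if a not in denied]

# Constructed sample policies for a hypothetical bucket "wormbucket".
DELETE_ONLY = {"Statement": [{
    "Effect": "Deny", "Principal": "*",
    "Action": "s3:DeleteObject",
    "Resource": "arn:aws:s3:::wormbucket/*"}]}

WORM = {"Statement": [
    {"Effect": "Allow", "Principal": "*",
     "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": "arn:aws:s3:::wormbucket/*"},
    {"Effect": "Deny", "Principal": "*",
     "Action": ["s3:PutOverwriteObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::wormbucket/*"}]}

if __name__ == "__main__":
    for name, policy in (("DELETE_ONLY", DELETE_ONLY), ("WORM", WORM)):
        print(name, "missing denies:", worm_gaps(policy, "wormbucket"))
```

An empty result only means the policy denies both actions; it says nothing about ILM rules that delete objects or about concurrent writes (Situation A), which the policy does not cover.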