AWS Security ChangesHomeSearch

AWS AmazonS3 medium security documentation change

Service: AmazonS3 · 2026-06-19 · Security-related medium

File: AmazonS3/latest/userguide/object-lock.md

Summary

Added clarification that Object Lock-protected objects (GOVERNANCE/COMPLIANCE modes) prohibit annotation modifications and require new object versions for changes.

Security assessment

Explicitly states that Object Lock security controls override annotation operations and that BypassGovernanceRetention permissions don't apply, addressing potential data integrity risks for locked objects.

Diff

diff --git a/AmazonS3/latest/userguide/object-lock.md b/AmazonS3/latest/userguide/object-lock.md
index 132bba215..ca25e1439 100644
--- a//AmazonS3/latest/userguide/object-lock.md
+++ b//AmazonS3/latest/userguide/object-lock.md
@@ -29,0 +30,4 @@ If you put an object into a bucket that already contains an existing protected o
+###### Note
+
+Objects protected by Object Lock (both GOVERNANCE and COMPLIANCE modes) do not allow annotation modifications (create, update, or delete). The `BypassGovernanceRetention` permission does not apply to annotation operations. To add annotations to a locked object, create a new object version. The new version is not subject to the previous version's retention settings unless you explicitly apply retention to it.
+