
Including overwrite protection? No admin access to those policies from the server?


The NAS’s user has ListObject, PutObject, and DeleteObject. The bucket has versioning enabled, and DeleteObject doesn’t allow deleting prior versions. So the NAS can delete what’s immediately visible in the bucket, but it can’t permanently delete things.

The other way to set this up is to configure Object Lock on your S3 bucket: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object...

The upside of versioning over Object Lock, for my use case, is that the backup scripts can be very simple, because they don’t have to deal with what happens if they want to clean up a file but don’t have permissions to. They just do their thing, and I’m confident that old versions are retained. The downside of this approach is that my S3 usage will increase over time, because I’m retaining all old content. So eventually it’ll cost enough for me to decide to either switch to Object Lock or figure out a safe way to prune old content.
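An added example, not part of the thread: a small check that a backup writer's IAM identity policy, like the one described above, grants nothing that could permanently destroy old versions. The action names are real S3 IAM actions (`s3:ListBucket` is the action that permits listing objects); the bucket name, the sample policies and the choice of which actions count as destructive are assumptions of this example. It only inspects `Allow` statements with an `Action` key and ignores `Deny`, `NotAction`, `Resource` and `Condition`, so it over-reports rather than under-reports.

```python
import fnmatch

# Real S3 IAM actions that let an identity destroy retained history on a
# versioned bucket. The selection is this example's, not an AWS-defined list.
DESTRUCTIVE = [
    "s3:DeleteObjectVersion",        # permanently removes a specific version
    "s3:PutBucketVersioning",        # can suspend versioning
    "s3:PutLifecycleConfiguration",  # can expire noncurrent versions
    "s3:PutBucketPolicy",            # can rewrite bucket-level permissions
    "s3:DeleteBucket",
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def destructive_grants(policy):
    """Return the DESTRUCTIVE actions matched by any Allow statement."""
    found = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        for pattern in _as_list(stmt["Action"]):
            # IAM action names are case-insensitive; * and ? are wildcards.
            found |= {a for a in DESTRUCTIVE
                      if fnmatch.fnmatchcase(a.lower(), pattern.lower())}
    return sorted(found)

# Constructed policies; the bucket name is a placeholder.
BUCKET = "arn:aws:s3:::example-backup-bucket"
NAS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:DeleteObject"],
     "Resource": BUCKET + "/*"},
]}
# Same intent, but the trailing wildcard also matches s3:DeleteObjectVersion.
WILDCARD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:DeleteObject*"],
     "Resource": BUCKET + "/*"},
]}

if __name__ == "__main__":
    for name, pol in [("nas", NAS_POLICY), ("wildcard", WILDCARD_POLICY)]:
        print(name, destructive_grants(pol) or "no destructive actions granted")
```
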



