Ensure that the Amazon S3 buckets associated with your CloudTrail trails have Object Lock feature enabled in order to prevent the objects they store (i.e. trail log files) from being deleted and meet regulatory compliance. Object Lock is an Amazon S3 feature that blocks object version deletion during a user-defined retention period, to enforce retention policies as an additional layer of data protection. The feature provides two retention modes which apply different levels of protection to your S3 objects:
- Governance mode – this mode protects your S3 objects against deletion by most users while still allowing you to grant some users permission to alter the retention settings or delete the object if it's really required.
- Compliance mode – this mode protects object versions from being overwritten or deleted by any user, including the root user of the AWS account, and does not allow the retention mode to be changed or the retention period to be shortened until it expires.
Using S3 buckets with Object Lock enabled for your Amazon CloudTrail trails helps ensure log data integrity, because the log files stored within these buckets cannot be accidentally or intentionally deleted during the retention period. The S3 Object Lock feature can also help your organization meet regulatory requirements for CloudTrail log data protection.
Audit
To determine if the S3 buckets associated with your CloudTrail trails are using Object Lock feature, perform the following actions:
Remediation / Resolution
Enabling Object Lock on an existing S3 bucket is not currently supported; the feature can only be turned on when the bucket is created, so you have to re-create the necessary bucket. To re-create the S3 buckets associated with your Amazon CloudTrail trails with Object Lock enabled, in order to help ensure trail data integrity, perform the following actions:
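The following script is an added example of the audit and remediation described above; it is not Conformity's own remediation script and not code from AWS. It assumes the AWS CLI is installed with credentials that allow cloudtrail:DescribeTrails, cloudtrail:UpdateTrail, sts:GetCallerIdentity and the s3:GetBucketObjectLockConfiguration, s3:CreateBucket, s3:PutBucketObjectLockConfiguration and s3:PutBucketPolicy actions. The trail name, bucket names, region and retention period passed on the command line are placeholders; the bucket policy is the standard policy CloudTrail requires for log delivery, and the trail is repointed with the current `aws cloudtrail update-trail` command. The JSON parsing helpers take the CLI output as a string so they can be exercised offline against the constructed sample document embedded in the script.

```shell
#!/bin/sh
# Added example: audit CloudTrail trail buckets for S3 Object Lock and re-create a
# bucket with Object Lock enabled. Names and the retention period are placeholders.
set -eu

# Constructed sample of `aws s3api get-object-lock-configuration` output for a bucket
# created with Object Lock and a default COMPLIANCE retention rule.
SAMPLE_LOCKED_CONFIG='{"ObjectLockConfiguration":{"ObjectLockEnabled":"Enabled","Rule":{"DefaultRetention":{"Mode":"COMPLIANCE","Days":365}}}}'

# Returns 0 when a get-object-lock-configuration document reports Object Lock as enabled.
object_lock_enabled() {
  printf '%s' "$1" | grep -Eq '"ObjectLockEnabled"[[:space:]]*:[[:space:]]*"Enabled"'
}

# Prints the default retention mode (GOVERNANCE or COMPLIANCE) from the document, or
# NONE when Object Lock is enabled but no default retention rule has been set.
default_retention_mode() {
  mode=$(printf '%s' "$1" \
    | grep -Eo '"Mode"[[:space:]]*:[[:space:]]*"[A-Z]+"' | head -n 1 \
    | sed -E 's/.*"([A-Z]+)"$/\1/')
  printf '%s' "${mode:-NONE}"
}

# Bucket policy CloudTrail needs to deliver log files: an ACL check on the bucket and
# PutObject under AWSLogs/<account>/ with bucket-owner-full-control, both restricted to
# this trail's ARN via aws:SourceArn. <region> is the trail's home region.
cloudtrail_bucket_policy() {
  bucket=$1; account=$2; region=$3; trail=$4
  trail_arn="arn:aws:cloudtrail:$region:$account:trail/$trail"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::$bucket",
     "Condition": {"StringEquals": {"aws:SourceArn": "$trail_arn"}}},
    {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::$bucket/AWSLogs/$account/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                                    "aws:SourceArn": "$trail_arn"}}}
  ]
}
EOF
}

# Audit: report every trail whose destination bucket does not have Object Lock enabled.
# get-object-lock-configuration fails with ObjectLockConfigurationNotFoundError on a
# bucket created without Object Lock, so any failure is treated as "not enabled".
audit_trails() {
  aws cloudtrail describe-trails --query 'trailList[].[Name,S3BucketName]' --output text \
  | while read -r trail bucket; do
      if cfg=$(aws s3api get-object-lock-configuration --bucket "$bucket" 2>/dev/null) \
         && object_lock_enabled "$cfg"; then
        echo "OK      trail=$trail bucket=$bucket mode=$(default_retention_mode "$cfg")"
      else
        echo "FAILING trail=$trail bucket=$bucket (Object Lock not enabled)"
      fi
    done
}

# Remediation: create a replacement bucket with Object Lock (which also enables the
# versioning it requires), set a default COMPLIANCE retention rule, attach the CloudTrail
# delivery policy and repoint the trail. Existing log files stay in the old bucket.
remediate_trail() {
  trail=$1; new_bucket=$2; region=$3; days=${4:-365}
  account=$(aws sts get-caller-identity --query Account --output text)
  if [ "$region" = "us-east-1" ]; then   # us-east-1 rejects a LocationConstraint
    aws s3api create-bucket --bucket "$new_bucket" --region "$region" \
      --object-lock-enabled-for-bucket
  else
    aws s3api create-bucket --bucket "$new_bucket" --region "$region" \
      --create-bucket-configuration "LocationConstraint=$region" \
      --object-lock-enabled-for-bucket
  fi
  # COMPLIANCE: no principal, including root, can delete a locked log object version or
  # shorten its retention until the period expires, so pick the period deliberately.
  aws s3api put-object-lock-configuration --bucket "$new_bucket" \
    --object-lock-configuration \
    "{\"ObjectLockEnabled\":\"Enabled\",\"Rule\":{\"DefaultRetention\":{\"Mode\":\"COMPLIANCE\",\"Days\":$days}}}"
  aws s3api put-bucket-policy --bucket "$new_bucket" \
    --policy "$(cloudtrail_bucket_policy "$new_bucket" "$account" "$region" "$trail")"
  aws cloudtrail update-trail --name "$trail" --s3-bucket-name "$new_bucket"
}

# Usage: sh objectlock.sh audit
#        sh objectlock.sh remediate <trail> <new-bucket> <region> [retention-days]
#        sh objectlock.sh demo    (parses the constructed sample only, no AWS calls)
case "${1:-}" in
  audit)     audit_trails ;;
  remediate) shift; remediate_trail "$@" ;;
  demo)      object_lock_enabled "$SAMPLE_LOCKED_CONFIG" && echo "sample mode: $(default_retention_mode "$SAMPLE_LOCKED_CONFIG")" ;;
  *)         ;;   # no subcommand: only define the functions
esac
```

Run the `audit` subcommand first and re-create only the buckets it reports as FAILING; because a COMPLIANCE-mode retention period cannot be shortened afterwards, set `retention-days` to the period your retention policy actually requires. Object Lock prevents deletion of delivered log files but does not detect tampering in transit, so keep CloudTrail log file validation enabled alongside it.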
References
- AWS Documentation
  - General S3 FAQs
  - Locking Objects Using Amazon S3 Object Lock
  - Amazon S3 Object Lock Overview
  - Managing Amazon S3 Object Locks
  - AWS CloudTrail FAQs
  - Updating a Trail
  - Creating, Updating, and Managing Trails with the AWS Command Line Interface
- AWS Command Line Interface (CLI) Documentation
  - s3api
    - get-object-lock-configuration
    - create-bucket
    - put-object-lock-configuration
  - cloudtrail
    - describe-trails
    - update-subscription
Enable Object Lock for CloudTrail S3 Buckets
Risk level: Medium