S3 Object Lock

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: S3-023

Ensure that the Object Lock feature is enabled for your Amazon S3 buckets in order to prevent the objects they store from being deleted. Object Lock is an Amazon S3 feature that blocks object version deletion during a user-defined retention period, to enforce retention policies as an additional layer of data protection and/or for strict regulatory compliance. The feature provides two ways to manage object retention: retention periods and legal holds. A retention period specifies a fixed time frame during which an S3 object remains locked, meaning that it can't be overwritten or deleted. You can configure the retention period for the available retention modes in the rule settings, in your Trend Micro Cloud One™ – Conformity account. A legal hold implements the same protection as a retention period, but without an expiration date. Instead, a legal hold remains active until you explicitly remove it.

This rule can help you with the following compliance standards:

  • NIST4

For further details on the compliance standards supported by Conformity, refer to the Conformity documentation.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Used in combination with object versioning, which protects S3 objects from being overwritten, Amazon S3 Object Lock enables you to store your S3 objects in an immutable form, providing an additional layer of protection against object changes and deletion. The S3 Object Lock feature can also help you meet regulatory requirements for data protection within your organization.


Audit

To determine if your Amazon S3 buckets are configured to use the Object Lock feature, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

03 Click on the name of the S3 bucket that you want to examine to access the bucket configuration settings.

04 Select the Properties tab from the console menu to access the bucket properties.

05 In the Object Lock section, check the Object Lock configuration attribute value. If the attribute value is set to Disabled, the Object Lock feature is not enabled for the selected Amazon S3 bucket.

06 Repeat steps no. 3 – 5 to determine the Object Lock feature status for other Amazon S3 buckets created within your AWS cloud account.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) using custom query filters to list the names of all Amazon S3 buckets available in your AWS cloud account:

aws s3api list-buckets \
	--query 'Buckets[*].Name'

02 The command output should return an array with the requested bucket names:

[
    "cc-project5-logs",
    "cc-project5-media"
]

03 Run get-object-lock-configuration command (OSX/Linux/UNIX) using the name of the Amazon S3 bucket that you want to examine as the identifier and custom query filters to describe the Object Lock feature configuration status available for the selected bucket:

aws s3api get-object-lock-configuration \
	--bucket cc-project5-logs \
	--query 'ObjectLockConfiguration.ObjectLockEnabled'

04 The command output should return the requested configuration information or the ObjectLockConfigurationNotFoundError error message if there is no Object Lock configuration defined for the specified S3 bucket:

An error occurred (ObjectLockConfigurationNotFoundError) when calling the GetObjectLockConfiguration operation: Object Lock configuration does not exist for this bucket

If the get-object-lock-configuration command output returns the ObjectLockConfigurationNotFoundError error message, as shown in the output example above, the Object Lock feature is not enabled for the selected Amazon S3 bucket.

05 Repeat steps no. 3 and 4 to check the Object Lock feature configuration for other Amazon S3 buckets available in your AWS cloud account.
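The CLI audit above can be automated. The following Python script is an added example (not code from the Conformity page) that applies the same GetObjectLockConfiguration check to every bucket, treating the ObjectLockConfigurationNotFoundError error as "Object Lock disabled" and also reporting the default retention mode and period where one is set. The FakeS3 client and its bucket configurations are constructed so the script runs offline; for a live run, pass boto3.client("s3") to audit() instead.

```python
from dataclasses import dataclass

NOT_FOUND = "ObjectLockConfigurationNotFoundError"  # error code shown in the CLI audit step
@dataclass
class LockStatus:
    bucket: str
    enabled: bool
    mode: str = None    # GOVERNANCE or COMPLIANCE; None when no default retention rule is set
    period: str = None  # e.g. "90 Days" or "1 Years"

def check_bucket(s3, bucket: str) -> LockStatus:
    """Same test as `aws s3api get-object-lock-configuration`: an
    ObjectLockConfigurationNotFoundError means Object Lock is disabled."""
    try:
        cfg = s3.get_object_lock_configuration(Bucket=bucket)["ObjectLockConfiguration"]
    except Exception as err:  # botocore's ClientError carries the code in .response
        if getattr(err, "response", {}).get("Error", {}).get("Code") == NOT_FOUND:
            return LockStatus(bucket, enabled=False)
        raise
    ret = cfg.get("Rule", {}).get("DefaultRetention", {})
    period = next((f"{ret[k]} {k}" for k in ("Days", "Years") if k in ret), None)
    return LockStatus(bucket, cfg.get("ObjectLockEnabled") == "Enabled", ret.get("Mode"), period)

def audit(s3) -> list:
    """Check every bucket the credentials can list (CLI audit steps 1 to 5, automated)."""
    return [check_bucket(s3, b["Name"]) for b in s3.list_buckets()["Buckets"]]

def non_compliant(s3) -> list:
    """Names of buckets that fail rule S3-023 (Object Lock not enabled)."""
    return [s.bucket for s in audit(s3) if not s.enabled]

class FakeClientError(Exception):  # constructed stand-in for botocore's ClientError
    def __init__(self, code: str, op: str):
        super().__init__(f"An error occurred ({code}) when calling the {op} operation")
        self.response = {"Error": {"Code": code}}  # same shape botocore uses

class FakeS3:
    """Constructed offline stand-in for boto3.client('s3'), reusing the page's bucket names."""
    _configs = {
        "cc-project5-logs": None,                               # no Object Lock configuration
        "cc-project5-media": {"ObjectLockEnabled": "Enabled"},  # enabled, no default retention
        "cc-project5-protected-logs": {"ObjectLockEnabled": "Enabled", "Rule": {
            "DefaultRetention": {"Mode": "GOVERNANCE", "Days": 90}}},
    }
    def list_buckets(self):
        return {"Buckets": [{"Name": n} for n in self._configs]}
    def get_object_lock_configuration(self, Bucket: str):
        if self._configs[Bucket] is None:
            raise FakeClientError(NOT_FOUND, "GetObjectLockConfiguration")
        return {"ObjectLockConfiguration": self._configs[Bucket]}
```

For a live run the credentials need the s3:ListAllMyBuckets and s3:GetBucketObjectLockConfiguration IAM actions; a bucket reported as enabled but with no mode still needs a per-object retention period or legal hold before anything is actually protected.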

Remediation / Resolution

Amazon S3 does not currently support enabling Object Lock after a bucket has been created, therefore to enable the feature you have to re-create the bucket, place the S3 objects that you want to lock inside the bucket, then apply a retention period, a legal hold, or both, to the S3 objects that you want to protect. To re-create the S3 bucket and enable the Object Lock feature in order to prevent objects from being deleted and help ensure data integrity, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Enable S3 Object Lock",
  "Resources": {
    "ProtectedS3Bucket": {
      "Properties": {
        "BucketName": "cc-project5-protected-logs",
        "AccessControl": "Private",
        "VersioningConfiguration": {
          "Status": "Enabled"
        },
        "ObjectLockEnabled": true,
        "ObjectLockConfiguration": {
          "ObjectLockEnabled": "Enabled",
          "Rule": {
            "DefaultRetention": {
              "Mode": "GOVERNANCE",
              "Days": "90"
            }
          }
        }
      },
      "Type": "AWS::S3::Bucket"
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable S3 Object Lock
Resources:
  ProtectedS3Bucket:
    Properties:
      BucketName: cc-project5-protected-logs
      AccessControl: Private
      VersioningConfiguration:
        Status: Enabled
      ObjectLockEnabled: true
      ObjectLockConfiguration:
        ObjectLockEnabled: Enabled
        Rule:
          DefaultRetention:
            Mode: GOVERNANCE
            Days: '90'
    Type: AWS::S3::Bucket

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region = "us-east-1"
}

resource "aws_s3_bucket" "protected-bucket" {
  bucket = "cc-project5-protected-logs"
  acl = "private"

  versioning {
    enabled = true
  }

  object_lock_configuration {
    object_lock_enabled = "Enabled"
    rule {
      default_retention {
        mode = "GOVERNANCE"
        days = 90
      }
    }
  }
}

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

03 Choose Create bucket from the console top menu to create a new Amazon S3 bucket.

04 On the Create bucket setup page, perform the following actions:

  1. For General configuration:
    • Provide a unique name for the new bucket in the Bucket name box.
    • From the AWS Region dropdown list, select the AWS cloud region where the new S3 bucket will be created (must match the source bucket region).
    • Choose bucket under Copy settings from existing bucket, select the source (non-compliant) S3 bucket, and Choose bucket.
  2. For Block Public Access settings for bucket, select Block all public access to ensure that all public access to this bucket and its objects is blocked. For more details about this feature, see this conformity rule.
  3. For Bucket Versioning, choose Enable to enable bucket versioning for the new bucket. Amazon S3 Object Lock requires S3 object versioning.
  4. (Optional) For Tags, use the Add tag button to create and apply user-defined tags to the S3 bucket. You can track storage cost and other criteria by tagging your bucket.
  5. For Default encryption, select Enable under Server-side encryption, and choose one of the encryption key types available, based on your requirements. For more details about Amazon S3 Server-Side Encryption (SSE), see this conformity rule.
  6. For Advanced settings, choose Enable under Object Lock to enable the Object Lock feature. Choose I acknowledge that enabling Object Lock will permanently allow objects in this bucket to be locked for confirmation.
  7. Choose Create bucket to create your new Amazon S3 bucket.

05 Click on the name of the newly created Amazon S3 bucket.

06 Select the Properties tab from the console menu to access the bucket properties.

07 In the Object Lock section, choose Edit to configure the feature settings available for the S3 objects that are uploaded without Object Lock configuration.

08 Within Object Lock configuration section, choose Enable under Default retention and select one of the following default retention modes. These retention modes apply different levels of protection to the objects within the selected bucket:

  1. Select Governance so that users cannot overwrite or delete an S3 object version or alter its lock settings unless they have special permissions (e.g. root account). Governance mode enables you to protect objects against deletion by most users while still allowing you to grant some users permission to alter the retention settings or delete the object if required. In the Default retention period box, enter the number of days required to protect an object version. Click Save changes to apply the changes.
  2. Select Compliance so that a protected object version cannot be overwritten or deleted by any user, including the root account user. Once an S3 object is locked in Compliance mode, its retention mode cannot be reconfigured and its retention period cannot be shortened. This retention mode ensures that an object version can't be overwritten or deleted for the duration of the retention period, specified in the Default retention period box. Click Save changes to apply the configuration changes.

09 Now you can transfer the S3 objects from the source bucket, the one with the Object Lock feature disabled, to the destination bucket, the one that has Object Lock enabled.

10 (Optional) Once all your S3 objects are copied from the source S3 bucket to the destination bucket, you can remove the source bucket in order to stop incurring charges for it. To delete the required S3 bucket, perform the following actions:

  1. Select the non-compliant bucket that you want to remove.
  2. Choose Delete from the Amazon S3 console top menu.
  3. Inside Delete bucket <bucket-name> confirmation box, enter the name of the selected bucket, and choose Delete bucket to remove the S3 bucket from your AWS account.

11 Repeat steps no. 3 – 10 to enable and configure the Object Lock feature for other Amazon S3 buckets created within your AWS cloud account.

Using AWS CLI

01 Run create-bucket command (OSX/Linux/UNIX) to create the required Amazon S3 bucket and enable the S3 Object Lock feature for all the objects uploaded to this bucket, by using the --object-lock-enabled-for-bucket command parameter:

aws s3api create-bucket \
	--bucket cc-project5-protected-logs \
	--region us-east-1 \
	--acl private \
	--object-lock-enabled-for-bucket

02 The command output should return the name of the newly created S3 bucket:

{
    "Location": "/cc-project5-protected-logs"
}

03 Define the Object Lock feature configuration parameters by specifying the default retention mode and the default retention period for the new S3 bucket. The following example enables the Governance retention mode for 90 days. Governance mode ensures that users cannot overwrite or delete an S3 object version or alter its lock settings unless they have special permissions (e.g. root account access). The Governance mode enables you to protect objects against deletion by most users while still allowing you to grant some users permission to alter the retention settings or delete the object if required. Save the following configuration parameters to a JSON file named object-lock-config.json:

{
  "ObjectLockEnabled": "Enabled",
  "Rule": {
    "DefaultRetention": {
      "Mode": "GOVERNANCE",
      "Days": 90
    }
  }
}

04 Run put-object-lock-configuration command (OSX/Linux/UNIX) using the configuration parameters defined at the previous step to apply your S3 Object Lock configuration to the newly created S3 bucket (if successful, the command does not produce an output):

aws s3api put-object-lock-configuration \
	--bucket cc-project5-protected-logs \
	--object-lock-configuration file://object-lock-config.json

05 Transfer your S3 objects from the source bucket, the one with the Object Lock feature disabled, to the destination bucket, the one with Object Lock enabled, created at the previous steps.

06 (Optional) Once all your S3 objects are copied from the source S3 bucket to the destination bucket, you can remove the source bucket in order to stop incurring AWS charges. To delete the required S3 bucket, run delete-bucket command (OSX/Linux/UNIX) using the name of the bucket that you want to delete as the identifier parameter (the command should not produce an output):

aws s3api delete-bucket \
	--region us-east-1 \
	--bucket cc-project5-logs

07 Repeat steps no. 1 – 6 to enable and configure the Object Lock feature for other Amazon S3 buckets available in your AWS cloud account.

Publication date Feb 13, 2019